GARP
2020 EXAM PART II
Operational Risk and Resiliency
Pearson
Copyright © 2019, 2018, 2017, 2016, 2015, 2014, 2013, 2012, 2011 by Pearson Education, Inc.
All rights reserved.
Pearson Custom Edition.

This copyright covers material written expressly for this volume by the editor/s as well as the compilation itself. It does not cover the individual selections herein that first appeared elsewhere. Permission to reprint these has been obtained by Pearson Education, Inc. for this edition only. Further reproduction by any means, electronic or mechanical, including photocopying and recording, or by any information storage or retrieval system, must be arranged with the individual copyright holders noted.
Grateful acknowledgment is made to the following sources for permission to reprint material copyrighted or controlled by them:

"Principles for the Sound Management of Operational Risk," by Basel Committee on Banking Supervision, June 2011, by permission of the Bank for International Settlements. Information retrieved from the Bank for International Settlements is freely available at their website: www.bis.org.

"Enterprise Risk Management: Theory and Practice," by Brian W. Nocco and Rene M. Stulz, reprinted from Journal of Applied Corporate Finance, vol. 18, no. 4, Fall 2006, by permission of John Wiley & Sons, Inc.

"What is ERM?," by James Lam, reprinted from Enterprise Risk Management: From Incentives to Controls, Second Edition (2014), by permission of John Wiley & Sons, Inc.

"Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions," June 2011, by permission of the Institute of International Finance.

"Banking Conduct and Culture: A Permanent Mindset Change," by the G30 Working Group, 2018, by permission of the Group of 30 Consultative Group on International Economic and Monetary Affairs, Inc.

"Risk Culture," by Alessandro Carretta and Paola Schwizer, reprinted from Risk Culture in Banking by Alessandro Carretta, Franco Fiordelisi and Paola Schwizer (2017), by permission of Palgrave Macmillan.

"OpRisk Data and Governance," by Marcelo G Cruz, Gareth W Peters and Pavel V Shevchenko, reprinted from Fundamental Aspects of Operational Risk and Insurance Analytics: A Handbook of Operational Risk (2015), by permission of John Wiley & Sons, Inc.

"Adoption of Supervisory Guidance on Model Risk Management," reprinted from Financial Institution Letter FIL-22-2017, June 2017, published by the Federal Deposit Insurance Corporation.

"Information Risk and Data Quality Management," by David Loshin, reprinted from Risk Management in Finance: Six Sigma and Other Next-Generation Techniques, edited by Anthony Tarantino and Deborah Cernauskas (2009), by permission of John Wiley & Sons, Inc.

"Validating Rating Models," by Giacomo De Laurentis, Renato Maino, and Luca Molteni, reprinted from Developing, Validating and Using Internal Ratings (2010), by permission of John Wiley & Sons, Inc.

"Assessing the Quality of Risk Measures," by Allan M Malz, reprinted from Financial Risk Management: Models, History, and Institutions (2011), by permission of John Wiley & Sons, Inc.

"Risk Capital Attribution and Risk-Adjusted Performance Measurement," by Michel Crouhy, Dan Galai and Robert Mark, reprinted from The Essentials of Risk Management, 2nd Edition (2014), by permission of the McGraw-Hill Companies, Inc.

"Range of Practices and Issues in Economic Capital Frameworks," by Basel Committee on Banking Supervision, March 2009, by permission of the Basel Committee on Banking Supervision.

"Capital Planning at Large Bank Holding Companies: Supervisory Expectations and Range of Current Practice," August 2013, by permission of the Board of Governors of the Federal Reserve System.

"Stress Testing Banks," by Til Schuermann, reprinted from the International Journal of Forecasting 30, no. 3, (2014) pp. 717-728, by permission of Elsevier BV.

"Guidance on Managing Outsourcing Risk," Supervisory Letter SR 13-19/CA 13-21, December 2013, by permission of the Board of Governors of the Federal Reserve System.

"Management of Risks Associated with Money Laundering and Financing of Terrorism," by Mark Carey, February 2019, the GARP Risk Institute.

"Regulation of the OTC Derivatives Market," by John C Hull, reprinted from Risk Management and Financial Institutions, 5th edition (2018), by permission of John Wiley & Sons, Inc.

"Capital Regulation Before the Global Financial Crisis," by Mark Carey, April 2019, the GARP Risk Institute.

"Solvency, Liquidity and Other Regulation After the Global Financial Crisis," by Mark Carey, April 2019, the GARP Risk Institute.

"High-Level Summary of Basel III Reforms," by Basel Committee on Banking Supervision, December 2017, by permission of the Bank for International Settlements. Information retrieved from the Bank for International Settlements is freely available at their website: www.bis.org.

"Basel III: Finalising Post-Crisis Reforms," by Basel Committee on Banking Supervision, December 2017, by permission of the Bank for International Settlements. Information retrieved from the Bank for International Settlements is freely available at their website: www.bis.org.

"The Cyber-Resilient Organization," by Andrew Coburn, Eireann Leverett, and Gordon Woo, reprinted from Solving Cyber Risk: Protecting Your Company and Society (2019), by permission of John Wiley & Sons, Inc.

"Cyber-Resilience: Range of Practices," by Basel Committee on Banking Supervision, December 2018, by permission of the Bank for International Settlements. Information retrieved from the Bank for International Settlements is freely available at their website: www.bis.org.

"Building the UK Financial Sector's Operational Resilience," by the Bank of England and the Financial Conduct Authority, July 2018, reprinted by permission.

"Striving for Operational Resilience: The Questions Boards and Senior Management Should Ask," by Rico Brandenburg, Tom Ivell, Evan Sekeris, Matthew Gruber and Paul Lewis, 2019, by permission of Oliver Wyman.

Learning Objectives provided by the Global Association of Risk Professionals.

All trademarks, service marks, registered trademarks, and registered service marks are the property of their respective owners and are used herein for identification purposes only.

Pearson Education, Inc., 330 Hudson Street, New York, New York 10013
A Pearson Education Company
www.pearsoned.com
Printed in the United States of America
Contents

1.1 Preface 2
1.2 Role of Supervisors 2
1.3 Principles for the Management of Operational Risk 3
  Fundamental Principles of Operational Risk Management 4
  Governance 5
  Risk Management Environment 5
  Role of Disclosure 5
1.4 Fundamental Principles of Operational Risk Management 5
1.5 Governance 6
  The Board of Directors 6
  Senior Management 7
1.6 Risk Management Environment 8
  Identification and Assessment 8
  Monitoring and Reporting 9
  Control and Mitigation 10

Chapter 2 Enterprise Risk Management: Theory and Practice 13
2.1 How Does ERM Create Shareholder Value? 14
  The Macro Benefits of Risk Management 14
  The Micro Benefits of ERM 15
2.2 Determining the Right Amount of Risk 16
2.3 Implementing ERM 20
  Inventory of Risks 20
  Economic Value versus Accounting Performance 21
  Aggregating Risks 22
  Measuring Risks 24
  Regulatory versus Economic Capital 24
  Using Economic Capital to Make Decisions 25
  The Governance of ERM 26
Conclusion 26

Chapter 3 What Is ERM? 27
3.1 ERM Definitions 28
3.2 The Benefits of ERM 29
  Organizational Effectiveness 29
  Risk Reporting 29
  Business Performance 30

Introduction 38
Section 1 - Principal Findings from the Investigation 39
Section 2 - Key Outstanding Challenges in Implementing Risk Appetite Frameworks 41
Section 3 - Emerging Sound Practices in Overcoming the Challenges 43
  3.1 Risk Appetite and Risk Culture 44
  3.2 "Driving Down" the Risk Appetite into the Businesses 45
  3.3 Capturing Different Risk Types 47
  3.4 The Benefits of Risk Appetite as a Dynamic Tool 48
  3.5 The Link with the Strategy and Business Planning Process 49
  3.6 The Role of Stress Testing within an RAF 52

Introduction 78
Section 1. Assessment of Industry Progress 86
  Mindset of Culture 88
  Senior Accountability and Governance 89
  Performance Management and Incentives 91
  Staff Development and Promotions 92
  An Effective Three Lines of Defense 94
  Regulators, Supervisors, Enforcement Authorities, and Industry Standards 95
Section 2. Lessons Learned 98

Chapter 6 Risk Culture 105
6.1 Introduction 106

  External Frauds 120
  Internal Fraud 120
  Employment Practices and Workplace Safety 120
  Damage to Physical Assets 121
7.3 The Elements of the OpRisk Framework 121
  Internal Loss Data 121
  Setting a Collection Threshold and Possible Impacts 121
  Completeness of Database (Under-Reporting Events) 122
  Recoveries and Near Misses 122
  Time Period for Resolution of Operational Losses 123
Chapter 8 Supervisory Guidance on Model Risk Management 137
8.1 Introduction 138
8.2 Purpose and Scope 138
8.3 Overview of Model Risk Management 138
8.4 Model Development, Implementation, and Use 140
  Model Development and Implementation 140
  Model Use 141
8.5 Model Validation 142
  Key Elements of Comprehensive Validation 143
  Validation of Vendor and Other Third-Party Products 146
8.6 Governance, Policies, and Controls 146
  Board of Directors and Senior Management 147
  Policies and Procedures 147
  Roles and Responsibilities 147
  Internal Audit 148
  External Resources 148
  Model Inventory 149
  Documentation 149
Conclusion 149

Chapter 9 Information Risk and Data Quality Management 151
9.1 Organizational Risk, Business Impacts, and Data Quality 152
  Business Impacts of Poor Data Quality 152
  Information Flaws 153
9.2 Examples 153
  Employee Fraud and Abuse 153
  Underbilling and Revenue Assurance 153
  Credit Risk 153
  Insurance Exposure 154
  Development Risk 154
  Compliance Risk 154
9.3 Data Quality Expectations 154
  Accuracy 154
  Completeness 154
  Consistency 154
  Reasonableness 155
  Currency 155
  Uniqueness 155
  Other Dimensions of Data Quality 155
9.4 Mapping Business Policies to Data Rules 155
9.5 Data Quality Inspection, Control, and Oversight: Operational Data Governance 155
9.6 Managing Information Risk Via a Data Quality Scorecard 156
  Data Quality Issues View 156
  Business Process View 157
  Business Impact View 157
  Managing Scorecard Views 157
Summary 157

Chapter 10 Validating Rating Models 159

12.3 RAROC: Risk-Adjusted Return on Capital 184
  Business-Level Use 199
  Enterprise-Wide or Group-Level Use 200
  Governance 202
  Supervisory Concerns Relating to Use of Economic Capital and Governance 203
13.5 Risk Measures 205
  Desirable Characteristics of Risk Measures 205
  Types of Risk Measures 206
  Calculation of Risk Measures 207
  Supervisory Concerns Relating to Risk Measures 208
13.6 Risk Aggregation 208
  Aggregation Framework 208
  Aggregation Methodologies 209
  Range of Practices in the Choice of Aggregation Methodology 212
  Supervisory Concerns Relating to Risk Aggregation 213
13.7 Validation of Internal Economic Capital Models 214
  What Validation Processes Are in Use? 215
  What Aspects of Models Does Validation Cover? 218
  Supervisory Concerns Relating to Validation 218
13.8 Annex 1: Dependency Modelling in Credit Risk Models 218
  Types of Models 219
  Supervisory Concerns Relating to Currently Used Credit Portfolio Models 221
13.9 Annex 2: Counterparty Credit Risk 223
  Counterparty Credit Risk Challenges 223
  Range of Practices 225
13.10 Annex 3: Interest Rate Risk in the Banking Book 227
  Sources of Interest Rate Risk 227
  Interest Rate Measurement Techniques and Indicators 228
  Modelling Issues 229
  Main Challenges for the Measurement of Interest Rate Risk in the Banking Book 229
References 233

Chapter 14 Capital Planning at Large Bank Holding Companies 235
14.1 Introduction 236
14.2 Foundational Risk Management 238
  Risk Identification 238
14.3 Internal Controls 239
  Scope of Internal Controls 239
  Internal Audit 239
  Independent Model Review and Validation 240
  Policies and Procedures 240
  Ensuring Integrity of Results 241
  Documentation 241
14.4 Governance 241
  Board of Directors 241
  Board Reporting 242
  Senior Management 242
  Documenting Decisions 243
14.5 Capital Policy 243
  Capital Goals and Targets 244
  Capital Contingency Plan 244
14.6 BHC Scenario Design 245
  Scenario Design and Severity 245
  Variable Coverage 246
  Clear Narratives 246
14.7 Estimation Methodologies for Losses, Revenues, and Expenses 246
  General Expectations 246
  Loss-Estimation Methodologies 249
  PPNR Projection Methodologies 257
14.8 Assessing Capital Adequacy Impact 261
  Balance Sheet and RWAs 261
  Allowance for Loan and Lease Losses (ALLL) 262
  Aggregation of Projections 262
14.9 Concluding Observations 263

Chapter 15 Stress Testing Banks 265
Abstract 266
15.1 Introduction 266
15.2 Stress Testing in the Literature 270
15.3 Stress Testing Design 271
15.4 Executing the Stress Scenario: Losses and Revenues 272
  Modeling Losses 273
  Modeling Revenues 274
  Modeling the Balance Sheet 275
15.5 Stress Testing Disclosure 275
Conclusion 278
Acknowledgments 278
References 278

Chapter 16 Guidance on Managing Outsourcing Risk 281
16.1 Purpose 282
16.2 Risks from the Use of Service Providers 282
16.3 Board of Directors and Senior Management Responsibilities 282
16.4 Service Provider Risk Management Programs 282
  A. Risk Assessments 283
  B. Due Diligence and Selection of Service Providers 283
  C. Contract Provisions and Considerations 284
  D. Incentive Compensation Review 286
  E. Oversight and Monitoring of Service Providers 286
  F. Business Continuity and Contingency Considerations 287
  G. Additional Risk Considerations 287
Chapter 17 Management of Risks Associated with Money Laundering and Financing of Terrorism 289
17.1 Background 290
17.2 Application of Standard Practices 290
17.3 Risk Assessment 291
17.4 Customer Due Diligence and Acceptance 291
17.5 Transaction and Other Monitoring and Reporting 291
17.6 Correspondent Banking 291
17.7 Wire Transfers 292
17.8 International Scope 292
References 292

Chapter 18 Regulation of the OTC Derivatives Market 293
18.1 Clearing in OTC Markets 294
  Margin 294
  Central Clearing 295
  Bilateral Clearing 296
  Netting 296
  Events of Default 296
18.2 Post-Crisis Regulatory Changes 297
  Uncleared Trades 297
  Determination of Initial Margin: SIMM 298
18.3 Impact of the Changes 299
  Liquidity 299
  Rehypothecation 300
  The Convergence of OTC and Exchange-Traded Markets 300
18.4 CCPs and Bankruptcy 300
Summary 301
Further Reading 301

Chapter 19 Capital Regulation Before the Global Financial Crisis 303
19.1 The Basel Accord: Basel I Variant 304
  The Risk-Based Capital Ratio 305
19.2 The Basel Accord: Basel II Variant 309
  Capital for Credit Risk 310
  Retail Exposures Under IRB 312
  Credit Mitigants Other Than Collateral 313
  Capital for Operational Risk 313
  Solvency II 314
Summary 315
References 315
Chapter 20 Solvency, Liquidity and Other Regulation After the Global Financial Crisis 317
20.1 The Financial Stability Board 318
20.2 Basel 2.5 318
  Stressed VaR 318
  Incremental Risk Charge 318
  Correlations and the Comprehensive Risk Measure 319
20.3 Basel 3 319
  The Definition of Capital 320
  Leverage Ratio Capital Requirements 321
  Systemically Important Financial Institutions 321
  Buffers 321
  Liquidity Requirements 323
  Derivatives Counterparty Credit Risk 324
20.4 Resolution Planning and Preparation 324
  CoCos 324
  Living Wills 325
20.5 Stress Testing and Other Local Applications of Basel 325
20.6 Other Reforms 326
References 326

Chapter 21 High-Level Summary of Basel III Reforms 327
  Standardised Approach for Credit Risk 328
  Internal Ratings-Based Approaches for Credit Risk 331
  Removing the Use of the Advanced IRB Approach for Certain Asset Classes 331
  Specification of Input Floors 332
  Additional Enhancements 332
  CVA Risk Framework 332
  Operational Risk Framework 333
  Leverage Ratio Framework 333
  Buffer for Global Systemically Important Banks 333
  Refinements to the Leverage Ratio Exposure Measure 334
  Output Floor 334
  Transitional Arrangements 335

Chapter 22 Basel III: Finalising Post-Crisis Reforms 337
22.1 Introduction 338
22.2 The Standardised Approach 338
  The Business Indicator 338
  The Business Indicator Component 338
  The Internal Loss Multiplier 338
  The Standardised Approach Operational Risk Capital Requirement 339
22.3 Application of the Standardised Approach within a Group 339
22.4 Minimum Standards for the Use of Loss Data Under the Standardised Approach 339
22.5 General Criteria on Loss Data Identification, Collection and Treatment 340
22.6 Specific Criteria on Loss Data Identification, Collection and Treatment 340
  Building of the Standardised Approach Loss Data Set 340
  Gross Loss, Net Loss, and Recovery Definitions 340
22.7 Exclusion of Losses from the Loss Component 341
22.8 Exclusions of Divested Activities from the Business Indicator 342
22.9 Inclusion of Losses and BI Items Related to Mergers and Acquisitions 342

Chapter 23 The Cyber-Resilient Organization 345
23.1 Changing Approaches to Risk Management 346
  Identify, Protect, Detect, Respond, Recover 346
  Threat Analysis 346
23.2 Incident Response and Crisis Management 346
  Real-Time Crisis Management: How Fighter Pilots Do It 346
  Rapid Adaptation to Changing Conditions 347
  Cyber Risk Awareness in Staff 347
  Business Continuity Planning and Staff Engagement 347
  Gaming and Exercises 348
  Nudging Behavior 348
23.3 Resilience Engineering 348
  Safety Management 348
  Hotel Keycard Failure Example 349
23.4 Attributes of a Cyber-Resilient Organization 349
  Anticipate, Withstand, Recover, and Evolve 349
  Negative Attributes 350
  Six Positive Attributes for Resilience 350
  Cyber Resilience Objectives 350
23.6 Resilient Security Solutions 352
  Resilient Software 352
  Detection, Containment, and Control 352
  Minimize Intrusion Dwell Time 353
  Anomaly Detection Algorithms 353
  Penetration Testing 354
  The Risk-Return Trade-Off 354
23.7 Financial Resilience 355
  Financial Consequences of a Cyber Attack 355
  Financial Risk Assessment 355
  Reverse Stress Testing 355
  Defense in Depth 356
  Enterprise Risk Management 356
  Cyber Value at Risk 356
  Re-Simulations of Historical Events 357
  Counterfactual Analysis 357
  Building Back Better 357
  Events Drive Change 358
  Education for Cyber Resilience 358
  Improving the Cyber Profession 359

Chapter 24 Cyber-Resilience: Range of Practices 361
24.4 Approaches to Risk Management, Testing and Incident Response and Recovery 367
  Methods for Supervising Cyber-Resilience 368
  Information Security Controls Testing and Independent Assurance 368
  Response and Recovery Testing and Exercising 369
  Cyber-Security and Resilience Metrics 370
24.5 Communication and Sharing of Information 371
  Overview of Information-Sharing Frameworks Across Jurisdictions 371
  Sharing Among Banks 373
  Sharing from Banks to Regulators 373
  Sharing Among Regulators 374
  Sharing from Regulators to Banks 375
  Sharing with Security Agencies 375
24.6 Interconnections with Third Parties 377
  Governance of Third-Party Connections 377
  Business Continuity and Availability 379
  Information Confidentiality and Integrity 380
  Specific Expectations and Practices with Regard to the Visibility of Third-Party Connections 381
  Auditing and Testing 381
  Resources and Skills 382
  Important Concepts in the Supervisory Authorities' Approach to Operational Resilience 384
  Discussion Paper Structure 386
25.2 Operational Resilience of Business Services 387
  Focusing on Business Services 387
  Prioritising by Business Services 387
  Building Resilient Business Services, Assuming Disruption Will Occur 388
25.3 Operational Resilience of Firms and FMIs 389
  Factors Relating to the Supervisory Authorities' Objectives 390
  Existing Regulatory Requirements and Expectations for Firms and FMIs 392
  What This Might Mean for Firms and FMIs in Practice 395
25.4 Clear Outcomes for Operational Resilience 397
  Current Approaches 398
  Potential Benefits of Setting Impact Tolerances 398
25.5 Supervisory Assessment of Operational Resilience 399
  Sector-Wide Work 399
  Reviewing How Impact Tolerances Are Set and Used 400
  Analysis of Systems, People and Processes that Support Business Services 400
  Gaining Assurance that Firms and FMIs Have the Capabilities to Deliver Operational Resilience 400
  Supervisory Tools 401
Conclusion 401
Responses and Next Steps 402
Feedback and Questions 402
Annex 1: Glossary of Terms 402
  Business Services 402
  Capabilities 402
  Clearing House Automated Payment System (CHAPS) 403
  Cloud Services 403
  Operational Continuity 403
  Economic Functions 403
  Financial Market Infrastructure (FMI) 403
  General Data Protection Regulation (GDPR) 403
  Impact Tolerances 403
  Impact Tolerance Statement 403
  Integrity 403
  Operational Resilience 403
  Operational Risk 403
  Risk Appetite 403
  Real Economy 403
  Real-Time Gross Settlement (RTGS) Service 403
  Senior Managers and Certification Regime (SM&CR) and Senior Insurance Managers Regime (SIMR) 403
  Supervisory Authorities 404
  Systems and Processes 404
  Vital Services 404

Chapter 26 Striving for Operational Resilience 405
Executive Summary 406
26.1 Why Now?: Need for Operational Resilience 406
26.2 Bend, But Don't Break: Operational Resilience Approach 406
26.3 Has the Organization Got It?: Important Questions to Ask About Operational Resilience 409
26.4 Improving Resilience: Getting Started 409

Bibliography 413
Index 417
FRM® Committee

Chairman
Dr. Rene Stulz, Everett D. Reese Chair of Banking and Monetary Economics, The Ohio State University

Members
Richard Apostolik, President and CEO, Global Association of Risk Professionals
Dr. Attilio Meucci, CFA, Founder, ARPM
Learning Objectives

After completing this reading you should be able to:

- Describe the three "lines of defense" in the Basel model for operational risk governance.
- Summarize the fundamental principles of operational risk management as suggested by the Basel Committee.
- Explain guidelines for strong governance of operational risk, and evaluate the role of the board of directors and senior management in implementing an effective operational risk framework.
- Describe tools and processes that can be used to identify and assess operational risk.
- Describe features of an effective control environment and identify specific controls that should be in place to address operational risk.
- Explain the Basel Committee's suggestions for managing technology risk and outsourcing risk.

Excerpt is reprinted by permission from the Basel Committee on Banking Supervision.
1.1 PREFACE

1. In the Sound Practices for the Management and Supervision of Operational Risk (Sound Practices), published in February 2003, the Basel Committee on Banking Supervision (Committee) articulated a framework of principles for the industry and supervisors. Subsequently, in the 2006 International Convergence of Capital Measurement and Capital Standards: A Revised Framework—Comprehensive Version (commonly referred to as "Basel II"), the Committee anticipated that industry sound practice would continue to evolve.[1] Since then, banks and supervisors have expanded their knowledge and experience in implementing operational risk management frameworks (Framework). Loss data collection exercises, quantitative impact studies, and range of practice reviews covering governance, data and modelling issues have also contributed to industry and supervisory knowledge and the emergence of sound industry practice.

2. In response to these changes, the Committee has determined that the 2003 Sound Practices paper should be updated to reflect the enhanced sound operational risk management practices now in use by the industry. This document, Principles for the Sound Management of Operational Risk and the Role of Supervision, incorporates the evolution of sound practice and details eleven principles of sound operational risk management covering (1) governance, (2) risk management environment and (3) the role of disclosure. By publishing an updated paper, the Committee enhances the 2003 sound practices framework with specific principles for the management of operational risk that are consistent with sound industry practice. These principles have been developed through the ongoing exchange of ideas between supervisors and industry since 2003. Principles for the Sound Management of Operational Risk and the Role of Supervision replaces the 2003 Sound Practices and becomes the document that is referenced in paragraph 651 of Basel II.

3. A Framework for Internal Control Systems in Banking Organisations (Basel Committee, September 1998) underpins the Committee's current work in the field of operational risk. The Core Principles for Effective Banking Supervision (Basel Committee, October 2006) and the Core Principles Methodology (Committee, October 2006), both for supervisors, and the principles identified by the Committee in the second pillar (supervisory review process) of Basel II are also important reference tools that banks should consider when designing operational risk policies, processes and risk management systems.

4. Supervisors will continue to encourage banks "to move along the spectrum of available approaches as they develop more sophisticated operational risk measurement systems and practices."[2][3] Consequently, while this chapter articulates principles from emerging sound industry practice, supervisors expect banks to continuously improve their approaches to operational risk management. In addition, this chapter addresses key elements of a bank's Framework. These elements should not be viewed in isolation but should be integrated components of the overall framework for managing operational risk across the enterprise.

5. The Committee believes that the principles outlined in this chapter establish sound practices relevant to all banks. The Committee intends that when implementing these principles, a bank will take account of the nature, size, complexity and risk profile of its activities.

1.2 ROLE OF SUPERVISORS

6. Supervisors conduct, directly or indirectly, regular independent evaluations of a bank's policies, processes and systems related to operational risk as part of the assessment of the Framework. Supervisors ensure that there are appropriate mechanisms in place which allow them to remain apprised of developments at a bank.

7. Supervisory evaluations of operational risk include all the areas described in the principles for the management of operational risk. Supervisors also seek to ensure that, where banks are part of a financial group, there are processes and procedures in place to ensure that operational risk is managed in an appropriate and integrated manner across the group. In performing this assessment, cooperation and exchange of information with other supervisors, in accordance with established procedures, may be necessary. Some supervisors may choose to use external auditors in these assessment processes.[4]

[1] Basel Committee on Banking Supervision, International Convergence of Capital Measurement and Capital Standards: A Revised Framework—Comprehensive Version, Section V (Operational Risk), paragraph 646, Basel, June 2006.
[2] BCBS (2006), paragraph 646.
[3] Refer to the Committee's papers High-level principles for the cross-border implementation of the New Accord, August 2003, and Principles for home-host supervisory cooperation and allocation mechanisms in the context of Advanced Measurement Approaches (AMA), November 2007.
[4] For further discussion, see the Committee's paper The relationship between banking supervisors and bank's external auditors, January 2002.
2 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
8. Deficiencies identified during the supervisory review may be addressed through a range of actions. Supervisors use the tools most suited to the particular circumstances of the bank and its operating environment. In order that supervisors receive current information on operational risk, they may wish to establish reporting mechanisms directly with banks and external auditors (e.g., internal bank management reports on operational risk could be made routinely available to supervisors).

9. Supervisors continue to take an active role in encouraging ongoing internal development efforts by monitoring and evaluating a bank's recent improvements and plans for prospective developments. These efforts can then be compared with those of other banks to provide the bank with useful feedback on the status of its own work. Further, to the extent that there are identified reasons why certain development efforts have proven ineffective, such information could be provided in general terms to assist in the planning process.

1.3 PRINCIPLES FOR THE MANAGEMENT OF OPERATIONAL RISK

10. Operational risk[5] is inherent in all banking products, activities, processes and systems, and the effective management of operational risk has always been a fundamental element of a bank's risk management programme. As a result, sound operational risk management is a reflection of the effectiveness of the board and senior management in administering its portfolio of products, activities, processes, and systems. The Committee, through the publication of this chapter, desires to promote and enhance the effectiveness of operational risk management throughout the banking system.

11. Risk management generally encompasses the process of identifying risks to the bank, measuring exposures to those risks (where possible), ensuring that an effective capital planning and monitoring programme is in place, monitoring risk exposures and corresponding capital needs on an ongoing basis, taking steps to control or mitigate risk exposures and reporting to senior management and the board on the bank's risk exposures and capital positions. Internal controls are typically embedded in a bank's day-to-day business and are designed to ensure, to the extent possible, that bank activities are efficient and effective, information is reliable, timely and complete and the bank is compliant with applicable laws and regulation. In practice, the two notions are in fact closely related and the distinction between both is less important than achieving the objectives of each.

12. Sound internal governance forms the foundation of an effective operational risk management Framework. Although internal governance issues related to the management of operational risk are not unlike those encountered in the management of credit or market risk, operational risk management challenges may differ from those in other risk areas.

13. The Committee is seeing sound operational risk governance practices adopted in an increasing number of banks. Common industry practice for sound operational risk governance often relies on three lines of defence: (i) business line management, (ii) an independent corporate operational risk management function and (iii) an independent review.[6] Depending on the bank's nature, size and complexity, and the risk profile of a bank's activities, the degree of formality of how these three lines of defence are implemented will vary. In all cases, however, a bank's operational risk governance function should be fully integrated into the bank's overall risk management governance structure.

14. In the industry practice, the first line of defence is business line management. This means that sound operational risk governance will recognise that business line management is responsible for identifying and managing the risks inherent in the products, activities, processes and systems for which it is accountable.

15. A functionally independent corporate operational risk function (CORF)[7] is typically the second line of defence, generally

[5] Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.
[6] As discussed in the Committee's paper Operational Risk—Supervisory Guidelines for the Advanced Measurement Approaches, June 2011, independent review includes the following components:
  Verification of the Framework is done on a periodic basis and is typically conducted by the bank's internal and/or external audit, but may involve other suitably qualified independent parties from external sources. Verification activities test the effectiveness of the overall Framework, consistent with policies approved by the board of directors, and also test validation processes to ensure they are independent and implemented in a manner consistent with established bank policies.
  Validation ensures that the quantification systems used by the bank are sufficiently robust and provides assurance of the integrity of inputs, assumptions, processes and outputs. Specifically, the independent validation process should provide enhanced assurance that the risk measurement methodology results in an operational risk capital charge that credibly reflects the operational risk profile of the bank. In addition to the quantitative aspects of internal validation, the validation of data inputs, methodology and outputs of operational risk models is important to the overall process.
[7] In many jurisdictions, the independent corporate operational risk function is known as the corporate operational risk management function.
[10] Internal operational risk culture is taken to mean the combined set of
8 The Com m ittee's paper, Internal A u d it in Banks and the Supervisor's individual and corporate values, attitudes, com petencies and behaviour
Relationship with A u d ito rs, August 2001, describes the role of internal that determ ine a firm's com m itm ent to and style of operational risk
and external audit. m anagem ent.
4 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Governance11

The Board of Directors

Principle 3: The board of directors should establish, approve and periodically review the Framework. The board of directors should oversee senior management to ensure that the policies, processes and systems are implemented effectively at all decision levels.

Principle 4: The board of directors should approve and review a risk appetite and tolerance statement12 for operational risk that articulates the nature, types, and levels of operational risk that the bank is willing to assume.

Senior Management

Principle 5: Senior management should develop for approval by the board of directors a clear, effective and robust governance structure with well defined, transparent and consistent lines of responsibility. Senior management is responsible for consistently implementing and maintaining throughout the organisation policies, processes and systems for managing operational risk in all of the bank's material products, activities, processes and systems consistent with the risk appetite and tolerance.

Risk Management Environment

Identification and Assessment

Principle 6: Senior management should ensure the identification and assessment of the operational risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood.

Principle 7: Senior management should ensure that there is an approval process for all new products, activities, processes and systems that fully assesses operational risk.

Monitoring and Reporting

Principle 8: Senior management should implement a process to regularly monitor operational risk profiles and material exposures to losses. Appropriate reporting mechanisms should be in place at the board, senior management, and business line levels that support proactive management of operational risk.

Control and Mitigation

Principle 9: Banks should have a strong control environment that utilises policies, processes and systems; appropriate internal controls; and appropriate risk mitigation and/or transfer strategies.

Business Resiliency and Continuity

Principle 10: Banks should have business resiliency and continuity plans in place to ensure an ability to operate on an ongoing basis and limit losses in the event of severe business disruption.

Role of Disclosure

Principle 11: A bank's public disclosures should allow stakeholders to assess its approach to operational risk management.

1.4 FUNDAMENTAL PRINCIPLES OF OPERATIONAL RISK MANAGEMENT

Principle 1: The board of directors should take the lead in establishing a strong risk management culture. The board of directors and senior management should establish a corporate culture that is guided by strong risk management and that supports and provides appropriate standards and incentives for professional and responsible behaviour. In this regard, it is the responsibility of the board of directors to ensure that a strong operational risk management culture exists throughout the whole organisation.

21. Banks with a strong culture of risk management and ethical business practices are less likely to experience potentially damaging operational risk events and are better placed to deal effectively with those events that do occur. The actions of the board and senior management, and policies, processes and systems provide the foundation for a sound risk management culture.
23. Senior management should ensure that an appropriate level of operational risk training is available at all levels throughout the organisation. Training that is provided should reflect the seniority, role and responsibilities of the individuals for whom it is intended.

Principle 2: Banks should develop, implement and maintain a Framework that is fully integrated into the bank's overall risk management processes. The Framework for operational risk management chosen by an individual bank will depend on a range of factors, including its nature, size, complexity and risk profile.

24. The fundamental premise of sound risk management is that the board of directors and bank management understand the nature and complexity of the risks inherent in the portfolio of bank products, services and activities. This is particularly important for operational risk, given that operational risk is inherent in all business products, activities, processes and systems.

25. A vital means of understanding the nature and complexity of operational risk is to have the components of the Framework fully integrated into the overall risk management processes of the bank. The Framework should be appropriately integrated into the risk management processes across all levels of the organisation including those at the group and business line levels, as well as into new business initiatives' products, activities, processes and systems. In addition, results of the bank's operational risk assessment should be incorporated into the overall bank business strategy development processes.

26. The Framework should be comprehensively and appropriately documented in board of directors approved policies and should include definitions of operational risk and operational loss. Banks that do not adequately describe and classify operational risk and loss exposure may significantly reduce the effectiveness of their Framework.

27. Framework documentation should clearly:

a. identify the governance structures used to manage operational risk, including reporting lines and accountabilities;
b. describe the risk assessment tools and how they are used;
d. describe the bank's approach to establishing and monitoring thresholds or limits for inherent and residual risk exposure;
e. establish risk reporting and Management Information Systems (MIS);
f. provide for a common taxonomy of operational risk terms to ensure consistency of risk identification, exposure rating and risk management objectives14;
g. provide for appropriate independent review and assessment of operational risk; and
h. require the policies to be reviewed whenever a material change in the operational risk profile of the bank occurs, and revised as appropriate.

1.5 GOVERNANCE

The Board of Directors

Principle 3: The board of directors should establish, approve and periodically review the Framework. The board of directors should oversee senior management to ensure that the policies, processes and systems are implemented effectively at all decision levels.

28. The board of directors should:

a. establish a management culture, and supporting processes, to understand the nature and scope of the operational risk inherent in the bank's strategies and activities, and develop comprehensive, dynamic oversight and control environments that are fully integrated into or coordinated with the overall framework for managing all risks across the enterprise;
b. provide senior management with clear guidance and direction regarding the principles underlying the Framework and approve the corresponding policies developed by senior management;
c. regularly review the Framework to ensure that the bank has identified and is managing the operational risk arising from external market changes and other environmental factors,
as well as those operational risks associated with new products, activities, processes or systems, including changes in risk profiles and priorities (e.g., changing business volumes);
d. ensure that the bank's Framework is subject to effective

Senior Management

Principle 5: Senior management should develop for approval by the board of directors a clear, effective and robust governance structure with well defined, transparent and consistent lines of responsibility. Senior management is responsible for consistently implementing and maintaining throughout the organisation policies, processes and systems

36. Senior management should ensure that bank activities are conducted by staff with the necessary experience, technical capabilities and access to resources. Staff responsible for monitoring and enforcing compliance with the institution's risk policy should have authority independent from the units they oversee.

37. A bank's governance structure should be commensurate with the nature, size, complexity and risk profile of its activities.

15 See the Committee's 2006 International Convergence of Capital Measurement and Capital Standards: A Revised Framework—Comprehensive Version; paragraph 718(xci).
a. Committee structure—Sound industry practice for larger and more complex organisations with a central group function and separate business units is to utilise a board-created enterprise level risk committee for overseeing all risks, to which a management level operational risk committee reports. Depending on the nature, size and complexity of the bank, the enterprise level risk committee may receive input from operational risk committees by country, business or functional area. Smaller and less complex organisations may utilise a flatter organisational structure that oversees operational risk directly within the board's risk management committee;
b. Committee composition—Sound industry practice is for operational risk committees (or the risk committee in smaller banks) to include a combination of members with expertise in business activities and financial, as well as independent risk management. Committee membership can also include independent non-executive board members, which is a requirement in some jurisdictions; and
c. Committee operation—Committee meetings should be held at appropriate frequencies with adequate time and resources to permit productive discussion and decision-making. Records of committee operations should be adequate to permit review and evaluation of committee effectiveness.

1.6 RISK MANAGEMENT ENVIRONMENT

Identification and Assessment

Principle 6: Senior management should ensure the identification and assessment of the operational risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood.

38. Risk identification and assessment are fundamental characteristics of an effective operational risk management system.

39. Examples of tools that may be used for identifying and assessing operational risk include:

a. Audit Findings: While audit findings primarily focus on control weaknesses and vulnerabilities, they can also provide insight into inherent risk due to internal or external factors.
b. Internal Loss Data Collection and Analysis: Internal operational loss data provides meaningful information for assessing a bank's exposure to operational risk and the effectiveness of internal controls. Analysis of loss events can provide insight into the causes of large losses and information on whether control failures are isolated or systematic.18 Banks may also find it useful to capture and monitor operational risk contributions to credit and market risk related losses in order to obtain a more complete view of their operational risk exposure;
c. External Data Collection and Analysis: External data elements consist of gross operational loss amounts, dates, recoveries, and relevant causal information for operational loss events occurring at organisations other than the bank. External loss data can be compared with internal loss data, or used to explore possible weaknesses in the control environment or consider previously unidentified risk exposures;
d. Risk Assessments: In a risk assessment, often referred to as a Risk Self Assessment (RSA), a bank assesses the processes underlying its operations against a library of potential threats and vulnerabilities and considers their potential impact. A similar approach, Risk Control Self Assessments (RCSA), typically evaluates inherent risk (the risk before controls are considered), the effectiveness of the control environment, and residual risk (the risk exposure after controls are considered). Scorecards build on RCSAs by weighting residual risks to provide a means of translating the RCSA output into metrics that give a relative ranking of the control environment;
e. Business Process Mapping: Business process mappings identify the key steps in business processes, activities and organisational functions. They also identify the key risk points in the overall business process. Process maps can

16 For example, the bank's structure, the nature of the bank's activities, the quality of the bank's human resources, organisational changes and employee turnover.

17 For example, changes in the broader environment and the industry and advances in technology.

18 Mapping internal loss data, particularly in larger banks, to the Level 1 business lines and loss event types defined in Annexes 8 and 9 of the 2006 Basel II document can facilitate comparison with external loss data.
f. Risk and Performance Indicators: Risk and performance indicators are risk metrics and/or statistics that provide insight into a bank's risk exposure. Risk indicators, often referred to as Key Risk Indicators (KRIs), are used to monitor the main drivers of exposure associated with key risks. Performance indicators, often referred to as Key Performance Indicators (KPIs), provide insight into the status of operational processes, which may in turn provide insight into operational weaknesses, failures, and potential loss. Risk and performance indicators are often paired with escalation triggers to warn when risk levels approach or exceed thresholds or limits and prompt mitigation plans;
g. Scenario Analysis: Scenario analysis is a process of obtaining expert opinion of business line and risk managers to identify potential operational risk events and assess their potential outcome. Scenario analysis is an effective tool to consider potential sources of significant operational risk and the need for additional risk management controls or mitigation solutions. Given the subjectivity of the scenario process, a robust governance framework is essential to ensure the integrity and consistency of the process;
h. Measurement: Larger banks may find it useful to quantify their exposure to operational risk by using the output of the risk assessment tools as inputs into a model that estimates operational risk exposure. The results of the model can be used in an economic capital process and can be allocated to business lines to link risk and return; and
i. Comparative Analysis: Comparative analysis consists of comparing the results of the various assessment tools to provide a more comprehensive view of the bank's operational risk profile. For example, comparison of the fre

that are geographically distant from the head office. Moreover, the level of risk may escalate when new products, activities, processes, or systems transition from an introductory level to a level that represents material sources of revenue or business-critical operations. A bank should ensure that its risk management control infrastructure is appropriate at inception and that it keeps pace with the rate of growth of, or changes to, products, activities, processes and systems.

42. A bank should have policies and procedures that address the process for review and approval of new products, activities, processes and systems. The review and approval process should consider:

a. inherent risks in the new product, service, or activity;
b. changes to the bank's operational risk profile and appetite and tolerance, including the risk of existing products or activities;
c. the necessary controls, risk management processes, and risk mitigation strategies;
d. the residual risk;
e. changes to relevant risk thresholds or limits; and
f. the procedures and metrics to measure, monitor, and manage the risk of the new product or activity.

The approval process should also include ensuring that appropriate investment has been made for human resources and technology infrastructure before new products are introduced. The implementation of new products, activities, processes and systems should be monitored in order to identify any material differences to the expected operational risk profile, and to manage any unexpected risks.
Control and Mitigation

Principle 9: Banks should have a strong control environment that utilises policies, processes and systems; appropriate internal controls; and appropriate risk mitigation and/or transfer strategies.

47. Internal controls should be designed to provide reasonable assurance that a bank will have efficient and effective operations; safeguard its assets; produce reliable financial reports; and comply with applicable laws and regulations. A sound internal control programme consists of five components that are integral to the risk management process: control environment, risk assessment, control activities, information and communication, and monitoring activities.19

48. Control processes and procedures should include a system for ensuring compliance with policies. Examples of principal elements of a policy compliance assessment include:

a. top-level reviews of progress towards stated objectives;
b. verifying compliance with management controls;
c. safeguards for access to, and use of, bank assets and records;
d. appropriate staffing level and training to maintain expertise;
e. ongoing processes to identify business lines or products where returns appear to be out of line with reasonable expectations;20
f. regular verification and reconciliation of transactions and accounts; and
g. a vacation policy that provides for officers and employees being absent from their duties for a period of not less than two consecutive weeks.

51. Effective use and sound implementation of technology can contribute to the control environment. For example, automated processes are less prone to error than manual processes. However, automated processes introduce risks that must be addressed through sound technology governance and infrastructure risk management programmes.

52. The use of technology related products, activities, processes and delivery channels exposes a bank to strategic, operational,

19 The Committee's paper Framework for Internal Control Systems in Banking Organisations, September 1998, discusses internal controls in greater detail.

20 For example, where a supposedly low risk, low margin trading activity generates high returns that could call into question whether such returns have been achieved as a result of an internal control breach.
and reputational risks and the possibility of material financial loss. Consequently, a bank should have an integrated approach to identifying, measuring, monitoring and managing technology risks. Sound technology risk management uses the same precepts as operational risk management and includes:

a. governance and oversight controls that ensure technology, including outsourcing arrangements, is aligned with and supportive of the bank's business objectives;
b. policies and procedures that facilitate identification and assessment of risk;
c. establishment of a risk appetite and tolerance statement as well as performance expectations to assist in controlling and managing risk;
d. implementation of an effective control environment and the use of risk transfer strategies that mitigate risk; and
e. monitoring processes that test for compliance with policy thresholds or limits.

product offerings, and improve services, it also introduces risks that management should address. The board and senior management are responsible for understanding the operational risks associated with outsourcing arrangements and ensuring that effective risk management policies and practices are in place to manage the risk in outsourcing activities. Outsourcing policies and risk management activities should encompass:

a. procedures for determining whether and how activities can be outsourced;
b. processes for conducting due diligence in the selection of potential service providers;
c. sound structuring of the outsourcing arrangement, including ownership and confidentiality of data, as well as termination rights;
d. programmes for managing and monitoring the risks associated with the outsourcing arrangement, including the financial condition of the service provider;

23 Refer also to the Joint Forum's February 2005 paper Outsourcing in Financial Services.

24 See also the Committee's paper, Recognising the risk-mitigating impact of insurance in operational risk modelling, October 2010.
Learning Objectives

After completing this reading you should be able to:

Define enterprise risk management (ERM) and explain how implementing ERM practices and policies can create shareholder value, both at the macro and the micro level.

Explain how a company can determine its optimal amount of risk through the use of credit rating targets.

Describe the development and implementation of an ERM system, as well as challenges to the implementation of an ERM system.

Describe the role of and issues with correlation in risk aggregation, and describe typical properties of a firm's market risk, credit risk, and operational risk distributions.

Distinguish between regulatory and economic capital, and explain the use of economic capital in the corporate decision making process.

Excerpt is from Journal of Applied Corporate Finance 18, No. 4 (2006), by Brian W. Nocco and Rene M. Stulz*

* We are grateful for comments from Don Chew, Michael Hofmann, Joanne Lamm-Tennant, Tom O'Brien, Jerome Taillard, and William Wilt.
The past two decades have seen a dramatic change in the role of risk management in corporations. Twenty years ago, the job of the corporate risk manager—typically, a low-level position in the corporate treasury—involved mainly the purchase of insurance. At the same time, treasurers were responsible for the hedging of interest rate and foreign exchange exposures. Over the last ten years, however, corporate risk management has expanded well beyond insurance and the hedging of financial exposures to include a variety of other kinds of risk—notably operational risk, reputational risk, and, most recently, strategic risk. What's more, at a large and growing number of companies, the risk management function is directed by a senior executive with the title of chief risk officer (CRO) and overseen by a board of directors charged with monitoring risk measures and setting limits for these measures.

level. At the macro level, ERM creates value by enabling senior management to quantify and manage the risk-return trade-off that faces the entire firm. By adopting this perspective, ERM helps the firm maintain access to the capital markets and other resources necessary to implement its strategy and business plan.

At the micro level, ERM becomes a way of life for managers and employees at all levels of the company. Though the academic literature has concentrated mainly on the macro-level benefits of ERM, the micro-level benefits are extremely important in practice. As we argue below, a well-designed ERM system ensures that all material risks are "owned," and risk-return trade-offs carefully evaluated, by operating managers and employees throughout the firm.
debt capacity, it may be faced with the tough choice of cutting back on planned investments or raising equity in difficult circumstances and on expensive terms. If the cost of issuing equity is high enough, management may have little choice but to cut investment. And unlike the adjustment of market expectations in response to what proves to be a temporary cash shortfall, the loss in value from the firm having to pass up positive-NPV projects represents a permanent reduction in value.

For most companies, guarding against this corporate "underinvestment problem" is likely to be the most important reason to manage risk. By hedging or otherwise managing risk, a firm can limit (to an agreed-upon level) the probability that a large cash shortfall will lead to value-destroying cutbacks in investment. And it is in this sense that the main function of corporate risk management can be seen as protecting a company's ability to carry out its business plan.

But which risks should a company lay off and which should it retain? Corporate exposures to changes in currencies, interest rates, and commodity prices can often be hedged fairly inexpensively using derivatives such as forwards, futures, swaps, and options. For instance, a foreign exchange hedging program using forward contracts typically has very low transaction costs; and when the transfer of risk is inexpensive, there is a strong case for laying off economic risks that could otherwise undermine a company's ability to execute its strategic plan.

On the other hand, companies in the course of their normal activities take many strategic or business risks that they cannot profitably lay off in capital markets or other developed risk transfer markets. For instance, a company with a promising plan to expand its business typically cannot find an economic hedge—if indeed there is any hedge at all—for the business risks associated with pursuing such growth. The company's management presumably understands the risks of such expansion better than any insurance or derivatives provider—if they don't, the company probably shouldn't be undertaking the project. If the company were to seek a counterparty to bear such business risks, the costs of transferring such risks would likely be prohibitively high, since they would have to be high enough to compensate the counterparty for transacting with a better informed party and for constructing models to evaluate the risks they're being asked to hedge. For this reason, we should not be surprised that insurance companies do not offer insurance contracts that provide complete coverage for earnings shortfalls or that there is no market for derivatives for which the underlying is a company's earnings. The insured companies would be in a position not only to know more than the insurers about the distribution of their future earnings, but to manipulate that distribution to increase the payoffs from such insurance policies. A firm that entered into a derivatives contract with its earnings as the underlying would have a similar advantage over a derivatives dealer.

More generally, in making decisions whether to retain or transfer risks, companies should be guided by the principle of comparative advantage in risk-bearing.2 A company that has no special ability to forecast market variables has no comparative advantage in bearing the risk associated with those variables. In contrast, the same company should have a comparative advantage in bearing information-intensive, firm-specific business risks because it knows more about these risks than anybody else. For example, at Nationwide Insurance, exposures to changes in interest rates and equity markets are managed in strict ranges, with excess exposures reduced through asset repositioning or hedging. At the same time, Nationwide retains the vast majority of its insurance risks, a decision that reflects the firm's advantage relative to any potential risk transfer counterparty in terms of experience with and knowledge of such risks.

One important benefit of thinking in terms of comparative advantage is to reinforce the message that companies are in business to take strategic and business risks. The recognition that there are no economical ways of transferring risks that are unique to a company's business operations can serve to underscore the potential value of reducing the firm's exposure to other, "non-core" risks.3 Once management has decided that the firm has a comparative advantage in taking certain business risks, it should use risk management to help the firm make the most of this advantage. Which brings us to a paradox of risk management: By reducing non-core exposures, ERM effectively enables companies to take more strategic business risk—and greater advantage of the opportunities in their core business.

The Micro Benefits of ERM

As discussed above, an increase in total risk can end up reducing value by causing companies to pass up valuable projects or otherwise disrupting the normal operations of the firm. These costs associated with total risk should be accounted for when assessing the risk-return trade-off in all major new investments. If the company takes on a project that increases the firm's total risk, the project should be sufficiently profitable to provide an adequate return on capital after compensating for the costs associated with the increase in risk. This risk-return trade-off

2 For an extended treatment of this concept, see Rene Stulz, "Rethinking Risk Management," Journal of Applied Corporate Finance, Vol. 9 No. 3, Fall 1996.

3 For a discussion of core and non-core risks, see Robert Merton, "You Have More Capital Than You Think," Harvard Business Review (November, 2005).
16 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
recognizing that the costs associated with the cash shortfalls we discussed earlier would not exist if the firm had a larger buffer stock of equity capital invested in liquid assets. But carrying excess equity also, of course, has costs. For example, a recent study concludes that, for some companies (typically larger, mature companies), the last dollar of "excess" cash is valued by the market at as little as 60 cents.4

By reducing risk, a company can reduce the amount of expensive equity capital needed to support its operating risks. In this sense, risk management can be viewed as a substitute for equity capital, and an important part of the job of the CRO and top management is to evaluate the trade-off between more active risk management and holding a larger buffer stock of cash and equity.

As we saw earlier, for companies without a large buffer of excess equity, a sharp drop in cash flow and value can lead to financial distress and a further (permanent) loss of value from underinvestment. Let's define "financial distress" to be any situation where a company is likely to feel compelled to pass up positive net present value (NPV) activities.

Many companies identify a level of earnings or cash flow that they want to maintain under almost all circumstances (i.e., with an agreed-upon level of statistical confidence, say 95%, over a one-year period) and then design their risk management programs to ensure the firm achieves that minimum. For example, in the case described earlier of the firm with a $250 million shortfall, management may want to explore steps that would ensure that the firm almost never loses more than, say, $100 million in a year, since that may be the point where management begins to feel pressure to cut projects. But, as the mention of statistical confidence intervals suggests, a company cannot—nor should it attempt to—guarantee that its cash and earnings will never fall below the level it's aiming to protect. As long as a company operates in a business that promises more than the risk-free rate, there will be some risk of falling into financial distress.

What management can accomplish through an ERM program, then, is not to minimize or eliminate, but rather to limit, the probability of distress to a level that management and the board agrees is likely to maximize firm value. Minimizing the probability of distress, which could be achieved by investing most of the firm's capital in Treasury bills, is clearly not in the interests of shareholders. Management's job is rather to optimize the firm's risk portfolio by trading off the probability of large shortfalls and the associated costs with the expected gains from taking or retaining risks.

Let's refer to this targeted minimal level of resources (which can be formulated in terms of cash flow, capital, or market value) as the company's financial distress "threshold." Many companies use bond ratings to define this threshold. For example, management may conclude that the firm would have to start giving up valuable projects if its rating falls to Baa. In that case, it would adopt a financial and risk management policy that aims to limit to an acceptably low level the probability that the firm's rating will fall to Baa or lower. Given a firm's current rating—and let's assume it is Aa—it is straightforward to use data supplied by the rating agencies to estimate the average probability that the firm's rating will fall to Baa or lower. A study by Moody's using data from 1920 to 2005 shows that the probability of a company with an Aa rating having its rating drop to Baa or lower within a year's time is 1.05%, on average.5

Whether such a probability is acceptable is for top management and the board to decide. For a company with many valuable growth opportunities, even just a 1% chance of having to forgo such investments may be too risky. By contrast, a basic manufacturing firm with few growth opportunities is likely to be better off making aggressive use of leverage, maximizing the tax benefits of debt, and returning excess funds to shareholders. For such a firm, the costs associated with financial trouble would be relatively low, at least as a percentage of total value.

For financial companies like Nationwide, however, there is another important consideration when evaluating the costs of financial distress that is specific to financial institutions: financial trouble has an adverse impact on liabilities like bank deposits and insurance contracts that constitute an important source of the value of banks and insurance companies.6 Because such liabilities are very credit-sensitive, these financial institutions generally aim to maximize their value by targeting a much lower probability of distress than the typical industrial firm.

Let's suppose for the moment that a rating is a completely reliable and sufficient measure of the probability that a company will default—an assumption we will reexamine later. And let's consider a company that would have to start giving up valuable

4 By contrast, for riskier companies with lots of growth opportunities, the same dollar can be worth as much as $1.50. See Lee Pinkowitz and Rohan Williamson, "What Is the Market Value of a Dollar of Cash Holdings?," Georgetown University working paper.

5 Moody's Default and Recovery Rates of Corporate Bond Issuers, 1920-2005, March 2006. We compute probabilities that assume that the rating is not withdrawn.

6 See Merton, Robert C., 1993, "Operation and Regulation in Financial Intermediation: A Functional Perspective," in Operation and Regulation of Financial Markets, edited by P. Englund. Stockholm: The Economic Council.
[Table 2.1: Average one-year rating transition matrix, 1920-2005, conditional upon no rating withdrawal. Rows: rating at the beginning of the year; columns: rating at the end of the year ("Rating To"). Source: Moody's Default and Recovery Rates of Corporate Bond Issuers, 1920-2005, March 2006.]

projects if its rating fell to Baa or below (that is, Baa would serve as its financial distress threshold). Assume also that management and the board have determined that, for this kind of business, the optimal level of risk is one where the probability of encountering financial distress is 7% over a one-year period. Such an optimal level of risk would be determined by comparing the costs associated with financial distress and the benefits of having a more levered capital structure and taking on riskier projects.

To the extent that ratings are reliable proxies for financial health, companies can use a rating agency "transition matrix" to estimate the amount of capital necessary to support a given level of risk. The transition matrix shown in Table 2.1 can be used to identify the frequency with which companies moved from one rating to another over a certain period (in this case, 1920 to 2005).7 For any rating at the beginning of the year (listed in the left-hand column of the table), the column of numbers running down from the heading "Baa" tells us the probability that a company will end up with a Baa rating at the end of the year.

Again, let's assume management wants the probability of its rating falling to Baa or lower over the next year to average around 7%. To determine the probability of a downgrade to or lower than Baa for a given initial rating, we add up the probabilities of ending with a rating equal to or lower than Baa along the row that corresponds to the initial rating. The row where the probabilities of ending at Baa or lower is closest to 7% is the one corresponding to an A rating. Consequently, by targeting an A rating, management would achieve the probability of financial distress that is optimal for the firm.

In practice, however, the process of determining a target rating can involve more considerations, which makes it more complicated. For example, Nationwide analyzes and manages both its probability of default and its probability of downgrade, and it does so in separate but related frameworks. The company's optimal probability of default is anchored to its target Aa ratings and reflects the default history of Aa-rated bonds. By contrast, the probability of downgrade to Baa or below is assumed to be affected by, and is accordingly managed by limiting, risk concentrations such as those arising from natural catastrophes and equity markets.

In the example above, the company is assumed to maximize value by targeting a rating of A. As we noted earlier, equity capital provides a buffer or shock absorber that helps the firm to avoid default. For a given firm, a different probability of default corresponds to each level of equity, so that by choosing a given level of equity, management is also effectively choosing a probability of default that it believes to be optimal.

As can be seen in Table 2.1, an A rating is associated with a probability of default of 0.08% over a one-year period. Thus, to achieve an A rating, the company in our example must have the level of (equity) capital that makes its probability of default equal to 0.08%. If we make the assumption that the value of a company's equity falls to a level not materially different from zero in the event of default, we can use the probability of default to "back out" the amount of equity the firm needs to support its current level of risk.

Although the probability of default is in fact a complicated function of a number of firm characteristics, not just the amount of equity, the analytical process that leads from the probability of default to the required amount of capital is straightforward.

7 See footnote 2.
To see this, suppose that the company becomes bankrupt if firm value at the end of the fiscal year falls below a default threshold level, which is a function of the composition and amount of the firm's debt.8 Given this assumption, the firm needs the amount of equity capital that will make the probability of its value falling below the default threshold level equal to 0.08% (or alternatively, the amount that will ensure that its value will not fall below the default threshold level with a probability of 99.92%).

3. Management determines the optimal combination of capital and risk that is expected to yield its target rating. For a given amount of capital, management can alter its risk through hedging and project selection. Alternatively, for

10 For banks, the definition of operational risk that prevails in the Basel II accord is much narrower; for instance, it ignores the reputational risks that are today a major concern of many financial institutions. As a result, for banks, there will be a tension between the measurement of operational risk for regulatory purposes and from the perspective of ERM.
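The two procedures just described, summing a transition-matrix row from the Baa column rightwards to get the downgrade probability and then backing the required equity out of the target default probability, as an added example that is not part of the original article. The matrix values are constructed for illustration (they are not the Moody's figures of Table 2.1, though they are chosen so the 1.05%, 7% and 0.08% quoted in the text hold), the firm-value model assumes a normally distributed year-end value, which the authors would not accept for fat-tailed risks, and the multi-year function generalises beyond the text's one-year horizon.

```python
from math import erf, sqrt

# Rating scale used by the constructed matrix, best to worst; "Default" is absorbing.
RATINGS = ["Aaa", "Aa", "A", "Baa", "Ba", "B", "Caa-C", "Default"]

# CONSTRUCTED one-year transition matrix (percent). Rows are the rating at the
# start of the year, columns the rating at year end. Illustrative numbers only,
# not the Moody's 1920-2005 figures of Table 2.1; they are chosen so that the
# statistics quoted in the text hold (Aa -> Baa or lower = 1.05%,
# A -> Baa or lower = 7%, A -> default = 0.08%).
TRANSITION = {
    "Aaa":     [91.00,  8.00,  0.80,  0.15,  0.03,  0.01,  0.01,   0.00],
    "Aa":      [ 1.20, 90.00,  7.75,  0.80,  0.15,  0.05,  0.03,   0.02],
    "A":       [ 0.10,  2.80, 90.10,  6.00,  0.70,  0.15,  0.07,   0.08],
    "Baa":     [ 0.05,  0.30,  5.00, 87.50,  5.50,  1.10,  0.25,   0.30],
    "Ba":      [ 0.01,  0.05,  0.50,  6.00, 83.00,  8.00,  1.00,   1.44],
    "B":       [ 0.00,  0.03,  0.15,  0.60,  6.50, 81.00,  6.00,   5.72],
    "Caa-C":   [ 0.00,  0.00,  0.05,  0.30,  1.50,  8.00, 70.00,  20.15],
    "Default": [ 0.00,  0.00,  0.00,  0.00,  0.00,  0.00,  0.00, 100.00],
}


def validate(matrix, tol=1e-6):
    """Every row must sum to 100% (the matrix is conditional on no withdrawal)."""
    for rating, row in matrix.items():
        if len(row) != len(RATINGS) or abs(sum(row) - 100.0) > tol:
            raise ValueError(f"row {rating} does not sum to 100%")
    return True


def prob_at_or_below(matrix, start, threshold="Baa"):
    """Probability (percent) of ending the year at `threshold` or any lower rating:
    the row sum from the threshold column rightwards, default included."""
    first = RATINGS.index(threshold)
    return round(sum(matrix[start][first:]), 6)


def default_probability(matrix, start):
    """One-year probability of default (percent): the last column of the row."""
    return matrix[start][RATINGS.index("Default")]


def rating_closest_to(matrix, target_pct, threshold="Baa"):
    """The initial rating whose downgrade-to-threshold probability is closest to
    the level management has decided is optimal (7% in the text)."""
    candidates = [r for r in RATINGS if r != "Default"]
    return min(candidates,
               key=lambda r: abs(prob_at_or_below(matrix, r, threshold) - target_pct))


def multi_year(matrix, years):
    """Generalisation beyond the text: the `years`-year matrix is the one-year
    matrix raised to that power (Markov assumption; result in percent)."""
    n = len(RATINGS)
    p = [[matrix[r][j] / 100.0 for j in range(n)] for r in RATINGS]
    result = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for _ in range(years):
        result = [[sum(result[i][k] * p[k][j] for k in range(n)) for j in range(n)]
                  for i in range(n)]
    return {r: [round(100.0 * x, 6) for x in result[i]] for i, r in enumerate(RATINGS)}


def normal_cdf(x):
    return 0.5 * (1.0 + erf(x / sqrt(2.0)))


def probability_of_default(debt, equity, mu, sigma):
    """Assumed firm-value model (ours, not the authors'): year-end value is
    (debt + equity) * (1 + r) with r ~ Normal(mu, sigma); the firm defaults
    when that value falls below the debt, which acts as the default threshold."""
    cutoff = debt / (debt + equity) - 1.0   # return that leaves just enough to cover debt
    return normal_cdf((cutoff - mu) / sigma)


def required_equity(debt, mu, sigma, target_pd, tol=1e-12):
    """Back out the equity that makes P(default) equal the target (0.0008 for the
    A rating in the text) by bisection: P(default) falls as equity rises."""
    lo, hi = 0.0, 1000.0 * debt
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if probability_of_default(debt, mid, mu, sigma) > target_pd:
            lo = mid       # still too likely to default: more equity needed
        else:
            hi = mid
        if hi - lo < tol:
            break
    return 0.5 * (lo + hi)


if __name__ == "__main__":
    validate(TRANSITION)
    for r in RATINGS[:-1]:
        print(f"{r:8s} Baa-or-lower {prob_at_or_below(TRANSITION, r):6.2f}%  "
              f"default {default_probability(TRANSITION, r):6.2f}%")
    print("rating closest to a 7% distress probability:", rating_closest_to(TRANSITION, 7.0))
    e = required_equity(900.0, 0.05, 0.20, 0.0008)   # constructed: $900M debt
    print(f"equity for a 0.08% default probability: ${e:,.0f}M")
```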
portfolio—as well as their liability side, such companies generally use a different typology. Nationwide Insurance regularly measures and monitors its asset, liability, operating, liquidity, and strategic risks—and it considers reputational risks in the context of each of these risks and of its overall business. (Market and credit risks are both treated as parts of asset risks.)

Having identified all of the company's major risks, management must then find a consistent way to measure the firm's exposure to these risks—a common approach that can be used to identify and quantify all the firm's significant exposures. Without such a method, exposure to the same risk could have different effects on the performance evaluation and decision-making of different business units and activities. The resulting possibility that identically risky activities would be allocated different amounts of capital would almost certainly create tension within the firm. Furthermore, risk would gradually migrate within the organization to those parts of the firm where it received the lowest risk rating and smallest capital allocation.

For an inventory of risks to be useful, the information possessed by people within the organization must be collected, made comparable, and continuously updated. Organizations that have grown through acquisitions or without centralized IT departments typically face the problem of incompatible computer systems. Companies must be able to aggregate common risks across all of their businesses to analyze and manage those risks effectively.

Nationwide employs both a top-down and a bottom-up process of risk identification. From a top-down perspective, the company's ERM leadership and corporate level risk committee have identified all risks that are large enough in aggregate to threaten the firm with financial distress in an adverse environment. The bottom-up process involves individual business units and functional areas conducting risk-control self assessments designed to identify all material local-level risks. The goal is to identify all important risks, quantify them using a consistent approach, and then aggregate individual risk exposures across the entire organization to produce a firm-wide risk profile that takes account of correlations among risk. For example, Nationwide analyzes and establishes aggregate limits for the equity risk stemming from three main sources: (1) the stock holdings in its property and casualty insurance investment portfolio; (2) the fee levels that are tied to equity values in the variable annuity and insurance contracts of its life insurance business; and (3) the asset management fees that are tied to equity values in its investment management business.

Corporate failures to conduct thorough "inventories" of their risks on a regular basis have been responsible for a striking number of major corporate disasters over the last 20 years. Business units often resist such monitoring efforts because they are time-consuming and distract from other activities. A well-known example of such resistance that ultimately created massive problems for the old UBS took place when the firm attempted to include its equity derivatives desk into its risk measurement system. Because the equity derivatives desk used a different computer system, such an undertaking would have required major changes in the way the desk did its business. But since the desk was highly profitable, it was allowed to stay outside the system. Eventually, the operation incurred massive losses that fundamentally weakened the bank and led it to seek a merger.11

Economic Value versus Accounting Performance

Although credit ratings are a useful device for helping a company think about its risk appetite, management should also recognize the limitations of ratings as a guide to a value-maximizing risk management and capital structure policy. Because of the extent of their reliance on "accounting" ratios as well as analysts' subjective judgment, credit ratings are often not the most reliable estimates of a firm's probability of default. For example, a company might feel confident that the underlying economics of its risk management and capital structure give it a probability of default that warrants an A rating, but find itself assigned a Baa rating—perhaps because of a mechanical application of misleading accounting-based criteria—by the agencies. In such cases, management should rely on its own economics-based analysis, while making every effort to share its thinking with the agencies.

But having said this, if maintaining a certain rating is deemed to be critical to the success of the organization, then setting capital at a level that achieves the probability of default of the targeted rating may not be enough. Management may also have to target some accounting-based ratios that are important determinants of ratings as well.

This question of economic or value-based management vs. accounting-based decision-making raises a fundamental question of risk management: What is the shortfall that management should be concerned about? Is it a shortfall in cash flow or in earnings? Is it a drop in a company's GAAP net worth or a market-based measure of firm value?

If the company is managing its probability of default, it should obviously focus on the measure that is most directly linked to that outcome. For example, an unexpected drop in this year's cash flow may not be a problem for a company if its future cash

11 See Dirk Schutz, La Chute de l'UBS, Bilan, 1998.
[Figure: loss distributions for Market Risk and Operational Risk, with loss on the horizontal axis.]

risk, such an approach is not appropriate for credit and operational risks because these risks have fat tails.

When aggregating the risks, one must also estimate their correlations. The probability of experiencing simultaneously highly adverse market, credit, and operational outcomes is typically very low. This means that there is diversification across risk categories, and that the firm-wide VaR is thus less than the sum of the market risk, credit risk, and operational risk VaRs. How much less depends on the correlation between these risks. The estimation of the correlations between certain types of risks is at present more art than science. For this reason, many companies choose to use averages of correlations used by other firms in their industry rather than relying on their own estimates.13 But regardless of whether they use their own or other firms' correlation measures, companies should keep in mind the tendency for correlations to increase in highly stressed environments.

One important issue in estimating correlations across types of risks is the importance of recognizing that such correlations depend to some extent on the actions of the company. For example, the total risk of an insurance company depends on the correlation between its asset risk and its liability risk. By changing its asset allocations, the company can modify the correlation between its asset risk and its liability risk. As a consequence, an insurance company's asset portfolio allocations can be an essential part of its risk management effort. For example, Nationwide Insurance uses a sophisticated asset/liability model to create an efficient frontier of investment portfolios. The actual target portfolio selected takes into consideration the firm's tolerance for interest rate, equity market, and other risks as well as the opportunity for expected economic value creation.

13 For data on correlations used in practice for financial institutions, see Andrew Kuritzkes, Til Schuermann, and Scott M. Weiner, "Risk Measurement, Risk Management and Capital Adequacy in Financial Conglomerates," Brookings-Wharton Papers on Financial Services, 2003, pp. 141-193.
limitations and to complement its use with other risk measures. Perhaps the main problem is that while VaR measures the loss that is expected to be exceeded with a specified probability, it says nothing about the expected size of the loss in the event that VaR is exceeded. Some have argued that companies should instead focus on the expected loss if VaR is exceeded. But focusing on this risk measure, which is often called conditional VaR, instead of focusing on VaR has little economic justification in the context of firm-wide risk management. Setting the company's capital at a level equal to the conditional VaR would provide the firm with a lower probability of default than the targeted level, leading to an excessively conservative capital structure.

But a more important reason for companies to look beyond a VaR measure estimated at the probability level corresponding to a default threshold is that ERM adds value by optimizing the probability and expected costs of financial distress. It is therefore critical for companies to make sure that the equity capital set based on a VaR estimate leads to the targeted optimal probabil

to a downgrade to Baa can be estimated more precisely. Over that much narrower range of possible outcomes, the problems created by "asymmetries" in the distribution of firm value changes and the so-called "fat tail" problems (where extreme negative outcomes are more likely than predicted by common statistical distributions) are not likely to be as severe. In such cases, management may have greater confidence in its estimates of the distribution of value changes corresponding to a downgrade rather than a default and will be justified in focusing on managing the probability of a downgrade.

As discussed previously, it is also important to understand and take account of risk correlations when analyzing and managing default and distress probabilities. Nationwide Insurance incorporates in its economic capital model a correlation matrix that reflects sensitivity-tested stress correlations. It is also now in the process of exploring event-driven correlation analysis for scenarios that include terrorist attacks, mega hurricanes, and pandemics.
potential competitors of the firm face the same onerous regulatory capital requirements, the capital the firm has to hold that is not justified on economic grounds is simply a regulatory tax. If some potential competitors could provide the firm's products without being subjected to the same regulatory capital, these less regulated competitors could offer the products at a lower price and the firm would risk losing business to them. In this case, the firm would have to factor in the cost of regulatory capital of its various activities and would want to grow its portfolio of activities in a way that requires less regulatory capital.

Regulatory capital is generally defined in terms of regulatory accounting. For purposes of an ERM system, companies focus on GAAP and economic capital. An exclusive focus on accounting capital is mistaken when accounting capital does not accurately reflect the buffer stock of equity available to the firm. The firm may have valuable assets that, although not marked to market on its books, could be sold or borrowed against. In such cases, the firm's book equity capital understates the buffer stock available to it that could be used to avoid default.

Thus, in assessing the level of a company's buffer of capital, this suggests that the amount of its GAAP equity capital is only part of the story. The composition and liquidity of the assets matters as well. If the firm incurs a large loss and has no liquid assets it can use to "finance" it, the fact that it has a large buffer stock of book equity will not be very helpful. For this reason, many companies now do separate evaluations of their liquidity and the amount of equity capital they require. As the practice of ERM evolves, we would expect such companies to pay more attention to the relation between the optimal amount of equity and the liquidity of their assets.

Using Economic Capital to Make Decisions

As we saw earlier, if companies could simply stockpile equity capital at no cost, there would be no deadweight costs associated with adverse outcomes. Management could use its liquid assets to finance the losses, and the bad outcome would have no effect on the firm's investment policy. But in the real world, there are significant costs associated with carrying too much equity. If the market perceives that a company has more equity than it needs to support the risk of the business, it will reduce the firm's value to reflect management's failure to earn the cost of capital on that excess capital.

When a company undertakes a new risky activity, the probability that it will experience financial distress increases, thus raising the expected costs of financial distress. One way to avoid these additional costs is by raising enough additional capital so that taking on the new risky activity has no effect on the probability of financial distress. Consequently, the most straightforward way to estimate the cost of the impact of a new risky activity on the firm's total risk is to evaluate how much incremental capital would be necessary to ensure that the new risky activity has no impact on the firm's probability of financial distress.

To illustrate, suppose that before the company takes on the new activity, the VaR estimate used to set the firm's capital is $5 billion. Now, with the new activity, this VaR estimate increases to $5.1 billion. Thus, for the firm to have the same probability of financial distress as it had before it undertook the new risky activity, it would need to raise capital of $100 million. Moreover, this capital would have to be invested in such a way that the investment does not increase the risk of the firm, since otherwise the VaR of the firm would further increase. If the risky new activity is expected to last one year, and the cost to the firm of having this additional $100 million available for one year is estimated to be $8 million, then the economic value added of the new activity should be reduced by $8 million. If the firm ignores this cost, it effectively subsidizes the new risky activity. To the extent that riskier activities have higher expected payoffs before taking into account their contribution to the firm's probability of financial distress, a firm that ignores the impact of project risks on firm-wide risk ends up favoring riskier projects over less risky ones.

Though the example just discussed is straightforward, the implementation of this idea in practice faces several difficulties. A company is a collection of risky projects. At any time, a project's contribution to the firm's total risk depends on the risk of the other projects and their correlations. When business units are asked to make decisions that take into account the contribution of a project to firm-wide risk, they must have enough information when making the decision to know how to evaluate that contribution. They cannot be told that the contribution will depend on everything else that is going to happen within the firm over the next year, and then have a risk charge assigned to their unit after the fact.

Many companies sidestep this issue and ignore correlations altogether when they set capital. In that case, the capital required to support a project would be set so that the project receives no benefit from diversification, and the contribution of the project to firm-wide risk would then be the VaR of the project itself. To account for diversification benefits under this system, the firm would reduce the cost of equity. But when evaluating the performance of a business unit, the VaR of the business unit would be used to assess the contribution of the unit to the firm's risk and the units would effectively get no credit for diversification benefits.

When decentralizing the risk-return trade-off, the company has to enable the managers of its business units to determine the capital that has to be allocated to a project to keep the risk of
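The incremental-capital arithmetic above (the extra capital that leaves the probability of distress unchanged, its carrying cost deducted from economic value added, and the stand-alone versus diversified treatment of a project's risk), as an added example that is not the authors' or Nationwide's code. It assumes that risk-type VaRs combine like standard deviations under a correlation matrix, a simplification the text itself cautions against for fat-tailed credit and operational risk, and every dollar input other than the $5.0bn, $5.1bn, $100M and $8M of the text is constructed.

```python
from math import sqrt

# Simplifying assumption (ours, not the authors'): VaR_firm^2 = sum over risk
# pairs of rho_ij * VaR_i * VaR_j, as if VaRs were standard deviations. The text
# notes that credit and operational losses have fat tails, so this illustrates
# the diversification arithmetic rather than serving as a capital model.


def aggregate_var(standalone, corr):
    """Firm-wide VaR from stand-alone VaRs (dict name -> $M) and a correlation
    dict keyed by frozenset({a, b}); pairs not listed are treated as uncorrelated."""
    names = list(standalone)
    total = 0.0
    for a in names:
        for b in names:
            rho = 1.0 if a == b else corr.get(frozenset({a, b}), 0.0)
            total += rho * standalone[a] * standalone[b]
    return sqrt(total)


def diversification_benefit(standalone, corr):
    """How much lower firm-wide VaR is than the simple sum of stand-alone VaRs."""
    return sum(standalone.values()) - aggregate_var(standalone, corr)


def incremental_capital(var_before, var_after):
    """Capital to raise so the new activity leaves the probability of distress
    unchanged: the rise in the VaR used to set capital ($5.0bn -> $5.1bn in the text)."""
    return var_after - var_before


def capital_charge(extra_capital, annual_cost_rate, years=1.0):
    """Cost of having the extra capital available, which is the amount by which the
    activity's economic value added must be reduced (8% of $100M for one year = $8M)."""
    return extra_capital * annual_cost_rate * years


def marginal_capital_of(activity, standalone, corr, new_var, new_corr):
    """Incremental firm-wide capital for adding `activity`, beside the stand-alone
    VaR that a firm ignoring correlations would charge it with instead."""
    before = aggregate_var(standalone, corr)
    after_standalone = dict(standalone, **{activity: new_var})
    after_corr = dict(corr)
    for other, rho in new_corr.items():
        after_corr[frozenset({activity, other})] = rho
    after = aggregate_var(after_standalone, after_corr)
    return {"marginal": after - before, "standalone": new_var}


def rank_projects(projects, annual_cost_rate):
    """Rank candidate projects by EVA net of the charge for their marginal capital.
    `projects` maps name -> (eva_before_charge, marginal_capital). Without the
    charge the riskier project can look better; with it the ranking can flip."""
    net = {name: eva - capital_charge(cap, annual_cost_rate)
           for name, (eva, cap) in projects.items()}
    return sorted(net, key=net.get, reverse=True), net


# Constructed inputs ($ millions): three risk types with 'normal' and 'stressed'
# correlations (the text notes correlations rise in stressed environments), and a
# candidate activity with a stand-alone VaR of $400M correlated 0.3 with each.
STANDALONE = {"market": 3000.0, "credit": 3000.0, "operational": 1000.0}
NORMAL_CORR = {frozenset({"market", "credit"}): 0.5}
STRESSED_CORR = {frozenset({"market", "credit"}): 0.8,
                 frozenset({"market", "operational"}): 0.8,
                 frozenset({"credit", "operational"}): 0.8}
NEW_ACTIVITY_CORR = {"market": 0.3, "credit": 0.3, "operational": 0.3}

if __name__ == "__main__":
    print("sum of stand-alone VaRs:        ", sum(STANDALONE.values()))
    print("firm VaR, normal correlations:  ", round(aggregate_var(STANDALONE, NORMAL_CORR), 1))
    print("firm VaR, stressed correlations:", round(aggregate_var(STANDALONE, STRESSED_CORR), 1))
    print("text example: extra capital", incremental_capital(5000.0, 5100.0),
          "charge", capital_charge(100.0, 0.08))
    print("new activity:", marginal_capital_of("new", STANDALONE, NORMAL_CORR,
                                               400.0, NEW_ACTIVITY_CORR))
    print("ranking with the charge:", rank_projects({"risky": (10.0, 100.0),
                                                      "safe": (6.0, 20.0)}, 0.08))
```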
sistent with their competitive operating environment.

The Governance of ERM

How does a company know that its ERM is succeeding? While one outcome of effective ERM should be a better estimate of expected value and better understanding of unexpected losses, ERM does not eliminate risk. Thus, extreme negative outcomes are still a possibility, and the effectiveness of ERM cannot be judged on whether such outcomes materialize. The role of ERM is to limit the probability of such outcomes to an agreed-upon, value-maximizing, level. But what if the probability of default is set at one in 1,000 years? Quite apart from whether this is indeed the value-maximizing choice, such a low probability means that there will be no obvious way to judge whether the CRO succeeded in managing risk so as to give the firm its target probability of default.

To evaluate the job of a CRO, the board and the CEO must attempt to determine how well the company's risk is understood and managed. A company where risk is well understood and well managed is one that can command the resources required to invest in the valuable projects available to it because it is

paid to measures of tail risk like VaR, it has become clear from attempts to implement ERM that a more complete understanding of the distribution of firm value is required. Though correlations between different types of risks are essential in measuring firm-wide risk, existing research provides little help in how to estimate these correlations. Companies also find that some of their most troubling risks—notably, reputational and strategic risks—are the most difficult to quantify. At this point, there is little research that helps practitioners in assessing these risks, but much to gain from having a better understanding of these risks even if they cannot be quantified reliably.

In sum, there has been considerable progress in the implementation of ERM, with the promise of major benefits for corporate shareholders. And, as this implementation improves with the help of academic research, these benefits can only be expected to grow.

Brian Nocco is the Chief Risk Officer of Nationwide Insurance. Rene Stulz is the Reese Chair of Banking and Monetary Economics at Ohio State University's Fisher School of Business and a research fellow at the NBER and at the European Corporate Governance Institute. He is also a member of the executive committee of the Global Association of Risk Professionals (GARP).
What Is ERM?

Learning Objectives

After completing this reading you should be able to:

• Describe Enterprise Risk Management (ERM) and compare and contrast differing definitions of ERM.
• Compare the benefits and costs of ERM and describe the motivations for a firm to adopt an ERM initiative.
• Describe the role and responsibilities of a chief risk officer (CRO) and assess how the CRO should interact with other senior management.
• Describe the key components of an ERM program.

Excerpt is Chapter 4 of Enterprise Risk Management: From Incentives to Controls, Second Edition, by James Lam.
27
Earlier, we reviewed the concepts and processes applicable to almost all of the risks that a company will face. We also argued that all risks can be thought of as a bell curve. Certainly, it is a prerequisite that a company develop an effective process for each of its significant risks. But it is not enough to build a separate process for each risk in isolation.

Risks are by their very nature dynamic, fluid, and highly interdependent. As such, they cannot be broken into separate components and managed independently. Enterprises operating in today's volatile environment require a much more integrated approach to managing their portfolio of risks.

This has not always been recognized. Traditionally, companies managed risk in organizational silos. Market, credit, and operational risks were treated separately and often dealt with by different individuals or functions within an institution. For example, credit experts evaluated the risk of default, mortgage specialists analyzed prepayment risk, traders were responsible for market risks, and actuaries handled liability, mortality, and other insurance-related risks. Corporate functions such as finance and audit handled other operational risks, and senior line managers addressed business risks.

However, it has become increasingly apparent that such a fragmented approach simply doesn't work, because risks are highly interdependent and cannot be segmented and managed by entirely independent units. The risks associated with most businesses are not one-to-one matches for the primary risks (market, credit, operational, and insurance) implied by most traditional organizational structures. Attempting to manage them as if they are is likely to prove inefficient and potentially dangerous. Risks can fall through the cracks, risk inter-dependencies and portfolio effects may not be captured, and organizational gaps and redundancies can result in suboptimal performance. For example, imagine that a company is about to launch a new product or business in a foreign country. Such an initiative would require:

across business units and functions, and provide overall risk monitoring for senior management and the board.

Nor is risk monitoring any more efficient under the silo approach. The problem is that individual risk functions measure and report their specific risks using different methodologies and formats. For example, the treasury function might report on interest rate and FX risk exposures, and use value-at-risk as its core risk measurement methodology. On the other hand, the credit function would report delinquencies and outstanding credit exposures, and measure such exposures in terms of outstanding balances, while the audit function would report outstanding audit items and assign some sort of audit score, and so on.

Senior management and the board get pieces of the puzzle, but not the whole picture. In many companies, the risk functions produce literally hundreds of pages of risk reports, month after month. Yet, oftentimes, they still don't manage to provide management and the board with useful risk information. A good acid test is to ask if the senior management knows the answers to the following basic questions:

• What are the company's top 10 risks?
• Are any of our business objectives at risk?
• Do we have key risk indicators that track our critical risk exposures against risk tolerance levels?
• What were the company's actual losses and incidents, and did we identify these risks in previous risk assessment reports?
• Are we in compliance with laws, regulations, and corporate risk policies?

If a company is uncertain about the answers to any of these questions, then it is likely to benefit from a more integrated approach to handling all aspects of risk—enterprise risk management (ERM).1
28 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
"ERM is a process, effected by an entity's board of company and rationalizes the use of derivatives, insurance, and
directors, m anagem ent, and other personnel, applied in alternative risk transfer products to hedge only the residual risk
strategy setting and across the enterprise, designed to deem ed undesirable by m anagem ent.
identify potential events that may affect the entity, and
Third, enterprise risk m anagem ent requires the integration of
manage risk to be within its appetite, to provide rea
risk m anagem ent into the business processes of a company.
sonable assurance regarding the achievem ent of entity
Rather than the defensive or control-oriented approaches used
objectives."
to manage downside risk and earnings volatility, enterprise risk
Another definition was established by the International O rgani m anagem ent optim izes business perform ance by supporting
zation of Standardization (ISO 31000): and influencing pricing, resource allocation, and other business
decisions. It is during this stage that risk m anagem ent becomes
Risk is the "effect of uncertainty on objectives" and risk
an offensive weapon for m anagem ent.
m anagem ent refers to "coordinated activities to direct
and control an organization with regard to risk." All this integration is not easy. For most companies, the implemen
tation of ERM implies a multi-year initiative that requires ongoing
W hile the C O S O and ISO definitions provide useful concepts
senior management sponsorship and sustained investments in
(e.g ., linkage to objectives), I think it is im portant that ERM is
human and technological resources. Ironically, the amount of time
defined as a value added function. Therefore, I would suggest
and resources dedicated to risk management is not necessarily
the following definition:
very different for leading and lagging organizations.
Risk is a variable that can cause deviation from an
The most crucial difference is this: leading organizations make
expected outcom e. ERM is a com prehensive and inte
rational investments in risk m anagem ent and are proactive, opti
grated fram ework for managing key risks in order to
mizing their risk profiles. Lagging organizations, on the other
achieve business objectives, minimize unexpected earn
hand, make disconnected investments and are reactive, fighting
ings volatility, and maximize firm value.
one crisis after another. The investments of the leading com pa
The lack of a standard ERM definition can cause confusion for a nies in risk m anagem ent are more than offset by improved effi
com pany looking to set up an ERM fram ework. No ERM defini ciency and reduced losses.
tion is perfect or applicable to every organization. My general
Let's discuss the three major benefits to ERM : increased organi
advice is for each organization to adopt an ERM definition and
zational effectiveness, better risk reporting, and improved busi
fram ework that best fit their business scope and com plexity.
ness perform ance.
Business Performance

Companies that adopt an ERM approach have experienced significant improvements in business performance. Figure 3.1 provides examples of reported benefits of ERM from a cross-section of companies. ERM supports key management decisions such as capital allocation, product development and pricing, and mergers and acquisitions. This leads to improvements such as reduced losses, lower earnings volatility, increased earnings, and improved shareholder value.

Figure 3.1 Examples of reported benefits of ERM

Benefit | Company type | Reported result
Market value improvement | Top money center bank | Outperformed S&P 500 banks by 58% in stock price performance
Early warning of risks | Large commercial bank | Assessment of top risks identified over 80% of future losses; global risk limits cut by one-third prior to Russian crisis
Loss reduction | Top asset-management company | 30% reduction in the loss ratio enterprise-wide; up to 80% reduction in losses at specific business units
Regulatory capital relief | Large international commercial and investment bank | $1 billion reduction of regulatory capital requirements, or about 8-10%
Risk transfer rationalization | Large property and casualty insurance company | $40 million in cost savings, or 13% of annual reinsurance premium
Insurance premium reduction | Large manufacturing company | 20-25% reduction in annual insurance premium

These improvements result from taking a portfolio view of all risks; managing the linkages between risk, capital, and profitability; and rationalizing the company's risk transfer strategies. The result is not just outright risk reduction: companies that understand the true risk/return economics of a business can take more of the profitable risks that make sense for the company and less of the ones that don't.

Despite all these benefits, many companies would balk at the prospect of a full-blown ERM initiative were it not for the

examinations, setting risk-based capital and compliance requirements, and reinforcing key roles for the board and senior management in the risk management process.

This introspection often leads to the emergence of a risk champion among the senior executives who will sponsor a major program to establish an enterprise risk management approach. As noted above, this risk champion is increasingly becoming a formalized senior management position—the chief risk officer, or CRO.

Aside from this, direct pressure also comes from influential stakeholders such as shareholders, employees, ratings agencies, and analysts. Not only do such stakeholders expect more earnings predictability, management have fewer excuses today for not providing it. Over the past few years, volatility-based models such as value-at-risk (VaR) and risk-adjusted return on capital (RAROC) have been applied to measure all types of market risk within an organization; their use is now spreading to credit risk, and even to operational risk. The increasing availability and liquidity of alternative risk transfer products—such as credit
derivatives and catastrophe bonds—also means that companies are no longer stuck with many of the unpalatable risks they previously had no choice but to hold. Overall, the availability of such tools makes it more difficult and less acceptable for companies to carry on with more primitive and inefficient alternatives. Managing risk is management's job.

3.3 THE CHIEF RISK OFFICER

The role of a chief risk officer has received a lot of attention within the risk management community, as well as from the finance and general management audiences. Articles on chief risk officers and ERM appear frequently in trade publications such as Risk Magazine and Risk and Insurance, but have also been covered in general publications such as CFO magazine, the Wall Street Journal, and even USA Today.

• • •

Today, the role of the CRO has been widely adopted in risk-intensive businesses such as financial institutions, energy firms, and non-financial corporations with significant investment activities and/or foreign operations. Today, I would estimate that as many as 80% of the biggest U.S. financial institutions have CROs.

The recent financial and economic meltdowns have increased the demand for comprehensive ERM frameworks. As an indication of this increased demand, executive management training programs in ERM are increasingly offered by leading business schools. For example, in November 2010, Harvard Business School implemented a five-day program designed to train CEOs, COOs, and CROs in managing risk as corporate leaders; there have been two other sessions to date, one in February 2012, and one just recently, in February 2013.2

Typical reports to the CRO are the heads of credit risk, market risk, operational risk, insurance, and portfolio management. Other functions that the CRO is commonly responsible for include risk policy, capital management, risk analytics and reporting, and risk management within individual business units. In general, the office of the CRO is directly responsible for:

• Providing the overall leadership, vision, and direction for enterprise risk management;
• Establishing an integrated risk management framework for all aspects of risks across the organization;
• Developing risk management policies, including the quantification of the firm's risk appetite through specific risk limits;
• Implementing a set of risk indicators and reports, including losses and incidents, key risk exposures, and early warning indicators;
• Allocating economic capital to business activities based on risk, and optimizing the company's risk portfolio through business activities and risk transfer strategies;
• Communicating the company's risk profile to key stakeholders such as the board of directors, regulators, stock analysts, rating agencies, and business partners; and
• Developing the analytical, systems, and data management capabilities to support the risk management program.

Still, given that enterprise risk management is still a relatively new field, many of the kinks have yet to be smoothed out of the chief risk officer role. For example, there are still substantial amounts of ambiguity with regard to where the CRO stands in the hierarchy between the board of directors and other C-level positions, such as CEOs, CFOs, and COOs.

In many instances, the CRO reports to the CFO or CEO—but this can make firms vulnerable to internal friction when serious clashes of interest occur between corporate leaders. For example, when Paul Moore, former head of regulatory risk at HBOS, claimed that he had been "fired . . . for warning about reckless lending," the resulting investigations led to the resignation of former HBOS chief executive Sir James Crosby as deputy chairman of the Financial Services Authority.3

One organizational solution is to establish a dotted-line reporting relationship between the chief risk officer and the board or board risk committee. Under extreme circumstances (e.g., CEO/CFO fraud, major reputational or regulatory issues, excessive risk taking beyond risk appetite tolerances), that dotted line may convert to a solid line so that the chief risk officer can go directly to the board without fear for his or her job security or compensation. Ultimately, to be effective, risk management must have an independent voice. A direct communication channel to the board is one way to ensure that this voice is heard.4

For these dotted-line reporting structures between the CRO and the board (and between the business line risk officers and the CRO), it is critical that an organization clearly establish and document the ground rules. Basic ground rules include risk escalation and communication protocols, and the role of the board or CRO in hiring/firing, annual goal setting, and compensation decisions for the risk and compliance professionals who report to them.

2 Winokur, L.A. "The Rise of the Risk Leader: A Reappraisal," Risk Professional, April 2012, 20.
4 Lam, James. "Structuring for Accountability," Risk Professional, June 2009, 44.
problems of its own; oftentimes, audit committees are already working at maximum capacity just handling audit matters, and are unable to properly oversee ERM as well. Henry Ristuccia, of Deloitte, affirms that unless the "audit committee [can improve] its grasp of risk management . . . a separate risk committee needs to be formed."6

The lack of an ERM standard is also a significant barrier to the positive development of the CRO role. Mona Leung, CFO of Alliant Credit Union, says that "we have too many varying definitions" of enterprise risk management, with the result that ERM means something different to every company, and is implemented in different ways. Of course, firms from different industries should (and must) tailor their approaches to risk management in order to meet the requirements of their specific business models and regulatory frameworks, but nonetheless, it is important to have a general ERM standard.

Despite the remaining ambivalences in the structure of the CRO role, I believe that it has elevated the risk management profession in some important ways. First and foremost, the appointment of executive managers whose primary focus is risk management has improved the visibility and organizational effectiveness of that function at many companies. The successes of these appointments have only increased the recognition and

Second, the CRO position provides an attractive career path for risk professionals who want to take a broader view of risk and business management. In the past, risk professionals could only aspire to become the head of a narrowly focused risk function such as credit or audit. Nearly 70 percent of the 175 participants in one online seminar that I gave on September 13, 2000, said they aspired to become CROs.

Today, CROs have begun to move even further up the corporate ladder by becoming serious contenders for the positions of CEO and CFO. For example, Matthew Feldman, formerly CRO of the Federal Home Loan Bank of Chicago, was appointed its CEO and President in May of 2008. Likewise, Deutsche Bank CRO Hugo Banziger was a candidate for UBS CEO. Kevin Buehler, of McKinsey & Co., affirms that the gradual movement of CROs from control functions to more

Some argue that a company shouldn't have a CRO because that job is already fulfilled by the CEO or the CFO. Supporting this argument is the fact that the CEO is always going to be ultimately responsible for the risk (and return) performance of the company, and that many risk departments are part of the CFO's organization. So why create another C-level position of CRO and detract from the CEO's or CFO's responsibilities?

The answer is the same reason that companies create roles for other C-level positions, such as chief information officers or chief marketing officers. These roles are defined because they represent a core competency that is critical to the success of the company—the CEO needs the experience and technical skills that these seasoned professionals bring. Perhaps not every company should have a full-time CRO, but the role should be an explicit one and not simply one implied for the CEO or CFO.

For companies operating in the financial or energy markets, or other industries where risk management represents a core competency, the CRO position should be considered a serious possibility. A CRO would also benefit companies in which the full breadth of risk management experience does not exist within the senior management team, or if the build-up of required risk management infrastructure requires the full-time attention of an

What should a company look for in a CRO? An ideal CRO would have superb skills in five areas. The first would be the leadership skills to hire and retain talented risk professionals and establish the overall vision for ERM. The second would be the evangelical skills to convert skeptics into believers, particularly when it comes to overcoming natural resistance from the business units. Third would be the stewardship to safeguard the company's financial and reputational assets. Fourth would be to have the technical skills in strategic, business, credit, market, and operational risks. And, last but not least, fifth would be to have consulting skills in educating the board and senior management, as well as helping business units implement risk management at the enterprise level. While it is unlikely that any single individual would possess all of these skills, it is important that these competencies exist either in the CRO or elsewhere within his or her organization.
3.4 COMPONENTS OF ERM

A successful ERM program can be broken down into seven key components (see Figure 3.2). Each of these components must be developed and linked to work as an integrated whole. The seven components include:

1. Corporate governance to ensure that the board of directors and management have established the appropriate organizational processes and corporate controls to measure and manage risk across the company.
2. Line management to integrate risk management into the revenue-generating activities of the company (including business development, product and relationship management, pricing, and so on).
3. Portfolio management to aggregate risk exposures, incorporate diversification effects, and monitor risk concentrations against established risk limits.
4. Risk transfer to mitigate risk exposures that are deemed too high, or are more cost-effective to transfer out to a third party than to hold in the company's risk portfolio.
5. Risk analytics to provide the risk measurement, analysis, and reporting tools to quantify the company's risk exposures as well as track external drivers.
6. Data and technology resources to support the analytics and reporting processes.
7. Stakeholder management to communicate and report the company's risk information to its key stakeholders.

Let's consider these in turn.

Corporate Governance

Corporate governance ensures that the board of directors and management have established the appropriate organizational processes and corporate controls to measure and manage risk across the company. The mandate for effective corporate governance has been brought to the forefront by regulatory and industry initiatives around the world. These initiatives include the Treadway Report from the United States, the Turnbull Report from the UK, and the Dey Report from Canada. All of these made recommendations for establishing corporate controls and emphasized the responsibilities of the board of directors and senior management. Additionally, the Sarbanes-Oxley Act provides both specific requirements and severe penalties for non-compliance.

From an ERM perspective, the responsibilities of the board of directors and senior management include:

• Defining the organization's risk appetite in terms of risk policies, loss tolerance, risk-to-capital leverage, and target debt rating.
• Ensuring that the organization has the risk management skills and risk absorption capability to support its business strategy.
• Establishing the organizational structure of the ERM framework and defining the roles and responsibilities for risk management, including the role of chief risk officer.
• Implementing an integrated risk measurement and management framework for strategic, business, operational, financial, and compliance risks.
• Establishing risk assessment and audit processes, as well as benchmarking company practices against industry best practices.
Data and Technology Resources

One of the greatest challenges for enterprise risk management is the aggregation of underlying business and market data. Business data includes transactional and risk positions captured in different front- and back-office systems; market data includes prices, volatilities, and correlations. In addition to data aggregation, standards and processes must be established to improve the quality of data that is fed into the risk systems.

As far as risk technology goes, there is no single vendor software package that provides a total solution for enterprise risk management. Organizations still have to either build, buy, and customize, or outsource the required functionality. Despite the data and system challenges, companies should not wait for a perfect system solution to become available before establishing an enterprise risk management program. Rather, they should make the best use of what is available and at the same time apply rapid prototyping techniques to drive the systems-development process. Additionally, companies should consider tapping into the power of the Internet/Intranet in the design of an enterprise risk technology platform.

Stakeholder Management

Risk management is not just an internal management process. It should also be used to improve risk transparency in a firm's relationship with key stakeholders. The board of directors, for example, needs periodic reports and updates on the major risks faced by the organization in order to review and approve risk management policies for controlling those risks. Regulators need to be assured that sound business practices are in place, and that business operations are in compliance with regulatory requirements. Equity analysts and rating agencies need risk information to develop their investment and credit opinions.

An important objective for management in communicating and reporting to these key stakeholders is an assurance that appropriate risk management strategies are in effect. Otherwise, the company (and its stock price) will not get full credit, since interested parties will see the risks but may not see the controls. The increasing emphasis of analyst presentations and annual reports on a company's risk management capabilities is evidence of the importance now placed on stakeholder communication . . . .
Describe best practices for the implementation and communication of a risk appetite framework (RAF) at a firm.

Explain the relationship between a firm's RAF and its risk culture, and between the RAF and a firm's strategy and business planning process.

Assess the role of stress testing within an RAF, and describe challenges in aggregating firm-wide risk exposures.

Explain lessons learned in the implementation of a RAF through the presented case studies.

Excerpt is reprinted from Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions, by the Institute of International Finance, June 2011.
INTRODUCTION

1. One of the key lessons of the financial crisis was that some firms took more risk in aggregate than they were able to bear given their capital, liquidity, and risk management capabilities, and some took risks that their management and Boards did not properly understand or control. Indeed, in its October 2009 report, Risk Management Lessons from the Global Banking Crisis of 2008, the Senior Supervisors Group (SSG) highlighted major governance challenges at the 20 largest banks in the most-affected jurisdictions, in particular "the unwillingness or inability of Boards of Directors and senior managers to articulate, measure and adhere to a level of risk acceptable to the firm." The SSG concluded that "a key weakness in governance stemmed from . . . a disparity between the risks that their firms took and those that their Boards of Directors perceived the firms to be taking." Put simply, Boards did not understand well enough, or properly control in advance, the risks that their firms were taking. These conclusions are not disputed by the Industry.

2. Three years after the crisis, largely as a consequence of these conclusions, there is now consensus between supervisors and the Industry that a clearly articulated statement of risk appetite and the use of a well-designed risk appetite framework to underpin decision-making are essential to the successful management of risk. Taken together, such a statement and framework provide clear direction for the enterprise and ensure alignment of expectations among the Board, senior management, the risk management function, supervisory bodies, and shareholders. In combination with a strong risk culture, they provide the cornerstone for building the effective enterprise-wide risk management framework that is essential to the long-term stability of a firm.

3. In 2008 the Institute of International Finance formed a high-level Committee on Market Best Practices (CMBP) to draw key lessons for the financial services industry from the global financial crisis that was unfolding at that time. The CMBP issued a report containing a number of key principles and recommendations for the Industry, focusing on areas such as governance, risk management, and transparency. The core purpose of these recommendations was to promote much more robust risk management and governance frameworks in financial institutions.

4. Early in the discussion and analytical process that led to the final CMBP report, IIF members identified risk appetite as being of fundamental importance. The CMBP report defined risk appetite as "a firm's view on how strategic risk taking can help achieve business objectives while respecting constraints to which the organization is subject." A key finding of the CMBP was that putting in place a robust risk appetite framework constitutes an essential component of adequate risk management. The CMBP elaborated on a number of aspects regarding risk appetite, including the high-level governance aspects of defining and implementing a risk appetite framework.

5. In 2009 the IIF, recognizing the need to actively promote the implementation of the CMBP recommendations, established a Steering Committee on Implementation (SCI). This committee was charged with steering the IIF's efforts on further analysis of key risk management implications of the crisis as well as tracking IIF members' efforts in revising their practices and implementing Industry practices recommendations. In December 2009 the SCI issued its report, Reform in the Financial Services Industry: Strengthening Practices for a More Stable System, which assessed the progress made by the Industry in implementing and embedding revised risk management and governance practices.

6. Among other issues, the 2009 SCI report focused once again on risk appetite, further developing and discussing the concept and a number of related issues. The report also provided an augmented definition of risk appetite as being "the amount and type of risk that a company is able and willing to accept in pursuit of its business objectives. The statement of risk appetite balances the needs of all stakeholders by acting both as a governor of risk and a driver of current and future business activity. It is expressed in both quantifiable and qualitative terms and covers all risks." In particular, the 2009 report set out an analytical framework for risk appetite and outlined a number of key issues in regard to the practical implementation of the concept by financial firms.

7. Risk appetite has also received a great deal of attention from the regulatory community. In particular, the SSG—which has been the public sector group most deeply involved in the analysis of the risk management implications of the crisis—has focused extensively on risk appetite issues and related supervisory implications. Specifically, the SSG's 2009 report, Risk Management Lessons from the Global Banking Crisis of 2008, identified risk appetite as a crucial element of robust risk management. The SSG identified a number of deficiencies in the way the Industry was approaching risk appetite issues, observing, for example, that much more evidence was needed of Board involvement in setting and monitoring adherence to firms' risk appetite, and that the Industry needed to
continue working to make risk appetite statements much more robust to encompass a suitably wide range of measures and actionable elements.

8. In December 2010, the SSG issued another report, Observations on Developments in Risk Appetite Frameworks and IT Infrastructure, which elaborated on this subject. In particular, the SSG highlighted the importance of Board and senior management involvement in the articulation and implementation of the risk appetite framework and emphasized the need to embed revised practices within firms so that such practices can be sufficiently resilient in an increasingly competitive environment.

9. While there is clearly a substantial amount of ongoing work by both the Industry and the regulatory community in the area of risk appetite frameworks, it is widely recognized that additional guidance would be helpful as firms continue refining their practices and methodologies. The reports by the IIF and the SSG, together with the substantial experience gained by firms in the last several years, constitute a fertile ground in which to continue developing guidance as to how management and Boards should confront and resolve difficult, basic issues linked to the design and implementation of a risk appetite framework.

10. As firms, in response to the crisis, continue to make progress in improving their risk appetite processes, primarily in pursuit of stronger risk management but also to meet evolving supervisory expectations, additional guidance should draw on lessons from firms' experience and from the successful practices that are being developed globally by many in the Industry. This can, in turn, form the basis for a constructive dialogue with the global supervisory community.

11. In order to organize the in-depth analysis and discussion of risk appetite issues, assess the Industry's state of practice on the subject, and learn by leveraging the experience and expertise of a broad range of market participants, the IIF SCI established the Working Group on Risk Appetite (WGRA). The WGRA and the present report have the following key objectives:

• To assess and evaluate current Industry practices in the
• To develop specific practical recommendations for firms to address the challenges of implementing a robust and meaningful risk appetite framework.

12. The WGRA has carried out an Industry survey, group discussions, interviews, and case studies involving a diverse sample of participants globally. As detailed in Annex II, respondents to the survey represented a cross-section of geography and institutional size, all at various stages of the implementation journey. The survey was sent to 79 firms; 73 responses were received from 40 firms. Although the survey responses received were rich and comprehensive, in order to get behind them to understand at a practical level how challenges were overcome to enable the sharing of good practices, multiple thematic conference calls, as well as bilateral in-depth discussions, were held with Industry participants in several continents, covering the key topics and challenges considered in Section 2. The survey responses, conference calls, extensive bilateral discussions, and the four case studies supplied have provided the background for our in-depth analysis of the current challenges facing the Industry and a practical set of recommendations to move forward.

13. Annex I presents four highly detailed case studies which were generously provided, upon request, by Commonwealth Bank of Australia, National Australia Bank, Royal Bank of Canada, and Scotiabank. These case studies are intended to complement the evidence gathered through the survey and the WGRA discussions and to provide valuable insights and "real-life" examples of the approaches that large firms have taken to overcoming the challenges involved in establishing a risk appetite framework (RAF). The case studies represent an integral part of this report and are recommended reading as they contain a wealth of detailed information regarding the diversity of approaches taken, the role of leadership and collaboration, the iterative nature of RAF development and the influence of culture in the risk appetite process.

SECTION 1 - PRINCIPAL FINDINGS
area of risk appetite.
FROM THE INVESTIGATION
• To identify the key stages and the technical and cultural 14. This section outlines a number of key findings of our
challenges in the journey toward setting— and moni work on risk appetite, the extent to which the Industry
toring adherence to— appropriate boundaries for risk, is em bracing it, and the principal im pedim ents to im ple
within a sound risk appetite fram ework. mentation. It outlines a number of practical steps that
• To bring Industry expertise and sound practices to firms have taken to overcom e the principal challenges and
bear on examining how these challenges have been which form the basis of emerging Industry sound practices
addressed, including the analysis of real-life case studies. in this evolving area. In some instances the findings of
40 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
c. While implementing an RAF is challenging, those firms that have made progress are clear that they see tangible benefits resulting from their risk appetite process. While these benefits are not always apparent at the start, there is a high degree of consensus among such firms that the RAF is allowing the Board and the senior management to have a more informed discussion of the risks in the business plan and strategy. Firms reporting the most progress have also established strong linkages between risk issues and strategy, planning, and finance— the last two of these being areas in which risk was often not formally considered in the past. These linkages have been put in place at both the enterprise-wide and business unit (BU) levels. Such processes may, at least initially, make the resource planning cycle longer and more complicated, but this is a price well worth paying in return for fostering a more robust risk culture and a stronger awareness throughout the organization. Firms at a more advanced stage also highlight the benefits deriving from a stronger integration of risk considerations into the strategic and business plans and more effective risk/reward decision making across the organization. These benefits can be clearly seen in the case studies attached in Annex I.

d. There is a high degree of commonality around the most relevant inputs driving the shaping of a firm's risk appetite. Most often used is capital capacity, followed by budget targets, liquidity, and other market constraints and stress test results. Although not captured in the survey data, several firms emphasized that a firm's overall strategy and financial objectives should be considered as a key input.

e. Limits and controls have a central role in any well-run organization, but an excessively narrow emphasis on granular limits (or too many of them) can provide false comfort to management and supervisors; lead to a mechanical, "tick-box" (or compliance-type) approach; and detract from or undermine this crucial dialogue. A strong RAF is much more powerful than limits alone: staff at all levels with any significant responsibility should know what they need to do and why, rather than merely follow instructions. The overwhelmingly important conclusion from firms' experiences in this area is that developing an RAF is not about putting in place "tablets of stone" and creating and implementing a structure of many hundreds of highly granular limits. It is important that stakeholders, including supervisors, should recognize this when assessing progress in this area.

f. The survey shows that a large majority of firms (70%) are taking a comprehensive view of all risks across the firm, not merely focusing on those risks that can be easily measured, and are using a combination of quantitative and qualitative metrics in expressing risk appetite. This reinforces the point that risk appetite does not mean the creation of a complex, highly granular set of limits. That said, at this stage in the journey the most common transmission mechanism for communicating Board-level risk appetite statements throughout the enterprise is the translation into limits. This in part reflects the quantifiable nature of some risks and provides for clear, recognizable boundaries.

g. Stress testing and stress metrics play a role in the risk appetite framework of almost all respondents (only one firm stated that they are not used). The use of stress tests varies, with some banks putting them at the center of the risk appetite setting process, whereas others use stress tests primarily to "sense-check" their appetite.

h. A large majority of those responding indicated that risk appetite is monitored on an ongoing basis at the group level and that a contingency plan or escalation procedure is triggered when a risk appetite metric is exceeded.

20. As noted above, the case studies in Annex I are an essential part of this report and clearly illustrate many of the points listed above.

SECTION 2 - KEY OUTSTANDING CHALLENGES IN IMPLEMENTING RISK APPETITE FRAMEWORKS

21. Despite the visible progress being made by many in the Industry in the implementation of effective risk appetite frameworks, more needs to be done. The survey and discussion reveal there is a degree of commonality in the hurdles firms are facing and the need for proven practical solutions to these issues. Section 3 provides a number of examples of emerging Industry sound practices in addressing these. This section outlines the largest challenges that are proving most difficult to overcome. The chart below shows the most relevant survey results in this context.

22. The link with the wider risk culture is of central importance but is also problematic in some firms. Broad discussion among firms reinforces the point that without a strong risk culture success on the risk appetite journey

[Chart: survey results on the key outstanding challenges in implementing risk appetite frameworks (horizontal axis scale 0 to 25). Challenges shown: effectively cascading the risk appetite statement through the operational levels of the organization and embedding it into operational decision-making processes; using the risk appetite framework as a dynamic tool for managing risk rather than another way of setting limits or strengthening compliance; using the risk appetite framework as a driver of strategy and business decisions; achieving sufficient clarity around the concept of risk appetite and some of the terminology used (e.g., the difference between risk appetite and risk limits).]
qualitative indicators, most are making significant efforts to quantify such risks, through, for example, proxy measures, and use a combination of qualitative and detailed quantitative elements in their risk appetite statements.

25. Some respondents are finding it difficult to shift the perception that risk appetite is primarily about setting limits. While limits and risk policies are important components of an effective risk appetite framework, the more dynamic nature of risk appetite and its role in managing risk, driving strategy, and optimizing return on a much broader basis needs to be ingrained throughout the organization. Ensuring that the RAF is positioned and perceived internally as a dynamic tool for shaping the risk profile of the institution, rather than as merely a dressed-up, "grander" process for setting limits and additional business constraints, is also an important challenge. In reality, it is necessary to strike the right balance between, on the one hand, a framework which is so rigid, constraining, and inflexible over time as to be unable to sensibly and prudently accommodate the evolution of the businesses and group strategy in a timely fashion, having due regard to the risk implications, and, on the other hand, one which is excessively flexible and too easily and substantially changed from one period to the next (perhaps in response to any number of proposed growth initiatives), and consequently imposes insufficient discipline on the businesses, lacks continuity, and is difficult for all employees to understand and embrace. Striking this balance correctly requires careful judgment by Boards and senior management.

26. Many firms have difficulty forging the necessary links between risk appetite and the strategic and business planning processes, though leading firms have done this successfully. It is relatively straightforward to establish an RAF in the sense of the Board setting out a statement of risk preferences that the business then seeks to translate into a range of limits. There is a growing recognition, however, that this is a very narrow concept of risk appetite and that the establishment of actionable guidance at the business unit level is crucial. The traditional approach of making high-level statements and then seeking to turn these into a plethora of granular and not well-understood limits has been shown to have serious limitations, as it tends to result in risk appetite being seen within the businesses as a remote and sometimes irrelevant part of the risk management apparatus. As explained further below, risk appetite needs to be an integral part of a business. Its effects need to be pervasive throughout the organization, and there needs to be a clear link between the RAF and business decisions.

27. Stress testing, and how it should be effectively incorporated into the risk appetite framework, remains an area of uncertainty and evolving practice in the Industry. While it is widely accepted as being a component of an effective risk appetite framework, there is less consensus about exactly how stress testing should be incorporated into a framework. The use of stress tests varies widely, with some banks putting them at the center of the risk appetite-setting process, even as others use stress tests primarily to sense-check their appetite. As a general observation, the firms that were most affected by the financial crisis appear to be more advanced in this area, but further guidance is required for the majority. While an important focus of an RAF will be the level of risk with which the Board and senior management are comfortable during "business as usual" conditions, it is equally important to understand and consider the implications of extreme but plausible scenarios on the risk profile. The technical and methodological challenges of stress and scenario testing are well known. In the RAF context, Boards, senior management, and business units need to ask how the results of stress tests should be interpreted and what they mean for risk profiles and preferences. One particularly important question in this context is the extent to which Board members and risk professionals are equipped a) to make sense of scenarios that have potentially very substantial impacts but low probability and b) to push back against pressure from the business when the result would be to curtail apparently profitable lines of business.

28. A related issue is how to achieve an appropriate aggregation at the group level of the levels of risk for the different individual businesses and how to establish relationships between these. Individual business units need to have a consistent framework for setting their own tolerances for risk, and these need to be consistent with the overall enterprise-wide risk appetite, both individually and in aggregate. Although progress has been made in this area by a number of firms, no single approach is dominant today. There is currently no uniform process for translating high-level risk appetite indicators into more specific measures, such as risk limits and tolerances, and further work is needed in the area of risk aggregation.

SECTION 3 - EMERGING SOUND PRACTICES IN OVERCOMING THE CHALLENGES

29. The objective of this section is to draw on the survey and the case studies, as well as discussions with firms, to identify ways in which the principal challenges identified in the
guidelines is consistent with cultivating a strong risk culture, provided it is consistent and relatively transparent.
• Clear communication of risk appetite parameters and preferences is a prerequisite for developing the appropriate culture. Individuals need to feel incentivized to comply with these and confident in doing so. There can be no hidden agendas or revealed preferences on the part of management.
• Consistency of messages and consistency of senior behaviors with these messages, rewards and sanctions that are demonstrably consistent with the messages, and the absence of barriers to bad news travelling upward are essential components of a strong culture.
• There is value in measures such as the creation of a meaningful and non-public statement of values codifying this. But culture is determined ultimately by what the leadership does rather than by what it says.

3.2 "Driving Down" the Risk Appetite into the Businesses

35. Effective internal communication that makes risk appetite directly relevant to employees in the business units is seen as a major challenge by all participating banks. A variety of approaches have been taken, but no clear consensus has yet emerged about how to do this most effectively. This remains very much work in progress, even for the leading banks.

36. Two points, however, emerged very clearly in this regard:
• An effective risk appetite framework should be pervasive throughout the organization in that all staff with any significant decision-making authority should understand the institution's stance toward risk and what it means for them.
• Yet the benefits of an effective risk appetite framework, while very real, are often not apparent to more junior staff and, indeed, there may be some initial resistance or skepticism among these groups.

37. For this reason, communication and training are essential starting points. The CEO needs to be personally involved in promulgating the message about the risk appetite framework and what it means. There needs to be complete agreement within the Board and management on a meaningful and comprehensive definition of risk appetite, and the concepts need to be communicated in a straightforward way without jargon. There also needs to be clarity in communications about where risk appetite fits alongside risk capacity or tolerance, that is, how much risk it is technically possible to take, and the current level of risk being taken. Finally, there needs to be clarity regarding the ownership of risk. The risk function should own the overall risk framework and the interface with the Board on risk appetite. However, responsibility for risk within the business units and for achieving consistency with the enterprise-wide risk stance rests squarely with business unit heads.

A cornerstone in the architecture of an RAF and a key step in its internal communication is the articulation of a risk appetite statement. Some firm-specific examples are provided below:

• One firm explains that its risk appetite statement is currently a mix of quantitative limits/metrics and qualitative guidelines:
i) Limits and metrics consistently monitored include: ROE; stress tests; RWA limits; capital market measures (e.g. VaR, trading limits); liquidity ratios; single-name concentration; industry concentration; and country envelopes. These limits/metrics correspond to the Target Rating set for the Bank.
ii) Qualitative guidelines mainly stem from a comprehensive set of Risk forums at the Executive Management level (e.g., Portfolio decisions: Risk Committee, Strategic Risk Forums on Countries, Industry/Product/Sectors, as well as on Capital Market activities. Key Individual decisions: Risk committees on one specific transaction/counterparty; Exceptional Transaction and New Activity Validation Committees. Thematic transversal policies: Credit policies).

• Another firm has a rather detailed statement covering the following qualitative and quantitative elements: 1. To generate sustainable economic profit commensurate with the risks taken; capital liquidity & impairments & expected loss; 2. To be well capitalised on a regulatory basis and maintain a long-term debt rating of X; 3. To maintain a strong Tier 1 ratio comprised of a large core Tier 1 proportion; 4. To maintain a well-diversified funding structure; 5. To keep off-balance-sheet vehicles non-material in size relative to the size of the balance sheet; 6. Risk management to ensure impairments and losses are managed within the group's tolerance; 7. To manage all risk categories within its appetite; 8. To harness benefits from business diversification to generate non-volatile and sustainable earnings; 9. To compete in businesses with international customers where market connectivity is critical, businesses with local customers where we have local scale and products where global scale is critical to effectiveness; 10. To use robust and appropriate scenario and stress testing to assess the potential impact of the chosen scenario on the Group's capital adequacy and strategic plans.

In some banks the business unit leaders are required to have primary accountability for preparing and interpreting their own risk appetite statements to ensure that they are both properly aligned with the group risk appetite statements and also well-designed and effective in communicating to the staff in their own businesses. For instance, in one firm the "Line of Business (LOB) management is responsible for executing the strategic and financial operating plans of the business, optimizing the risk and reward of the business within limits established by executive management, and ensuring internal controls are appropriate. Additionally, each LOB develops a Line of Business Risk Appetite which further drives the enterprise Risk Appetite into the individual Lines of Business. Every employee understands that it is his or her responsibility to implement and adhere to the Risk Appetite while making daily business decisions."

In addition, other banks seem to rely on an appropriate interaction among risk culture, awareness, and policies and procedures. As explained by one bank participating in our survey: "The link is based on an awareness of the qualitative aspects, of expected norms and behaviors and how decisions impact the operational groups/enterprise risk appetite. This awareness is created through learning programs targeted at mid-level management. Mid-level management in front-line operations is guided in part by the simplified statements created by the enterprise. Both qualitative and quantitative aspects are reflected through policies and procedures that govern the activities of mid-level staff. These policies and procedures provide more detail to the high-level statements of the risk appetite, including business practices (for example, reputational risk, regulatory and legal requirements), risk transparency requirements (for example, new products and initiatives) as well as detailed limit frameworks (market risk, liquidity and funding, credit risk) that are set at various levels of the organization."

A few banks highlight a link with business planning: "The integration of the risk appetite statement production into the framework of the business planning process gives a linkage of the Board's risk appetite to the decisions and strategies made by business at that time. This is also expressed via the Board's capital plan, where return requirements, capitalization targets, and capital allocation resolutions combine with business volume targets."
Overall Lessons:
• Communication and education on the benefits of a risk appetite framework are essential. Members of senior management need to be visibly and consistently associated with these.
• Limit setting is a key part of risk management, whether or not it is part of a wider risk appetite framework. Business unit and risk management heads should use the risk appetite framework as the context for explaining and promulgating limits and risk policies.
• Business unit heads must own local business plans, which in turn must pay proper regard to risk. This, including the link to the wider risk appetite, should be clearly and consistently communicated to staff.
• Continuous and open dialogue about risks is seen as fundamentally important in effectively embedding risk appetite in the business lines. Business unit leaders have a strong leadership role to play in this. When this dialogue about risks— within and across business units and with risk and senior management— works well, it facilitates both intelligent challenges to the risk appetite boundaries and their evolution over time. In this way, the risk appetite framework is made dynamic and is able to sensibly accommodate new business opportunities over time.

3.3 Capturing Different Risk Types

43. Incorporating different risk types into the risk appetite framework and, more specifically, capturing risks that cannot easily be quantified, is a challenging task. There is wide agreement that the RAF should capture and include all material risks, including those that are not easily quantified, such as operational and reputational risks. However, although 70 percent of the participating firms stated that their RAF covers all risks, no real consensus was seen among the participants about how the risks that cannot be easily quantified (if at all) should be captured in the RAF.

44. Some firms report that an effective first stage in the identification of risk appetite has been a free-ranging and sometimes quite qualitative discussion of risk with the Board. It is reported that this can be helpful in avoiding becoming bogged down either in issues of definition or quantification. The Board's preferences are then subsequently turned into a quantified framework.

45. In some banks there is a clear link between elements of the RAF and operational risk management. To the extent that operational risk management seeks to identify, quantify, and control less intrinsically quantifiable aspects of risk, the methodologies developed can be a useful input to a broader RAF. Some firms indicated that a range of indicators is reported to the Board as part of regular reporting on compliance with the risk appetite framework. Many banks involved in the study were seeking proxies to help them to understand the manner in which risks (both internal and external) are evolving, at least directionally. In this context, defining risk appetite was described as "an art around the science." There was agreement that around any set of similar metrics one needs to overlay a good measure of interpretation.

46. However, some clear examples were given that resulted in a significant change to the risk appetite for certain businesses. One high-profile example of this is material changes to the regulatory landscape (e.g., Lehman minibonds in Hong Kong). These kinds of changes in the regulatory (and political) environment fundamentally change the level of risk associated with certain businesses and, subsequently, the risk/reward of the business proposition significantly.

47. Committee structures, if thoughtfully designed, can provide an opportunity to draw on experienced judgment and oversight in areas in which quantification is inherently weak.

One institution noted that, wherever possible, estimates are made of the potential impact of crystallized risks on future earnings capacity. Examples of this would be the effect of regulatory changes or sanctions on the revenue from individual business lines. An effort is then made to compare these impacts with those of other risks. However, "this is recognized as being very subjective" and of very limited value with respect to non-linear tail risks such as litigation or serious reputational damage.

Another bank does not go as far in seeking to quantify risks but does try to estimate the potential impact of risks on future earnings capacity for each risk with the object of arriving at an overall indication of how large or small that risk is in comparison with other risks. This is more a question of magnitude rather than precision, as the objective is to ensure that it carries enough weight versus other risks.

One firm undertakes a regular assessment of the perceptions of various stakeholders (clients, shareholders, employees, and regulators) noting a) that these legitimately differ and b) that the objective should be "no surprises." This approach is reinforced through the creation of a senior Reputation Risk Committee comprised of senior management (CFO, CRO, and heads of Legal and Compliance). This committee reviews highly complex or structured transactions that may create
(Continued)
• Communications to the central bank/regulator regarding money laundering breaches;
• Trading with suspected insider traders; and
• Complaints from customers.

48. The point was also made by many firms that, notwithstanding a professed "zero tolerance" for some categories of risk (such as reputation risk and the risks of legal or regulatory non-compliance), there are, in reality, always tradeoffs, and zero levels of these risks are not achievable in practice. The key thing is to recognize these risks and manage them intelligently.

Overall Lessons:
• To be effective, the risk appetite framework needs to incorporate all material forms of risk, including those that are not readily quantifiable. Zero tolerance is not a very meaningful or practical concept— all risks need to be actively managed.
• Firms should make a maximum effort to quantify such risks, making use of such innovative approaches as estimates of earnings foregone.
• Maximum use should also be made of proxies and other metrics, even where these do not permit the direct quantification of losses. Quantification and the development of proxies need to draw on operational risk frameworks.
• Committee structures to address reputational or legal risks directly, and the risk implications of new products, can, if well operated, bring experienced oversight to bear effectively.

3.4 The Benefits of Risk Appetite as a Dynamic Tool

49. The following two challenges are somewhat linked and need to be addressed as important steps in building an RAF: positioning and communicating the RAF internally as a dynamic tool for shaping the risk profile of the institution, rather than as merely a dressed-up, more elaborate process for setting limits or a source of additional business constraints, and communicating its benefits.

50. Our investigation has shown that successfully positioning the RAF internally as a dynamic tool for shaping the risk profile of an institution depends critically on how it is embedded in the businesses and on the quality of the ongoing, day-to-day dialogue about risk within and across business units and with risk management staff and senior management. As discussed in section 3.2, when this dialogue works well, it facilitates both intelligent challenges to risk appetite boundaries and their evolution over time. In such circumstances, the risk appetite framework is seen and understood to be dynamic by all participants.

51. Risk appetite frameworks and processes of the kind discussed in this report are relatively new in many organizations, and take time to institutionalize. Participating banks agree that the benefits are not immediately apparent at the outset; in some banks, there is (or was) active resistance from some business units that needed to be overcome.

52. It is obvious that leadership from the top is important, in terms of stating the reason for creating the risk appetite framework and associated processes and explaining the benefits to be gained from doing this. Nevertheless, from the experience of some banks it may be necessary to start with an element of compulsion. Participants reported that they needed to push quite hard initially to get the businesses to think about risk appetite, although after "learning by doing" for a while, many reported that they have seen the benefits.

53. In general, senior executives appreciate the benefits of risk appetite more readily than those lower down in the business. The active dialogue linked to specific transactions within the business line was described earlier, and it is key to educating front-line staff about risk appetite and the benefits that awareness and understanding of it bring to the business and the group.
One participating bank ran a series of workshops for line staff in selected business units, titled "How risk appetite affects you." These proved useful in raising awareness of the key risk appetite concepts and received positive feedback from participating staff, who generally saw why this was important from an organizational perspective.

Similarly, another bank holds risk appetite workshops with each of its major businesses to identify concerns such as implementation and/or resource issues. These workshops aim not only at "driving down" the RAF into the businesses but also at enabling the businesses to understand the full benefits available from a complete risk appetite framework, such as an assessment of limits and financial volatility, that is, the volatility of a business's plan, where to focus resources and capital, alignment to other processes through stress testing, and gauging the potential of the business going forward.

54. In general, participants agreed that there is a balance to be found between coercion ("this is the policy/limit, keep to it") and understanding ("here is the broader risk context and rationale to help guide what you do").

55. As noted previously, business unit leaders must have the principal responsibility for bringing risk appetite into their business units and incorporating it into the regular fabric of their businesses. Similarly, they have the principal responsibility for articulating the benefits of risk appetite in their businesses—and so they need to be convinced of the benefits themselves. Some participants reported that initial resistance in particular business units can be effectively overcome in many instances by the CEO, CRO, and other senior leaders actively explaining and reinforcing the need for business unit staff to embrace risk appetite and have it become part of the fabric of the organization.

56. It is important to note that if specific business units can't get the needed quantitative information to see how they are tracking against key risk appetite metrics, then risk appetite concepts have less traction and less "bite" in those business units; in these circumstances the benefits of the framework and processes are less clear to front-line staff. For this reason, firms should be acutely aware of the measurement limitations at each stage of their risk appetite framework evolution.

57. In making the benefits more visible in the businesses, it is important to emphasize the return dimension of risk appetite and the opportunity for risk/reward optimization and to position risk appetite as a foundation for active dialogue within and about the business, as previously described. The key is to be "real" with the business—it is important to make the risk appetite measures and metrics clear and real in the individual business units to facilitate effective challenge and discussion. If this is achieved, it is the experience of the leading participants that the benefits will become progressively clearer to all stakeholders as time passes; this is also strongly reflected in the case studies.

Overall Lessons:

• Leadership from the top is crucial, in terms of stating the reason for creating the RAF and explaining its benefits. Nevertheless, it may be necessary to start with an element of compulsion.

• The active dialogue within and across business units and with risk management staff and senior management is essential to communicate the benefits that the implementation of an RAF brings to the firm. Such dialogue should also be linked to specific transactions within the business line in order to effectively involve front-line staff.

• Education is a key element in raising awareness about the full benefits originating from a complete risk appetite framework.

• Business unit leaders must have the principal responsibility not only for bringing and incorporating risk appetite into their business but also for articulating the benefits of risk appetite in their businesses.

3.5 The Link with the Strategy and Business Planning Process

58. The establishment of an effective link between the risk appetite framework and the strategy and business planning processes is fundamental.

59. A key finding of this study is that such a link has been effectively established at a number of leading institutions in recent years. This has been achieved in several different ways, as the National Australia Bank (NAB) and Commonwealth Bank of Australia (CBA) case studies illustrate. There is strong agreement, however, that the relationship needs to be iterative and based on extensive internal dialogue.

60. The firms that have made the most progress in this typically followed a process that involved some variation of the following:

• The Board set key, top-level principles and risk parameters for the overall risk appetite at the group level.

ing their own, divisional business and budget plans. In some cases this involves the creation of local risk appetite statements. In others it involves the articulation of a risk "posture" that indicates whether risk is expected to increase, decrease, or remain constant in the business unit.

• Ensuring that, whatever the form of the local plan, it embeds and is fully consistent with the high-level risk appetite statement or principles.

• Individual and aggregated assessment at the group level of proposed business and budget plans and comparison with the group risk appetite.

• Revision and amendment as appropriate of divisional level plans and budgets—or, in some cases, group risk appetite.

61. In some cases the formal planning process, rather than being wholly "top down," incorporates a significant amount of "bottom up" planning at an early stage, starting at the divisional level. But in either case, iteration—starting with a concept of risk appetite → business planning → aggregation → checking back with the risk appetite framework and adjusting as necessary—was observed to be the key and an important method to creating essential alignment between the divisional and business unit plans and the group risk appetite statement. This process also builds common awareness of the interaction and tradeoffs between key risk appetite constraints and revenue opportunities. Some firms have found the use of standardized formats for setting out strategic plans incorporating mandatory sections on risk profile and risk appetite to be useful mechanisms for ensuring that these issues have the appropriate prominence in the planning process.

62. In general, the process begins with high-level signaling of risk or key risk parameters. For instance, NAB, as further explained in the case study in Annex I, starts its process by discussing and agreeing the high-level risk posture of each major business and the group. Another institution noted that prior to the strategy planning risk management and/or finance provide indications of current sensitivities (e.g., leverage, liquidity, capital objectives or constraints, etc.), so that the initial business planning process is done on a more informed basis. There is no uniform approach for translating high-level risk appetite decisions into workable parameters for business units. The process needs to involve a combination of breaking down the high-level aspirations into measurable dimensions and business units formulating their bottom-up plans in a consistent form, allowing the appropriate consistency checks to take place.

63. The final stage in the iterative process may involve changing either aspects of the business plans or of the overall risk appetite—but if the latter, this is done on a properly informed basis in order to create the needed alignment between the two that has often been missing in many institutions in the past. The fact that such decisions are made on a properly measured and informed basis, and within a formal and robust governance framework, is the key to ensuring that the risk appetite framework strikes the right balance between being unduly rigid—and therefore unable to effectively and prudently accommodate business and strategy evolution—and excessively flexible, in which case it would fail to create the necessary discipline on the business.

One bank provided an example of when the explicit consideration of risk appetite in the planning process led to an increase in a business line/asset class rather than the imposition of a reduction. The group had agreed to a firm-wide risk appetite for a certain asset class, and one business unit wanted to increase exposure. This led to a risk vs. return discussion, which led to a shift within the asset class of increased allocation to the requesting business unit, but without an increase in firm-wide risk appetite for that asset class. It was reported that "not everyone liked the answer, but they appreciated the openness of the discussion."

64. The value of a stronger link between risk appetite and business-level planning was summed up by CBA, "Building of the consideration of risk appetite into the group's strategic planning process has been a significant step forward and has given both management and Board transparency either to amend the strategy to align with the existing appetite or the appetite to allow for the proposed strategy over decisions."

65. The following have been key factors in building and reinforcing the necessary links with the business units:

• The creation of a strong partnership between the group risk management, strategy, and finance functions, notwithstanding some initial resistance to this in a few institutions, because of some concerns about potentially complicating the planning/budget process. There was general recognition and acceptance that formally including the risk management function in the planning process may make the process longer and more complicated, but this was seen by those banks that have taken this step as well worth it for the resulting alignment of risk appetite and plans. As the planning process is repeated, participants learn by doing and a new process with new expectations becomes established that becomes more efficient over time. However, as observed by NAB in its case study, the language of risk used by risk management staff can often be opaque and not closely associated with the language used by those staff who develop strategy and business plans. Therefore, it is important for risk management staff to find ways to communicate and engage effectively in the planning process.

• Use of the concept of "risk posture"—a qualitative expression of whether the business unit intends to take more, less, or approximately the same amount of risk over the next planning period—at both the divisional and group levels is an effective approach in moving the discussion forward and supplements the use of quantitative metrics. Risk posture is an intuitive, accessible, and widely understood concept that avoids technical language and enables extensive participation by a wide group of participants in the dialogue and discussion about risk appetite. The iterative process described above needs to include an explicit discussion of the risk/reward tradeoffs. The relevant questions are: What are we trying to do? and What are the tradeoffs? One firm reported: "This [risk appetite] approach allows an intelligent discussion of 'who we are' and the optimal business mix and balance based on risk and return." Another said: "getting the Head of Strategy to recognize and incorporate Risk Management personnel into planning decisions was big win for us."

• Periodic reviews between risk management, finance, and each business division to discuss what is new or growing rapidly, what is changing, what's driving those changes, and what are the emerging risk/capital/liquidity capacity issues, are a good tool for keeping the required linkage strong. These reviews also support the process for the next planning cycle.

• Some firms require that each business head be able to explain how risk appetite has been taken into account in local strategy documents and how key elements of the business unit strategy are consistent with risk appetite.
What follows is a noteworthy example of how a respondent firm is achieving the link between its RAF and strategy and planning:

Links between Risk Appetite and Strategic Planning:

• Line of Business Risk management is involved from the beginning of the strategic planning cycle to evaluate and assess how growth or revenue targets fit with the Company's Risk Appetite;

• The Plan is developed to assure Governance and Control functions are appropriately aligned and staffed around new growth;

• All plans for growth are aligned around the Risk Appetite;

• The Chief Risk Officer ensures alignment of the Strategic Plan to the Risk Appetite. Risk management has opportunities throughout the process to challenge any elements of the plan.

Links between Risk Appetite and Capital Planning:

• The capital framework assesses capital adequacy in relation to risk and provides a common currency for measuring business unit performance;

• The capital management process considers credit, market, operational, interest rate, liquidity, country, compliance and strategic risks in the Internal Capital Adequacy Assessment Process;

• Customer and product profitability are measured via Customer Level Profitability Reporting (CLPR), which incorporates economic capital;

• Capital is represented in the Risk Appetite statement and measured and monitored as such.

Links between Risk Appetite and Liquidity Planning:

• Together with the Chief Financial Officer Group, Risk Management is involved in setting and monitoring liquidity risk limits, guidelines and early warning indicators;

• Risk Management controls include the analysis of contractual obligations and utilization of stress modeling to ensure that excess liquidity is sized appropriately and aligned with the liquidity risk tolerance of the enterprise;

• Risk Management incorporates liquidity risk analysis into new product, business and investment decisions where applicable, and works with Lines of Business that have material contingent funding exposures and/or require material levels of unsecured funding;

• Liquidity Risk is represented in the Risk Appetite statement and measured and monitored as such.

Links between Risk Appetite and Performance Management:

• Performance management is tied to adherence to the Risk Appetite in all areas of the enterprise, including Risk, Lines of Business and Enterprise Control Functions.
68. These assessments are crucial but very complex and difficult, involving both significant technical challenges and the exercise of a substantial amount of judgment. They cannot be reduced to a series of simple, formulaic steps. This is because, as the financial crisis has shown, for large financial groups the aggregate, integrated risk profile of a firm and the way this evolves is opaque, to insiders as well as to outsiders, and difficult for senior management, directors, and supervisors to properly understand.

for losses and how these compare to what are judged to be acceptable loss levels within the existing risk appetite. It is also necessary to ensure that the implications for capital levels are rigorously assessed.

• The implications of the foregoing for risk appetite and strategy. Boards and management need to be equipped to assimilate and act upon the outcomes of stress tests, even where they embody relatively low probability events.
73. It would appear that in many banks these judgments have been made somewhat implicitly to date, given the considerable technical challenges involved. These are very subjective but important questions, and a divergence of views regarding their treatment was seen among the participating banks. Indeed, participants reported that it is common to see a divergence of views on these questions even within the management teams of individual banks.

74. It is nevertheless important to distinguish between the relatively technical challenges of ensuring that scenarios are chosen carefully and their implications properly worked through and the strategic challenge of ensuring that the outcomes of stress and scenario tests are acted upon. Boards and management often report difficulty in assimilating the implications of relatively low probability events and pushing through the necessary adjustments to business models and strategies. Some report that this will become even more of a challenge as competitive pressures reassert themselves as memories of the crisis fade.

75. It is possible to make a tentative observation that some of the banks that were hit hardest in the financial crisis are currently taking a more conservative approach than others that were impacted less severely. The former are placing more weight in setting their overall risk appetite upon the likely losses that would be experienced under more severe stress scenarios and treating the results of these stress scenarios as more binding in the risk appetite process.

76. Some banks participating in our investigation, including some banks in jurisdictions that were less affected by the financial crisis, have not yet built a comprehensive, group-wide stress testing capability or have not yet fully incorporated stress testing into their process for setting risk appetite. For these banks, selected stress tests have been used to date primarily as a basis for checking and challenging the reasonableness of quantitative risk appetite parameters and boundaries that have been set via other, more subjective means. Some banks in this category have placed higher emphasis to date on ensuring a strong risk culture and effective dialogue about risks at all levels, and they caution that placing heavy emphasis on stress testing in the risk appetite-setting process may risk placing too much focus on "known unknowns." Consequently, it is clear from our investigation that the further development of stress testing capabilities and the evolution of the way in which stress testing outcomes are incorporated into the process and context for setting risk appetite is an area that many firms are continuing to develop, as can be clearly seen in some of the case studies.
One leading firm has developed a comprehensive, firm-wide stress-testing capability and uses this in a way that is central to the process of setting its risk appetite. The bank had originally built its firm-wide risk appetite framework around a set of statistical loss measures, which it compared with earnings and capital metrics. Underpinning the framework were statistical models for individual businesses and portfolios, complemented by stress models targeted toward the idiosyncratic vulnerabilities of those portfolios (not generally combinable due to inconsistent scenario assumptions). Limits on a combination of these stress and statistical model results were used as operating controls on the businesses. While several units within the bank had gained substantial experience in the generation of macro and market scenarios and the evaluation of their impacts on their respective businesses, these had not been integrated to develop firm-wide scenarios.

During the financial crisis, the firm recognized the need to adapt its risk appetite framework to incorporate stress scenarios alongside its statistical models and to particularly emphasize protection of its Tier 1 capital as a risk appetite objective. The period following the Lehman collapse served as a catalyst and model example for the development of firm-wide scenarios, since it impacted many of the bank's business lines and established an unambiguous level of severity. Subsequently, scenarios covering other potential firm-wide vulnerabilities have been implemented.

Development of scenarios typically begins with the identification and prioritization of an area of concern, i.e., a potential economic or market crisis, through dialogue among risk managers, economists, and line management. Scenarios are calibrated on a "how bad could it plausibly get" basis. Based on a broad outline of the primary scenario drivers, the firm develops a detailed scenario specification describing the evolution over 1-2 years of a few dozen broad macro and market variables such as GDP growth in major markets, interest and FX rates, equity markets, credit spreads, inflation, and housing prices. Both short-term and long-term behavior must be modeled to evaluate impact on portfolios at opposite ends of the liquidity spectrum, i.e., market vs. credit risks. History and stakeholder input inform the setting of these parameters, which are updated periodically (at least once a year) to ensure that scenario assumptions remain economically meaningful.

In tandem with this, analysis—often making use of historical data at a granular level—is performed to identify the key sensitivities of business/portfolio income with the scenario inputs; where necessary (i.e., for trading portfolios), the

(Continued)
Challenges Associated with Firm-wide Risk Aggregation:

77. One of the significant challenges that firms will eventually face as they proceed along the risk appetite journey is the issue of risk appetite aggregation—that being, once individual businesses have set their own risk appetite boundaries, how does an organization decide whether, in aggregate, these boundaries fit within the firm's overall risk appetite? Or, conversely, if key quantitative aspects of the group's overall risk appetite have been determined, how can the risk appetite of individual businesses be set in such a way as to ensure alignment with the overall risk appetite in aggregate? Given that this discussion includes all risks, some of which are not easily quantified, a great deal of management judgment is required to effectively manage this issue, which is obviously very closely related to the issue of risk aggregation.

78. The technical challenges involved in risk aggregation are numerous and complex. In practice, most banks use a variety of regulatory and economic capital measures for risk aggregation purposes. However, these measures suffer from a number of important weaknesses when used for this purpose. These include:

• The inability of capital measures to capture and reflect non quantifiable risks.

• The challenges of determining the appropriate treatment of risk concentrations and diversification within and between risk types.

• The difficulty of directly linking capital measures to specific macroeconomic stress scenarios.

• The inability of capital measures to capture the liquidity dimensions of risk, which are so crucial for understanding potential losses in severe scenarios.

• More fundamentally, the non intuitive nature of capital measures. Experience has shown that it is difficult to get senior managers and directors to engage in a meaningful way with statistical variables and capital measures (e.g., Value at Risk at 99% or 99.95% confidence levels) and use them with confidence in the risk appetite process. The experience of a number of firms has been that it can be easier to get active engagement from senior management and directors around specific macroeconomic scenario assumptions.

For these reasons, although certain capital measures (e.g., Tier 1 capital adequacy) are the subject of prominent focus in the overall risk appetite process, it is difficult to robustly determine an acceptable level of aggregate risks using capital measures alone. This is one reason why, in addition to capital and liquidity measures, leading banks in certain jurisdictions are increasingly using a variety of stress testing processes, as discussed in detail above.

79. While industry practice is clearly still developing in this area of risk appetite aggregation, our investigation has shown that there are certain practices that have proven effective to date. These include:

• All risks should be included in the aggregation process, not just those that are quantifiable, such as market, credit, and liquidity.

• For risks that are quantifiable, comparison of the enterprise-level limit framework to the aggregation of business unit limits—including single name, industry concentration limits or economic and regulatory capital allocation—is an effective and practical measure of alignment.

• Attention to the diversity, quality, and stability of earnings across the enterprise is essential;

• Aggregation should identify areas of excessive risk concentration. In this regard it is also important that when aggregating risk, over-reliance not be placed on a potential diversification benefit. Recent history has proved that in times of crisis, diversification of risk often fails in practice.

• For all risks, the aggregate view of risk posture (as outlined in this paper) is helpful in determining how an organization is approaching risk overall. If, for example, the individual business units are each willing to take on more risk in the coming year, comparison of risk posture at the platform level is a simple cross check to determine if senior management has that same awareness.

• Management and Boards need to feel confident in assessing the results of the chosen stress and scenario tests. It is often more meaningful to present outcomes in concrete terms ("This is what the following scenario would imply for Tier 1 capital . . .") than in more abstract terms ("There is a 1 percent probability of a loss of $X million.")

• Boards need to ensure that there is a robust mechanism for holding the line on risk appetite in light of stress results when faced with inevitable resistance from the business. If the decision is to take no action in response to a stressed scenario, the Board and management should be able to explain fully why this decision is defensible.

• The compliance of stressed outcomes with the boundaries contained within the RAF should be monitored frequently, and the risk appetite and stress testing frameworks themselves should be reviewed at least annually with the Board.
and markets expertise, together with informed judgment, are needed to assess the array of secondary implications for the firm as a whole.

• Results of stress tests need to be linked to key objective variables such as P&L, RWAs, and Tier 1 capital and illustrate explicitly how outcomes for these would comply with risk appetite boundaries through time.

with management, risk management, and the business is crucial in this. The following are the main implications of our investigation for Board members. They are particularly relevant for members of Board Risk Management Committees.

83. Board members need to be properly equipped to engage fully with risk and risk appetite. They need
90. Even the strongest risk culture needs to be supported by effective systems and controls. Board members need to satisfy themselves that the firm has a clear and consistent set of controls and limits that support the objectives of the risk appetite statement and the observance of the boundaries of acceptable risk embodied within the risk appetite framework. Board members should challenge management on the way in which these systems are used to encourage compliance and penalize noncompliance. This may, for example, involve the setting of objective and quantifiable behavioral norms or objectives that can be used in determining remuneration or promotion or, conversely, as the basis for disciplinary action when necessary. The Board may seek input from the CRO in regards to any risk cultural or behavioral issues that the Board should consider in making incentive payment decisions for executives.

91. Boards have a key role to play in the evaluation of stress and scenario test results. Members need to satisfy themselves that the stress tests are conducted rigorously, that the stresses and scenarios strike the right balance between severity and realism, and that the implications have been properly evaluated across all businesses in the group. Boards have a fundamental role in deciding whether risk appetite needs to be revisited or adjusted in light of the results. Board members also need to ask themselves searching questions about their ability to assimilate and respond to low-probability but high-impact scenarios. Many Board members find this very challenging. Boards need to be aware of their limitations in this regard and consider carefully whether these are acting as a brake on effective decision-making.

92. Finally, Boards should subject their own operations and processes to constant review. Every effort should be made to identify, on a continuous basis, areas in which Board procedures have worked well and not so well and to learn from mistakes. There should be an annual review of how the Board interacts with the management and business heads. Overall, the Board should have a formal process at least annually for considering whether and how it has made a real difference to risk management in the organization.

Recommendations for Senior Management

93. Implementation of an effective risk appetite framework is highly dependent on visible support from senior management, including a bank's Executive Committee and business leaders. This includes recognition and acknowledgment that a clear statement of risk appetite helps drive risk and governance discussions, is integral to the strategic and business planning discussions, and provides assurance to regulators and rating agencies that the institution has clear parameters for how much risk it will take on. The following are the main implications of our investigation for senior management:

94. To be effective it is essential that senior management set the tone and lead the discussion regarding risk appetite. Senior management must be seen as taking a leadership role in articulating the importance and benefit of risk appetite throughout an organization. This is an ongoing responsibility and must be continually emphasized.

95. Recognition that risk appetite and risk culture are inextricably linked is important, given that culture derives from leadership and determines inter alia, how middle-level managers assimilate and embed risk appetite.

96. Creation of an enterprise-wide RAF is an iterative process involving the Board, senior management, and risk management staff. At the heart of the process is an ongoing dialogue, and senior management should expect to be challenged by the Board as to what is being recommended, including risk/return tradeoffs and regular close scrutiny and discussion of all aspects of the firm's risk profile under stressed conditions.

97. It is an absolute requirement that the business (and not risk management) take ownership and drive the development of line-of-business risk appetite and profile. It must be recognized that risk appetite does not belong to the risk management staff and is not simply another way to set limits and constrain business. Business unit risk appetite frameworks are the main vehicle for providing guidance and clarity regarding which activities and risks businesses can consider and what would be outside of agreed upon appetite.

98. It is important to recognize that while it is helpful to have an articulation of risk appetite that can be used by the Board and all levels of management, there is no clear need to have the enterprise-level RAF as a document that middle management across the enterprise must use. The critical component is to have a risk appetite framework that helps drive a clear and comprehensive limit structure for the various businesses as well as activities and limits that determine the ability of middle management to pursue and grow specific lines of activity that link back to the enterprise risk appetite framework. Line-of-business risk appetite frameworks should not be
99. Senior management needs to ensure that the risk appe discussion that can frustrate the participants and extend
tite framework includes full consideration of and appro the process unnecessarily. In this regard, it is important
priately reflects business strategy. It is important that the that risk m anagem ent provide the necessary coaching and
Board and the market understand that the senior manage training to facilitate the understanding of risk appetite on
ment takes risks in areas that are central to its key strategies an enterprise-wide basis.
and businesses and that losses in those areas, while not 104. An effective RAF covers all risks, and it is im portant that
positive, are expected and understood as a likely outcome risk m anagem ent work with all stakeholders in developing
in both normal business conditions and under a difficult the right balance of appropriate quantitative and quali
market/stress scenarios. Smaller and more peripheral tative metrics. Recognizing that the appetite for some
businesses by contrast should not be a source of significant risks is more easily quantified than others, it is important
losses. that risk m anagem ent lead the discussion and develop
100. It is im portant that senior m anagem ent understands and ment of desired behavior and tolerances for less quantifi
accepts how the RAF will apply to its activities and impact able risks such as reputation risk.
any initiatives, growth plans, or acquisitions that may be 105. Risk appetite is an iterative process that requires perse
under consideration. The strategic planning process verance. To that end, the challenges faced early in the
must include discussions relating to risk appetite and process are different from those experienced later. A t
profile. W hile risk appetite needs to becom e a fundam en all stages, it is im portant for risk m anagem ent to ensure
tal driver of strategy and of front-line business decisions, it full engagement by all key stakeholders, including the
should be accepted that it will take time and effort to get Board, senior m anagem ent, and risk practitioners.
this to a point at which business unit leaders and risk man
106. A t the same tim e, risk management must allow the busi
agers are com fortable with the process.
nesses to take charge of the process of developing line-
101. Business leaders must ensure that risk metrics ade of-business-level risk appetite statements. This means
quately capture and reflect all material risks of their the business unit leaders them selves, not the em bedded
business. These metrics should be meaningful and pertain risk m anagem ent staff within the business units.
to their key business and risk drivers. Similarly, the busi
107. Risk m anagem ent needs to provide the appropriate
nesses are responsible for putting appropriate controls in
infrastructure and controls to support the ongoing
place to effectively manage their risks, so as to ensure that
maintenance of the RAF. This includes com prehensive
they do not exceed their defined risk appetite.
and tim ely reporting to senior m anagem ent and the
Board to provide clear reference to the current risk profile
Recommendations for Risk Management and to make the fram ework itself both real and relevant.
Ongoing reporting of the firm's risk profile relative to the
102. Developm ent and m aintenance of an effective risk ap p e
agreed upon risk appetite— and how this is changing—
tite fram ework is a shared responsibility, with risk man
and repeated/iterative discussions of the evolving fram e
agement staff playing an essential role in the process. It
work itself, will help to build both "pattern recognition"
is not uncommon for risk m anagem ent to take the lead in
and acceptance of the fram ework as a useful tool.
building m anagem ent support and engaging the Board as
the fram ework is developed. Similarly, the ongoing main 108. Risk appetite needs to be viewed in the context of both
tenance of a robust fram ework is heavily dependent on normal and stress conditions. Risk m anagem ent needs
risk m anagem ent to provide good-quality reporting of risk to be capable of providing both of these perspectives and
metrics to support the fram ework and its application. The facilitating the appropriate discussion at the Board level
following are the main implications of our investigation for with regard to the potential impact on business strategy
risk m anagem ent staff: and planning.
58 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
109. It is critical that risk management engage with the businesses in the strategy and planning process to ensure proper alignment between the enterprise-level statement of risk appetite and those statements created at the business-specific level.

110. Risk management should be the catalyst and conduit for effective discussion of risk appetite between the Board and the businesses by translating what may be at times high-level statements of risk preference into effective risk measures and limits appropriately tailored to each business.

111. Risk management must ensure that the RAF is supported by a suite of risk policies that reinforce and reflect the risk appetite as articulated. This includes a clear understanding of the process for dealing with and reporting transactions that may be approved outside of policy boundaries as well as excesses to approved risk appetite.

112. Education and communication are areas in which it is vital for risk management to participate on an ongoing basis. It is necessary to effectively communicate the key elements of the design, implementation, and maintenance of the risk appetite framework to all stakeholders internally and externally. It also is important that the Board be able to address questions raised by shareholders and regulators alike as to the appropriateness of the nature and quantum of the risks being assumed, both individually and in aggregate, and how senior management is challenged in this regard.

ANNEX I: CASE STUDIES

Developing a Risk Appetite Framework at RBC, May 2011

About RBC

Royal Bank of Canada (RY on TSX and NYSE) and its subsidiaries operate under the master brand name RBC. We are Canada's largest bank as measured by assets and market capitalization, and among the largest banks in the world, based on market capitalization. We are one of North America's leading diversified financial services companies, and provide personal and commercial banking, wealth management services, insurance, corporate and investment banking and transaction processing services on a global basis. We employ approximately 79,000 full- and part-time employees who serve close to 18 million personal, business, public sector and institutional clients through offices in Canada, the U.S. and 50 other countries. For more information, please visit rbc.com.

Initial Planning and Development of RBC's Risk Appetite Framework

Work to formalize RBC's enterprise risk appetite began in 2006, as part of the annual process to benchmark and refresh credit risk and market risk limits. An initial presentation on risk appetite was made to the Risk Committee of our Board of Directors to gain feedback on the approach to articulating RBC's risk appetite, and confirm areas of priority.

Initial statements of RBC's risk appetite were derived from a review of decisions made by senior management and the Board that yielded explicit statements about what risks were acceptable, and what risks we wanted to avoid. We identified to the Board areas we intended to enhance, as well as a plan to develop a comprehensive Risk Appetite Framework. The global financial crisis of 2008 then triggered further prioritization of risk appetite for financial services institutions.

The Chief Risk Officer and Group Risk Management (the risk management corporate function) acted as a catalyst to define and communicate the value of risk appetite. Our Board of Directors was engaged primarily through the Board Risk Committee, and this committee provides feedback and challenges the risk/return tradeoffs implicit within risk appetite. It was understood that our Risk Appetite Framework would be expanded and refined over time, and that we were learning as we progressed through the development process.

RBC's Risk Appetite Framework was created through an iterative process. We faced an early challenge to reach consensus on a single management view of self-imposed constraints or other specific parameters to put forward to the Board for feedback and approval. We gradually gained senior management buy-in, yet had to remain focused on building senior management understanding and acceptance of how the Risk Appetite Framework would apply to the key activities and decisions they faced within their business segments.

Buy-in to the Risk Appetite Framework also had to be built within our Group Risk Management function. We needed to create a forum for the various specialist groups within Risk to shape the framework, and we now rely on these teams to communicate and reinforce the framework.

Central to our framework is the consideration of business strategy, and the concept that not all losses are created equally. This pertains to our ongoing intention to take risks in areas that are central to our key strategies and businesses, and that losses in those areas, while not a positive, are expected and understood as a likely outcome in difficult market and stress scenarios. Smaller and more peripheral businesses by contrast should not be a source of significant losses.
[...] Enterprise Risk Management Framework is our strong risk culture, which is both a prerequisite to and reinforced by risk appetite. Used effectively, risk appetite aligns business strategy, people, processes and infrastructure.

We define risk appetite as the amount and type of risk we are willing to accept in the pursuit of our business objectives. RBC's Risk Appetite Framework provides a structured approach to:

• [...] that guide businesses in their risk taking activities
• Regularly measure and evaluate our risk profile against risk limits and tolerances, ensuring appropriate action is taken in advance of risk profile surpassing risk appetite

RBC's Risk Appetite Framework is composed of four major components:

[Figure: nested diagram of the components of RBC's Risk Appetite Framework. The labels on the diagram itself are Financial, Regulatory and Reputational; the callouts accompanying it read as follows.]

The largest circle represents the regulatory constraints RBC faces. RBC's regulatory constraints are classified as:

1) Financial: tend to be quantitative in nature and therefore easier to interpret. Capital ratios and liquidity metrics are examples of financial regulatory constraints.

2) Other: tend to be predominantly qualitative in nature and therefore require judgment in interpreting requirements and assessing compliance. Examples include maintaining compliance with legislative and regulatory requirements, and adhering to privacy and information security regulations.

The center circle refers to our risk limits and tolerances that we translate from risk appetite:

1) Risk limits are quantifiable levels of maximum exposure RBC will accept. They are established only for risks that are financial and measurable, such as credit risk and market risk.

2) Risk tolerances are qualitative statements about RBC's willingness to accept risks that are not necessarily quantifiable and for those risks where RBC does not have direct control over the risk we accept (such as legal risk and reputational risk).

We communicate risk limits and tolerances through policies, operating procedures and limit structures.

The striped oval represents the organization's risk profile at a given point in time.
A key element of RBC's Risk Appetite Framework is self-imposed constraints and drivers in which we have chosen to limit or otherwise influence the amount of risk undertaken. We have seven key categories of self-imposed constraints:

• Maintain an "AA" rating or better
• Ensure capital adequacy by maintaining capital ratios in excess of rating agency and regulatory thresholds
• Maintain low exposure to "stress events"
• Maintain stability of earnings
• Ensure sound management of liquidity and funding risk
• Maintain a generally acceptable regulatory risk and compliance control environment
• Maintain a risk profile that is no riskier than that of our average peer

For each category of self-imposed constraints we then have a set of quantitative and qualitative key measures. Our self-imposed constraints and key measures are regularly reviewed and updated, and approved by the Risk Committee of our Board of Directors.

Risk appetite and risk profile are effective communication tools. Increased transparency and reporting on these matters has facilitated internal alignment among business and functional leaders, and supports effective decision making. Our enterprise risk profile provides a consolidated view of risk concentrations and deficits to ensure alignment between actual risk exposure and target risk exposure. Our Risk Appetite Framework and risk profile have also been very helpful in conversations with our Board, regulators and rating agencies.

Risk appetite is increasingly integrated into our business strategies and planning processes, so that strategies are developed and approved in the context of risk appetite. We are embedding into our annual strategic planning process analysis of how growth objectives, degree of planned change and "risk posture" may impact business segment risk profile and risk appetite. In addition, our annual process where the Board approves delegation of authorities to management and the associated limit structures is now put forward with direct linkage to risk appetite.

Moving Forward

Our enterprise Risk Appetite Framework is updated at least annually, focused on continued development of self-imposed constraints. For example, we are enhancing constraints pertaining to low exposure to stress events, operational risk and qualitative measures for non-financial risks. Other areas of focus are to create more forward looking metrics, and achieve the right blend of qualitative and quantitative key measures.

Reporting

Risk profile relative to risk appetite is reported quarterly to senior management and the Board of Directors. An Annual Enterprise Risk Presentation is also made to the full Board of Directors. We have found that a comprehensive and balanced set of our most meaningful metrics, connected with external developments, has yielded effective discussion and decision making. Reporting has been a key component in building understanding of the framework and its application.

Success Factors

An important success factor has been strong support of our Board of Directors, Chief Executive Officer, and senior management. Our emphasis on risk appetite as an enterprise priority has been framed and accepted as a critical element to advance our strong risk culture.

Repeated iterations with stakeholders were helpful in gradually building pattern recognition, senior management buy-in, Board of Directors' support, and confirmation of the central components of our Risk Appetite Framework.

[...] elements ("posture," "budget" and "settings," described below) sets out our capacity for taking on risk and the settings associated therewith.

Our current capability, in terms of risk appetite, reflects an ongoing journey over a number of years and will continue to evolve as our thinking develops. As with most large organisations, the pace of change is a function of the ability of the organisation to absorb that change. As such, our strategy for improving the risk appetite has been measured, rather than dramatic, so as to ensure understanding, acceptance and use as we progress. This has allowed us to approach the task with a longer term vision, introduce change progressively, reflect on the responses and then refine our thinking.

The risk appetite framework (RAF) is grounded in:

• strong engagement between key stakeholders, including Board and Executive, in setting the planning envelope for the business; and
• an interactive process over the planning period that sees agreement on the risk reward tradeoffs that are required for the plan.

The framework results in a statement on risk appetite, the RAS, which encompasses:

• a "risk posture" that seeks to qualitatively describe our capacity and willingness to take risk at any point considering the internal and external circumstances and a forward view;
• a "risk budget" expressed as an economic capital limit within which the Group must operate; and
• "risk settings" that express key operational limits.

Through a combination of a framework strongly integrated into the plan, and the production of a RAS as the embodiment of risk appetite, we seek to effectively communicate this appetite throughout the organisation.

Modest Beginnings

The development of our RAS and associated framework has been, and continues to be, iterative. As described below we are currently up to the 3rd generation RAS. Our current capability owes much to the learnings, insights and persistence of those tasked with earlier efforts.

We have been preparing RASs for a number of years and well before it was becoming an explicit regulatory expectation. The RAS was created under the leadership of the Board Risk Committee and the sponsorship of the CFO and CRO. Whilst rigorous and well-grounded in principles of corporate finance, the emphasis was on quantitative risk and capital metrics and not enough on qualitative discussion or actual risk settings, limits and policies. For this reason the RAS remained a centrally managed document with little visibility or traction beyond the Board and Group Executive.

Our "second-generation" RASs set out to respond to these identified gaps by incorporating clear, explicit and detailed risk settings, limits and triggers. The drawback of these RASs was that whilst there was a lot of detail around risk settings, it became inaccessible to readers given its complexity. More important, the Board and the executive felt that the detail made it hard to "see the wood for the trees" and were of the view that links between the RAS and overall business strategy were unclear.

This issue of the lack of strategic relevance for the RAS was compounded by the absence of a fully integrated role for the Risk function itself within the planning process. Whilst Risk had a clear role in matters such as the validation of forecasts on loan loss provisioning or expectations about the movement in asset quality, it had a minimal part in framing the initial risk envelope in which the business strategies and financial plans were to fit.

Why was this the case? Apart from the well-accepted view that Finance "ran the planning process," Risk lacked both a platform to effectively communicate its views and a framework to meaningfully participate in the planning process. In particular, Risk was not successful in identifying a language that readily conveyed its position and views. Unlike Finance, whose language is encapsulated in metrics that are well understood, the language of risk is somewhat opaque and not broadly identified with by those tasked to develop and execute strategy and plan, that is, the businesses. Finding ways for Risk to communicate and engage in planning was thus critical to the development of risk appetite.

On top of all this, responsibility for preparing the RAS frequently changed hands between teams in either Risk or Finance, which made it difficult to establish a long-term vision or change agenda for risk appetite.

Our First Steps: Dedicated Resources and Defining "Risk Posture" Qualitatively

By 2009, we found ourselves at a crossroads. Thinking around risk appetite was relatively basic and the RAS was seen by many as having limited relevance or influence.

Despite our best efforts it focused primarily on economic capital (a measure not widely understood in the business), was prepared after the annual planning and strategy process was complete (hence merely reflecting what was to be done) and was widely seen as uninformative in terms of strategic and business decisioning (and hence of little strategic use).

The Group CRO and the Board Risk Committee continued to push for further improvements in the thinking behind, and delivery of, the RAS, highlighting areas that could be improved to assist the Group in its understanding and application around risk appetite. At this stage, responsibility for the RAS changed hands yet again, and was given to a designated owner within Risk. We created a new position, Head of Risk Appetite, who reported through the General Manager Credit Strategy to the Group Chief Credit Officer. A dedicated risk appetite function was an important step in the journey, taken to lift the relevance and influence of risk appetite concepts and methodology in the Group. For the first time, it had an owner whose principal role was to not only prepare the RAS but to develop our thinking around how best to embed risk appetite into the business.

Given this structural change, the risk appetite team embarked on developing the "third-generation" RAS by starting with a clean slate and spending time thinking more explicitly about what we were looking to achieve.

The challenge was to give life and meaning to risk appetite so that there was one agreed [upon] view that was used and understood throughout the Group.

The major breakthrough was the decision to describe the "risk posture" for the Group, and separately each business unit, in terms of three broad settings linked to directional benchmarks. These settings were qualitative, and conveyed how the Group would position itself over the plan period, having regard to the [...]
This approach to the RAF is shown below.

[Figure: risk posture settings for the Group and for each business unit (labels on the diagram: Business Unit 1, Unit 2).]

[...] plan and provide a framework for thinking about risk mitigation. In addition, because they are described in common language rather than technical terms, they provide a more broadly understood link for those outside the Risk community. This has also allowed for more effective review and challenge throughout the planning process (over some 6-8 months) in order that plan outcomes reflect not only the financial expectations but also the risk appetite. Where they are outside this, adjustments to either the plan or the risk appetite are made.

This integration and the role of the RAF in the planning cycle are shown below in Exhibit 4.1.

[Exhibit 4.1 Risk appetite in the planning cycle. Callouts on the diagram: "Risk Appetite, Financial Plan and Strategy are integrally connected"; "All three communicate risk/reward 'trade-off' to be made, though with different language".]

Having established the role of "risk posture" (a qualitative risk setting description) in risk appetite we have also sought to enhance our thinking around the more quantitative aspects of the RAS, in particular:

• setting a "risk budget" in terms of economic capital; and
• describing operational "risk settings" to further enhance the communication with bankers.

The "risk budget" is described in economic capital terms and sets our maximum risk taking capacity. Reflecting the posture, it establishes a limit in advance on the use of our available risk capital to support business activity. Allocated to the businesses by risk class (e.g., credit, market, operational risk, etc.), it provides a quantitative boundary for planned activity. Actual use of economic capital is then measured against these limits. This approach has served as a trigger to review increased business activity in certain areas where economic capital limits were likely to be insufficient to support the proposed activity.

In the past, economic capital would not have acted as such a constraint as it had always been an outcome of the plans (i.e., the agreed upon plan used "this" amount of economic capital) and as such was not seen as a limit on activity or as a trigger point for a decision.

Having set a "risk posture" (qualitative) and a "risk budget" (quantitative), we then establish "risk settings" to further provide guidance as to the risk tolerances within which the Group should operate. These risk settings are represented by limits, policies and procedures and other setting statements and are more operational in nature. They are at different levels of granularity depending on the messaging required.

[Exhibit 4.2 From risk posture to risk budget and actual risk settings. Elements on the diagram: inputs to posture (risk-taking capacity, confidence in capabilities, expectations for return, regulatory constraints, legacy assets/liabilities); risk settings grouped as limits (industry, country, market, IRRBB, equity, product, liquidity, etc.), processes/procedures (making decisions, product exposure, customer onboarding, training, monitoring) and messaging. Note on the diagram: "Not all risk settings are in the RAS, but all are consistent with it."]

Whilst the framework for the RAS and risk appetite was evolving, we were conscious that communication through to bankers remained a challenge. The language of the RAS is targeted at the Board, Executive and Senior Management. Beyond this, the language is less appropriate for day-to-day activity. Notwithstanding, it is clear that effective communication to bankers needs to occur in some form if the RAS is to fulfil its role of "Board to Banker" understanding of risk appetite. [...] of the business. Whilst these clearly need to align to the RAS, they provide more latitude to effectively communicate to a broader audience. Although some progress has been made, this remains a work in progress.

Lessons Learned: Successes and Challenges Along the Way

The developments described above have been interactive with enhancements to both the RAS and the framework occurring as we progressed. In the course of our journey, the absence of an "off the shelf" solution has meant we have spent significant time discussing what works and what doesn't. Our approach has always been to demonstrate ongoing steady improvement rather than coming up with the "complete solution." Given the uniqueness of the issue, the multifaceted nature of the challenge and the relative interest and needs of stakeholders, we have concluded that this is not achievable. Rather, ongoing development and refinement will lead to better outcomes.

Against this backdrop, there are lessons we have learnt along the way that have shaped, and continue to shape, our thinking. The things that have led to significant improvement for us include:

• fostering leadership of the debate on risk appetite from the CEO, the CRO and the Board Risk Committee;
• fostering a receptive internal environment. The organisation has worked hard on its culture over time and has a strong emphasis on teamwork, collaboration and enterprise thinking. This, alongside the wake-up call issued to all parties associated with the financial services sector (arising from the global financial crisis and its aftermath), has enabled more sophisticated and planned discussions and analysis on the forward outlook for risk and the environment and our response through posture, appetite and strategy;
• identifying a single, dedicated team with accountability for the RAS and the broader framework has allowed us to attain consistency in approach and provide the impetus for innovation;
• separating discussion of risk appetite into three parts, each of which is linked but serves a different purpose: risk posture, risk budget and risk settings;
• integrating the risk appetite and RAS with the strategic and financial planning process;
• increasing the dialogue with the business units around their view of risk posture;
• delivering three RASs to the Board with the cycle and content linked to the planning process. This has allowed for more regular Board discussion on risk appetite and has reinforced the link between risk appetite and the business strategies and plans. The Board now sees more careful consideration of the implications of proposed actions and activities on the Group risk profile and its relation to the Group Risk Appetite and evidence of risk appetite thinking in its discussions with management;
• supplementing the RAS and associated discussion with risk workshops and targeted risk papers for the Board has assisted the Board in linking risk appetite to the business activities and the portfolios;
• engaging with our Regulator;
• identifying key stakeholders in the business to champion risk appetite discussion; and
• maintaining the ongoing commitment of key stakeholders such as the Board and senior executive.

Most important, we can already say that in the past few years the outcome of a number of material strategic decisions taken by the Group was significantly influenced by the framework described above.

As there are diverse views around the approach to risk appetite (and the RAS) our journey has not been without challenges. Some of the more significant challenges have been:

• balancing the desire for quantitative or prescriptive criteria to define risk posture with the flexibility and generality that qualitative, "principles-based" definitions provide. We have responded by developing a number of quantitative metrics which are "indicative" of risk posture whilst avoiding the trap of attempting to define it formulaically.
• choosing the appropriate metric for each application. For example, economic capital is the metric for risk "budgeting" across the Group, but other metrics are more useful for other applications, such as exposure limits, trading desk limits, industry or country credit exposure limits, etc. Our response has been not to promote a single all-encompassing risk metric but rather to identify the most appropriate risk metrics for each purpose.
• whilst used as the measure of risk budget, the use of economic capital still remains a challenge. We continue to use it given its historic link to past RASs, ICAAP and the fact that most measured risks can be quantified in economic capital terms (albeit there is always debate as to the veracity of the number). Notwithstanding this, most stakeholders still have little engagement with economic capital as a meaningful metric to measure risk performance against. The proper place and purpose of economic capital as a useful tool in the RAF continues to
• never allowing the sole use of "risk adjusted" metrics
results, which is a task that is still a work in progress; and
risk type), with other material risks (such as operational or reputation risk), which are less easily quantified or described. As with stress testing, this is still a work in progress.

Where We Go from Here - Further Increasing the Value of the Risk Appetite Framework

The journey never ends. Whilst we have made progress, we are of the view that further enhancements can be, and will be, made to our RAF to increase its effectiveness within the Group. In recent discussions with stakeholders, including Board members, a range of issues have been identified that would further enhance the impact of the RAS and associated framework including:
• further progressing the discussion around stress testing, scenarios and responses and incorporating this more robustly into the planning process;
• continuing to complement the use of economic capital with consideration of other key measures such as regulatory capital and simple, unadjusted exposure;
• enhancing how the risk appetite shapes portfolios from a top-down perspective, with analysis on why such decisions would be taken—e.g., matching external risks with portfolio shape and defining "where we want to be" from a risk portfolio perspective, not just our limits, budget and tolerances;
• further linking the "return-on-risk" (as opposed to return-on-capital) with the risk appetite;
• using the RAS to further enhance transparency around trade-offs in respect to choices between strategic priorities, investments and risk levels we are prepared to accept;
• continuing to develop the framework for defining "risk setting statements" (RSSs) within the businesses; and
changes in risk appetite.
• fully engaging Risk as key participant in the planning
• continuing to develop thinking around the RAF by engaging with the key stakeholders; and
• seeking ways to broaden the view and understanding of risk appetite so others feel more engaged in its development.

The benefits from the advancement of our RAF and the alignment on issues of strategy, finance and risk have elevated the quality of debate around risk profile and the linkages with the current and targeted risk profile. Our approach has been to develop our risk appetite framework in a manner which meets our organisational needs, reflecting our experiences and our level of maturity. We have taken an evolutionary approach to ensure we bring the organisation along at a pace that will more deeply embed the RAF into our organisational culture and processes. We know that if we pushed the pace of change too rapidly, and without the appropriate engagement and consultation with the business units, our efforts would not be as successful. We know this because we hear and observe many more discussions and debates around risk appetite today than in the past. Our internal culture has aided the development of the Risk Appetite framework and at the same time, the Risk Appetite framework assists in continuing to define, describe and shape our risk culture. The challenge is to remain vigilant to ensure that we continue to learn and adapt our thinking reflecting where we are at and where we want to be. We cannot be complacent.
preservation that spans the full spectrum of risk . . . making risk management a strategic priority shared by all employees. Today, a key aspect of this culture is to be well-diversified across business lines, countries, products and industries. Another key element of the culture is the relatively long tenure of employees. For example, of Canadian-based managers—people in decision-making roles—over one-third have been with the Bank more than 20 years. And the Executive Management Committee's tenure is even longer. Based on that deep experience, senior management has a strong sense for what would be "offside" relative to the cultural norms established over almost one hundred and eighty years;
• Existing limit structures were, in effect, a network of contracts already in place between Risk Management, the Business Lines and the Board on what risks could be taken, or not; and
• Business lines clearly owned risk, complemented by highly centralized decision-making on risk policy setting and significant transactions through executive committees.

However,
• The existing limit structure was complex and not codified in any way that made it straightforward to combine and report the total risk taking activities to the Board; and
• There was no explicit statement of the objectives and principles that governed the Bank's decisions for risk-taking.

Most experts on "risk appetite" acknowledge that the development of a framework should engage senior management in the Risk Management function and in the Business Lines, as well as the Board. However, the biggest obstacle to developing the framework and implementing it can be the lack of consensus on what risks are appropriate for the firm and the extent of controls needed to mitigate the risks. So, when there is broad appreciation of an established risk culture along with specific risk-based contracts already in place between the stakeholders, the task of designing and implementing a risk appetite framework is already well advanced.

Diving In

The first iteration of the Risk Appetite Framework involved selection of existing quantitative metrics (covering Board-approved risk limits, performance targets and capital targets) as key indicators of the Bank's risk appetite and actual risk profile. The indicators were consolidated and incorporated into the Capital Management Policy. By the end of 2008, however, it was evident that a more complete policy was needed.

Development of the next iteration of the Framework focused on a few key areas:
• The context of the Bank's governing financial objectives and strategic principles;
• Articulation of Risk Management principles (qualitative attributes) that would guide the Bank's overall approach in risk-based activities;
• Bringing into focus a limited number of risk measures that were considered essential objective expressions of the Bank's risk profile, along with corresponding target ranges; and
• Establishment of monitoring and reporting structures.

Development of the Risk Appetite Framework was driven by Risk Management in collaboration with a broad range of stakeholders. Finance was a pivotal partner in the work as they had overall management of the Bank's Balanced Scorecard (more recently moved to the Strategic Planning Office). As well, Global Human Resources ensured that employee incentives are linked to performance, and that risk performance is taken into consideration. Engagement of senior management in the Business Lines was a key part of the review and approval process. The Bank's Asset & Liability Committee served as the forum for review prior to presentation to the Executive Management Committee, and ultimately the Board.

The approach could be relatively expedient based on a few factors:
• The well-established risk culture;
• The independence of the Risk Management oversight function; and
• The specific limits to be brought into the Framework could largely be drawn from the network of existing controls.

The Framework that emerged from the discussions had two sides: a qualitative, principles-based component, and specific risk measures in key risk disciplines. More specifically, the structure was underpinned by sound risk governance, followed by the Risk Appetite Framework itself. The use of risk management techniques was considered to be another key component, including the strategies, policies, limits, processes, measurement and monitoring tools which Risk Management implements. These risk management techniques are deployed across the spectrum of risk disciplines covering credit, market, liquidity, operational and reputational risk. Finally, the entire structure is underpinned by the Bank's strong risk culture.

Operationalizing the Framework

With the Framework generally agreed upon, the risk measures were operationalized through quarterly monitoring, including
provide a link between actual risk-taking activities and the risk management principles, strategic principles and governing financial objectives. These measures include capital and earnings ratios, market and liquidity risk limits and credit and operational risk targets.

Figure: Risk Management Techniques (strategies, policies, guidelines, processes, limits, standards).

evolve from reliance on the culture and norms, to embedding the Framework as the more clearly defined and rigorous context for decision-making.

As for "the right balance," there still needs to be linkage between the high-level principles and metrics as expressions of risk appetite at the top of the Bank and the risk indicators and limits deployed at a business unit level. While some measures of credit and market risk have been allocated to businesses, others, including most measures for operational risk, are not easily aggregated, nor divided. As such, the Bank (and the industry) continues to work at an effective way to link certain "top of the house" measures with business specific risk performance measures.
• The risk-taking boundary—specific boundaries (expressed in both quantitative and qualitative terms) for major risk drivers, together with expressions on how particular risk types are controlled.

Having an appropriate "Risk Culture" is viewed as absolutely key to effective risk management. The RAS sets down a high-level statement of intent with regard to risk, i.e., what we stand for in risk terms (e.g., the business, not Risk, manages and owns the risks), and the expected behaviours of employees with regard to risk. The aim is to ensure that the right people own the risk and support the desired risk outcomes.

The approach to defining the culture was no different to the other content in the RAS—we asked the Board questions about the culture and behaviours they expected and then drafted content that we thought reflected their responses. The result was a single page containing around 10 cultural and 6 behavioural principles relating to risk, which was edited based on Board responses to it. Examples of the types of topics that we cover are the need to understand and appropriately price for risk and a culture where it is safe to call out mis-management of risk by others.

In order to embed the desired culture there was a need to link it to the remuneration system and this has been addressed in two main ways:
• The Board asked, as one element of aligning with the regulator's requirements, that risk management opine on compliance with these principles for their consideration in setting executive incentive awards; and
• The Group's internal staff performance review system opens with the requirement to consider whether an individual's key performance has been achieved by operating within the culture and boundaries of the Group's and the relevant business units' RAS.

The risk-taking boundary includes qualitative expressions of "risks to which the Group is intolerant" together with more quantitative limits for key financial outcomes for the Group.
exposures/outcomes that we do not wish to experience but recognise are not 100% preventable. Where they arise the RAS commits us to take rapid and comprehensive action to minimise the chance of reoccurrence.

Having developed the content of the Group RAS with the Board, an important second step was to validate the alignment of the existing Group-level risk policies, and in particular the limits contained within those policies, to the RAS. These policies complete the definition of the overall risk appetite. The RAS metrics are now one of the key drivers of the limits that are included in risk policies, for example, the counterparty, industry and country limits within the credit concentration policy framework.

Cascading of the Risk Appetite

By necessity, the Group-level risk appetite is high level and requires translation into more specific and meaningful terms for a particular business unit.

The approach to this was to make the head of each business unit—not the Chief Risk Officers of the business units—accountable for developing an equivalent RAS for their business unit. The RAS would need to be both aligned with the Group risk appetite and specific to the characteristics of their businesses. This responsibility was an important part of the cultural change, with the business themselves rather than Risk Management being responsible for the risks being taken on and for their outcomes.

Board members read these documents to test their specificity to the activities of the business unit, and also as a lens through which to view the strategies presented by businesses.

Figure: Bedding in RAS requires cascading (principles; supporting limits).
day-to-day decision making on the front line. Business units are developing risk parameters for lower level portfolios/products that will translate the limits/principles established in the Group and business unit RASs into meaningful limits for staff working in these areas. This will allow a more granular inclusion of RAS consideration into performance assessments and incentive payment outcomes.
• There has been some initial reluctance by some business units to set the hard quantitative boundaries required to help define risk appetite. This may be partly due to the presence of a formal policy limit setting framework, plus a previously held view that once set, RAS quantitative boundaries would be difficult to change. (The Board actively assists in this matter by engaging on proposed changes out of cycle to the annual RAS review process.) Further work is needed to include more specific quantitative boundaries for these businesses.
• Further development is ongoing in adding clarity to business unit RASs and strategies so that they become more overtly complementary and aligned.
• The incorporation of stress testing outcomes into the contextual setting of risk appetite is an area that we continue to develop.

Summary of Key Lessons Learned

As the risk appetite has been developed a number of lessons have been learned, the foremost of which include:
• Without sponsorship from the top it is difficult to get traction in developing a risk appetite framework.
• Without a clear conceptual definition of risk appetite there are many confusing and ineffective discussions about risk management and we fail to get business buy-in to the framework.
• The conversations around risk appetite are equally as important and beneficial as the actual Risk Appetite Statement document produced from them.
• Culture is a fundamental part of risk appetite and is key to the success of embedding risk appetite in the organisation. Taking the time to craft descriptions of what risk appetite the Group and business units have for variance in risk culture breathes life into risk culture.
Learning Objectives

After completing this reading you should be able to:
• Describe challenges faced by banks with respect to conduct and culture, and explain motivations for banks to improve their conduct and culture.
• Explain methods by which a bank can improve its corporate culture, and assess progress made by banks in this area.
• Summarize expectations by different national regulators for banks' conduct and culture.
• Describe best practices and lessons learned in managing a bank's corporate culture.

Excerpt is reprinted from Banking Conduct and Culture: A Permanent Mindset Change, by the G30 Working Group, 2018.
INTRODUCTION

This year marks the tenth anniversary of the 2008-09 global financial crisis, an event that put banking culture and conduct under the global spotlight. In the previous installment of our series of reports on this topic, Banking Conduct and Culture—A Call for Sustained and Comprehensive Reform (2015), we put forth a set of recommendations for banks, their boards and management, and supervisors, and promised to provide an update on the progress major banks have made in implementing our recommendations. This report provides that update.

We focus on two fundamental questions: (1) How much progress has the banking industry made in culture and conduct (Box 5.1) since the financial crisis, particularly since our last report?, and (2) Where do we go from here? That is, in what areas should banks continue to press on, and what evolving questions should

Figure (panel titles): Inputs; Bank History; Outcomes.
they be mindful of going forward?

To address these questions, we interviewed a significant number of CEOs, board members, and senior executives at major banks across the globe, as well as insights from Oliver Wyman's global practice.

Over the last decade, bank culture and conduct have received increased attention from bank management and their supervisors, clients/customers, and investors. Supervisors, regulators, and governments globally have increased scrutiny of culture and conduct issues; since the financial crisis, the banking industry has paid an estimated US$350 billion to US$470 billion1 in penalties (including fines and litigation/settlement charges) for conduct-related matters, evidence that these so-called soft people issues can significantly impact the bottom line. Both institutional clients and retail customers are becoming more focused on bank conduct and culture, driven by highly publicized cases of conduct failures. Senior executives and board members are increasingly expected to demonstrate that conduct risk is understood and managed, and that appropriate discipline and culture are being reinforced.

As a result, banks have invested significant effort in improving their culture and conduct. With increasing appreciation of the scope and scale of culture and conduct issues, banks have instituted many changes focused on improving their culture and conduct. These efforts span both formal and informal measures and include:
• Refinement and/or re-articulation of bank purpose and values, with subsequent establishment of extensive communication and training programs
• Heightened engagement at the board level on conduct and culture issues
• Modification of compensation and performance management schemes to incorporate not just financial results but also behavioral considerations
• Systematization of the roles of second and third lines of defense in culture and conduct, and a push toward greater ownership of these concerns by the first line
• Changes to business processes, including new product approval and product governance, revised pricing approaches, improved whistleblowing mechanisms, and review of questionable market practices in trading and hedging, all of which are signs that the conduct agenda is beginning to cascade down to the way business is done.

Figure 5.2 Edelman Trust Barometer results by industry sector, 2006-2018. (Line chart of trust level by year, 2006 to 2018; series: Banks, Consumer goods, Media, Automotive, Energy, Health care, Technology.)
Source: Edelman Trust Barometer Archive.
Note: Trust level results are distinguished between two populations: "Informed public" (ages 25-64, college-educated, in top 25 percent of household income per age group/country), and "general population" (all population ages 18+). Due to differences in publicly disclosed results by Edelman, years 2006-2011 of this figure show informed public results; years 2012-2015 show a blend of informed public and general population results; and years 2016-2018 show general population results.

Despite these efforts to improve conduct and culture, the banking industry still suffers from a negative reputation, and trust still needs repairing. According to the Edelman Trust Barometer, the banking industry historically ranked among the most highly trusted industries since the end of World War II; however, trust declined precipitously during the financial crisis, and today remains low compared to other industries and far from recovering to precrisis levels, as shown in Figure 5.2.

The ongoing stream of conduct scandals, ranging from lapses in customer protection to anti-money-laundering deficiencies to manipulation of market benchmark rates to rogue traders, has called attention to the intimate link between conduct and reputation and continues to take a toll on the banking industry's reputation. The broad spectrum of topics and

1 Sources: Conduct Costs Project, Good Jobs Project, Oliver Wyman analysis.
Note: AML = anti-money laundering; BBSW = Bank Bill Swap Rate; ETF = exchange-traded fund; EU = European Union; FX = foreign exchange; IPO = initial public offering; LIBOR = London Inter-bank Offered Rate; 1MDB
the reputational overhang can live on long after the misconduct occurs, sometimes even after the specific issue has been addressed. All this shows that while trust and reputation are easy to lose, rebuilding it is much more difficult. Even as banks continue their efforts to become more trustworthy, becoming trusted again will be a slower process.

Banks cannot afford to be complacent about their trust and reputational problems, especially in light of emerging competition from alternative providers. As Bill Gates presciently put it nearly twenty-five years ago, "banking is necessary; banks are not." Banks have a small window to figure out how to manage culture and conduct and regain the public's trust. Without earning trust every day, the continued survival of banks is at risk from displacement by new industry entrants, a growing list that includes fintech start-ups, technology firms, retailers, and telecom companies.

In addition to the risk of client attrition, trust and reputational issues may over time also lead to problems in acquiring and retaining talent. For instance, young millennials continue to be turned off by banks' reputational problems and are opting instead

Figure (timeline of bank conduct cases, 2015 to 2018; several bank logos are not legible in the scan). Entries: ING, money laundering (an investigation opened in 2016 resulted in a US$900 million fine for failing to prevent years of money laundering abuse); ABN AMRO, mortgage fraud (mortgage advisors forged client signatures in revised documentation on mortgages); Punjab National Bank, fraudulent transaction (issued fraudulent guarantees for diamond merchant firms to withdraw unsecured loans from overseas branches); ABLV, violated international sanctions against North Korea and bribed a Latvian official to prevent tougher AML rules; Wells Fargo, fraudulent accounts (opened millions of fraudulent savings and checking accounts without customer consent); loan fraud (19 banks granted loans to criminals who illegally pledged gold of low purity as collateral worth US$ millions); Commonwealth Bank, money laundering (negligence led to more than 50,000 breaches of AML and counterterrorism laws); Deutsche Bank, money laundering (failed to prevent a US$10 billion Russian money-laundering scheme, resulting in US$630 million in fines); Commonwealth Bank, unsuitable financial advice (encouraged more than 3,500 clients to undertake risky, inappropriate investments); BSI and Falcon Private Bank, money laundering (bankers participated in and coordinated money laundering activities linked to the corrupt Malaysian 1MDB fund); Wells Fargo, aggressive sales targets (increased overdraft protection amounts and credit card borrowing limits without customer authorization); money laundering (CEO resigns amid probe into a US$200 billion money laundering scheme perpetrated at its Estonia branch); Wells Fargo, "forced" auto insurance sales (sold auto collateral protection insurance to more than 550,000 customers who did not need coverage); Commonwealth Bank and AMP, fees for "no service" (charged thousands of customers for financial advice that was not delivered).
for other sectors, as seen in the changing career destinations chosen by MBA students post-graduation (Figure 5.4). Despite a number of high-profile discrimination lawsuits, banks' efforts focused on improving diversity have been minimally successful, as diverse talent remains deterred by cultures they view as not supportive and attentive to their development and well-being. Further, the shift toward digitization will continue to reveal gaps in banks' technology capabilities, pressuring banks to compete for talent that is already in high demand by other industries.

This and similar trends may spark concerns about potential talent shortages in an industry that is highly dependent on its human resources as a competitive differentiator.

Bank culture and conduct are more important than ever, to repair trust and reputational issues and fulfill the role of banks in society. Sound culture and conduct are critical for banks to be able to play their role in society, and to the stability of the broader financial system. Banks are held to a higher standard than many other service providers given that the services banks provide are viewed by many as a public good that benefits society—that is, intermediating between sources and needs of funds and facilitating transactions throughout the economy—and the effects of failure extend beyond just shareholders, with repercussions for the broader economy. Further, because banking products and services can be complex and difficult to understand, the public expects banks to provide good advice based on expertise and in the clients' best interest.

And yet, many banks that devote considerable attention to their business strategies and actions spend insufficient time thinking about their purpose and the role they play in society. Despite the trending notion of balancing stakeholder needs and the argument that, over the long run, putting the customer first is the best way to drive sustainable shareholder value, short-term trade-offs often confront banking executives, in which doing

2 "Why Diversity Programs Fail," Frank Dobbin and Alexandra Kalev, Harvard Business Review 94 (7) (July/August), 2016.
Figure 5.4 (career destinations of MBA students post-graduation; series: Finance, Consulting, Technology).
what is best for customers may lead to less immediate profit or more immediate cost. In such situations, clarity of purpose is critical to enable executives to resist the temptation of near-term gains, and to make decisions for the long run. Banks must understand, reinforce, and internalize their key economic and social purpose and improve their culture and conduct to fulfill that purpose.

Responsibility for ensuring the organization's ability to balance purpose and profit ultimately resides with the board and the CEO. Under the rubric of culture, as with other aspects of business performance, the board should see it as its key responsibility to set the right tone and reinforce the desired culture, and to oversee the bank's efforts to sustain a healthy culture. In addition to the board, the chief executive should have a comprehensive awareness of the overall tone and know what is happening under his or her watch. An expectation that senior management should invariably be aware of every departure from desired behaviors would, of course, be unrealistic, inappropriately implying a reversal of the burden of proof. But it is a specific responsibility of the board and senior management to put in place robust processes to identify and ensure appropriate escalation of behavioral breaches. Such processes should be designed to be auditable and the subject of regular monitoring by internal audit as a key ingredient of the third line of defense.

Despite significant efforts, many still voice concern about the industry's ability to make profound and lasting change. In our interviews, industry leaders voiced several questions and concerns about culture and conduct:
• Have things really changed? Skeptics wonder whether true change is possible in an industry that maintains large potential upsides to pushing the boundaries, and point to the example of Wall Street in 2017 recording its highest bonuses since 2006.4 In addition, despite banks implementing many process and policy changes to mitigate misconduct, culture and conduct have yet to be fully embedded in many banks in how they do business, and conduct issues are still observed in banks worldwide. Others are concerned about the passage of time dimming the effect of the lessons learned during the global financial crisis, and of the possible return to old practices, especially if interest rates rise, regulation is lessened, and other business conditions improve. As post-global financial crisis regulations are potentially rolled back (in some jurisdictions), firm-level focus on conduct and culture (by the board and senior leaders) must take on even greater importance.
• Potential for culture and conduct fatigue. Especially in some geographies where there has been a long-standing focus on conduct and culture problems, we detected some desire to move on and get on with business. Banks cannot think of culture and conduct as separate from business, or as merely soft or HR-specific issues. They are business, that is, how business needs to be done and the means by which banks can achieve continued success and sustainability. For culture and conduct initiatives to be successful, they need to become internalized as a way of doing business rather than a program that is created and then ignored. Conduct and culture must be understood by all employees.

3 Balancing stakeholder needs with putting the customer first ultimately improves company success, so no trade-off between customers and shareholders should exist.
4 "NYS Comptroller DiNapoli: Wall Street Profits and Bonuses Up Sharply in 2017," Office of the New York State Comptroller, March 26, 2018; http://www.osc.state.ny.us/press/releases/mar18/032618.htm.
BOX 5.3 NOT JUST BANKS

Examples of corporate misconduct are not limited to the banking industry. Other industries worldwide, including manufacturing, automotive, and high tech, have exhibited various forms and levels of misconduct, especially over the last few years. As in banking, the root causes of misconduct stem from poor corporate cultures, inexperienced or self-absorbed managers, weak internal controls, and lack of safe escalation procedures. These have resulted in billions of dollars in fines, criminal investigations and charges, leadership removal, and loss of customers.

Two industries, in particular, automotive and high tech, highlight the similarities in environmental factors also observed in the banking industry, which led to cultural breakdowns and eventually to misconduct issues.

• Automotive: In Germany, in particular, several major incidents of misconduct have emerged from the intentional manipulation of vehicular software to deceive emissions tests. In September 2015, the United States and Germany opened investigations into Volkswagen's/Audi's deliberate rigging of software on 11 million diesel-powered vehicles worldwide between 2009 and 2015, including 600,000 vehicles in the United States, to falsify emissions levels to pass U.S. emissions tests. Investigators further found active approval, engagement, and concealment of this program by the Volkswagen/Audi senior leadership, including then-CEO Martin Winterkorn. Consequently, Volkswagen has faced numerous federal investigations in both the United States and Germany; criminal charges or arrests of senior leaders and managers, including Volkswagen's and Audi's CEOs; and over US$30 billion in recalls, legal penalties, and settlements as of midyear 2018. In addition, German authorities are investigating similar misconduct at Daimler, which faces a potential US$4.4 billion fine for illegal software in some Mercedes-Benz models.1,2 It is worth noting that the German car executives concerned received among the highest bonuses in the country.
• High tech: The high-tech industry has also struggled with many reputational issues, allegations of misconduct, and loss of business due to actions that negatively impact key stakeholders (that is, customers and employees). In addition, the high-tech industry overall has been plagued by extensive accusations of discrimination and mistreatment of female employees. The examples of cultural failings are rampant. During the tenure of its former CEO, Uber's culture had serious faults and resulted in numerous incidents of misconduct, including deliberately undermining its competitors (for example, booking thousands of fake Lyft rides, spamming Lyft drivers), underpaying its drivers, using technology to deceive law enforcement, applying surge prices inappropriately, and stealing trade secrets from Waymo (the Uber example is also an interesting case of social media turning on a company for its decisions/behaviors, and the #DeleteUber movement showed customers voting with their feet).

In December 2017, Apple admitted to slowing the processors on its older generation iPhones, presumably to sell more batteries or new iPhones. Finally, Facebook has demonstrated significant negligence in managing the privacy of millions of its users' data, as revealed in the Cambridge Analytica scandal in early 2018. Personal conduct of senior executives is also under scrutiny; in a one-month period in the summer of 2018, three CEOs in the chip industry resigned or were fired for conduct reasons (the companies involved are Texas Instruments, Intel, and Rambus).3

Cross-industry lessons

Upon examination of other industries that have suffered significant and systemic cultural breakdowns similar to those observed in banking, we identify five characteristics that these industries have in common and that might provide insights into characteristics that lead to greater culture risk.

1. Lack of diversity: Industry homogeneity in backgrounds, education, gender, and racial/ethnic composition remains prevalent and can foster groupthink cultures. Such environments limit the number of challenges or alternative opinions required to effectively mitigate poor business decisions.
2. Presence of dominant companies: A few large, successful players dominate these industries and may lead to deprioritizing culture, given that these companies have been able to attract customers and talent due to their dominant brands.
3. High dependence on specialized skills: High-quality, well-educated candidates with specialized knowledge are critical in these industries. As a result, such individu
als can often take on an outsized organizational role in
(Continued)
86 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Table 5.1 Summary of 2015 Recommendations

Area 1. Fundamental shift in the overall mindset on culture
a. Banks should look at culture and look to achieve consistent behavior and conduct aligned with firm values, as key to strategic success.
b. Banks should reinforce the messages in their actions and in their internal communications.

Area 2. Senior accountability and governance
d. Oversight of embedded values, conduct, and behaviors should receive regular attention in boards' agenda setting, given sensitivity to reputational risk.
e. Board charters should include responsibility for oversight of values and conduct.
f. Boards should build a reputation, values, and conduct risk tolerance dashboard to aid in their evaluation of cultural issues.
g. If the Chair and CEO positions are not split, boards should ensure that the lead independent director spends adequate time in the effective challenge role to the CEO on values and conduct issues.
h. The CEO and Executive team should be highly visible in championing the desired values and conduct, and face material consequences if there are persistent or high-profile breaches.
i. The CEO should ensure that there is a thorough process that reviews the bank's brand and reputational standing.
j. Asset owners and third-party fund managers should tell boards directly that they consider effective governance and accountability to be a priority cultural matter for the firm and investors.

Area 3. Performance management and incentives
k. Compensation and promotion processes should ensure reflection of desired behaviors, including consequences for weak management oversight or willful blindness.
l. A comprehensive set of indicators is needed to monitor and assess the adherence of individuals and teams to firm values and desired conduct.
m. Individual review and assessment of senior executives by the senior leadership and CEO is required.

Area 4. Staff development and promotion
n. Banks should buttress first-line skills and ensure that frontline management and leadership are properly trained in how to conduct judgment-based staff evaluation and deal with identified breaches.
o. Banks should develop programs for staff across all areas of the bank that regularly reinforce what the desired values and conduct mean in practice.
p. Institutions should formulate and implement a system-wide values and conduct evaluation process for internal promotions and external hires.

Area 5. An effective three lines of defense
q. Staff and management in the business (first line of defense) should shoulder the largest responsibility for judging whether behavior is in line with the bank's values and desired conduct.
r. Banks should allocate clear second-line ownership to Compliance or Risk Management functions and ensure that the designated function is on the Executive team.
s. Banks should provide assurance to all employees that reports of wrongdoing in the workplace will be taken seriously and confidentially without reprisal. Banks should challenge the conventional wisdom on legal impediments and ensure that robust penalties and appraisal processes are in place.
t. Staff rotation between control and business functions may be beneficial and help develop the desired firm-wide cultural mindset.
u. Banks should ensure that the third line of defense is robust, has operational independence, is suitably staffed, and has a clear mandate to examine adherence to standards.

Area 6. Regulators, supervisors, and enforcement authorities
v. Regulators should carefully consider the limited effectiveness of promulgating rules related to values and conduct.
w. Conduct-of-business and prudential supervisors can, however, gauge the effectiveness of board and management processes that generate tangible oversight and change in values and conduct.
x. Conduct-related assessment should be embedded into the core supervisory work, rather than developed as an "add-on" task or objective.
and managerial deficit, one regarding Wells Fargo in the United States and one regarding Commonwealth Bank of Australia (CBA). Wells Fargo, considered an industry leader in cross-sell metrics and praised for having successfully navigated the financial crisis, saw a series of high-profile scandals erupt in succession from late 2016 that revealed serious cultural failings such as flawed incentives and excessive sales pressures, a pattern of corner-cutting and unethical behavior, and inaction by senior leadership. CBA, the largest financial institution in Australia and a bank respected for its history of financial success and technology innovations, also underwent a succession of scandals and was found in a 2018 prudential inquiry to harbor critical cultural shortcomings, including a sense of complacency; utilizing only a reactionary approach to exposed risks; insularity; and pursuit of consensus at the expense of constructive challenge and accountability.

In some ways, these cases shook up the industry in each market more than other cases because they were so unexpected; these were institutions with stellar reputations that had weathered the financial crisis relatively unscathed. They were also considered solid traditional banking institutions with a community focus. These scandals proved that conduct issues are not limited to investment banking and can in fact permeate conventional retail and wealth management banking activities. As one senior industry member stated, it is when the institution is successful, growing, and well-regarded that senior leadership must be most vigilant against the "tyranny of success," extreme overperformance vis-a-vis competitors, and the temptation of willful blindness.

Unfortunately, major conduct failures continue elsewhere, further underscoring that this is not predominantly an Anglo-Saxon matter. For example, the Danske Bank US$200 billion Estonia-Russia money-laundering scandal has shown that whistleblowing cannot be overlooked and should always be carefully and swiftly investigated by senior management with the oversight of and reporting to the board. Likewise, a money laundering scandal at ING led to a US$900 million fine earlier this year. The Punjab National Bank US$2 billion fraud has also highlighted conduct and oversight weaknesses in India's state-owned banks. Finally, the reported conduct failure at Goldman Sachs related to 1MDB drives home that a focus on conduct and behavior is essential to all firms.

Mindset of Culture

Since the financial crisis, culture and conduct concerns have risen in prominence at many banks, representing a clear shift in the mindset of culture. Most banks by now have re-articulated their core values (which are unique to each bank, but commonly include concepts such as customer/client centricity, integrity, and internal collaboration) in a Code of Conduct or similar document and have made efforts to repeatedly communicate these throughout their organizations (including implications of personal and company behaviors and expectations related to the firm's values).

Banks have taken various approaches to communicate values throughout their organizations. One CEO personally reviews important bank-wide communications to increase visibility of the bank's values and ensure alignment with the organization's culture. Other banks have set up regular town halls and focus groups to promote dialogue on values and create venues for constructive challenge. A number of institutions have developed interactive training and role-playing to further clarify and entrench the values and expectations.
Despite significant progress in formal intention, frameworks, and communications, the degree to which these values have been embedded in the day-to-day behaviors of employees has yet to be determined. While "tone from the top" is appropriately focused on conduct and culture matters, it is unclear if this has flowed throughout the organization and whether employees at all levels, and especially in the front lines, have fully internalized how this will change how they do business. Much opportunity also remains in working with middle management layers to ensure that tone from above properly reflects the message and intent from the top, and that employees are not in a position where they feel a conflict between what they hear from senior leadership and what they are required to do on a day-to-day basis.

Accurately understanding and measuring changes in culture on the ground remains challenging (especially in large, multi-geography and multi-business-unit banks), and will require banks to continuously monitor whether the formal shifts in their mindset of culture have translated to changes in the day-to-day conduct and behaviors of their employees.

Banks need to ensure that the inclusion of behavior and conduct within their mindset and approach toward business is permanent, and to view the process underway as a fundamental shift in how they do business rather than a program or set of initiatives. Many leaders interviewed shared the concern that as the crisis and scandals are put behind us, the lessons might be forgotten and a return to old practices might occur.

Senior Accountability and Governance

Board Responsibilities and Involvement

With the increased public scrutiny on conduct and culture, and greater expectation for Boards to be fully informed of and involved in such issues, ignorance is no longer an acceptable excuse. In fact, on conduct issues and risk taking, many directors are asking themselves "how do we really know?" and are putting in place measures for greater involvement and insights into the company culture.

The banking industry overall has stepped up board-level involvement on these topics. Prior to the crisis, only one-third of global systemically important financial institutions (SIFIs) had a dedicated board-level financial risk committee,5 and boards rarely (for example, once a year or sometimes even less frequently) dedicated attention to culture and conduct topics, leading to a deficit in expectations and guidance for senior executives on such issues. Today, conduct and culture discussions account for a meaningful share of board agendas, and as observed by industry participants, the increased board involvement represents not just lip service but tangible improvement.

The specific form of implementation varies across banks. Some boards have co-opted existing, more broadly mandated committees (for example, Risk Committees); some banks have newly established dedicated subcommittees on culture and conduct topics; and still others have opted for multiple overlapping committees to exercise joint oversight over these issues.

Our prior recommendation to split Board Chair and CEO roles has been executed to varying degrees. Many U.S. banks persist in a combined role. Wells Fargo notably shifted to a split model driven by shareholder pressure in the aftermath of the conduct failure and scandal, and Citigroup has announced they will continue to split the Chair and CEO roles. While the splitting of roles does not on its own guarantee elimination of misconduct (scandals have occurred in banks with split roles), it nonetheless is good governance practice and facilitates checks and balances between board and executive leadership.

Board-Level Conduct Management Reporting

Developing management and board-level conduct management reporting has been a major area of focus for many banks over the last few years, in response to regulatory and senior management pressure. Many banks are in the process of creating and refining their culture (and often also ethics) dashboards, often leveraging data and information that is already collected across the organization, and now collating and analyzing these indicators through a culture lens for the first time. There is general agreement on the value and importance of such dashboards, though the approaches vary in the type, amount, and granularity of indicators. Results are often examined by a variety of factors including geography, business unit/function, tenure, and employment level, to identify subcultures, discrepancies, and pockets of issues existing today and appearing over time.6

The trend analysis across both leading and lagging indicators has been used effectively in a number of institutions, but many organizations still struggle with shortcomings in their reporting abilities. The challenges reported by banks include:
• USEFULNESS: Conduct and culture reporting in many institutions is a relatively new exercise and will require practice to get right. Many banks are still struggling with how to best use the data and metrics to trigger action or achieve goals of better managing conduct risk. Interpreting the data and translating it into actionable insights is a work in progress at many banks we interviewed.

Monitoring and measurement will always be difficult, but this should not dissuade firms from the exercise, as they can continue to develop and adjust their tools over time.

Modeling Behavior

Banks increasingly recognize the importance of leading from the top ("tone from the top") and the need for senior management to consistently set concrete examples of desired behavior for the organization to follow. While tone from the top can materialize in various ways, a few best practices have emerged in recent years.

First, leaders can ensure that their communications throughout the bank are consistent, clear, and relatable (for example, clearly explaining key decisions, how they fit with the firm's overall strategy and culture, and how the decision is relevant to employees). Second, leaders can demonstrate the desired behavior by living it on a daily basis and exhibiting it in how they act within the firm, with employees, and with customers and clients. Examples matter, and those set by a firm's leadership are key to embedding culture. One CEO set a strong tone early in their tenure by rejecting a business opportunity that was not

Role of Asset Owners and Third-Party Fund Managers in Influencing the Board and Management Focus on Culture and Conduct

• Asset owners and shareholders are beginning to increase pressure on banks with regard to culture and conduct, and in a number of interviews, CEOs spoke about actively engaging key shareholders in a dialogue about their firm's culture. Investors, on the other hand, still feel it is difficult to have a true voice in the process given the diffuse nature of the investor community; that is, they rarely speak with one voice (see Box 5.4).

• The Wells Fargo scandals revealed the extent of increasing investor attention on these topics: not only did they incite vocal reactions from activist investors, demanding improved governance and changes in board membership, but the resulting record US$60 million senior executive claw-backs were made possible by prior activism in 2013 by New York City's pension funds to enable claw-backs in the event of misconduct.7,8

7 "Citi, Wells broaden exec pay clawback policies," MarketWatch, March 13, 2013; https://www.marketwatch.com/story/citi-wells-broaden-exec-pay-clawback-policies-2013-03-13.

8 Clawbacks (especially ones due to public/investor demands) should be seen by the industry as a last resort measure. The industry should strive to achieve effective upfront compensation assessments rather than after-the-fact remediation.
BOX 5.4 THE INVESTOR VIEW

As companies in the banking industry (and in other industries) face increasing conduct issues, and have incurred significant financial costs (fines, lawsuits, lost business), we have seen investors increasingly paying attention to the softer issues beyond financial results. A number of bank CEOs reported to us that they have started engaging directly with large investors to discuss their culture—and the potential impact of strategy on culture and conduct. For the first time, we included interviews with large institutional investors in our report, the key findings of which are described below.

Investors we interviewed care about the culture of their portfolio companies from two perspectives: (a) they look for a board that is independent and strong, while also being appropriately involved in understanding how the business is run; and (b) they look for sustainability, which requires both strong financial results and positive outcomes for all stakeholders, not just shareholders.

Board culture: The investors we spoke with look at the corporate culture but also, importantly, at the board culture. While the two are related, they are not the same. Assessing the board culture enables investors to understand the effectiveness of the board in representing and defending the interests of shareholders. Elements that they look at include:

• Diversity of board members (such as experience, background, and gender)
• Culture of accountability within the board
• Ability to dissent and have differing views from the majority
• "Chumminess" of the board with the CEO.

Investors also assess how well the board understands the culture of the firm and how the culture drives ability to achieve desired results. One investor we spoke with said that while boards have become more involved in discussions with management about culture, many directors are still unable to fully articulate or describe the company culture. From the investors' viewpoint, there appears to be room for improvement in terms of boards' understanding, involvement in, and influence on corporate culture.

Culture as a driver of sustainability: While investors focus on returns, there is an increasing recognition that "soft" factors such as culture can make or break a company. Financial returns are necessary but not sufficient; returns can be wiped out by one event. Culture failures not only lead to hard costs (fines, lawsuits) and financial losses, but scandals and reputational issues put management in a crisis mode, which detracts from their focus on business growth and revenue generation. A sustainable business model must include a focus both on financial results and on addressing the interests and well-being of all stakeholders. As one institutional investor stated: "It is not a choice between profit or purpose—we are long term investors for our clients and that requires our portfolio companies to pay attention to both profit and purpose."

The challenge, of course, is that even today, the markets put significant focus on quarterly earnings, which can lead to business decisions and actions that maximize short-term financial results over other priorities. One institutional investor told us that the market needs to start thinking long term rather than in quarterly results, "but the market is not good at pricing the value of having sustainable results: there is value in good culture and good corporate citizenship but we call these the nonfinancial elements because we don't know how to price sustainability." This investor looks carefully at environmental, social, and corporate governance (ESG)* elements as they believe these provide forward-looking insights. Financial results report on historical performance, but the ESG elements provide predictive insights into an organization's health, and therefore continued ability to perform.

While asset owners have the potential to significantly influence boards and management to focus on culture as a driver of long-term sustainability, the greatest impediment remains the diffuse nature of the investor community and of their interests. Even the largest institutional investors rarely have significant ownership in any one company, and it can be difficult for them (on their own) to influence board/management agendas. Aside from specific scandals that can cause investors to align their interests, shareholders in any one company often have very diverse goals and may seek divergent outcomes. The asset owners we interviewed spoke about the need for the investment community as a whole to better align on the importance of culture and governance as drivers of sustainable financial results.

* Note: The ESG elements are the three main areas of focus in measuring the sustainability and ethical impact of an investment in a company.
Performance Management and Incentives

Many banks, particularly in the UK and Europe,9 driven by recent Financial Conduct Authority (FCA) and European Banking

schemes, and incorporated cultural and behavioral considerations into performance scorecards, most notably at senior management levels. Banks are at varying stages of formalizing these measures, cascading them to middle management levels

9 In Australia, APRA released an updated remuneration framework and set of standards; see "Information Paper: Remuneration practices at large financial institutions," Australian Prudential Regulation Authority, Sydney, April 2018. Specifics on implementation and outcomes are not yet available.
Recent years have seen cases of conflicted remuneration models that incentivize overly aggressive sales behaviors that resulted in harmful outcomes for customers. A number of individual firms have removed sales-focused incentives for frontline staff, opting instead for alternative measures such as those based on team goals and customer satisfaction outcomes. One bank shifted compensation away from paying based on profitability metrics to paying commission based on a service provided to the customer. For the commission to be paid, the client must be aware of and happy with the service (a third party is employed to collect client satisfaction key performance indicators [KPIs]). Another bank shifted to a three-pronged performance evaluation for all staff: (a) performance in job, (b) effectiveness of behavior, and (c) results on personal stretch goals.

This transition in compensation structures has not been without friction, with some banks experiencing initial sales declines, and others needing to experiment with alternative performance measures to achieve the right balance between incenting good conduct and achievement of strategic goals. The changes in incentives will also require efforts in other areas, such as reeducating staff to better assess customer needs and make suitable recommendations, and introducing new service tools and routines for frontline staff.

Another challenge of transitioning from purely results-based compensation to a balanced-scorecard compensation structure is that it requires insight into how employees perform their role. This means that managers must have enough time and management acumen to understand what actions and decisions are required in different circumstances and whether the employee did in fact exhibit these behaviors. Also, because compensation is such a blunt (and limited) instrument for influencing behavior, organizations that value the "how" as much as the "what" need to minimize reliance on compensation as a management tool. Compensation has a role to play, but more important is the role of leadership. One institution we interviewed trains managers to look for real-time coachable moments to drive employee behaviors rather than only ex-post compensation measures.

To be credible, the shift toward a balanced performance management culture also requires willingness and courage on the part of leadership to deal with high performers (from a purely results perspective) who display toxic behaviors. When management unevenly upholds standards of behavior, it sends a powerful message to all team members of what is important in reality regardless of the stated values.

Banks have also become more willing to act on and publicize breaches of conduct, and some have signaled when conduct failures have led to terminations, which, when done, sends a very strong firm-wide message. Whereas in the past poor behavior from a strong producer may have been overlooked, banks today have much lower tolerance for bad behavior and have stated that they are even willing to forego revenue opportunities (for example, withdraw from certain deals or businesses) where necessary in favor of maintaining a strong culture.

Banks are also beginning to weigh the potential benefits of using breach of conduct incidents and terminations as teaching moments, against the potential risks of running afoul of privacy, confidentiality, and employment law. Some banks are choosing to explicitly communicate such narratives, while others rely on informal grapevines and collective consequences (for example, heavier scrutiny of activities) imposed on teams of the offending individual or individuals to spread the message internally.

A number of senior industry executives pointed to the disconnect between regulation and societal expectations on the one hand, and employment and privacy laws on the other. Dealing rapidly and forcefully with egregious breaches of conduct can be difficult, especially in certain jurisdictions with strong employee protection. In the current climate of social justice campaigns and activist investors, ethical and legal considerations need to be aligned.

Staff Development and Promotions

Training programs on conduct and culture have expanded in size and scope at most banks, often focusing on defining specific expectations around behavior and helping employees
understand how abstract values and principles specifically translate into day-to-day responsibilities and expectations. This is a very important element of driving behavior; historically, while banks had value and mission statements, there was very little guidance for employees to translate high-level statements into "what does this mean specifically for me in my everyday job to be able to live up to the expectations of the institution?" Banks are applying a variety of scenario-based/role-playing/industrial theater approaches and using a combination of live and web-based mechanisms to deliver content. As one industry leader put it, "we need to map the culture to the practical," providing actual examples of how the culture must be lived.

Another area of training is around the grey zones where judgment is required. Banking is a complex business where rules and policies are not possible (or even desirable) for every situation. A principles-based culture requires that employees also have the knowledge, skills, and tools to face the multitude of decisions in ambiguous and complex situations where the right answer is not obvious.

At the same time, some banks have seen that the increased level of training on all aspects of conduct can have a numbing effect on staff, where employees start to tune out and training has the opposite effect than intended. It is important to have the right training for the right people at the right time and to target the training and not push everyone through everything.

Conduct screens are also increasingly being applied to promotion and external hiring decisions. Some banks have stepped up their hiring practices to better assess new recruits' alignment with the organization's purpose, values, and expectations on behavior; examples include conduct interview questions, ethical screening, and various forms of personality assessments.

Recent years have also seen active investment in surveillance technology at banks (see Box 5.5), typically beginning
covers people, process, and technology risks, conduct risk can be viewed as an extension of those risk types. The downside is that operational risk is such a broad and still evolving area of risk management that conduct risk may get lost in the fray and not receive the attention it needs.

• More recently, some banks have moved conduct risk management under enterprise risk. This can make sense for several reasons: it is closely linked to reputational risk, it requires a holistic understanding of risks across the enterprise, and it entails significant reporting effort for the board and senior management. The downside is that the enterprise risk teams in many banks may be too small and not have the capacity to undertake oversight of such a pervasive risk type.

Furthering the dilemma on the organizational placement of second line conduct risk oversight is that many institutions do not yet have full clarity on whether conduct, culture, and ethics should be managed as one integrated function or separately. While the industry has not defined one agreed model for second line oversight of conduct and culture, there are two guiding principles that should be observed:

• Whichever function is selected as the responsible second line, it needs to be clear. While all the groups listed above likely have a role to play in the oversight and governance of conduct and culture, there needs to be clarity on roles and responsibilities; that is, which function is taking the lead and which functions are tasked with contributing input (and the type of input) need to be explicitly stated. The risk responsibilities, policies, and appetite statements also need to be aligned.

• Whichever team is given second line oversight and governance responsibility also needs to be given proper power for conduct initiatives to have teeth.

Banks are also starting to further their thinking in terms of the third line's role in the management of culture and conduct. A number of banks have explicitly structured culture audit processes, and in some cases institutions have established audit teams specifically focused on culture auditing.

While second line placement is important for an effective conduct risk management program, most important for the long-term and permanent success of culture and conduct efforts is ownership by the frontline business. Progress has been slow in embedding ownership of conduct risk in the first line, often due to a lack of understanding or experience by first line management and/or the view of culture and conduct as a soft HR issue rather than a business imperative. Due to lack of first line ownership, some banks have seen first line responsibilities slip to the second line, which in turn rendered ineffective the second line's role of independent challenge. This is often due to the lack of clarity on how this risk should be defined and managed. It cannot be overstated that ultimately, ownership and oversight of conduct and culture risk management needs to sit with the board, the CEO, and the heads of the business units. Defining conduct risk, incorporating it into the risk appetite statement, and developing risk identification and auditing processes are all still very much a work in progress. For instance, many institutions are still struggling with the classification of conduct risk: is it its own risk type or a subset of another risk such as operational risk? As with all other risk types (credit, market, operational, and reputational risks), the methodologies and practices will mature over time. Formal risk management routines will need to be agreed and adopted for the effective functioning of the three lines of defense.

Regulators, Supervisors, Enforcement Authorities, and Industry Standards

Regulators and supervisors across the globe have increased attention to and expectations regarding conduct and culture. Examples include:

• UNITED KINGDOM: The FCA has been a driving force, issuing the Fair and Effective Markets Review in conjunction with the Bank of England and Her Majesty's Treasury, and implementing regulations for benchmark rates, foreign exchange (FX) remediation programs, and the Senior Managers and Certification Regime to increase individual accountability and governance via banks' senior leadership.

• EUROZONE: European regulators have dialed up scrutiny of conduct issues, for instance with the ECB/EBA releasing conduct-related guidelines on governance arrangements and remuneration policies, and De Nederlandsche Bank (DNB, the Dutch central bank) conducting examinations focusing on topics such as decision making, leadership, and communication. Further, the ECB updated its Manual for Asset Quality Review in June 2018, incorporating the implications of International Financial Reporting Standard 9 (IFRS 9) and increasing the importance of bank business models focused on investment services. Also, as part of its Internal Capital Adequacy Assessment Process, DNB has stated it will devote particular attention to strategic risks to banks, including the gradual deterioration of a business model.12

12 IFRS 9 was promulgated by the International Accounting Standards Board and addresses accounting for financial instruments. It covers the classification and measurement of financial instruments, impairment of financial assets, and hedge accounting.
BOX 5.6 HOLDING MANAGERS ACCOUNTABLE

First introduced in 2016 by the UK Financial Conduct Authority, Accountability Regimes already cover or will cover many major financial centers and financial business models. These regimes are a direct response to a call to amend professional standards and the culture of the banking sector following a perceived lack of personal responsibility for management failings in the financial crisis.

The UK Senior Managers and Certification Regime (SMCR) introduced a statutory duty of responsibility for a defined set of senior individuals in a firm to demonstrate that they have taken reasonable steps to prevent prudential and conduct failures. The regime has been recognized by many as a key driver of cultural and behavioral changes in senior managers in banking. The SMCR was originally established for deposit takers and later extended to include investment firms and insurers; it focused on clearer articulation of senior roles, responsibilities, and accountability, as well as individual consequences extending to legal prosecution and sanction in the event of breaches by the firm.

Accountability Regimes have since emerged in several other jurisdictions, including the Hong Kong Manager-in-Charge (MIC) regime, effective October 2017; the Australian Prudential Regulation Authority's BEAR (Banking Executive Accountability Regime), effective July 2018; and most recently the Monetary Authority of Singapore's proposed Individual Accountability and Conduct Regime and guidance from the US Federal Reserve Bank.

In designing and implementing these regimes, supervisors need to have a clear view of the intended outcomes of an Accountability Regime, and design a regime that adheres to those outcomes, taking lessons learned from established regimes such as the FCA SMCR. Special attention should be paid upfront to potential unintended consequences, and to designing standards and principles that allow for flexible application where appropriate.

Firms themselves should avoid a pure compliance-based "tick-box" approach when responding to Accountability Regimes and ideally use such regimes as an opportunity to drive and build on strengthening leadership behaviors and overall culture in the organization, ensuring that employees have the resources and support to discharge their duties.

Firms that need to respond to regimes in multiple jurisdictions will need to align on approaches, and navigating the minefield of unintended behavioral consequences will be key for both firms and supervisors.

assessment. As Box 5.6 shows, in recent years supervisory authorities in a number of countries have recognized this and reinforced managerial responsibility for conduct and conduct failures with accountability regimes.

Culture, on the other hand, is intangible and ubiquitous; as such, it requires deep understanding of the strategy, operating model, and values of the organization. In other words, conduct can be assessed as right or wrong, whereas culture is not objectively right or wrong; it can only be assessed in terms of its alignment to the strategy and values of the institution.

In some markets, discussions on conduct and culture have moved beyond individual bank efforts to collaboration across multiple players in the industry, including tools and practices that are shared more broadly. Examples include:

• The Banking Standards Board in the UK conducts an annual assessment across banks on culture and conduct topics, providing participating banks with useful benchmarking on how they are doing relative to peers.

• The Fixed Income, Currencies and Commodities Markets Standards Board has developed actionable standards on behavior and statements of good practice that have been well received by industry participants.

• The Financial Stability Board has since 2015 been coordinating international efforts around a work plan to reduce misconduct risk, most recently publishing a toolkit for firms and supervisors to strengthen governance frameworks. The tools focus on mitigating cultural drivers of misconduct, strengthening individual responsibility and accountability, and addressing the "rolling bad apples" phenomenon.

• The Bankers' Oath in the Netherlands is a legally required ethics statement and code of conduct holding bankers to standards of good behavior. To date, it has been taken by 87,000 Dutch bank employees.16

• The Global Banking Education Standards Board recently announced standards for ethics education and training for professional bankers, with plans to develop further standards in both general banker competency and the capabilities required in credit products.

16 "The Banker's Oath," Tuchtrecht Banken, Amsterdam; https://www.tuchtrechtbanken.nl/en/the-bankers-oath.
1. Managing culture is not a one-off event, but a continuous and ongoing effort that needs to be constantly reinforced and that must become a permanent way of doing business.

2. Leadership always matters; conduct and culture must be embedded from the top down throughout the firm, starting with the board and senior management but also importantly including middle management.

3. The scope of conduct management is shifting from misconduct to conduct risk management more broadly.

4. Managing culture requires a multipronged approach and the simultaneous alignment of multiple cultural levers.

5. Ten years out from the financial crisis, there is strong recognition that a more diverse set of views and voices in senior management will lead to better (and more sustainable) outcomes for all stakeholders.

6. While cultural norms and beliefs cannot be explicitly measured, the behaviors and outcomes that culture drives can and should be measured.

7. Regulation has a limited role in rule setting and mandating culture.

8. Restoring trust will benefit the industry as a whole; as such, industry-wide dialogue and best practices sharing are important elements in the journey toward a stronger and healthier banking sector.

A discussion of each of these lessons follows.

LESSON 1. Managing culture is not a one-off event, but a continuous and ongoing effort that needs to be constantly reinforced, and it needs to be permanent (see Box 5.7). Banks need not only to find ways to keep culture discussions from becoming stale or repetitive, but also to ensure that culture efforts are responsive to potential changes in the desired outcomes themselves as the industry evolves (for example, digitization). This is particularly important as changes to conduct and culture are further embedded throughout the organization. It is also important to remember that culture is not (and should not be) static; it will evolve as the business evolves, customer needs change, and competitive forces shift. As such, the firm must constantly and deliberately adapt culture to align to a changing strategy and business conditions. Constant nudges and reinforcement of expectations are needed in everyday life, as training alone is not enough to shift behavior.

BOX 5.7 LESSONS FROM OTHER INDUSTRIES

Banks can learn from other high-risk, asset-intensive industries that have worked for years to embed responsibility for managing behaviors throughout the organization. Examples include the following.

Oil and gas: Companies have established specific guidance on behavior (for example, Shell's "Life-Saving Rules") that sets clear expectations on acceptable vs. unacceptable behavior. Also, firms use a buddy system to encourage employees, upon observing non-compliant behavior by peers, to intervene with each other without the need to escalate the issue up the management chain. This helps create an environment of trust and psychological safety where employees look after the well-being of the firm and of each other. Banks could consider applying similar approaches to clarify behavioral expectations and foster a speaking-up culture. A speaking-up culture could also mean speaking out to a colleague through mentoring and coaching rather than only via escalation measures.

Medical devices: "Hazard analysis" (also known as risk analysis) is a mandatory step in the design of medical devices, to consider the possible consequences of inadvertent misuse by the customer, and to mitigate those hazards so that the customer is not harmed. Such analyses, applied to banking and other financial products, could help banks think more rigorously about product features, even those commonly taken for granted, and build in appropriate safeguards against potential customer misuse.

Pharmaceuticals: Healthcare professionals abide by a philosophy of "right patient, right medication, right time"* to ensure patient safety and reduce errors in drug administration.** A banking analog of this philosophy (for example, articulated as "right customer, right product, right need") could help guide retail sales staff in recommending appropriate products for customers, reduce mis-selling incidents, and ultimately improve customer satisfaction and outcomes.

* Some versions also specify, for example, right dose, right route, right reason, right documentation, and right response.

** While considered a useful rule of thumb, this is not a foolproof guideline; see "The Five Rights: A Destination without a Map," by Matthew Grissinger, P&T 35 (10) (October 2010): 542; https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2957754.

LESSON 2. Leadership always matters; conduct and culture must be embedded from the top down throughout the firm, starting with the board and senior management but also importantly including middle management. First and foremost, the board needs to be aware of and involved in defining and guiding the culture. The board's role is to define the purpose of the organization and ensure that all business levers are aligned with that purpose. Strategy, communications, policies, processes, and practices must all align with the desired culture, and the board must oversee that alignment.

Senior leaders need to involve middle management to further articulate and reinforce firm values and intended behaviors in their respective areas of oversight. The day-to-day realities of frontline staff are most profoundly impacted by their immediate manager rather than by the CEO or other senior executives. As such, leadership modeling must flow all the way through the organization and cannot only be seen at the senior levels. This is especially difficult for large, multi-geography and multi-business-unit banks. A direct manager who does not model the values of the firm can easily undermine any example or message communicated by the CEO; as such, many banks are shifting away from focusing mainly on tone from the top to tone from above. While the tone and direction of the culture message need to be consistent across all leaders, the message also needs to be flexible enough to be aligned with the different styles of each leader.

LESSON 3. The scope of conduct management is shifting from misconduct to conduct risk management more broadly. Conduct is not just about purposeful misbehavior driven by an employee's desire for personal gain or to meet performance targets (for example, rogue traders); rather, it should be considered more broadly. For example, a bank's decisions (in the form of such things as business targets, product design, and automated processes) can sometimes have unintended consequences and harm clients, customers, and/or colleagues even in the absence of bad intentions. In many institutions, conduct has been defined to include intent, negligence, and failure of judgment. The definition is also broadening to cover all stakeholders, having shifted from only market and customer impact to also include harm to colleagues. In this context, rather than just focusing on how to reduce bad conduct, it may be useful to consider the mirror-image question of how to promote good conduct that aligns with and furthers the organization's purpose and values. It is also important to consider the full potential consequences and implications of all business decisions.

LESSON 4. Managing culture requires a multipronged approach and the simultaneous alignment of multiple cultural levers. Culture is not empirically good or bad, but it must be right for the organization based on its values, strategy, and business model. And the various levers of culture must be aligned with the desired outcomes. Cultural levers include structural elements such as policies, organization, processes, and technology, as well as intangibles such as tone from the top, beliefs, and perceptions.

Embedding culture is not about changing specific cultural levers in isolation, but about achieving alignment throughout: that is, a clearly stated (and believed) purpose that flows into strategy, policies, behaviors, governance models, processes, performance measurement, and incentive schemes. Tone from the top and leading by example are necessary for initiatives to have credibility, but they are not sufficient. Processes and structural elements are also critical for enabling messaging to cascade uniformly and effectively throughout the organization, especially for larger banks. Small changes in everyday decisions ultimately add up to big changes over time. Implications of this lesson include:

• Along the lines of "every organization is perfectly designed to get the results it gets," a bank's various culture elements are a reflection of its true (which may differ from its stated) values and priorities. Banks should think carefully about how each culture element came to be designed, implemented, and perceived in its current form, and make necessary adjustments to ensure that it is aligned with the organization's desired values and priorities.

• Beyond articulating purpose and values, banks need to provide practical, actionable guidance to help staff make decisions. This means clear communication of expectations, and concrete, relatable examples around behavior in real-life situations that employees may face. While values and principles provide direction, on their own they are often too abstract to be directly useful in gray-zone situations. This can be best achieved through tailored trainings across levels and more open communication from senior leadership.

LESSON 5. Ten years out from the financial crisis, there is strong recognition that a more diverse set of views and voices in senior management will lead to better (and more sustainable) outcomes for all stakeholders. Many of the industry leaders interviewed pointed to group-think as a contributing cause of the behaviors leading to the financial crisis and many of the scandals that have occurred since.

Diversity in thinking, problem solving, and leadership styles will help organizations achieve better results through greater questioning, challenging, creativity, and innovation. Diverse leadership teams can also help employees (especially diverse employees) feel safer in raising concerns and escalating issues.

Many leaders stated that their institutions have recently placed greater focus and importance on hiring, retaining, and empowering diverse employees. These leaders recognize that successful, innovative, and learning organizations are ones that are diverse, at all levels of the organization. As one senior industry leader stated, "everything changes for the better when you have critical mass of women in the C-Suite and the Boardroom." But results on this front are slow, and achieving truly diverse teams (especially at the senior levels) will require intentional

Figure 5.5 Percentage of board and Executive Committee (ExCo) members in major financial services organizations who are women. (Line chart: years 2003, 2008, 2013, and 2016 on the horizontal axis; percentage, 0 to 30, on the vertical axis; two series, Board and ExCo, each shown with its interquartile range, 25th to 75th percentile.)
Source: Oliver Wyman analysis of organization disclosures across 381 financial services organizations in 32 countries ("Women in Financial Services," Oliver Wyman, New York, 2016).
There is no silver bullet for measuring and reporting conduct and culture, but several key design principles are critical to building a culture dashboard that provides useful and actionable insights, as shown in Figure 5.6.

The more mature banks in terms of culture and conduct reporting provide the following lessons learned:

• The report should focus on metrics that are meaningful to the purpose and values of the firm. Also important in metric selection is having both leading and lagging metrics: the forward-looking metrics are key to identifying what might happen rather than only reporting on what did happen.

• To be truly valuable, the metrics should be seen over time and analyzed as a trend rather than as a single number or point in time. In addition, the analysis should not just look at individual metrics in isolation but rather assess how the data interact. Metrics from across strategy, governance, HR, service, operations, product, sales, and clients should come together to form the full narrative on culture and conduct.

• The details are critical, and the board and senior management should focus on the anomalies, exceptions, and the tail, given that in the summary view the issues can be buried and lead to a false sense of complacency.

• The report should include commentary and explanation of the data, and the reporting operating model should also include the ability to do further analysis and investigation where needed. With culture and conduct reporting, the metrics do not identify issues per se; rather, they identify where to look for potential issues. The metrics don't tell you what went wrong, they just tell you where to look. In that same vein, as banks refine their approach to selecting and calibrating metrics, they often struggle with many false positives. Getting the right metrics and inferring the right insights will take time and should be piloted and tested over a period of time.

• The reporting should focus on conduct rather than narrowly on misconduct. When banks start down the culture and conduct measurement path, many focus their efforts on misconduct, that is, intentional actions that are clear breaches of policies. However, culture and conduct reporting should also include outcomes driven by unintentional behaviors and unintended consequences, such as flawed product design that does not meet customer needs. Furthermore, to provide a truly comprehensive and balanced view of company culture and conduct, the scope of measurement should cover positive conduct and associated indicators such as employee volunteer hours, employee satisfaction survey results, sustainability efforts, and social impact investments.

• The reporting tool should be flexible and provide the multiple views, levels of granularity, geographic focus, and types of metrics needed to meet the needs of multiple audiences (for example, the board, senior management, business heads, and various second line functions). A number of institutions are starting to develop dynamic web-based reporting views (Figure 5.7).

Figure 5.6 Sample culture dashboard: design principles and indicators. The dashboard (1) has a direct link to firm values and the risk appetite framework, (2) displays trends over time for each indicator, and (3) provides granular results across lines of business. Indicators are grouped by value area (Company landscape; Our people; Customers; Supervisors, regulators, and governments) and tagged as leading or lagging:

Revenue and cost against target: Leading
Efficiency ratio: Leading
Involuntary turnover, by type (e.g., sales practices, fraud): Leading
Sales training completion rates, by type: Leading
Customer complaints by type: Lagging
Number or percentage of products only appropriate for a small subset of customers: Lagging
Percentage of open issues raised by audit: Lagging
Overdue customer appropriateness reviews: Lagging
Number of compliance breaches: Lagging

Figure 5.7 Sample conduct and culture dashboards: board view and detailed view. (The detailed view lists each metric, such as customer complaints, employee turnover, and employee hotline volume and whistleblower cases, with an overall status, a per-line-of-business breakdown across LOB 1, LOB 2, and LOB 3, an open or resolved status with date, and the ability to add an update.)
Source: Oliver Wyman.
LESSON 7. Regulation has a limited role to play given that culture cannot be mandated or defined by rules; that is, good culture cannot be regulated into existence. A number of industry leaders raised concerns related to the potential downsides of overly prescriptive regulation, such as encouraging a box-ticking response, undermining the clarity of the message that culture is a matter for banks' boards and executives, creating a mindset of outsourcing good judgment, and forcing disengagement from activities that may expose banks to future financial penalty. Having said that, regulatory agencies are responsible for safeguarding the safety and soundness of the financial services industry. As such, these agencies cannot be excluded from the dialogue and monitoring.

BOX 5.8 SKILLS AND CAPABILITIES REQUIRED OF REGULATORS

To effectively assess banks and assist them in effecting lasting conduct and culture changes, supervisors themselves will need to evolve in order to be properly equipped with the right skills and capabilities. As one senior industry leader stated, "a supervisor would not undertake the review of a financial model without financial modeling expertise; how can they engage in dialogue and review of culture without the skills in behavioral drivers?"

Supervisory teams should be composed of experienced individuals who understand banks' business models and strategy, and who can engage in judgment-based, forward-looking discussions with boards and senior executives about conduct matters. These teams must be adept at leveraging new types of assessment methodologies and be able to identify potential issues and behavioral outliers in a constructive and well-intentioned manner. Further, supervision of conduct and culture will involve greater resources and time commitment relative to traditional supervisory activities, requiring ongoing dedication, careful planning, and a deeper understanding of each bank's business model and strategy.

Over time, some supervisors may find themselves needing to reassess their internal governance structure, operating model, and rules of engagement. It goes without saying that there should be no conduct issues among those tasked with evaluating conduct. Finally, supervisors should consider leveraging additional expertise from external experts (for example, behavioral scientists and governance experts) to bolster the quality of assessments and strengthen supervisors' knowledge and capabilities going forward.

The industry continues to explore effective approaches to regulation and supervision; while there is not yet a consensus view, agreement is beginning to emerge in some areas, including:

• REGULATION: Regulation can be an effective tool to focus banks' attention on specific and tangible areas of persistent conduct failures (for example, conflicts of interest, risk incentives, and customer protection), in such cases clearly outlining basic principles while leaving room for banks to own and drive the specifics of implementation. The approach of principles-based regulation has recently proven effective in two areas: increasing accountability of senior leadership (the FCA's Senior Managers and Certification Regime [SM&CR]) and aligning remuneration policies to drive better conduct (FCA/EBA guidance on remuneration). Regulatory bodies can also outline requirements in terms of claw-back practices, including defining the appropriate time period for deferrals and clawbacks, which may be too short in some cases today.

The various senior accountability regimes seen in some jurisdictions are one way regulation has impacted bank culture. While the specifics differ, increasingly supervisors are incorporating individual accountability for breaches of conduct in the mandate of their senior management regimes. These are leading to changes in the roles and responsibilities of senior leaders and directors, and are also affecting how banks recruit, appoint, train, and compensate their most senior leaders. They are of course also having a direct impact on the mindset and actions of these individuals and on how they carry out their responsibilities on a daily basis (that is, they are more involved in and aware of the activities and decisions being carried out in their organizations). See Box 5.8 for a discussion of the skills and capabilities required of regulators.

• SUPERVISION: Supervision has an important role in engaging in a dialogue with the industry and holding up a mirror to the institution. Supervisors can ask questions of the board and management to ensure an appropriate focus on culture and conduct topics, and can also share industry best practices and learnings. It is important that supervisors share culture insights that they have gleaned from their work across multiple institutions and in their dialogue with regulatory bodies from around the world.

Supervisors can also help in anticipating future sources of potential misconduct given their broader industry-wide view. Trust, transparency, and open dialogue between banks and supervisors will be critical to allow for this, and to enable early intervention to prevent serious issues before they materialize.

• SYSTEMIC ISSUES: Systemic issues such as the "rolling bad apples" problem cannot be addressed by individual bank efforts and require a collective response across the industry and regulatory/supervisory bodies.17

17 Although this must be done within the constraints of local legislation and employee protection laws.

LESSON 8. Restoring trust will benefit the industry as a whole; as such, industry-wide dialogue and best practices sharing are important elements in the journey toward a stronger and healthier banking sector. The banking industry in major markets should seriously consider mechanisms of collaboration (for example, through industry standards organizations) to develop cross-industry comparisons regarding their progress on culture and conduct. Even though culture is unique to each institution, collaboration and comparisons can benefit the industry by providing banks with a view, considered by some to be more honest than that collected in-house, into their own culture relative to

evaluating their own firm's practices and collaborating with and supporting other banks in identifying changes in conduct and culture.

The Fixed Income, Currencies and Commodities Market Standards Board also provides good examples of behavioral patterns evident in misconduct in its July 2018 Behavioural Cluster Anal-
Risk Culture
A fter com pleting this reading you should be able to:
Com pare risk culture and corporate culture and explain • Describe characteristics of a strong risk culture and
how they interact. challenges to the implementation of an effective risk
culture.
Explain factors that influence a firm's corporate culture
and its risk culture. Assess the relationship between risk culture and business
perform ance.
Describe methods by which corporate culture and risk
culture can be m easured.
Excerp t is Chapter 2 from Risk Culture in Banking, b y A lessandro Carretta, Franco Fiordelisi and Paola Schwizer.
6.1 INTRODUCTION

Studies on corporate culture have been carried out for a long time. Corporate culture has been a popular management tool since the early 1980s and, more recently, an intense activity of research on this subject (arisen from the failure of traditional cultural models) turned cultural explanations into a more valuable asset than a simple matter of "claiming the residuals" (Zingales 2015).

In the last decades, the market saw a clear evolution of the role of banks, passed from public institutions to profit-driven private entities. A new competitive environment, in terms of actors, rules, geography, and products, produced an evolution of corporate culture in banking. In this framework, risk culture can be seen as a subculture with a central role in financial institutions. This Chapter provides an introduction to the concept of risk culture, focusing on its definition, importance, and effects on bank competition and financial stability. It includes an in-depth analysis of the relevant literature and of good/bad practices. This Chapter is structured as follows:

• Definition and measurement of corporate culture and its impact on corporate behaviors;
• Presentation of the scope and alternative definitions of Risk culture;
• Analysis of drivers and effects of risk culture on sound and prudent management of financial institutions;
• Discussion on main challenges in deploying an effective risk culture.

6.2 WHAT CORPORATE CULTURE IS AND WHY IT MATTERS?

Literally speaking, there are many thousands of definitions of corporate culture, all sounding subtly different. Literature often refers to corporate culture as the missing link to fully understand how organizations act (Kennedy and Deal 1982). Culture is the result of shared values, basic, underlying assumptions and business experiences, behavior and beliefs, as well as strategic decisions. Culture is much more than a management style: it is a set of experiences, beliefs and behavioral patterns. It is created, discovered or developed when a group of individuals learn to deal with problems of adaptation to the outside world and internal integration. Individuals develop a system of basic assumptions proven to be valid by past experience. Members of the same group assimilate these assumptions, which become the organization's specific way to perceive, think, and feel in relation to problems (Schein 2010). Organizational culture deals with different approaches. One takes into account external outputs: environmental, architectural, technological, office layout, dress code, behavioral standards (visible and audible aspects), official documents (statutes, regulations, and internal communication), and symbols. Such an analysis is the necessary basis for investigating principles, knowledge, and experiences that guide attitudes and behavior. These aspects reflect the internalized core values of the organization and justify the behavior of individuals. In fact, basic assumptions which underlie actions are often hidden or even unconscious: beliefs determine the way in which group members perceive, think, feel, and therefore, act but are difficult to observe from an outside perspective (Carretta 2001).

Culture is more complex than other organizational variables: it can be extremely effective and at the same time resistant to the need for change dictated by the environment (Fahlenbrach et al. 2012). Culture is, in fact, "what you do and how you do it when you are not thinking about it". If well governed over time, it can be the glue that holds together a company.

Culture has always been considered a key tool affecting corporate behavior, but authors do not agree on how this occurs. Some consider culture as a fixed effect on firm performance, while others argue that it is a variable that can be managed over time. Viewing culture as a variable is a quite recent fact, and several institutions have developed proper management tools and frameworks to measure and manage it.

The discussion is still going on, but, in principle, a culture suitable for being applied to a business formula makes a significant contribution to business performance. A suitable culture implies that people "make use" of the same assumptions and adopt behavior inspired by the company's values; this increases the market value of the company identity. In business, the importance of maintaining behavior consistent with corporate culture needs to be constantly stressed, especially by "leaders", at all levels of the organization. The management should always remind the staff of the underlying cultural contents and their positive impact on individual and organization performance, by setting good example and communication. According to economic literature, culture is a mechanism in such a way that makes the corporation more efficient through simplified communication and decision-taking process. From this perspective, a strong culture has high fixed costs but reduces its marginal costs (Stulz 2014).

The fact that culture can be structured as artifacts, values, and assumptions implies different levels of analysis and assessment. The purpose of analysis requires a specific level of
assessment and the most appropriate methodology. However, researchers should keep in mind that the study of only the visible manifestations of culture is likely to describe "how" but not "why" (Carretta 2001). And as noted by Karolyi, there is a fragility in the measures of the cultural values available to us (Karolyi 2015).

A number of survey methods and metrics are used, among others, by firms to investigate the mind-sets underlying culture (See Box 6.1).

BOX 6.1 MEASURING CULTURE AND CULTURAL PROGRESS: RANGE OF APPROACHES USED BY FIRMS

Employee engagement and culture survey

Most firms use annual employee engagement surveys, supplemented by culture and climate surveys or modules added to the regular engagement survey.

Customer perceptions and outcomes

According to some firms, the real test of culture consists in the outcomes it generates. The focus is particularly on customer satisfaction scores, while other firms even try to test outcomes (e.g., mystery shopping or regular online panels of customers).

Indicator dashboard

Several firms use a range of indicators, sometimes consolidated into "culture dashboards", including:

• Customers: satisfaction scores, complaints
• Employees: engagement scores, speaking up scores, turnover, absence rates, grievances, use of whistleblowing lines
• Conduct and risk: conduct breaches, clawbacks, material events, and escalations

Validation

Firms use a range of methods to validate progress or performance and confirm understanding:

• Consultancy firms' benchmarking exercises
• Other external benchmarks
• Internal Audit assessments
• Triangulation across various data sources, e.g. staff and customer surveys

Source: Adapted from Banking Standards Board (2016).

In academic literature, there are some relatively well-established approaches to measuring culture. Qualitative methods are the ethnographic analysis and the case study, which allow an in-depth investigation, but at the same time limit the comparability of results. According to Schneider (2000), direct observation is the only way to understand culture, since many of its aspects are silent. In addition, people within an organization are not aware of how many assumptions affect their behavior and take for granted that it applies to everyone in the sector. Furthermore, cognitive beliefs of researchers may influence their evaluation capacity. As a consequence, a problem of objectivity prevents the possibility for other researchers to replicate the analysis and confirm its results.

On the other hand, quantitative methods use standardized approaches of analysis through statistical tools. These methods do not provide in-depth observations but are more objective and allow the comparison of different situations.

The goal should be to create a homogenous method within organizations or groups of intermediaries, capable of reflecting the needs of companies and of the environment. This would result in a comparable approach compliant with the regulatory environment. Quantitative methods have been primarily used to evaluate culture indirectly, by observing developments in risk governance and the link between risk governance and the company's risk-return combinations (Ellul and Yerramilli 2013; Lingel and Sheedy 2012; Aebi et al. 2012).

A new and dynamic environment, in terms of actors, rules, geography, and products has produced an evolution of corporate culture in the banking sector. In the last century the market saw a clear evolution of the role of banks, passed from public institutions to profit-driven private entities. For some countries, this shift was very difficult and driven by an incisive, market-oriented intervention by regulators, especially in Europe, where the final goal was the creation of a common market. Prudent regulation has increased the range of banking services offered and, indirectly, competition. In order to prevent excessive risk-taking, the Basel Committee has promoted the "self-regulation" of intermediaries, setting up a system of internal controls and a new compliance function. The new culture of supervisors is based on the collaboration with banks and this relationship may have positive effects in terms of bank performances (Carretta et al. 2015). The financial behavior of families and firms, traditionally the main banking clients, has also undergone rapid changes. Family propensity to save has decreased. Families today tend to invest more in financial instruments inside or outside their home countries, while firms are adopting new forms of financing, by acting directly on the capital markets.

These underlying shifts demonstrate the importance of studying the effect of corporate culture on banks' performance and
BOX 6.2 RISK CULTURE DEFINITIONS

Risk culture can be defined as the norms and traditions of the behavior of individuals and of groups within an organization that determine the way in which they identify, understand, discuss, and act on the risks the organization confronts and the risks it takes (Institute of International Finance 2009).

«A bank's norms, attitudes, and behavior related to risk awareness, risk-taking and risk management and controls that shape decisions on risks. Risk culture influences the decisions of management and employees during the day-to-day activities and has an impact on the risks they assume» (Financial Stability Board 2014; Basel Committee 2015).

«Risk Culture is a term describing the values, beliefs, knowledge, and understanding about risk shared by a group of people with a common purpose, in particular, the employees of an organization or of teams or groups within an organization» (Institute of Risk Management 2012).

«Barclays risk culture is the set of objectives and practices, shared across the organization, that drive and govern risk management» (Barclays PLC).

«Number of levers are used to reinforce the risk culture, including tone from the top, governance and role definition, capability development, performance management and reward» (Lloyds Banking Group).

«Risk culture is characterized by a holistic and integrated view of risk, performance, and reward, and through full compliance with our standards and principles» (UBS).

«It can be defined as the system of values and behavior present throughout an organization that shapes risk decisions. Risk culture influences the decisions of management and employees, even if they are not consciously weighing risks and benefits» (Farrel and Hoon 2009).

«The behavioral norms of a company's personnel with regard to the risks presented by strategy execution and business operations. In other words, it is a key element of a company's enterprise risk management framework, albeit one that exists more in practice than in codification» (Smith-Bingham 2015).

«Risk culture encompasses the general awareness, attitudes, and behavior of an organization's employees toward risk and how risk is managed within the organization. Risk culture is a key indicator of how widely an organization's risk management policies and practices have been adopted» (Deloitte Australia 2012).

Concluding, RC is composed of underlying assumptions and the way they turn into norms, values, and artifacts. Not all assumptions are relevant, but only those about risk or, more precisely, those that affect «the way in which they identify, understand, discuss, and act on the risks» (IRM 2012). So, RC is related to «risk awareness, risk-taking and risk management, and controls that shape decisions on risks», which act at all levels of the institution «during the day-to-day activities and have an impact on the risks they assume» (FSB 2014).

6.4 RISK CULTURE: DRIVERS AND EFFECTS

First of all, RC depends on national culture and environment. As far as culture is concerned, some countries are more homogeneous than others, even though sometimes, areas having a similar culture are part of different nations. Despite these limitations, comparing national cultures is still a meaningful and revealing venture and has become part of the main social sciences. Research by Hofstede has shown that national cultures differ particularly at the level of habitual, unconscious values held by the majority of a population. According to Hofstede, the dimensions of national cultures are rooted in our unconscious values. Provided that these values are acquired in childhood, national cultures are remarkably stable over time; changing national values is a matter of generations. Instead, practices change in response to the changing circumstances: symbols, heroes, and rituals change, but underlying values are largely untouched. For this reason, differences between countries have such a remarkable historical continuity.

Similarly, culture is very much a product of the environment (Lo 2015). The International Monetary Fund has published empirical evidence covering about 50,000 firms in 400 sectors in 51 countries, according to which firms operating in countries characterized by lower aversion to uncertainty, greater individualism and sectors with a strong opacity of information such as the financial world have a more aggressive risk culture, and "even in a highly-globalized world with sophisticated managers, culture matters" (Li et al. 2013). Furthermore, these aspects will be discussed in the following subsections: the impact of regulation and its underlying culture (Carretta et al. 2015), as well as supervision pervasiveness of a company's risk culture (Power et al. 2013). In the financial system, supervisors and supervised parties can collaborate in order to improve the culture of risk, fully aware that it is a sensitive area requiring time and resources (Senior Supervisors Group 2009; Group of Thirty 2008).

Culture directly impacts on corporate risk-taking not merely through indirect channels such as the legal and regulatory frameworks (Mihet 2012).

Risk culture also impacts on characteristics and behavior of a firm and at the same time is an expression of them. Over time (Fahlenbrach et al. 2012), it can regulate the possibility for
businesses to adapt to the changing environment, but it may also change if it is no longer able to solve an organization's problems (Richter 2014). Therefore, it will only affect the role of risk management in the organization; even in case of highly sophisticated and formalized risk governance, risk culture is still in charge of deciding which rules and behavior are important (Roeschmann 2014; Stulz 2014). As a mechanism of control over behavior, risk culture can impact on results, and if it is strong and in a stable environment, it can become more persistent over time (Sorensen 2014).

The organization is perhaps the "elementary unit" for the analysis of culture (Carretta 2001) and risk culture, but the individual is the unit in terms of personal integrity and propensity towards risk. High levels of perceived integrity are positively correlated with good incomes, in terms of higher productivity, profitability, better industrial relations, and a higher level of attractiveness to prospective job applicants (Guiso et al. 2015), but individual behavior appears to be influenced by both context and professional identity which, once more, confirm the key importance of the organization (Villeval 2014).

Obviously, risk culture can appear in different forms as subcultures, or even conflicting countercultures, in the following areas: type of risk (i.e., credit or market), business functions and families in which it develops, prevailing business models, roles in bank's overall corporate governance (i.e. shareholders, board of directors, management, and auditors).

Subcultures may exist depending on the different contexts within which parts of an institution operate (See Box 6.3). However, subcultures should adhere to the high-level values and elements that support an institution's overall risk culture. A dynamic balance is required between the value generated by the differences in risk perception and that generated by a unitary risk approach.

6.5 CHANGE AND CHALLENGE: DEPLOYING AN EFFECTIVE RISK CULTURE

Risk culture is not a static thing but a formal and informal process continuously repeating and renewing itself. Risk culture, as well as corporate culture, evolves over time in relation to the events that affect an institution's history (such as mergers and acquisitions) and to the external context within which it operates.

Building a sound risk culture is a collective process, not simply a matter of improving technical skills. Risk culture shall be a part of a business and not simply of the supervision, which is not necessarily a good proxy. Therefore, it concerns decisions and actions on a daily basis, such as the way information is shared,
the people being asked, when something went wrong, the capacity to represent risk inside the organization and the understanding and correct use of documents. It also includes what "worked" in the past. With the changing of both external and internal conditions, culture too changes along with a strategic change (See Box 6.4). Obsolete business culture is an obstacle to improving performance.

BOX 6.4 "USING" CULTURE

Although its influence on firm behavior has long been clear, culture has only recently been discovered as a dependent variable of planning by management literature. In theory, culture suited to the type of enterprise can make a significant contribution to firm success. This means that people "make use of" culture, that their behavior is inspired by company values, and that they have communicated company values to the market, emphasizing the positive aspects of its culture (Hofstede 1983). It is necessary for the "bosses" at all levels to continuously emphasize the importance that behavior adheres to company culture, repeat and strengthen its basic contents and remind people that it has a positive impact on people and company performance.

The Group of Thirty (2015) states that culture and behavior in today's financial systems and institutions are inadequate. An important finding is that a suitable culture, with particular regard to risk, is not a critical success factor but is displayed only to meet the expectations of a public, customers or norms at particular times. It is not central to governance organs or senior management. It is not sufficiently rewarded in performance management and does not feature in bank personnel training. It does not dialogue with the three lines of risk defense (business, supervision and risk management, auditing). In the United Kingdom, the Banking Standards Board has been set up by seven big banks in response to the findings of a Parliamentary Commission. The Board aims to raise and spread behavioral standards inside the British financial system, thus contributing to the continuous improvement in bank behavior and culture.

The main changes since 2008 in the risk culture scenario are enforcement in legislation, growth of the risk function, introduction of balanced scorecards replacing sales staff performance indicators, shift in focus from compliance to conduct, and culture becoming a board issue (Cass Business School 2015).

So how can a renewed culture be fully developed and spread in a bank today?

Theory and cross-industry experiences clearly demonstrate that three mechanisms are critical for achieving the cultural transformation of the banking sector. (1) Changing the culture of a complex organization like a bank is possible, but difficult and requires the awareness of the need for change, many resources, and a long time. In fact, relationships between management actions and culture are not necessarily linear, as there are multiple, complex issues relating to proportionality and accountability of individuals versus institutions that require consideration by enforcement agencies (Group of Thirty 2015). A major improvement in culture can be secured by focusing on values and conduct, which are the building blocks of culture. (2) Change necessitates a systemic approach to all subjects involved, by taking into account their mutual roles. A sustained focus on conduct and culture shall be carried out by banks (board and management), and the banking industry. All is needed to make major improvements in culture within the banking industry and individual institutions (Group of Thirty 2015). Addressing cultural issues must of necessity be the responsibility of the board and management of firms. Supervisors and regulators cannot determine culture, but the former has an important monitoring function. (3) In order to be successful, the new culture has to be profitable and create real value for all subjects, institutions, and individuals which present forms on their own motivations explaining their possibly diverging behavior (Lo 2015). The effect of all this should be the creation of a competitive advantage for firms with better cultures and conducts, with respect to client reputation and the ability to attract staff and investors. Banks will only succeed if they accept that culture is core to their business models and if they decide that fixing culture is key to their economic sustainability (Dickson 2015).

The assessment of a bank's risk culture and the perception of its possible distance from a culture that can be considered adequate to context, business model, and government requirements are matters for the individual bank according to its characteristics. In fact, there is no doubt that risk culture is widely inadequate today and that there is a need to move from "form to substance". The attitude "I have complied with the regulations" needs to be replaced by "I have done everything possible to prevent and resolve problems". Just because it is legal it does not mean that it is right (See Box 6.5).

A process of cultural change is ambitious as it involves many players. It is the case that bank shareholders, management, bank staff, parliament, government, legal system, supervision authorities, media, education system, and customers are responsible for the current unsatisfactory situation to various degrees. What matters today is that all these forces are involved in a common effort to promote a new banking culture shared by both banking authorities and clientele. And, importantly, banks themselves shall play an active role in this new cultural change.

Risk culture is a sensitive area and cannot be dealt with on the single dimension of lowering risk propensity by strengthening
supervision. The most fundamental issue in the risk culture debate is the trade-off between risk-taking and control (Power et al. 2013).

As reported in the Financial Times, the CEO of UBS recently commented that: "Mistakes are ok . . . try to eliminate all risk taking and threaten to punish all mistakes and the ensuing culture of fear will limit the pursuit of legitimate business." The controversy caused by these comments showed that seeking to completely eliminate risk, which after all underpins all financial intermediation, is unrealistic. Instilling into the personnel the fear of making mistakes can only lead to immobility. In the context of a robust and sound culture of risk, mistakes are a management tool and need to be explained in detail for a correct balance between risk-taking and the maintaining of an appropriate level of control. "Bad apples" in a bank shall not be allowed to take the blame for specific behavior which reflects a weak risk culture. Rather than a lack of personal integrity or a "natural" tendency towards dishonesty, non-compliant behavior is, in fact, the outcome of exogenous environmental and company factors which deform the sound conversion of individual values into behavior and actions, which, in other words, reflect a firm's unsatisfactory risk culture. An experiment recently performed on a sample of bank managers compared with other sectors aiming to test their propensity to lie yielded interesting
findings. The propensity to lie is similar in different sectors and in normal conditions, but rises significantly for managers, whose work environment (in this case the bank) is mentioned (Cohn et al. 2014).

Risk culture is definitively 100% compatible with risk-taking and profit-making. A sound risk culture helps ensure that activities beyond the institution's risk appetite are recognized, assessed, escalated, and addressed in a timely manner (Dickson 2015).

strengthen their core skills, and turn risks into opportunities. They are required to commit, to more effectively improving their culture. The banks which are successful at doing this with consistency, awareness, and determination in strategic decisions will raise and consolidate their market reputation.

BIBLIOGRAPHY

Aebi, A. B., Sabato, G., Schmid, C. "Risk Management, Corporate Governance and Bank Performance in the Financial Crisis". Journal of Finance and Banking 36 (2012): 3213-3226.

Basel Committee on Banking Supervision, BCBS Publications. Corporate Governance Principles for Banks. Guidelines, 2015.

Banking Standards Board. Annual Review 2015/2016, London, March 8, 2016.

Boot, A. W. A. "Relationship Banking: What Do We Know?" Journal of Financial Intermediation 9 (2000): 7-25.

Carretta, A., Farina, V., Fiordelisi, F., Schwizer, P., Stentella Lopes, F. S. "Don't Stand So Close to Me: The Role of Supervisory Style in Banking Stability". Journal of Finance & Banking 52 (2015): 180-188.

Carretta, A. (ed.). Il governo del cambiamento culturale in banca: modelli di analisi, strumenti operativi, valori individuali, Rome, ITA: Bancaria Editrice (2001).

Carretta, A., Farina, V., Schwizer, P. "Cultural Fit and Post-merger Integration in Banking M&As". Journal of Financial Transformation 33 (2007): 137-155.

Cass Business School. "A Report on the Culture of British Retail Banking". London, UK: New City Agenda and Cass Business School, November 24, 2014.

Cohn, A., Fehr, E., Marechal, M. A. "Business Culture and Dishonesty in the Banking Industry". Nature 516 (2014): 86-89.

mance During the Recent Crisis". Journal of Finance 67 (2012): 2139-2185.

Farrel, J. M., Hoon, A. What's Your Company Risk Culture? US: KPMG US LLP, May, 2009.

Financial Stability Board, FSB. Guidance on Supervisory Interaction with Financial Institutions on Risk Culture. A Framework for Assessing Risk Culture, FSB Publications, Policy Documents, April 7, 2014.

Financial Stability Board, FSB. Measures to Reduce Misconduct Risk, FSB Publications, Progress Reports, November 6, 2015.

Group of Thirty. Banking Conduct and Culture. A Call for Sustained and Comprehensive Reform, Washington DC, US: Group of Thirty, July, 2015.

Guiso, L., Sapienza, P., Zingales, L. "The Value of Corporate Culture". EIEF Working Paper 27 (2013).

Hofstede, G. H. "The Cultural Relativity of Organizational Practices and Theories". Journal of International Business Studies 14 (1983): 75-89.

Institute of International Finance (IIF). Reform in the Financial Services Industry: Strengthening Practices for a More Stable System, Report of the IIF Steering Committee on Implementation, 2009.

Institute of Risk Management. Risk Culture Under the Microscope Guidance for Board, 2012.
Kennedy, A. A., Deal, T. E. Corporate Cultures: The Rites and Rituals of Corporate Life, New York, US: Perseus Books (1982).

Li, K., Griffin, D., Zhao, L. "How Does Culture Influence Corporate Risk-taking?" Journal of Corporate Finance 23 (2013): 1-22.

Lingel, A., Sheedy, E. A. "The Influence of Risk Governance on Risk Outcomes—International Evidence". Macquarie Applied Finance Centre Research Paper 37 (2012).

Lo, A. W. "The Gordon Gekko Effect: The Role of Culture in the Financial Industry". NBER Working Papers 21267 (2015).

Mihet, R. "Effects of Culture on Firm Risk-Taking: A Cross-country and Cross-industry Analysis". IMF Working Paper 210 (2012).

Power, M., Ashby, S., and Palermo, T. Risk Culture in Financial Organizations: A Research Report, London, UK: London School of Economics (2013).

Richter, C. "Development of a Risk Culture Intensity Index to Evaluate the Financial Market in Germany". Proceedings of FIKUSZ Symposium for Young Researcher 14 (2014): 237-248.

Roeschmann, A. Z. "Risk Culture: What it is and how it Affects an Insurer's Risk Management. Risk Management and Insurance". Risk Management and Insurance Review 17 (2014): 227-296.

Schein, E. H. "Organizational Culture". The American Psychologist Association 45 (1990): 109-119.

Schneider, B. The Psychological Life of Organizations in Handbook of Organizational Culture and Climate, eds. Ashkanasy, Neal, M., Wilderom, Celeste, P. M., Wilderom and Peterson, Mark. F., London, Thousand Oaks, New Delhi, UK, US, IND: Sage (2000).

Senior Supervisors Group. Risk Management Lessons from Financial Crisis 2008, 2009.

Sheedy, E., and Griffin, B. Empirical Analysis of Risk Culture in Financial Institutions: Interim Report, Sydney, AU: Macquarie University (2014).

Smith-Bingham, R. Risk Culture: Think of the Consequences, New York, US: Risk Management Insights, Marsh & McLennan Companies, Oliver Wyman (2015).

Sorensen, J. B. "The Strength of Corporate Culture and the Reliability of Firm Performance". Administrative Science Quarterly 47 (2014): 70-91.

Stulz, R. M. "Governance, Risk Management, and Risk-Taking in Banks". Finance Working Paper 427 (2014).

Villeval, M. C. "Behavioural Economics: Professional Identity Can Increase Dishonesty". Nature 516 (2014): 48-49.

Zingales, L. "The 'Cultural Revolution' in Finance". Journal of Financial Economics 117 (2015): 1-4.
OpRisk Data and Governance

Learning Objectives

After completing this reading you should be able to:

• Describe the seven Basel II event risk categories and identify examples of operational risk events in each category.
• Summarize the process of collecting and reporting internal operational loss data, including the selection of thresholds, the timeframe for recoveries, and reporting expected operational losses.
• Explain the use of a Risk Control Self Assessment (RCSA) and key risk indicators (KRIs) in identifying, controlling, and assessing operational risk exposures.
• Describe and assess the use of scenario analysis in managing operational risk, and identify biases and challenges that can arise when using scenario analysis.
• Compare the typical operational risk profiles of firms in different financial sectors.
• Explain the role of operational risk governance and explain how a firm's organizational structure can impact risk governance.

Excerpt is Chapter 2 of Fundamental Aspects of Operational Risk and Insurance Analytics: A Handbook of Operational Risk, by Marcelo G. Cruz, Gareth W. Peters, and Pavel V. Shevchenko.
7.1 INTRODUCTION

One of the first and most important phases in any analytical process, and this is certainly no different when developing OpRisk models, is to cast the data into a form amenable to analysis. This is the very first challenge that an analyst or quant faces when determined to model, measure, and even manage OpRisk. At this stage, there is a need to establish how the information available can be modeled to act as an input in the analytical process that would allow proper risk assessment to be used in risk management and mitigation. In risk management, and particularly in OpRisk, this activity is today quite regulated and the entire data process, from collection to maintenance and use, has strict rules, which in a way reduces the variance in the use of the data across the industry.

The OpRisk framework starts by having a solid risk taxonomy so risks are properly classified. Firms also need to perform a comprehensive risk mapping across their processes to make sure that no risk is left out of the measurement process. This is a key process to be accomplished and one where a number of firms should be paying more attention.

In this chapter, we lay the ground for the basic building blocks of OpRisk management. First we describe how risk taxonomy works, classifying loss events into the major risk categories. Then we describe the four major data elements that should be used to measure and manage OpRisk: internal loss data, external loss data, scenario analysis, and business and control environment factors. When these risk mapping, taxonomy, and data building blocks are reasonably structured, it becomes important to configure the organization of the OpRisk department and a firm's risk governance. Even a very efficient and well-developed OpRisk framework would fail if the proper organization and policies are not in place.

7.2 OPRISK TAXONOMY

The term "taxonomy" has become quite popular in the risk management industry. In most conferences and industrial workshops, and most certainly among consultants, the term "risk taxonomy" has become a regular mantra. So, what is risk taxonomy? Taxonomy is actually a term borrowed from biology. One of the missions of the biologist is to discover new species in remote places of the planet, and it would make their work easier if they could classify a new species into a new group based on some characteristics. So taxonomy means the conception, naming, and classifying of organisms into groups. It is a common practice in biology to group individuals into species, arranging species into larger groups, and giving those groups names, thus producing a classification. For example, the fact that dolphins live in the sea and look like a fish does not make them a fish, as many of their characteristics made biologists classify them as "mammals". Taxonomy basically encompasses description, identification, nomenclature, and classification. Therefore, taxonomy has become an interesting and popular turn in the risk management industry as new risks are being encountered at regular intervals.

Before getting on board the risk taxonomy bandwagon, a firm must perform a comprehensive risk mapping exercise. This means going through, in excruciating detail, every major process of the firm. For example, let us imagine the equity trading process. Analyzing this process would mean going through the risks from the moment the customer places an order until the transaction gets fully settled, with payment exchanged and securities delivered. Those will be the basic risks, which are unlikely to change unless there is a change in the process. From this process, a risk manager should also be able to point out where losses are coming from and develop mechanisms to collect them. The outcome of this exercise would be the building block of any risk classification study.

It is interesting to note that even today firms are struggling with basic risk classification, which is the base of the risk management pyramid, the very first building block of a robust risk management framework. Mistakes made in past years in classifying a risk will have repercussions in the risk management and on the communication of risks, at a minimum, to outside parties like regulators, and might compromise any good work done elsewhere in the framework. There are roughly three ways that firms drive this risk taxonomy exercise: cause-driven, impact-driven, and event-driven. In many firms, risk taxonomy is a mixture of these three, making it even more difficult to get it right. Let us discuss these three methods. In the cause-driven method, the risk classification is based on the reasons that cause operational losses. This usually follows the old OpRisk definition (which most firms use in their annual reports) in which OpRisk is defined as a function of "people, systems, and external events". Some risk types in this classification would be, for example, "lack of skills in trade control" or "inappropriate access control to systems". Although there are some advantages in this type of classification, as a "root cause" is pretty much embedded into the risk classification, challenges arise when multiple causes exist or the cause is not immediately clear. If this cause-driven risk classification is applied to a process in which operational losses have high frequency, it would be very difficult for risk managers to correctly classify every single loss, and the attrition within the business and within the department is likely to be high. Another way to perform this classification exercise is through an impact-driven method. In this method, the classification is made
according to the financial impact of operational losses. Most firms that follow this type of classification do not invest heavily in OpRisk management; they just use this type to retrieve data from their systems. This is quite common in smaller firms. In this type of classification, it is quite difficult to manage OpRisk as, although the exposures are known, it is difficult to understand what is driving these losses.

The event-driven risk classification is probably the most common one used by large firms. It classifies risk according to OpRisk events. This is the classification used by the Basel Committee. It is interesting to know that during the Basel II discussions, when this type of risk taxonomy was presented, most of the industry was reluctant to accept it. A number of firms, even today, follow their own classification initially and map to the Basel event-type category later. What is interesting in this classification is that the definition is rather broad, which should make it easier to accept changes in the process. For example, under "Execution, Delivery, and Process Management" (EDPM), which is the level-1 event type, there is a category named "Transaction Capture, Execution, and Maintenance" that can be an umbrella for a number of event types. For example, if the equity trading process changes from an old-fashioned phone-based system to online high-frequency trading, using this classification it would be easy to define the taxonomy of these risks.

Given how new risks emerge in OpRisk, and also the breadth of its scope, the concept and the ideas behind risk taxonomy in OpRisk sound quite appealing. However, as this is a building block of the OpRisk framework, firms need to be very careful. In the following sections, all seven Basel II event types required for the advanced measurement approach (AMA) are defined and discussed in detail; a detailed breakdown into event types at level 1, level 2, and activity groups is provided in BCBS (2006, pp. 305-307).

Execution, Delivery, and Process Management

The EDPM loss event type is one of the most prominent in the OpRisk profile of firms or business units with heavy transaction processing and execution businesses. It encompasses losses from failed transaction processing, as well as problems with counterparties and vendors. Table 7.1 describes the Basel event-type breakdown for this risk.

Losses of this event type are quite frequent as these can be due to human errors, miscommunications, and so on, which are very common in an environment where banks have to process millions of transactions per day. A typical example of execution losses might help to illustrate how frequent these losses can be.

Consider the following deal: A foreign exchange (FX) trader bought USD 100,000,000 for €90,000,000 (i.e., USD 1 = €0.90) and then sold USD 100,000,000 for €90,050,000 (i.e., USD 1 = €0.9005) with an initial trading profit of €50,000. Both transactions were made almost at the same time, and the trader was obviously very satisfied with a profit of €50,000. In his/her excitement at the successful deal, however, there were some snags in the back office, with some confusion on where to remit the payments of one leg of the deal, and the transaction was finally settled 3 days later than it should have been.

Table 7.1 Execution, Delivery & Process Management (EDPM) Event Type, Defined as Losses from Failed Transaction Processing or Process Management, from Relations with Trade Counterparties and Vendors. Basel II event type classification as provided in BCBS (2006, pp. 305-307)

Category (Level 1): Execution, Delivery & Process Management
Category (Level 2) and activity examples:
• Transaction Capture, Execution and Maintenance: miscommunication; data entry, maintenance or loading error; missed deadline or responsibility; model/system misoperation; accounting error/entity attribution error; other task misperformance; delivery failure; collateral management failure; reference data maintenance
• Monitoring and Reporting: failed mandatory reporting obligation; inaccurate external report (loss incurred)
• Customer Intake and Documentation: client permissions/disclaimers missing; legal documents missing/incomplete
• Customer/Client Account Management: unapproved access given to accounts; incorrect client records (loss incurred); negligent loss or damage of client assets

In FX transactions trading tickets are usually larger to compensate for the low margins. Situations similar to the one described earlier may lead to errors. The counterparties obviously would have demanded compensation as the settlement had been delayed for 3 days, and the bank would also have paid a penalty, in the form of interest claims, of €55,000. Therefore, any error has the potential to be bigger than a transaction's eventual economic profit.

The overall scenario is alarming. There was a loss of €5,000 on the aggregate due to operational errors (€50,000 transaction profit less €55,000 interest claims due for late payment). This is the reality a trading environment faces on a day-to-day basis. The actions of traders are recognized at the closing of the deal, and errors coming to light at a later time (e.g., mis-pricing, late settlement) are not linked back to the underlying cause. The error goes to an "error account" or the like and, in terms of OpRisk management, those who are responsible for the errors are never identified; even worse is that the real profitability of individual transactions is rarely understood. The cost side (and the OpRisks involved) is in general ignored.

Knowing where these errors occur is very important for OpRisk management.

Clients, Products, and Business Practices

Loss events under the Clients, Products and Business Practices (CPBP) risk type are usually the largest, particularly in the US. These events encompass losses, for example, from disputes with clients and counterparties, regulatory fines from improper business practices, or wrongful advisory activities. Table 7.2 presents the Basel event-type breakdown and definition for this risk type. This is a specific and important risk type for firms with operations in the US, where litigation is very common. As seen in recent regulatory fines imposed on French banks and other foreign banks operating in US jurisdiction, this loss type can also be significant to off-shore entities.

Table 7.2 CPBP Event Type, Defined as Losses Arising from an Unintentional or Negligent Failure to Meet a Professional Obligation to Specific Clients (including fiduciary and suitability requirements) or from the Nature or Design of a Product. Basel II event type classification as provided in BCBS (2006, pp. 305-307)

Category (Level 1): Clients, Products, and Business Practices
Category (Level 2) and activity examples:
• Suitability, Disclosure and Fiduciary: fiduciary breaches/guideline violation; suitability/disclosure issues (e.g., KYC); retail customer disclosure violations; breach of privacy; aggressive sales; account churning; misuse of confidential information; lender liability
• Improper Business or Market Practices: antitrust; improper trade/market practices; market manipulation; insider trading (on firm's account); unlicensed activity; money laundering
• Selection, Sponsorship, and Exposure: failure to investigate client per guidelines; exceeding client exposure limits
REAL OPRISK EVENTS: SBC WARBURG (INVESTMENT BANK), OCTOBER 1996

The Securities and Futures Authority (SFA) in the UK (the former City of London regulator, since superseded by the Financial Services Authority) released partial details in March 1997 of an investigation that had commenced in October 1996 into rogue trading in a program trade at SBC Warburg. (A program trade is a transaction where one agent, generally a fund, chooses another agent, generally a bank or a broker, to sell part of its shares in the market on a determined day and hour, at prices determined by the market.) The program trading error that made SBC Warburg the subject of the investigation is thought to have cost it no more than £5 million. Nevertheless, this program trade was one of the largest ever to be awarded to SBC Warburg, and the SFA investigation has clearly embarrassed it. The investigation relates to a mistake made during the execution of a £300 million program trade for an investment trust which caused the price of a number of French stocks to fall sharply. The investigation is being extended to establish whether the bank made a similar error when selling Spanish shares as part of the same program deal.

The SFA investigation focused on a 30-min period on October 30, 1996. At some time around mid-day, SBC Warburg traders learnt that the bank had been awarded three contracts by Kleinwort Benson European Privatization Investment Trust (Kepit) to execute a series of share sales (the so-called program trade) on its behalf. Contracts for programme trades are often awarded just before the deal takes place, and the Kepit deal was no different. It involved SBC Warburg taking the £300 million-worth of shares onto its books just minutes later, at 12:30 pm, and paying Kepit the mid-market prices for each share at that time. In the remaining minutes before the 12:30 pm deadline, SBC Warburg traders sought to sell some of the same shares they were about to get from Kepit in order to reduce the risk (this process is known as short selling, and it is accepted as a normal practice in a program trade, as long as the price does not fall too much).

Elsewhere at SBC Warburg, a trader was running an arbitrage position on Kepit, seeking to make money by exploiting differences between Kepit's own share price and the price of the shares the bank owned. SFA investigators were told that in the minutes before the 12:30 pm deadline, the SBC Warburg trader running the arbitrage position was seen on the trading floor making gestures with his hands for traders to get the price of the shares down. Nevertheless, it was a mistake by one of SBC Warburg's Paris-based traders that attracted the attention of the SFA. Instead of selling as much as he could before 12:30 pm, SFA investigators have been told, the trader misunderstood his instructions and instead attempted to sell at the strike time. The trader also failed to put a so-called down limit on his proposed share sales, effectively turning it into an unlimited sell order.

In the tapes passed to the SFA (all conversations on the trading desk are recorded), the London-based trader is heard talking with a colleague about how the price of the French shares had fallen much further than they had planned. The trader complained that a colleague had just told him, in hindsight after the share prices had collapsed, that they should only have pushed the prices down by 1%. SBC admitted in March 1997 that its short selling had contributed to adverse price movements and dismissed several employees involved in the trade.

[Business Disruption and System Failures: only the end of this discussion survives in the extraction.] ... closed, they need to make requests to their counterparties to allow them special conditions; however, the rates at which they capture these funds are higher than the daily average. This extra cost, although due to a system failure and, therefore, to be classified as BDSF, would hardly be captured at all. Table 7.3 presents the formal Basel definition and breakdown of this risk type.

Internal Fraud

Internal frauds are frauds committed or attempted by a firm's own employees. It is one of the less frequent types of OpRisk loss. Given the sophisticated controls that most institutions have, this would be unlikely. However, events such as traders mismarking positions, particularly in assets that are hard to establish an

Table 7.5 Internal Fraud Event Risk Type, Defined as Losses Due to Acts of a Type Intended to Defraud, Misappropriate Property or Circumvent Regulations, the Law or Company Policy, Excluding Diversity/Discrimination Events, Which Involves at Least One Internal Party. Basel II event type classification as provided in BCBS (2006, pp. 305-307)

Category (Level 1): Internal fraud
Category (Level 2) and activity examples:
• Unauthorised Activity: transactions not reported (intentional); transaction type unauthorised (w/monetary loss); mismarking of position (intentional)

Employment Practices and Workplace Safety

The Employment Practices and Workplace Safety (EPWS) type of risk is more prominent in the Americas than in Europe or Asia, as either the labor laws are old-fashioned and/or there is more of a culture of litigation against employers (Table 7.6). For example, some large banks in Brazil would count employment litigation in the tens of thousands, and it is one of the main OpRisks for banks. In some lines of business, like investment banking, employment issues are also quite important. As these lines of business mostly provide advisory to large corporations and the key personnel are highly compensated, litigation against some of these key employees and losing them can cost millions of dollars.

Table 7.6 EPWS Event Risk Type, Defined as Losses Arising from Acts Inconsistent with Employment, Health or Safety Laws or Agreements, from Payment of Personal Injury Claims, or from Diversity/Discrimination Events. Basel II event type classification as provided in BCBS (2006, pp. 305-307)

Category (Level 1): Employment Practices and Workplace Safety
Category (Level 2) and activity examples:
• Employee relations: compensation, benefit, termination issues; organised labor activity
• Safe environment: general liability (e.g., slip and fall); employee health and safety rules events; workers compensation
• Diversity and discrimination: all discrimination types

Damage to Physical Assets

Damage to Physical Assets (DPA) is another OpRisk event type. The most common method to assess the exposure to this risk is through scenario analysis using insurance information. Very few firms actively collect losses on this risk type as these are usually either too small or incredibly large. The formal Basel definition and breakdown of this risk type is presented in Table 7.7.

Table 7.7

Category (Level 1): Damage to physical assets
Category (Level 2) and activity examples:
• Disasters and other events: natural disaster losses; human losses from external sources (e.g., terrorism, vandalism)

7.3 THE ELEMENTS OF THE OPRISK FRAMEWORK

The four elements that should be used in any OpRisk framework are as follows:

• Internal loss data;
• Business environment and internal control factors;
• External loss data;
• Scenario analysis.

We provide a description of each of these elements in the following text.

Internal Loss Data

Operational loss means a gross monetary loss (excluding insurance or tax effects) resulting from an operational loss event. An operational loss includes all expenses associated with an operational loss event except for opportunity costs, forgone revenue, and costs related to risk management and control enhancements implemented to prevent future operational losses.

Having a robust historical internal loss database is the basis of any OpRisk framework. These losses need to be classified into the Basel categories (and internal ones, if different from the Basel categories) and mapped to a firm's business units. Given their importance for the OpRisk framework, the collection and maintenance of these data are heavily regulated. Basel II regulation says that firms need to collect at least 5 years of data (BCBS, 2006), but most decided not to discard any loss even when these are older than this limit. Since losses are difficult to acquire and it takes years to build up a reliable and informative loss database, most firms even pay to supplement internal losses (see the external loss database). Hence, it is clear that it would not make sense to discard losses that took place in the firm unless the business in which the loss took place was sold. There are a number of issues that can come from internal data modeling that are worth comment and are listed below.

Setting a Collection Threshold and Possible Impacts

Most firms set a threshold for loss collection, as allowed by Basel. However, this decision can have a significant impact in establishing the risk profile of a business unit. This is usually the case
in businesses that have heavy transaction execution, like asset management or equities. See the example in Table 7.8. If the OpRisk department had chosen USD 100,000 as the threshold, usually under the argument that only tail events drive OpRisk capital, that firm would think that its total loss in that year was USD 49 million. If the threshold choice was USD 20,000, the total losses would be USD 53 million. However, most losses are due to compensating retail clients whose orders usually range from USD 1,000 to USD 50,000. The sum of the losses under USD 50,000 is about USD 20 million, which is almost equivalent to the losses above USD 5 million. For this particular firm, setting the loss collection threshold at USD 100,000 would show total losses for the year as USD 49 million. However, if this firm had not set a loss collection threshold, they would observe that their actual losses were USD 71 million, a very different risk profile.

Table 7.8 (columns: Loss Brackets (USD), Number of Losses, Total (USD), Accumulated Total (USD); the rows were not recovered)

Completeness of Database (Under-Reporting Events)

In gathering data from disparate sources, we need to avoid an OpRisk in collecting the OpRisk data itself. Such risks and subsequent losses may arise, for example, when the employee responsible for reporting losses does not send the loss information to the central database, whether accidentally or not. The Basel II document BCBS (2006) refers to this scenario, with the possible consequence being that an institution that could not prove that loss data is flowing with a high degree of reliability to the central database(s) is likely to be disallowed from employing more advanced techniques for assessing the levels of risk.

The development of filters that capture operational issues and calculate an eventual operational loss is one of the most expensive parts of the entire data collection process, but the outcome can be decisive in making an OpRisk project successful and increasing confidence in the completeness of the loss database.

This OpRisk filter will vary from bank to bank depending on their systems, but in all cases it works like a conduit between systems, collecting every cancellation or alteration made to a transaction or any differences between the attributes of a transaction in one system compared to its attributes in another system. The transaction flow starts at the front-office system that registers the transaction, passing it to the accounting and clearing systems. Any discrepancy, alteration, or cancellation must be extracted by the OpRisk filter. Also, abnormal inputs (e.g., a lower volatility in a derivative) can be flagged and investigated. The filter will calculate the OpRisk loss event and several other impacts in the organization.

[Recoveries: the start of this discussion is missing from the extraction.] ... that can happen once every thousand years, it would not make sense to start applying mitigating factors to reduce the losses and eventually also reducing capital. For this reason, gross losses should be considered for OpRisk calculation purposes.

The only exception is for rapidly recovered loss events, but even this exception is not accepted everywhere. Rapidly recovered loss events are OpRisk events that lead to losses recognized in financial statements that are recovered over a short period. For instance, a large internal loss is rapidly recovered when a bank transfers money to a wrong party but recovers all or part of the loss soon thereafter. A bank may consider this to be a gross loss and a recovery. However, when the recovery is made rapidly, the bank may consider that only the loss net of the rapid recovery constitutes an actual loss. When the rapid recovery is full, the event is considered to be a "near miss".
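As an added illustration of the OpRisk filter and of the collection-threshold effect discussed above (this is example code written for this reading, not the authors' or any firm's system; the bookings, the 5 bp delay-claim rate and the volatility band are constructed assumptions):

```python
"""Toy OpRisk filter: reconcile front-office bookings against the accounting
system, record every discrepancy, cancellation (booked but never passed on),
unbooked trade and abnormal input, attach a gross loss amount where an
assumed rule gives one, and show how a loss-collection threshold changes the
total the loss database would report. All records below are constructed."""
from dataclasses import dataclass

# Constructed sample bookings: trade id -> attributes as each system holds them.
FRONT_OFFICE = {
    "T1": {"notional": 10_000_000, "ccy": "USD", "cpty": "ALPHA", "vol": 0.22},
    "T2": {"notional": 5_000_000, "ccy": "EUR", "cpty": "BETA", "vol": 0.18},
    "T3": {"notional": 2_000_000, "ccy": "USD", "cpty": "ALPHA", "vol": 0.25},
    "T4": {"notional": 800_000, "ccy": "GBP", "cpty": "GAMMA", "vol": 0.30},
    "T5": {"notional": 150_000, "ccy": "USD", "cpty": "DELTA", "vol": 0.95},
    "T6": {"notional": 30_000_000, "ccy": "USD", "cpty": "BETA", "vol": 0.20},
    "T7": {"notional": 400_000, "ccy": "EUR", "cpty": "ALPHA", "vol": 0.21},
    "T8": {"notional": 1_000_000, "ccy": "USD", "cpty": "GAMMA", "vol": 0.19},
}
ACCOUNTING = {
    "T1": {"notional": 10_000_000, "ccy": "USD", "cpty": "ALPHA"},
    "T2": {"notional": 5_050_000, "ccy": "EUR", "cpty": "BETA"},   # notional altered
    "T4": {"notional": 800_000, "ccy": "GBP", "cpty": "GAMA"},     # counterparty typo
    "T5": {"notional": 150_000, "ccy": "USD", "cpty": "DELTA"},
    "T6": {"notional": 30_120_000, "ccy": "USD", "cpty": "BETA"},  # notional altered
    "T7": {"notional": 412_000, "ccy": "EUR", "cpty": "ALPHA"},    # notional altered
    "T9": {"notional": 700_000, "ccy": "USD", "cpty": "ALPHA"},    # never booked up front
}
# T3 and T8 were booked in the front office but never reached accounting.

# Assumed rule for a trade that stalls between systems: the settlement-delay
# claim is taken as 5 bp of notional (a stand-in for the interest claim in the
# FX example above; not a Basel or firm parameter).
DELAY_CLAIM_RATE = 0.0005
VOL_BAND = (0.05, 0.60)   # assumed plausible range for an input volatility


@dataclass(frozen=True)
class FilterEvent:
    trade_id: str
    kind: str      # "discrepancy" | "cancellation" | "unbooked" | "abnormal_input"
    detail: str
    amount: float  # gross loss attributed by the assumed rules; 0 = flag only


def run_filter(front, back, vol_band=VOL_BAND, claim_rate=DELAY_CLAIM_RATE):
    """Compare the two systems trade by trade and return every finding."""
    events = []
    lo, hi = vol_band
    for tid, fo in front.items():
        if not lo <= fo["vol"] <= hi:
            events.append(FilterEvent(tid, "abnormal_input",
                                      f"volatility {fo['vol']} outside {vol_band}", 0.0))
        if tid not in back:
            events.append(FilterEvent(tid, "cancellation",
                                      "booked in front office, missing in accounting",
                                      fo["notional"] * claim_rate))
            continue
        ac = back[tid]
        for attr in ("notional", "ccy", "cpty"):
            if fo[attr] != ac[attr]:
                # Only a notional mismatch has a direct monetary size; other
                # attribute mismatches are flagged for investigation.
                amount = abs(fo[attr] - ac[attr]) if attr == "notional" else 0.0
                events.append(FilterEvent(tid, "discrepancy",
                                          f"{attr}: front={fo[attr]} accounting={ac[attr]}",
                                          amount))
    for tid in back.keys() - front.keys():
        events.append(FilterEvent(tid, "unbooked", "in accounting only", 0.0))
    return sorted(events, key=lambda e: e.trade_id)


def reported_total(events, threshold=0.0):
    """Total the loss database shows if only losses >= threshold are collected."""
    return sum(e.amount for e in events if e.amount > 0 and e.amount >= threshold)


def bracket_table(events, edges):
    """Rows of (bracket, count, total, accumulated total), in the shape of Table 7.8."""
    losses = sorted(e.amount for e in events if e.amount > 0)
    bounds = [0.0] + list(edges) + [float("inf")]
    rows, acc = [], 0.0
    for lo, hi in zip(bounds, bounds[1:]):
        in_bracket = [x for x in losses if lo <= x < hi]
        acc += sum(in_bracket)
        rows.append((f"[{lo:,.0f}, {hi:,.0f})", len(in_bracket), sum(in_bracket), acc))
    return rows


if __name__ == "__main__":
    found = run_filter(FRONT_OFFICE, ACCOUNTING)
    for e in found:
        print(f"{e.trade_id} {e.kind:<14} {e.amount:>10,.0f}  {e.detail}")
    for thr in (0, 10_000, 100_000):
        print(f"threshold {thr:>7,}: reported total {reported_total(found, thr):,.0f}")
    for row in bracket_table(found, (10_000, 100_000)):
        print(row)
```

With these records the true total is 183,500 while a 10,000 threshold reports 182,000 and a 100,000 threshold reports 120,000; the zero-amount findings (T4, T5, T9) never enter the loss database but are exactly the items the text says should be investigated.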
Time Period for Resolution of Operational Losses

Some OpRisk events, usually some of the largest, will have a large time gap between the inception of the event and the final closure, due to the complexity of these cases. As an example, most litigation cases that came up from the financial crisis in 2007/2008 were only settled by 2012/2013. These legal cases have their own life cycle and start with a discovery phase in which lawyers and investigators argue whether the other party has a proper case to actually take the action to court or not. At this stage, it is difficult to even come up with an estimate for eventual losses. Even when a case is accepted by the judge, it might be several years until lawyers and risk managers are able to properly estimate the losses. Firms can set up reserves for these losses (and these reserves should be included in the loss database), but they usually do that only a few weeks before the case is settled, to avoid disclosure issues (i.e., the counterparty eventually knows the amount reserved and uses this information in their favor). This creates an issue for setting up OpRisk capital because firms would know that they are going to undergo a large loss and yet are unable to include it in the database; the inclusion of this settlement would cause some volatility in the capital. The same would happen if a firm set a reserve of, for example, USD 1 billion for a case, and then a few months later a judge decides to remove the loss in favor of the firm. For this reason, firms need to have a clear procedure on how to handle those large, long-duration losses.

Adding Costs to Losses

As said earlier, an operational loss includes all expenses associated with an operational loss event except for opportunity costs, forgone revenue, and costs related to risk management and control enhancements implemented to prevent future operational losses. Most firms, for example, do not have enough lawyers on payroll (or expertise) to deal with all the cases, particularly some of the largest or those that demand some specific expertise and whose legal fees are quite expensive. There are cases in which the firm wins in the end, maybe thanks to some external law firms, but the cost can reach tens of millions of dollars. In such cases, though the firm wins a court victory, there will be an operational loss.

Provisioning Treatment of Expected Operational Losses

Unlike credit risk, where the calculated expected credit losses might be covered by general and/or specific provisions in the balance sheet, for OpRisk, due to its multidimensional nature, the treatment of expected losses is more complex and restrictive. Recently, with the issuing of IAS37 by the International Accounting Standards Board, Wittsiepe (2008), the rules have become clearer as to what might be subject to provisions (or not). IAS37 establishes three specific applications of these general requirements, namely:

• a provision should not be recognized for future operating losses;
• a provision should be recognized for an onerous contract, that is, a contract in which the unavoidable costs of meeting its obligations exceed the expected economic benefits;
• a provision for restructuring costs should be recognized only when an enterprise has a detailed formal plan for restructuring and has raised a valid expectation in those affected.

These provisions should not include costs such as retraining or relocating continuing staff, marketing, or investing in new systems and distribution networks; the restructuring does not necessarily entail that.

IAS37 requires that provisions should be recognized in the balance sheet when, and only when, an enterprise has a present obligation (legal or constructive) as a result of a past event. The event must be likely to call upon the resources of the institution to settle the obligation, and, more importantly, it must be possible to form a reliable estimate of the amount of the obligation. Provisions should be measured in the balance sheet at the best estimate of the expenditure required to settle the present obligation at the balance sheet date. Any future changes, like changes in the law or technological changes, may be taken into account where there is sufficient objective evidence that they will occur. IAS37 also indicates that the amount of the provision should not be reduced by gains from the expected disposal of assets (even if the expected disposal is closely linked to the event giving rise to the provision) nor by expected reimbursements (arising from, for example, insurance contracts or indemnity clauses). When and if it is virtually certain that reimbursement will be received should the enterprise settle the obligation, this reimbursement should be recognized as a separate asset.

7.4 BUSINESS ENVIRONMENT AND INTERNAL CONTROL ENVIRONMENT FACTORS (BEICFs)

One can see OpRisk as a function of the control environment. If the control environment is fair and under control, large operational losses are not likely to take place and OpRisk is considered to be under control. Therefore, understanding the firm's business processes, mapping the risks on these processes, and assessing the control of these processes are the fundamental
that the person who does the assessment would have a motivation to improve their ratings so as to reduce their capital.

Key Risk Indicators

These indicators/factors are mostly quantitative and are used as a proxy for the quality of the control environment of a business. For example, in order to report the quality of the processing systems of an investment bank, we might design factors such as "system downtime" (measuring the number of minutes that a system stayed offline) and "system slow time" (counting the minutes that a system was overloaded and running slowly). These KRIs can be extremely important in OpRisk measurement, as they allow OpRisk models to behave very similarly to those used for market and credit risk.

Going back to the equity settlement example, instead of using RAG self-assessment, a better way to assess the quality of these processes is to establish a few KRIs that provide an accurate picture of the control environment, as seen in Figure 7.2. As an example, at the trade confirmation stage of the settlement process, if the number of unsigned confirmations older than 30 days rises above a certain percentage of the total population, and the number of repudiated trades increases, one might say that this process is facing challenges that need to be addressed.

Figure 7.2 Equity settlement process. Stages and the KRIs attached to each:
  Trade capture and execution: daily trade volume; late booking trades
  Trade matching and confirmation: unsigned confirmations > 30 days; repudiated trades; breaks
  Custody and control: breaks; disputed collateral calls
  Clear and settle trades: fails; breaks (agent cash, agent stock)

The process of KRI collection deserves special attention. It is important that these data are absolutely reliable in order to display relationships between KRIs and losses. Automating the collection straight from the firm's operational systems might help to create a more realistic reflection of the true profile of the infrastructure of a certain business. There are many stages in establishing these links, and of course there is a cost associated with the implementation of the KRI program, but probably no other type of data will be more powerful than KRIs for managing and measuring operational risk. It is much easier to explain OpRisk as a function of the control environment in which a firm exists than to say that OpRisk capital is moving up or down because of past losses or changes in scenarios.

The first stage of the KRI collection process is to establish assumptions on the OpRisk profile of a certain business. For example, we might assume that execution errors in the equities division can be explained by the trade volume on the day, the number of securities that failed to be received or delivered, the head count available on the trading desk and in the back office, and system downtime (measured in minutes offline).

The decision to be made is: at what organizational level should this relationship be measured? The equities division as a whole? Should we break down the equities division into cash equities, listed derivatives and OTC derivatives, or along any other lines? Should we consider breaking it down along regional lines? All these questions are fundamental for the success of the analysis.

If loss data and KRIs are collected at cost center level (the lowest possible level), it becomes possible to perform this disaggregation. In general, the lower the level at which you model the causal relationship, the better the chances that you will find a good fit to the model. Put another way, it is easier to find strong causal relationships if you model, for example, the US cash equities department than if you model at the global equities division level, as the lower level better captures local nuances, idiosyncrasies, and trends.

The modeler might also consider using external factors such as equity indexes and interest rates. It is common to find strong relationships between a stock market index and operational losses; for example, higher volatility on stock markets is usually associated with high trading volumes, which in turn are highly associated with execution losses in OpRisk. Table 7.9 presents a few examples of Business Environment and Internal Control Factors (BEICFs) used in a few environments.
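The causal-model step just described, fitted at desk level and then at the pooled "division" level, as an added example that is not part of the original chapter. The desk names, the KRI ranges, the coefficients used to generate the daily figures and the figures themselves are all constructed for illustration. It fits ordinary least squares of daily execution-error counts on the four KRIs named above (trade volume, fails, head count, system downtime) for two constructed desks separately and for both pooled, using only the standard library. The sum of squared residuals of the pooled fit can never be smaller than the sum of the two desk-level fits, which is the reason the text gives for modeling at the lowest level at which losses and KRIs are collected.

```python
"""Fit a KRI-based causal model for execution errors at desk level and pooled level.

Added example (not from the chapter). All desk names, KRI ranges, coefficients
and daily figures below are constructed for illustration.
"""
import random

KRIS = ["volume", "fails", "headcount", "downtime"]

# Assumed "true" relationships, used only to generate the constructed daily data.
DESKS = {
    "US cash equities": {
        "volume": (50_000, 150_000), "fails": (0, 20), "headcount": (10, 14),
        "coef": {"volume": 0.0002, "fails": 1.5, "headcount": -2.0, "downtime": 0.1},
        "intercept": 30.0, "noise_sd": 2.0,
    },
    "US listed derivatives": {
        "volume": (5_000, 15_000), "fails": (0, 5), "headcount": (4, 6),
        "coef": {"volume": 0.001, "fails": 0.5, "headcount": -1.0, "downtime": 0.3},
        "intercept": 5.0, "noise_sd": 1.0,
    },
}


def simulate_desk(name, days=90, seed=7):
    """Return (kri_dict, execution_error_count) for each constructed trading day."""
    spec = DESKS[name]
    rng = random.Random(f"{seed}-{name}")  # deterministic per desk
    rows = []
    for _ in range(days):
        kri = {
            "volume": rng.randint(*spec["volume"]),
            "fails": rng.randint(*spec["fails"]),
            "headcount": rng.randint(*spec["headcount"]),
            "downtime": rng.randint(0, 60),  # minutes offline
        }
        errors = spec["intercept"] + sum(spec["coef"][k] * kri[k] for k in KRIS)
        rows.append((kri, round(errors + rng.gauss(0.0, spec["noise_sd"]))))
    return rows


def solve(a, b):
    """Solve a @ x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit(rows):
    """Ordinary least squares of error counts on the KRIs via the normal equations."""
    x = [[1.0] + [float(kri[k]) for k in KRIS] for kri, _ in rows]
    y = [float(e) for _, e in rows]
    p = len(x[0])
    xtx = [[sum(r[i] * r[j] for r in x) for j in range(p)] for i in range(p)]
    xty = [sum(r[i] * yi for r, yi in zip(x, y)) for i in range(p)]
    beta = solve(xtx, xty)
    pred = [sum(b * v for b, v in zip(beta, r)) for r in x]
    ssr = sum((yi - pi) ** 2 for yi, pi in zip(y, pred))
    ybar = sum(y) / len(y)
    sst = sum((yi - ybar) ** 2 for yi in y)
    out = {"intercept": beta[0], **dict(zip(KRIS, beta[1:]))}
    out["ssr"] = ssr
    out["r2"] = 1.0 - ssr / sst
    return out


def compare_levels(days=90):
    """Fit each desk on its own, then both desks pooled as one 'equities division'."""
    by_desk = {name: fit(simulate_desk(name, days)) for name in DESKS}
    pooled = fit([row for name in DESKS for row in simulate_desk(name, days)])
    return by_desk, pooled


if __name__ == "__main__":
    by_desk, pooled = compare_levels()
    for name, f in list(by_desk.items()) + [("pooled equities division", pooled)]:
        coefs = ", ".join(f"{k}={f[k]:+.4f}" for k in KRIS)
        print(f"{name:28s} R2={f['r2']:.3f}  SSR={f['ssr']:9.1f}  {coefs}")
```

With real data the rows would come straight from the operational systems at cost-center level, as the text recommends; the comparison of residuals between the desk-level and pooled fits is then the evidence for or against aggregating.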
7.5 EXTERNAL DATABASES

According to the Basel Accord, OpRisk modelers need to calculate regulatory capital at the 99.9% confidence level, which is equivalent to finding enough capital to protect against losses in the worst year in a 1,000-year period. Very few firms have internal loss data covering anything like that horizon. One way to try to overcome this challenge is to use other firms' loss experience. This is common in insurance. For example, suppose that a US insurer wants to expand to a new state, say New Jersey. This insurer does not have experience in New Jersey, and New Jersey has different characteristics; for example, it may have many more cars per square mile than other states and hence the accident ratio is known to be higher. How can this insurer price its premium correctly in New Jersey? The most used alternative is to start with a local database of car accidents. This database is available, with considerable detail, for insurance companies to acquire. Obviously, this database would never replace the insurer's own loss experience in its portfolio, but while that loss experience is not available, the best way to start the business is to use this external database. As the insurer builds up its own loss experience, it can start weighting the importance of the external database in its premium through credibility theory methods.

Similarly, banks and other financial firms might struggle to come up with reasonable measures for some types of risk because they were never exposed to large losses, but, despite that, they understand that they are still under the risk that such a loss will happen eventually. These loss-gathering databases can be very useful in these cases.

There are basically three ways to get hold of these databases, as seen in Table 7.10. The best choice for a firm would depend significantly on how its framework is structured and how the modeler expects to use these losses.

Table 7.10 Ways to obtain external loss databases

Source | Description | Advantages | Disadvantages
Internally developed | Firm gathers these losses from news feeds and magazines | Cheapest way | It might not be comprehensive enough and may miss losses in many industries and jurisdictions
Consortia | The most popular is ORX, which has some of the largest banks in the industry | Loss reporting threshold is €20,000 | No details on the losses. It can only be used for measurement
Vendors | There are a number of vendors like IBM OpVantage and SAS | More detailed analysis on the loss. It can be used for management or scenarios | Loss threshold is usually high (USD 1 million). Loss details might not be accurate as these were taken from newspapers
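The credibility weighting mentioned above, as an added example that is not from the chapter: a Bühlmann credibility blend of a firm's own annual loss-frequency experience with a consortium panel. The peer firms, their yearly loss counts and the firm's own counts are constructed numbers, not ORX or vendor data. The expected process variance (EPV) and the variance of hypothetical means (VHM) are estimated nonparametrically from the balanced peer panel, and Z = n / (n + EPV/VHM) is the weight given to the firm's own mean, so the external database carries most of the weight while the firm has few years of data and fades as its own history accumulates. The same weighting applies unchanged to severity or premium rather than frequency.

```python
"""Bühlmann credibility blend of internal loss experience with an external panel.

Added example (not from the chapter). The peer counts and the firm's own counts
are constructed; they are not ORX or any vendor's figures.
"""
from statistics import mean, variance

# Constructed consortium panel: annual loss counts for three peer firms, four years each.
EXTERNAL_PANEL = {
    "peer_A": [0, 20, 4, 16],
    "peer_B": [10, 30, 14, 26],
    "peer_C": [20, 40, 24, 36],
}


def buhlmann_parameters(panel):
    """Nonparametric Bühlmann estimates from a balanced panel (equal years per firm).

    Returns (collective_mean, EPV, VHM):
      EPV = expected process variance, the average within-firm sample variance
      VHM = variance of hypothetical means, the between-firm variance of the
            yearly means corrected for the sampling noise in those means
    """
    years = {len(counts) for counts in panel.values()}
    if len(years) != 1:
        raise ValueError("balanced panel required: every firm needs the same number of years")
    n = years.pop()
    firm_means = [mean(counts) for counts in panel.values()]
    epv = mean(variance(counts) for counts in panel.values())
    # A negative raw estimate means no detectable heterogeneity between firms; clamp to zero.
    vhm = max(variance(firm_means) - epv / n, 0.0)
    return mean(firm_means), epv, vhm


def credibility_estimate(internal_counts, panel):
    """Blend the firm's own mean with the collective mean using Z = n / (n + K), K = EPV / VHM."""
    collective_mean, epv, vhm = buhlmann_parameters(panel)
    n = len(internal_counts)
    if n == 0 or vhm == 0.0:
        z = 0.0  # no own data, or peers indistinguishable: rely on the external database
    else:
        z = n / (n + epv / vhm)
    own_mean = mean(internal_counts) if n else 0.0
    return {
        "years": n, "Z": z,
        "internal_mean": own_mean, "external_mean": collective_mean,
        "blended": z * own_mean + (1.0 - z) * collective_mean,
    }


def credibility_path(internal_counts, panel):
    """Show how the weight on own experience grows as each year of internal data arrives."""
    return [credibility_estimate(internal_counts[:k], panel)
            for k in range(1, len(internal_counts) + 1)]


if __name__ == "__main__":
    own = [14, 16, 13]  # constructed: the firm's own annual loss counts, oldest first
    for est in credibility_path(own, EXTERNAL_PANEL):
        print(f"years={est['years']}  Z={est['Z']:.3f}  own={est['internal_mean']:.2f}  "
              f"external={est['external_mean']:.2f}  blended={est['blended']:.2f}")
```

The clamp on VHM matters in practice: consortium members that behave alike produce a small or negative between-firm variance, and the honest answer in that case is to use the collective figure rather than a noisy own estimate.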
7.6 SCENARIO ANALYSIS

Another important tool in OpRisk management and mea-

through expert opinions, where these experts (or a group

or KRIs and internal loss trends; see for instance the discussions on scenario analysis for OpRisk in Rippel and Teply (2008), Alderweireld et al. (2006) and Huffman (2002).

appropriate statistical structures for surveys in such work

are a few ways to do so, but the most frequent is through gath-

Figure 7.3 Survey on how US banks run scenarios (methods surveyed: structured workshops, survey, individualized discussions, other).

Survey table (partial, as extracted):
Range | Count | % of total
100-500 | 30 | 29.4
50-100 | 40 | 39.2
Total | 102 |

Common Issues and Bias in Scenarios. Because scenarios are usually based on expert opinion, they present a number of biases; see for example a demonstration of such features in the experiments designed by Lin and Bier (2008). This is one of the

particular experience or risk. For example, if the expert has
information or engage meaningfully in the workshop or may seek to influence the outcomes;
• Over/under confidence bias. This bias involves over/under-estimation of risk due to the available experience and/or literature on the risk being limited;
• Inexpert opinion. In many firms, scenario workshops do not attract the expert (or the expert is not identified), and a more junior employee or someone with much less experience ends up participating in the workshop and providing inaccurate estimates;
• Context bias. This bias arises when framing in a certain manner alters the response of experts, that is, colors their opinion; see the discussion in Fischhoff et al. (1978).

A fundamental problem that scenario analysis programs face is the disparity of understanding and opinions on loss sizes and frequencies. To circumvent some of these problems, application of the Delphi technique may be of help. The Delphi technique, as Linstone and Turoff (1975) defined it, ". . . may be characterized as a method for structuring a group communication process so that the process is effective in allowing a group of individuals, as a whole, to deal with a complex problem."

The Delphi concept is a spin-off from defense research. "Project Delphi" is the name given to an American Air Force project, started in the early 1950s, that made use of expert opinion (see Dalkey and Helmer, 1963). The objective of the original study was to "obtain the most reliable consensus of opinions within a group of experts" by a series of intensive questionnaires interspersed with controlled opinion feedback.

The fixed income desk decided to get three different perspectives: from the front desk (traders), from the finance group, and from the operations group. Each one of these areas has a different perspective on what the risks would be and how many losses would happen. As the estimates from each of the three areas were very different, a separate scenario workshop was performed in each department and the participants were asked to estimate extreme losses. In the end, a final number was agreed by the three areas, and all recognized that tremendous education took place, as traders, for example, did not have the perspective of losses due to settlement failures. The Delphi technique (Dalkey and Helmer, 1963) has a number of stages:

1. In the first step, the subject under discussion should be explored, with as many individuals as possible contributing additional information;
2. Given the information from step 1, feedback and a description of the issues are provided to the group;
3. (Optional) Bring out the possible differences found in step 2 and evaluate them; and
4. A final evaluation occurs when all the previously gathered information has been analyzed and the evaluations have been fed back to the respondents for consideration.

Finally, we would like to mention that ideas from works on expert elicitation processes were implemented in a freely available toolkit known as the Sheffield Elicitation Framework (SHELF)1, which is covered under copyright when it comes to

1 SHELF is available at http://www.tonyohagan.co.uk/shelf/
commercial usage; see details on the associated website. In agreement with the standard industrial practice of structured workshops, the SHELF framework is developed to be performed with a group elicitation in mind and comprises a framework for eliciting the beliefs of one or more experts as a group.

After deciding the form of the operational loss data model and the types of losses that need to be reported, it is useful to split the financial institution into different business lines, given that the OpRisk profile is generally very diverse across different businesses within a financial institution. While an asset management unit is more inclined to have legal/liability problems (although still having a few transaction processing problems; in general, asset managers hold their positions longer than treasury), the

and Settlement, Agency Services, Asset Management, and Retail Brokerage. These are business units at level 1 as suggested

Table 7.12 Trading and Sales OpRisk Profile

Event Type | Frequency (%) | Severity (%)
Internal Fraud | 1.0 | 11.0
External Fraud | 1.0 | 0.3
Damage to Physical Assets | 0.4 | 0.2
Business Disruption and System Failures | 5.0 | 1.8
Execution, Delivery & Process Management | 76.7 | 55.3
Source: Results from the 2008 Loss Data Collection Exercise for Operational Risk, see BCBS (2009b).

disputes with clients for arguably poor advice when, for example, IPOs go wrong; see Table 7.13.
Execution, Delivery & Process Management | 20.6 | 21.4
Source: Results from the 2008 Loss Data Collection Exercise for Operational Risk, see BCBS (2009b).

losses are due to external frauds, which are daily events for these firms. Execution comes in a far second. However, when looking at severity, the largest risk exposure is due to litigation once again.

Insurance

For those not familiar with this industry, this sector can actually be divided into three types, given the significant differences between them: life insurance, health insurance, and property/casualty or "P&C" insurance (known as general insurance in Europe). To put it very simply, life insurers basically charge a premium from individuals in exchange for providing a sum of money when they die. Life insurers also offer retirement and income-protection products. Health insurers provide medical and hospital coverage. P&C insurers offer coverage against damage to properties caused by fire, natural disasters, theft, etc. They also offer protection against liabilities (e.g., directors being sued and professional errors). The actuarial calculation used in P&C insurance is very similar to the one used in OpRisk capital calculation. Most operational risk capital techniques are derived from P&C actuarial techniques, and there are many articles in the Journal of OpRisk that were written by P&C actuaries.

Regarding the sector's overall current financial situation, similar to most of the financial sectors, the effects of the financial crisis still linger. Life insurers started to feel the consequential effects of the long low-interest-rate environment, which affects their profitability and company valuations and also, as consumers struggle, brings declining sales and revenue. If interest rates continue to stay low, and it appears likely that they will for

and Affordable Care Act (signed into law by US President Barack Obama on March 23, 2010, and commonly referred to as "Obamacare"), are in much better shape than their counterparts, with a better perspective ahead of them.

differences between Europe and the US. In Europe, a process similar to Basel II was developed by insurance regulators, called Solvency 2. Two key themes have dominated regulatory discussions in the past year: supervisory focus on risk and capital management, and concerted efforts to move toward a consistent approach to cross-territory supervision of insurance groups. These initiatives underscore the importance of embedding strong risk management principles throughout an enterprise and moving beyond just "tick the box" compliance, similar to what Basel II has been influencing in the banking industry.

In the US, the regulatory environment has also been changing, as state insurance departments and rating agencies, in addition to the National Association of Insurance Commissioners (NAIC), are also influencing the direction of solvency regulation. While these varied initiatives place differing degrees of emphasis on capital requirements, reporting standards and risk measures, a common theme is their intensified focus on clearly articulating an insurer's risk profile. To prepare for and address the regulatory pressures to enhance risk management, insurers must significantly enhance their data management, reporting and analytical resources, and their organizations' ability to integrate risk data across disciplines. The US insurance industry is also anticipating potential impacts of Dodd-Frank legislation, including the systemically important financial institution (SIFI) designation and the Federal Insurance Office's (FIO) pending report to Congress on the state of US insurance regulation, which in practice creates a national insurance regulator.

Regarding OpRisk more specifically, insurers are still in the early stages of the development of their OpRisk frameworks. This comes somewhat as a surprise, as insurers suffered several large
operational losses that were very public and reported in the media. Some of the examples over the last decade2 are the USD 250 million loss that a large US insurer suffered a few years ago for discrimination (i.e., allegedly pricing their policies differently according to race); a large European reinsurer lost USD 3.5 billion for not having final contracts in place when the 9/11 terror attacks inflicted damages on clients; a large US auto insurer lost USD 1 billion for using low-quality auto parts in vehicle repairs; a large US life insurer lost USD 2 billion for abusive sales practices and illegal sales of securities; and the list goes on and on.

Insurers face a number of OpRisks; one of these is mis-selling their products to clients. A number of insurers worldwide got severe penalties for these sales practices. As with any retail sector, insurers are exposed to bad faith claims (i.e., frauds by customers); Hollywood has a number of movies on these interesting stories. More recently, the issue of unclaimed property has become a concern for insurers, as public officials are now focusing much more on the issue than they did in the past.

Given these pressures, insurers have been more diligent in catching up with banks in developing more robust OpRisk frameworks. However, they have a long road ahead of them.

Asset Management

The financial crisis brought to the global asset management industry challenges it had not seen in decades, as the industry was accustomed to high margins and substantial profits (particularly in the years 2000-2007, due to the availability of excess liquidity). As the financial markets climbed regularly over the last 30 years, occasional dips notwithstanding, asset managers became used to the steady increases in their assets under management (AUM) and easy profits. However, in the wake of the biggest downturn since the Great Depression, a slow recovery has left many firms struggling. Even in 2012, most of the growth of asset management came from market appreciation and not from an increase in the flow of resources from clients.

This new environment changed the asset management industry. During the precrisis "golden years" of abundant liquidity, most asset managers were not overly worried about the costs incurred in running their operations and did not pay close attention to the risks involved, since the continuous growth in personal wealth steadily increased their AUM, covering these expenses. Errors and high operating costs were buried under the increased revenues from a larger asset base and the profits that came from high returns in the world markets. Postcrisis, the situation has changed dramatically. Large asset managers have seen their AUM go down by 30 or 40%, not only because of the drop in asset prices but also because clients are withdrawing funds, either out of necessity to cover debts, because they fear that the stock markets will take a long time to recover, or sometimes even out of concern for the financial well-being of some asset managers. The crisis also showed historic regulatory failures, like the Bernie Madoff case, in which he created a Ponzi scheme that was discovered during the 2008 financial crisis and lost USD 6 billion from investors (this case is one of the largest OpRisk events in history). Many investors close to retirement lost their pensions not only because of the market conditions but also because of a lack of caution and risk management from pension fund managers.

This long-lasting dire economic environment forces asset managers to develop a much more careful discipline around costs, risk management, and productivity. Each of these factors has received widespread attention in the specialized media.

The industry has reacted quickly to this new reality. For example, a large independent US asset manager has already put in place several measures to reduce costs, by sharing services in its distribution and administration departments across geographical areas. This same firm has also launched an initiative to reduce its NCE by 20% in 2009, with the development of an inter-company committee to determine the expenses that have to be eliminated.

A European-based global firm decided to reduce the number of products it offered and to concentrate development efforts on a few products where it can build competitive advantage on a global scale. This firm also decided to immediately implement a plan, which had been on the shelf for many years, to streamline its operational platforms on a global basis. Currently, each geographical location (and sometimes each unit within the same country) has its own platform, with different vendors and frameworks to process securities.

Asset managers are susceptible to all forms of risk, namely market, credit, and OpRisks. However, due to the characteristics of their business (and perhaps helped by a historic disregard for strong controls), OpRisk is typically the largest risk exposure an asset manager has. Market and credit risk losses would usually have an indirect impact on the asset manager's revenue, as any loss to the client funds entails lower commissions. However, these losses are usually borne by the fund's clients, not by the asset manager as a financial institution. These market and credit risk losses would impact the quotas and NAVs, so the client would take a direct hit; the asset manager would just have less fee revenue in these cases, an indirect impact. OpRisk can be manifested in many different ways for an asset manager as, for example, in errors in processing transactions or a system failure that can cause severe damage and

2 To preserve confidentiality, the company names are not mentioned.
Table 7.15 Asset Management OpRisk Profile

Event Type | Frequency (%) | Severity (%)
Internal Fraud | 1.5 | 11.1
External Fraud | 2.7 | 0.9
Employment Practices and Workplace Safety | 4.3 | 2.5
Clients, Products, and Business Practices | 13.7 | 30.8
Damage to Physical Assets | 0.3 | 0.2
Business Disruption and System Failures | 3.3 | 1.5
Execution, Delivery & Process Management | 74.2 | 52.8
Source: Results from the 2008 Loss Data Collection Exercise for Operational Risk, see BCBS (2009b).

impact the balance sheet of the asset manager. Asset managers are also regularly sued for poor performance by clients. Consistently failing to comply with local regulations, or with very basic business ethics, can generate very large operational losses and subsequent reputational damage. A number of examples are available in the media of large losses in each of these cases (Table 7.15).

Coming to realize the need to focus on OpRisk, asset managers have been setting up OpRisk departments at a fast pace in the last few years. The higher focus from regulators on hedge funds has also made these more sophisticated asset managers set up better OpRisk procedures around their operations. This new focus on control and risks would actually facilitate more stable growth, with fewer bumps, when the economic environment eventually improves.

Retail Brokerage

For OpRisk practitioners, this sector is possibly one of the most interesting. Although we obviously need to consider that risk profiles would vary significantly between institutions given their different business strategies, broker-dealers' risk profile is usually dominated by OpRisk, which accounts for at least 60-70% of the total risk capital in these firms. This OpRisk dominance becomes clear when we review the sector.

Broker-dealers these days can be roughly classified into online and brick-and-mortar brokers. Although the separation cannot be precisely defined, the customer focus of these brokers is different. While online brokers tend to compete, brick-and-mortar brokers are mostly a division of larger financial institutions and tend to focus on a wealthier customer base that would pay for the high fees they charge, advice from financial advisors, etc.

Over the past decade, the industry had a dramatic transformation with the proliferation of sophisticated, high-speed trading technology that has changed the way broker-dealers trade for their own accounts and as agents for their customers. In addition, customers of these broker-dealers, particularly leading-edge institutions, have themselves begun using technological tools to place orders and to trade on markets with little or no substantive intermediation by their broker-dealers. This, in turn, has given rise to the increased use of and reliance on "direct market access" or "sponsored access" arrangements. Under these arrangements, the broker-dealer allows its customers, whether an institution such as a hedge fund, mutual fund, bank or insurance company, an individual, or another broker-dealer, to use the broker-dealer's market participant identifier ("MPID") or other mechanism for the purpose of electronically accessing the exchange. With "direct market access", as commonly understood, the customer's orders first flow through the broker-dealer's systems and then enter the markets, while with "sponsored access" the customer's orders flow directly into the markets without passing through the broker-dealer's systems. In all cases, irrespective of whether the broker-dealer is trading for its own account, is trading for customers through more traditionally intermediated brokerage arrangements, or is allowing customers direct market access or sponsored access, the broker-dealer with market access is legally responsible for all trading activities that occur under its MPID. In some cases, the broker-dealer providing sponsored access may not utilize any pretrade risk management controls (i.e., "unfiltered" or "naked" access), and thus could be unaware of the trading activity occurring under its market identifier and have no mechanism to control it.

Nowadays, order placement rates can exceed 1,000 orders per second with the use of high-speed, automated algorithms. If, for example, such an algorithm malfunctions and places repetitive orders with an average size of 300 shares and an average price of USD 20, a two-minute delay in the detection of the problem could result in the entry of 120,000 orders (1,000 orders per second for 120 seconds) with a value of USD 720 million (120,000 orders × 300 shares × USD 20). In sponsored access arrangements, as well as other access arrangements, appropriate pretrade risk controls could prevent this outcome from occurring by blocking unintended orders from being routed to an exchange. Incidents involving algorithmic or other trading errors in connection with market access occur with some regularity.
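The pretrade controls the passage describes, as an added example that is not part of the original chapter: a gate a broker-dealer could run in front of its MPID for sponsored-access order flow. The reference quotes, the order stream and the limits (a 10% price band around the reference quote, per-order and cumulative exposure limits measured at the reference quote rather than the entered price, and a message-rate throttle that engages a kill switch) are constructed and assumed for illustration; the rule set is not taken from any regulation or firm. It runs three cases drawn from the text: an ordinary order, a transposed-price order of the kind described for Mizuho (610,000 shares at 1 instead of 1 share at 610,000), and a runaway algorithm firing 1,000 orders per second, and compares the exposure that gets through the gate with what unfiltered access would have let through.

```python
"""Pretrade risk gate for sponsored / direct market access order flow.

Added example (not from the chapter). Quotes, orders and limits are constructed
for illustration; the checks are generic and not tied to any regulation or firm.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    symbol: str
    side: str      # "buy" or "sell"
    qty: int
    price: float   # price as entered by the customer
    ts: float      # entry time in seconds


@dataclass
class Limits:
    price_band: float = 0.10          # reject if entered price is >10% away from the reference quote
    max_order_notional: float = 5e6   # per-order exposure limit
    max_gross_notional: float = 50e6  # cumulative exposure (credit) limit for the session
    max_orders_per_sec: int = 100     # message-rate throttle; exceeding it engages the kill switch


class PreTradeGate:
    def __init__(self, quotes, limits=None):
        self.quotes = quotes          # symbol -> reference (quoted) price
        self.limits = limits or Limits()
        self.gross_notional = 0.0
        self.recent = deque()         # entry times of orders seen in the last second
        self.kill_switch = False

    def check(self, order):
        """Return the list of rejection reasons; an empty list means the order may be routed."""
        if self.kill_switch:
            return ["kill switch engaged; flow halted until manually reset"]
        lim, reasons = self.limits, []
        quote = self.quotes.get(order.symbol)
        if quote is None:
            reasons.append(f"{order.symbol}: no reference quote")
        elif abs(order.price - quote) > lim.price_band * quote:
            reasons.append(f"price {order.price} not within {lim.price_band:.0%} of quote {quote}")
        if order.qty <= 0:
            reasons.append("non-positive quantity")
        # Exposure is measured at the reference quote, not the entered price: a
        # mis-keyed price of 1 would otherwise make a huge order look tiny.
        exposure = order.qty * (quote if quote is not None else order.price)
        if exposure > lim.max_order_notional:
            reasons.append(f"order exposure {exposure:,.0f} exceeds per-order limit {lim.max_order_notional:,.0f}")
        if self.gross_notional + exposure > lim.max_gross_notional:
            reasons.append("cumulative exposure would exceed credit limit")
        # Message-rate throttle over a sliding one-second window; every order counts, accepted or not.
        while self.recent and order.ts - self.recent[0] >= 1.0:
            self.recent.popleft()
        self.recent.append(order.ts)
        if len(self.recent) > lim.max_orders_per_sec:
            self.kill_switch = True
            reasons.append(f"more than {lim.max_orders_per_sec} orders/s; kill switch engaged")
        if not reasons:
            self.gross_notional += exposure
        return reasons


def run_demo():
    """Constructed scenarios from the text; returns the figures a caller can check."""
    quotes = {"ACME": 20.0, "JCOM": 610_000.0}  # constructed reference quotes
    gate = PreTradeGate(quotes)
    normal = gate.check(Order("o1", "ACME", "buy", 300, 20.05, 0.0))
    # Transposed entry: 610,000 shares at 1 instead of 1 share at 610,000.
    fat_finger = gate.check(Order("o2", "JCOM", "sell", 610_000, 1.0, 0.5))
    # Runaway algorithm: 1,000 orders/s of 300 shares at 20 for two seconds.
    accepted = 0
    for i in range(2_000):
        if not gate.check(Order(f"a{i}", "ACME", "buy", 300, 20.0, 1.0 + i / 1000)):
            accepted += 1
    return {
        "normal": normal,
        "fat_finger": fat_finger,
        "runaway_accepted": accepted,
        "runaway_exposure": accepted * 300 * 20.0,
        "unfiltered_exposure": 2_000 * 300 * 20.0,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points carry the weight here. Exposure is valued at the reference quote, because the transposed order is tiny at its entered price and enormous at the market price, and only the latter is what the broker-dealer is legally responsible for under its MPID. And the throttle counts rejected messages too, so a malfunctioning algorithm is cut off by rate before its cumulative exposure limit is reached; the kill switch then stays engaged until someone resets it, which is the manual review the Southwest Securities alerts never triggered.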
For example, it was reported that, on September 30, 2008, trading in Google became extremely volatile toward the end of the day, dropping 93% in value at one point, due to an influx of erroneous orders onto an exchange from a single market participant. As a result, Nasdaq had to cancel numerous trades and adjust the closing price for Google and the closing value for the Nasdaq 100 Index. In addition, it was reported that, in September 2009, Southwest Securities announced a USD 6.3 million quarterly loss resulting from deficient market access controls with respect to one of its correspondent brokers, which vastly exceeded its credit limits. Despite receiving intra-day alerts from the exchange, Southwest Securities' controls proved insufficient to allow it to respond in a timely manner, and trading by the correspondent continued for the rest of the day, resulting in a significant loss. Another example that highlights the need for appropriate controls in connection with market access occurred in December 2005, when Mizuho Securities, one of Japan's largest brokerage firms, sustained a significant loss due to an erroneous manual order entry that resulted in a trade that, under the applicable exchange rules, could not be canceled. Specifically, it was reported that a trader at Mizuho Securities intended to enter a customer sale order for one share of a security at a price of 610,000 yen, but the numbers were mistakenly transposed and an order to sell 610,000 shares of the security at a price of 1 yen was entered instead. A system-driven, pretrade control reasonably designed to reject orders that are not reasonably related to the quoted price of the security would have prevented this order from reaching the market.

As these examples show, broker-dealers are intensively exposed to OpRisk, which usually occupies the headlines of most newspapers and media. Brokers usually do not hold large proprietary positions, and lending, particularly after the 2008 crash, has been limited; therefore, most exposure comes from potentially explosive system issues, execution errors, litigation with retail customers, fraud committed by clients, etc. (Table 7.16).

Table 7.16 Retail Brokerage OpRisk Profile

Event Type | Frequency (%) | Severity (%)
Internal Fraud | 5.8 | 18.1
External Fraud | 2.3 | 1.4
Employment Practices and Workplace Safety | 4.4 | 6.3
Clients, Products, and Business Practices | 66.9 | 59.5
Damage to Physical Assets | 0.1 | 0.1
Business Disruption and System Failures | 0.5 | 0.2
Execution, Delivery & Process Management | 20.0 | 14.4
Source: Results from the 2008 Loss Data Collection Exercise for Operational Risk, see BCBS (2009b).

7.8 RISK ORGANIZATION AND GOVERNANCE

Developing a solid risk organization is a key part of the framework. Understanding the reporting lines and establishing the position of this organization in the firm probably has as much importance as having a good measurement system. Also, having proper organizational involvement in OpRisk issues, where key stakeholders are regularly informed and oversee risk, is fundamental for success. Developing a framework in a silo that no one sees or cares about is not a desirable situation. The OpRisk manager needs to be integrated into the rest of the organization.

In this section, we provide an overview of how risk is organized in financial firms, how policies are structured, and the importance of a solid committee and governance structure. Sound internal governance forms the foundation of an effective OpRisk management framework. Although internal governance issues related to the management of operational risk are not unlike those encountered in the management of credit or market risk, OpRisk management challenges may differ from those in other risk areas.

Organization of Risk Departments

One cannot downplay the role of the organization in any large business. Although many times the focus is on the measurement models with their complex formulas, most of the time the success of implementing an OpRisk framework lies in having the right organization. The organizational design would usually hint at the strength and degree of development of an OpRisk framework at a firm. In the following text, we show a few organizational designs and the beliefs that firms need to have to make them work. Usually firms start with Design 1 and move to Design 4, presented in Figure 7.5.

• Design 1: Central Risk Function as Coordinator. In this organizational design, the risk management role is more that of a facilitator. Usually in this structure, risk management gathers information and reports to the CEO or the Board. Sometimes risk management would add some layer of analysis, but in most cases the Central Risk group would be a small group. One of the issues with this structure is that regulators dislike the idea that risk managers report to revenue-generating businesses;
Figure 7.5 Designs 1-4.

design, risk managers have a dotted line to the Central Risk function; however, they are appointed by the Business Units

Structuring a Firm Wide Policy: Example of an OpRisk Policy

An example of a policy is presented in Table 7.17. A policy defines a firm's operational risk management framework, which includes governance structure, roles and responsibilities, and standards for OpRisk management and measurement. It also describes the OpRisk management programs, which are the functional activities requiring guidelines for consistent firmwide execution (e.g., loss capture program, risk control self-assessment, and scenario analysis).

and
• An independent review (usually internal audit).
134 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Table 7.17 Example of an OpRisk Policy

Content                        Description
Policy statements              Provide a quick definition of the standards that will be used across the policy
Risk taxonomy                  Categorize OpRisk into different risk types. It can follow the Basel categories, but if it does not, it usually provides a mapping of internal categories to the Basel-defined categories
Loss collection                Defines what losses or incidents should be reported. Discusses concepts of "near misses" and describes recoveries
Risk assessment                Usually describes other programs used to supplement internal loss data collection, like scenario analysis or risk factor analysis
Risk measurement               Describes the basic framework for measuring OpRisk, which types of data are used, and how capital is calculated (overall view of the building blocks, not a detailed manual)
Validation                     Describes how the risk assessment and measurement are validated, how frequently validation takes place, and which departments are responsible for the validation
Policy assurance and testing   Determines which department(s) in the firm will be responsible for assurance that the policy is being followed and the reports that assure this firm-wide compliance
Governance                     Describes where this policy is situated, which committee approves it, and how the OpRisk governance works
References                     Determines on which regulations, external standards, and/or other firm policies this was based
Depending on the bank's nature, size and complexity, and the risk profile of a bank's activities, the degree of formality of how these three lines of defense are implemented will vary. In all cases, however, a bank's OpRisk governance function should be fully integrated into the bank's overall risk management governance structure, and the regulators closely monitor this.

If OpRisk governance utilizes the three lines of defense model (i.e., the business is the first line of defense, risk management the second line, and internal audit the third), the structure and activities of the three lines often vary, depending on the bank's portfolio of products, activities, processes, and systems; the bank's size; and its risk management approach. Strong risk culture and good communications among the three lines of defense are important characteristics of good OpRisk governance.

The regulators also reinforce the role of the board of directors. In the US and UK it is common for the regulators to meet separately and regularly with financial firms' boards of directors to discuss their expectations regarding risk management. The board of directors should take the lead in establishing a strong risk management culture. The board of directors and senior management should establish a corporate culture that is guided by strong risk management and that supports and provides appropriate standards and incentives for professional and responsible behavior. In this regard, it is the responsibility of the board of directors to ensure that a strong OpRisk management culture exists throughout the whole organization, and this will be closely monitored by regulators.
• Describe model risk and explain how model risk can arise in the implementation of a model.
• Describe elements of an effective process to manage model risk.
• Explain best practices for the development and implementation of a model.
• Describe elements of a strong model validation process and challenges to an effective validation process.

Excerpt is reprinted from Financial Institution Letter FIL-22-2017 published by the Federal Deposit Insurance Corporation.
8.1 INTRODUCTION

Banks rely heavily on quantitative analysis and models in most aspects of financial decision making.1 They routinely use models for a broad range of activities, including underwriting credits; valuing exposures, instruments, and positions; measuring risk; managing and safeguarding client assets; determining capital and reserve adequacy; and many other activities. In recent years, banks have applied models to more complex products and with more ambitious scope, such as enterprise-wide risk measurement, while the markets in which they are used have also broadened and changed. Changes in regulation have spurred some of the recent developments, particularly the U.S. regulatory capital rules for market, credit, and operational risk based on the framework developed by the Basel Committee on Banking Supervision. Even apart from these regulatory considerations, however, banks have been increasing the use of data-driven, quantitative decision-making tools for a number of years.

The expanding use of models in all aspects of banking reflects the extent to which models can improve business decisions, but models also come with costs. There is the direct cost of devoting resources to develop and implement models properly. There are also the potential indirect costs of relying on models, such as the possible adverse consequences (including financial loss) of decisions based on models that are incorrect or misused. Those consequences should be addressed by active management of model risk.

This guidance describes the key aspects of effective model risk management. Section II explains the purpose and scope of the guidance, and Section III gives an overview of model risk management. Section IV discusses robust model development, implementation, and use. Section V describes the components of an effective validation framework. Section VI explains the salient features of sound governance, policies, and controls over model development, implementation, use, and validation. Section VII concludes.

8.2 PURPOSE AND SCOPE

The purpose of this document is to provide comprehensive guidance for banks on effective model risk management. Rigorous model validation plays a critical role in model risk management; however, sound development, implementation, and use of models are also vital elements. Furthermore, model risk management encompasses governance and control mechanisms such as board and senior management oversight, policies and procedures, controls and compliance, and an appropriate incentive and organizational structure.

Previous guidance and other publications issued by the FDIC on the use of models address aspects of model risk management for specific types of models or pay particular attention to model validation.2 Based on supervisory and industry experience over the past several years, this document expands on existing guidance—most importantly by broadening the scope to include all aspects of model risk management. Many banks may already have in place a large portion of these practices, but banks should ensure that internal policies and procedures are consistent with the risk management principles and supervisory expectations contained in this guidance. Details may vary from bank to bank, as practical application of this guidance should be customized to be commensurate with a bank's risk exposures, its business activities, and the complexity and extent of its model use. For example, steps taken to apply this guidance at banks using relatively few models of only moderate complexity might be significantly less involved than those at a bank where use of models is more extensive or complex.

8.3 OVERVIEW OF MODEL RISK MANAGEMENT

For the purposes of this document, the term model refers to a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates. A model consists of three components: an information input component, which delivers assumptions and data to the model; a processing component, which transforms inputs into estimates; and a reporting component, which translates the estimates into useful business information. Models meeting this definition might be used for analyzing business strategies, informing

1 Unless otherwise indicated, banks refers to state non-member banks, state savings associations, and all other institutions for which the Federal Deposit Insurance Corporation is the primary supervisor. It is not expected that this guidance will pertain to FDIC-supervised institutions with under $1 billion in total assets unless the institution's model use is significant, complex, or poses elevated risk to the institution.

2 For instance, the FDIC has addressed aspects of model risk management in guidance related to different activities; see Joint Agency Policy Statement on Interest Rate Risk (FIL-52-96), FFIEC Advisory on Interest Rate Risk Management (FIL-2-2010), Interagency Advisory on Interest Rate Risk Management Frequently Asked Questions (FIL-2-2012), FDIC's Credit Card Activities Manual (https://www.fdic.gov/regulations/examinations/credit_card/), and Supervisory Guidance on Implementing Dodd-Frank Act Company-Run Stress Tests for Banking Organizations With Total Consolidated Assets of More Than $10 Billion but Less Than $50 Billion (79 FR 14153). In addition, the advanced-approaches risk-based capital rules (12 CFR 325, Appendix D) contain explicit validation requirements for subject banking organizations.
business decisions, identifying and measuring risks, valuing exposures, instruments or positions, conducting stress testing, assessing adequacy of capital, managing client assets, measuring compliance with internal limits, maintaining the formal control apparatus of the bank, or meeting financial or regulatory reporting requirements and issuing public disclosures. The definition of model also covers quantitative approaches whose inputs are partially or wholly qualitative or based on expert judgment, provided that the output is quantitative in nature.3

Models are simplified representations of real-world relationships among observed characteristics, values, and events. Simplification is inevitable, due to the inherent complexity of those relationships, but also intentional, to focus attention on particular aspects considered to be most important for a given model application. Model quality can be measured in many ways: precision, accuracy, discriminatory power, robustness, stability, and reliability, to name a few. Models are never perfect, and the appropriate metrics of quality, and the effort that should be put into improving quality, depend on the situation. For example, precision and accuracy are relevant for models that forecast future values, while discriminatory power applies to models that rank order risks. In all situations, it is important to understand a model's capabilities and limitations given its simplifications and assumptions.

The use of models invariably presents model risk, which is the potential for adverse consequences from decisions based on incorrect or misused model outputs and reports. Model risk can lead to financial loss, poor business and strategic decision making, or damage to a bank's reputation. Model risk occurs primarily for two reasons:

• The model may have fundamental errors and may produce inaccurate outputs when viewed against the design objective and intended business uses. The mathematical calculation and quantification exercise underlying any model generally involves application of theory, choice of sample design and numerical routines, selection of inputs and estimation, and implementation in information systems. Errors can occur at any point from design through implementation. In addition, shortcuts, simplifications, or approximations used to manage complicated problems could compromise the integrity and reliability of outputs from those calculations. Finally, the quality of model outputs depends on the quality of input data and assumptions, and errors in inputs or incorrect assumptions will lead to inaccurate outputs.

• The model may be used incorrectly or inappropriately. Even a fundamentally sound model producing accurate outputs consistent with the design objective of the model may exhibit high model risk if it is misapplied or misused. Models by their nature are simplifications of reality, and real-world events may prove those simplifications inappropriate. This is even more of a concern if a model is used outside the environment for which it was designed. Banks may do this intentionally as they apply existing models to new products or markets, or inadvertently as market conditions or customer behavior changes. Decision makers need to understand the limitations of a model to avoid using it in ways that are not consistent with the original intent. Limitations come in part from weaknesses in the model due to its various shortcomings, approximations, and uncertainties. Limitations are also a consequence of assumptions underlying a model that may restrict the scope to a limited set of specific circumstances and situations.

Model risk should be managed like other types of risk. Banks should identify the sources of risk and assess the magnitude. Model risk increases with greater model complexity, higher uncertainty about inputs and assumptions, broader use, and larger potential impact. Banks should consider risk from individual models and in the aggregate. Aggregate model risk is affected by interaction and dependencies among models; reliance on common assumptions, data, or methodologies; and any other factors that could adversely affect several models and their outputs at the same time. With an understanding of the source and magnitude of model risk in place, the next step is to manage it properly.

A guiding principle for managing model risk is "effective challenge" of models, that is, critical analysis by objective, informed parties who can identify model limitations and assumptions and produce appropriate changes. Effective challenge depends on a combination of incentives, competence, and influence. Incentives to provide effective challenge to models are stronger when there is greater separation of that challenge from the model development process and when challenge is supported by well-designed compensation practices and corporate culture. Competence is a key to effectiveness since technical knowledge and modeling skills are necessary to conduct appropriate analysis and critique. Finally, challenge may fail to be effective without the influence to ensure that actions are taken to address model issues. Such influence comes from a combination of explicit authority, stature within the organization, and commitment and support from higher levels of management.

Even with skilled modeling and robust validation, model risk cannot be eliminated, so other tools should be used to manage

3 While outside the scope of this guidance, more qualitative approaches used by banking organizations—i.e., those not defined as models according to this guidance—should also be subject to a rigorous control process.
impact of assumptions and identify situations where the model performs poorly or becomes unreliable. Testing should be applied to actual circumstances under a variety of market conditions, including scenarios that are outside the range of ordinary expectations, and should encompass the variety of products or applications for which the model is intended. Extreme values for inputs should be evaluated to identify any boundaries of model effectiveness. The impact of model results on other models that rely on those results as inputs should also be evaluated. Included in testing activities should be the purpose, design, and execution of test plans, summary results with commentary and evaluation, and detailed analysis of informative samples. Testing activities should be appropriately documented.

The nature of testing and analysis will depend on the type of model and will be judged by different criteria depending on the context. For example, the appropriate statistical tests depend on specific distributional assumptions and the purpose of the model. Furthermore, in many cases statistical tests cannot unambiguously reject false hypotheses or accept true ones based on sample information. Different tests have different strengths and weaknesses under different conditions. Any single test is rarely sufficient, so banks should apply a variety of tests to develop a sound model.

Banks should ensure that the development of the more judgmental and qualitative aspects of their models is also sound. In some cases, banks may take statistical output from a model and modify it with judgmental or qualitative adjustments as part of model development. While such practices may be appropriate, banks should ensure that any such adjustments made as part of the development process are conducted in an appropriate and systematic manner, and are well documented. Models typically are embedded in larger information systems that manage the flow of data from various sources into the model and handle the aggregation and reporting of model outcomes. Model calculations should be properly coordinated with the capabilities and requirements of information systems. Sound model risk management depends on substantial investment in supporting systems to ensure data and reporting integrity, together with controls and testing to ensure proper implementation of models, effective systems integration, and appropriate use.

Model Use

Model use provides additional opportunity to test whether a model is functioning effectively and to assess its performance over time as conditions and model applications change. It can serve as a source of productive feedback and insights from a knowledgeable internal constituency with strong interest in having models that function well and reflect economic and business realities. Model users can provide valuable business insight during the development process. In addition, business managers affected by model outcomes may question the methods or assumptions underlying the models, particularly if the managers are significantly affected by and do not agree with the outcome. Such questioning can be healthy if it is constructive and causes model developers to explain and justify the assumptions and design of the models.

However, challenge from model users may be weak if the model does not materially affect their results, if the resulting changes in models are perceived to have adverse effects on the business line, or if change in general is regarded as expensive or difficult. User challenges also tend not to be comprehensive because they focus on aspects of models that have the most direct impact on the user's measured business performance or compensation, and thus may ignore other elements and applications of the models. Finally, such challenges tend to be asymmetric, because users are less likely to challenge an outcome that results in an advantage for them. Indeed, users may incorrectly believe that model risk is low simply because outcomes from model-based decisions appear favorable to the institution. Thus, the nature and motivation behind model users' input should be evaluated carefully, and banks should also solicit constructive suggestions and criticism from sources independent of the line of business using the model.

Reports used for business decision making play a critical role in model risk management. Such reports should be clear and comprehensible and take into account the fact that decision makers and modelers often come from quite different backgrounds and may interpret the contents in different ways. Reports that provide a range of estimates for different input-value scenarios and assumption values can give decision makers important indications of the model's accuracy, robustness, and stability as well as information on model limitations.

An understanding of model uncertainty and inaccuracy and a demonstration that the bank is accounting for them appropriately are important outcomes of effective model development, implementation, and use. Because they are by definition imperfect representations of reality, all models have some degree of uncertainty and inaccuracy. These can sometimes be quantified, for example, by an assessment of the potential impact of factors that are unobservable or not fully incorporated in the model, or by the confidence interval around a statistical model's point estimate. Indeed, using a range of outputs, rather than a simple point estimate, can be a useful way to signal model uncertainty and avoid spurious precision. At other times, only a qualitative assessment of model uncertainty and inaccuracy is possible. In either case, it can be prudent for banks to account for model uncertainty by explicitly adjusting model inputs or calculations
those staff report should have sufficient influence or stature within the bank to ensure that any issues and deficiencies are appropriately addressed in a timely and substantive manner. Such influence can be reflected in reporting lines, title, rank, or designated responsibilities. Influence may be demonstrated by a pattern of actual instances in which models, or the use of models, have been appropriately changed as a result of validation.

The range and rigor of validation activities conducted prior to first use of a model should be in line with the potential risk presented by use of the model. If significant deficiencies are noted as a result of the validation process, use of the model should not be allowed or should be permitted only under very tight constraints until those issues are resolved. If the deficiencies are too severe to be addressed within the model's framework, the model should be rejected. If it is not feasible to conduct necessary validation activities prior to model use because of data paucity or other limitations, that fact should be documented and communicated in reports to users, senior management, and other relevant parties. In such cases, the uncertainty about the results that the model produces should be mitigated by other compensating controls. This is particularly applicable to new models and to the use of existing models in new applications.

Validation activities should continue on an ongoing basis after a model goes into use, to track known model limitations and to identify any new ones. Validation is an important check on model use during periods of benign economic and financial conditions, when estimates of risk and potential loss can become overly optimistic, and when the data at hand may not fully reflect more stressed conditions. Ongoing validation activities help to ensure that changes in markets, products, exposures, activities, clients, or business practices do not create new model limitations. For example, if credit risk models do not incorporate underwriting changes in a timely manner, flawed and costly business decisions could be made before deterioration in model performance becomes apparent.

Banks should conduct a periodic review—at least annually but more frequently if warranted—of each model to determine whether it is working as intended and if the existing validation activities are sufficient. Such a determination could simply affirm previous validation work, suggest updates to previous validation activities, or call for additional validation activities. Material changes to models should also be subject to validation. It is generally good practice for banks to ensure that all models undergo the full validation process, as described in the following section, at some fixed interval, including updated documentation of all activities.

Effective model validation helps reduce model risk by identifying model errors, corrective actions, and appropriate use. It also provides an assessment of the reliability of a given model, based on its underlying assumptions, theory, and methods. In this way, it provides information about the source and extent of model risk. Validation also can reveal deterioration in model performance over time and can set thresholds for acceptable levels of error, through analysis of the distribution of outcomes around expected or predicted values. If outcomes fall consistently outside this acceptable range, then the models should be redeveloped.

Key Elements of Comprehensive Validation

An effective validation framework should include three core elements:

• Evaluation of conceptual soundness, including developmental evidence
• Ongoing monitoring, including process verification and benchmarking
• Outcomes analysis, including back-testing

Evaluation of Conceptual Soundness

This element involves assessing the quality of the model design and construction. It entails review of documentation and empirical evidence supporting the methods used and variables selected for the model. Documentation and testing should convey an understanding of model limitations and assumptions. Validation should ensure that judgment exercised in model design and construction is well informed, carefully considered, and consistent with published research and with sound industry practice. Developmental evidence should be reviewed before a model goes into use and also as part of the ongoing validation process, in particular whenever there is a material change in the model.

A sound development process will produce documented evidence in support of all model choices, including the overall theoretical construction, key assumptions, data, and specific mathematical calculations, as mentioned in Section IV. As part of model validation, those model aspects should be subjected to critical analysis by both evaluating the quality and extent of developmental evidence and conducting additional analysis and testing as necessary. Comparison to alternative theories and approaches should be included. Key assumptions and the choice of variables should be assessed, with analysis of their impact on model outputs and particular focus on any potential limitations. The relevance of the data used to build the model should be evaluated to ensure that it is reasonably representative of the bank's portfolio or market conditions, depending on the type of model. This is an especially important exercise when a bank uses external data or the model is used for new products or activities.

The second core element of the validation process is ongoing monitoring. Such monitoring confirms that the model is appropriately implemented and is being used and is performing as intended.

Ongoing monitoring is essential to evaluate whether changes in products, exposures, activities, clients, or market conditions necessitate adjustment, redevelopment, or replacement of the model and to verify that any extension of the model beyond its original scope is valid. Any model limitations identified in the development stage should be regularly assessed over time, as part of ongoing monitoring. Monitoring begins when a model is first implemented in production systems for actual business use. This monitoring should continue periodically over time, with a frequency appropriate to the nature of the model, the availability of new data or modeling approaches, and the magnitude of the risk involved. Banks should design a program of ongoing testing and evaluation of model performance along with

Sensitivity analysis and other checks for robustness and stability should likewise be repeated periodically. They can be as useful during ongoing monitoring as they are during model development. If models only work well for certain ranges of input values, market conditions, or other factors, they should be monitored to identify situations where these constraints are approached or exceeded.

Ongoing monitoring should include the analysis of overrides with appropriate documentation. In the use of virtually any model, there will be cases where model output is ignored, altered, or reversed based on the expert judgment of model users. Such overrides are an indication that, in some respect, the model is not performing as intended or has limitations. Banks should evaluate the reasons for overrides and track and analyze override performance. If the rate of overrides is high, or if the override process consistently improves model performance, it is often a sign that the underlying model needs revision or redevelopment.
Benchmarking is the comparison of a given model's inputs and outputs to estimates from alternative internal or external data or models. It can be incorporated in model development as well as in ongoing monitoring. For credit risk models, examples of benchmarks include models from vendor firms or industry consortia and data from retail credit bureaus. Pricing models for securities and derivatives often can be compared with alternative models that are more accurate or comprehensive but also too time consuming to run on a daily basis. Whatever the source, benchmark models should be rigorous and benchmark data should be accurate and complete to ensure a reasonable comparison.

Discrepancies between the model output and benchmarks should trigger investigation into the sources and degree of the differences, and examination of whether they are within an expected or appropriate range given the nature of the comparison. The results of that analysis may suggest revisions to the model. However, differences do not necessarily indicate that the model is in error. The benchmark itself is an alternative prediction, and the differences may be due to the different data or methods used. If the model and the benchmark match well, that is evidence in favor of the model, but it should be interpreted with caution so the bank does not get a false degree of comfort.

Outcomes Analysis

The third core element of the validation process is outcomes analysis, a comparison of model outputs to corresponding actual outcomes. The precise nature of the comparison depends on the objectives of a model, and might include an assessment of the accuracy of estimates or forecasts, an evaluation of rank ordering ability, or other appropriate tests. In all cases, such comparisons help to evaluate model performance, by establishing expected ranges for those actual outcomes in relation to the intended objectives and assessing the reasons for observed variation between the two. If outcomes analysis produces evidence of poor performance, the bank should take action to address those issues. Outcomes analysis typically relies on statistical tests or other quantitative measures. It can also include expert judgment to check the intuition behind the outcomes and confirm that the results make sense. When a model itself relies on expert judgment, quantitative outcomes analysis helps to evaluate the quality of that judgment. Outcomes analysis

complexity, data availability, and the magnitude of potential model risk to the bank. Outcomes analysis should involve a range of tests because any individual test will have weaknesses. For example, some tests are better at checking a model's ability to rank-order or segment observations on a relative basis, whereas others are better at checking absolute forecast accuracy. Tests should be designed for each situation, as not all will be effective or feasible in every circumstance, and attention should be paid to choosing the appropriate type of outcomes analysis for a particular model.

Models are regularly adjusted to take into account new data or techniques, or because of deterioration in performance. Parallel outcomes analysis, under which both the original and adjusted models' forecasts are tested against realized outcomes, provides an important test of such model adjustments. If the adjusted model does not outperform the original model, developers, users, and reviewers should realize that additional changes—or even a wholesale redesign—are likely necessary before the adjusted model replaces the original one.

Back-testing is one form of outcomes analysis; specifically, it involves the comparison of actual outcomes with model forecasts during a sample time period not used in model development and at an observation frequency that matches the forecast horizon or performance window of the model. The comparison is generally done using expected ranges or statistical confidence intervals around the model forecasts. When outcomes fall outside those intervals, the bank should analyze the discrepancies and investigate the causes that are significant in terms of magnitude or frequency. The objective of the analysis is to determine whether differences stem from the omission of material factors from the model, whether they arise from errors with regard to other aspects of model specification such as interaction terms or assumptions of linearity, or whether they are purely random and thus consistent with acceptable model performance. Analysis of in-sample fit and of model performance in holdout samples (data set aside and not used to estimate the original model) are important parts of model development but are not substitutes for back-testing.

A well-known example of back-testing is the evaluation of value-at-risk (VaR), in which actual profit and loss is compared with a model forecast loss distribution. Significant deviation in expected versus actual performance and unexplained volatility in the profits and losses of trading activities may indicate that
should be conducted on an ongoing basis to test whether the
hedging and pricing relationships are not adequately measured
model continues to perform in line with design objectives and by a given approach. Along with measuring the frequency of
business uses.
losses in excess of a single VaR percentile estimator, banks
A variety of quantitative and qualitative testing and analytical should use other tests, such as assessing any clustering of
techniques can be used in outcomes analysis. The choice of exceptions and checking the distribution of losses against other
technique should be based on the model's m ethodology, its estim ated percentiles.
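The three VaR back-testing checks named in the passage above (exception frequency, clustering of exceptions, and coverage at other percentiles) are shown below as an added example; this code is not part of the supervisory guidance reproduced here. The Kupiec proportion-of-failures test and the Christoffersen independence test are standard choices that the passage does not itself name, and the 20-day P&L series and constant VaR levels are constructed for illustration rather than taken from any trading book.

```python
"""Back-test of a daily VaR forecast against realised P&L.

Added example, not part of the supervisory guidance reproduced on this page.
It checks the three things the passage asks for: the frequency of exceptions at
the reported VaR level, whether those exceptions cluster in time, and coverage at
other forecast percentiles. The Kupiec proportion-of-failures test and the
Christoffersen independence test used here are standard choices that the passage
itself does not name; the P&L series and VaR levels are constructed, not market data.
"""
import math
from statistics import NormalDist


def _xlogy(x: float, y: float) -> float:
    """x * ln(y) with the convention 0 * ln(0) = 0, needed when a count is zero."""
    return 0.0 if x == 0 else x * math.log(y)


def _chi2_1df_pvalue(lr: float) -> float:
    """Survival function of a chi-square variable with one degree of freedom."""
    return 2.0 * (1.0 - NormalDist().cdf(math.sqrt(max(lr, 0.0))))


def exception_flags(pnl, var):
    """1 on days where the realised loss (negative P&L) exceeds the forecast VaR."""
    return [1 if -p > v else 0 for p, v in zip(pnl, var)]


def kupiec_pof(k: int, n: int, p: float):
    """Proportion-of-failures test: are k exceptions in n days consistent with rate p?

    Returns (likelihood ratio, p-value); a small p-value rejects the forecast level.
    """
    ll_null = _xlogy(n - k, 1.0 - p) + _xlogy(k, p)
    ll_alt = _xlogy(n - k, 1.0 - k / n) + _xlogy(k, k / n)
    lr = 2.0 * (ll_alt - ll_null)
    return lr, _chi2_1df_pvalue(lr)


def christoffersen_independence(flags):
    """First-order Markov test: does an exception make another one tomorrow more likely?

    Returns (transition counts, likelihood ratio, p-value); a high n11 with a small
    p-value is the clustering of exceptions the passage warns about.
    """
    if len(flags) < 2:
        raise ValueError("need at least two observations")
    n = {"00": 0, "01": 0, "10": 0, "11": 0}
    for a, b in zip(flags, flags[1:]):
        n[f"{a}{b}"] += 1
    from0, from1 = n["00"] + n["01"], n["10"] + n["11"]
    pi = (n["01"] + n["11"]) / (from0 + from1)   # one exception probability, ignoring yesterday
    pi01 = n["01"] / from0 if from0 else 0.0      # P(exception | none yesterday)
    pi11 = n["11"] / from1 if from1 else 0.0      # P(exception | exception yesterday)
    ll_null = _xlogy(n["00"] + n["10"], 1.0 - pi) + _xlogy(n["01"] + n["11"], pi)
    ll_alt = (_xlogy(n["00"], 1.0 - pi01) + _xlogy(n["01"], pi01)
              + _xlogy(n["10"], 1.0 - pi11) + _xlogy(n["11"], pi11))
    lr = 2.0 * (ll_alt - ll_null)
    return n, lr, _chi2_1df_pvalue(lr)


def coverage_by_level(pnl, var_by_level):
    """Observed versus expected exception counts at each forecast percentile."""
    return {level: (sum(exception_flags(pnl, var)), len(pnl) * (1.0 - level))
            for level, var in var_by_level.items()}


def backtest(pnl, var_by_level, reported_level):
    """Run all three checks, using the reported VaR level for the frequency and clustering tests."""
    flags = exception_flags(pnl, var_by_level[reported_level])
    k, n = sum(flags), len(flags)
    _, p_freq = kupiec_pof(k, n, 1.0 - reported_level)
    counts, _, p_ind = christoffersen_independence(flags)
    return {"exceptions": k, "frequency_pvalue": p_freq, "transitions": counts,
            "independence_pvalue": p_ind, "coverage": coverage_by_level(pnl, var_by_level)}


# Constructed 20-day sample. VaR is quoted as a positive loss amount and held constant
# for readability; a real run uses each day's own forecast.
SAMPLE_PNL = [1.2, -3.4, 2.1, -0.8, -12.5, -15.0, -11.2, 0.5, -2.2, 3.3,
              -8.1, 1.9, -0.4, 2.7, -10.6, 0.9, -1.1, 4.0, -2.8, 1.5]
SAMPLE_VAR = {0.99: [10.0] * 20, 0.95: [7.0] * 20}

if __name__ == "__main__":
    result = backtest(SAMPLE_PNL, SAMPLE_VAR, 0.99)
    print(f"{result['exceptions']} exceptions at 99%: frequency p={result['frequency_pvalue']:.2e}, "
          f"independence p={result['independence_pvalue']:.3f}, transitions={result['transitions']}")
    for level, (observed, expected) in sorted(result["coverage"].items()):
        print(f"  {level:.0%} VaR: observed {observed}, expected {expected:.1f}")
```

On the constructed sample the frequency test rejects the 99% level outright (four exceptions where 0.2 were expected), while the independence test, with only 19 transitions to work from, cannot establish clustering even though three of the four exceptions fall on consecutive days; that is the reason the passage asks for several tests and a long enough observation window rather than a single exception count.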
146 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
a weak governance function will reduce the effectiveness of overall model risk management. A strong governance framework provides explicit support and structure to risk management functions through policies defining relevant risk management activities, procedures that implement those policies, allocation of resources, and mechanisms for evaluating whether policies and procedures are being carried out as specified. Notably, the extent and sophistication of a bank's governance function is expected to align with the extent and sophistication of model usage.

Board of Directors and Senior Management

Model risk governance is provided at the highest level by the board of directors and senior management when they establish a bank-wide approach to model risk management. As part of their overall responsibilities, a bank's board and senior management should establish a strong model risk management framework that fits into the broader risk management of the organization. That framework should be grounded in an understanding of model risk—not just for individual models but also in the aggregate. The framework should include standards for model development, implementation, use, and validation.

While the board is ultimately responsible, it generally delegates to senior management the responsibility for executing and maintaining an effective model risk management framework. Duties of senior management include establishing adequate policies and procedures and ensuring compliance, assigning competent staff, overseeing model development and implementation, evaluating model results, ensuring effective challenge, reviewing validation and internal audit findings, and taking prompt remedial action when necessary. In the same manner as for other major areas of risk, senior management, directly and through relevant committees, is responsible for regularly reporting to the board on significant model risk, from individual models and in the aggregate, and on compliance with policy. Board members should ensure that the level of model risk is within their tolerance and direct changes where appropriate. These actions will set the tone for the whole organization about the importance of model risk and the need for active model risk management.

Policies and Procedures

Consistent with good business practices and existing supervisory expectations, banks should formalize model risk management activities with policies and the procedures to implement them. Model risk management policies should be consistent with this guidance and also be commensurate with the bank's relative complexity, business activities, corporate culture, and overall organizational structure. The board or its delegates should approve model risk management policies and review them annually to ensure consistent and rigorous practices across the organization. Those policies should be updated as necessary to ensure that model risk management practices remain appropriate and keep current with changes in market conditions, bank products and strategies, bank exposures and activities, and practices in the industry. All aspects of model risk management should be covered by suitable policies, including model and model risk definitions; assessment of model risk; acceptable practices for model development, implementation, and use; appropriate model validation activities; and governance and controls over the model risk management process.

Policies should emphasize testing and analysis, and promote the development of targets for model accuracy, standards for acceptable levels of discrepancies, and procedures for review of and response to unacceptable discrepancies. They should include a description of the processes used to select and retain vendor models, including the people who should be involved in such decisions.

The prioritization, scope, and frequency of validation activities should be addressed in these policies. They should establish standards for the extent of validation that should be performed before models are put into production and the scope of ongoing validation. The policies should also detail the requirements for validation of vendor models and third-party products. Finally, they should require maintenance of detailed documentation of all aspects of the model risk management framework, including an inventory of models in use, results of the modeling and validation processes, and model issues and their resolution.

Policies should identify the roles and assign responsibilities within the model risk management framework with clear detail on staff expertise, authority, reporting lines, and continuity. They should also outline controls on the use of external resources for validation and compliance and specify how that work will be integrated into the model risk management framework.

Roles and Responsibilities

Conceptually, the roles in model risk management can be divided among ownership, controls, and compliance. While there are several ways in which banks can assign the responsibilities associated with these roles, it is important that reporting lines and incentives be clear, with potential conflicts of interest identified and addressed.

Business units are generally responsible for the model risk associated with their business strategies. The role of model owner
should be able to understand and evaluate the results of validation and risk-control activities conducted by external resources. The internal party is responsible for: verifying that the agreed-upon scope of work has been completed; evaluating and tracking identified issues and ensuring they are addressed; and making sure that completed work is incorporated into the bank's overall model risk management framework. If the external resources are only utilized to do a portion of validation or compliance work, the bank should coordinate internal resources to complete the full range of work needed. The bank should have a contingency plan in case an external resource is no longer available or is unsatisfactory.

Model Inventory

Banks should maintain a comprehensive set of information for models implemented for use, under development for implementation, or recently retired. While each line of business may maintain its own inventory, a specific party should also be charged with maintaining a firm-wide inventory of all models, which should assist a bank in evaluating its model risk in the aggregate. Any variation of a model that warrants a separate validation should be included as a separate model and cross-referenced with other variations.

While the inventory may contain varying levels of information, given different model complexity and the bank's overall level of model usage, the following are some general guidelines. The inventory should describe the purpose and products for which the model is designed, actual or expected usage, and any restrictions on use. It is useful for the inventory to list the type and source of inputs used by a given model and underlying components (which may include other models), as well as model outputs and their intended use. It should also indicate whether models are functioning properly, provide a description of when they were last updated, and list any exceptions to policy. Other items include the names of individuals responsible for various aspects of the model development and validation; the dates of completed and planned validation activities; and the time frame during which the model is expected to remain valid.

Documentation

Without adequate documentation, model risk assessment and management will be ineffective. Documentation of model development and validation should be sufficiently detailed so that parties unfamiliar with a model can understand how the model operates, its limitations, and its key assumptions. Documentation provides for continuity of operations, makes compliance with policy transparent, and helps track recommendations, responses, and exceptions. Developers, users, control and compliance units, and supervisors are all served by effective documentation. Banks can benefit from advances in information and knowledge management systems and electronic documentation to improve the organization, timeliness, and accessibility of the various records and reports produced in the model risk management process.

Documentation takes time and effort, and model developers and users who know the models well may not appreciate its value. Banks should therefore provide incentives to produce effective and complete model documentation. Model developers should have responsibility during model development for thorough documentation, which should be kept up-to-date as the model and application environment changes. In addition, the bank should ensure that other participants in model risk management activities document their work, including ongoing monitoring, process verification, benchmarking, and outcomes analysis. Also, line of business or other decision makers should document information leading to selection of a given model and its subsequent validation. For cases in which a bank uses models from a vendor or other third party, it should ensure that appropriate documentation of the third-party approach is available so that the model can be appropriately validated.

Validation reports should articulate model aspects that were reviewed, highlighting potential deficiencies over a range of financial and economic conditions, and determining whether adjustments or other compensating controls are warranted. Effective validation reports include clear executive summaries, with a statement of model purpose and an accessible synopsis of model and validation results, including major limitations and key assumptions.

CONCLUSION

This document has provided comprehensive guidance on effective model risk management. Many of the activities described in this document are common industry practice. But all banks should confirm that their practices conform to the principles in this guidance for model development, implementation, and use, as well as model validation. Banks should also ensure that they maintain strong governance and controls to help manage model risk, including internal policies and procedures that appropriately reflect the risk management principles described in this guidance. Details of model risk management practices may vary from bank to bank, as practical application of this guidance should be commensurate with a bank's risk exposures, its business activities, and the extent and complexity of its model use.
• Identify the most common issues that result in data errors.
• Explain how a firm can set expectations for its data quality and describe some key dimensions of data quality used in this process.
• Describe the operational data governance process, including the use of scorecards in managing information risk.

Excerpt is Chapter 3 of Risk Management in Finance: Six Sigma and Other Next Generation Techniques, by Anthony Tarantino and Deborah Cernauskas.
It would not be a stretch of the imagination to claim that most organizations today are heavily dependent on the use of information to both run and improve the ways that they achieve their business objectives. That being said, the reliance on dependable information introduces risks to the ability of a business to achieve its business goals, and this means that no enterprise risk management program is complete without instituting processes for assessing, measuring, reporting, reacting to, and controlling the risks associated with poor data quality.

However, the consideration of information as a fluid asset, created and used across many different operational and analytic applications, makes it difficult to envision ways to assess the risks related to data failures as well as ways to monitor conformance to business user expectations. This requires some exploration into types of risks relating to the use of information, ways to specify data quality expectations, and developing a data quality scorecard as a management tool for instituting data governance and data quality control.

In this chapter we look at the types of risks that are attributable to poor data quality as well as an approach to correlating business impacts to data flaws. Data governance (DG) processes can contribute to the description of data quality expectations and the definition of relevant metrics and acceptability thresholds for monitoring conformance to those expectations. Combining the raw metrics scores with measured staff performance in observing data service-level agreements contributes to the creation of a data quality scorecard for managing risks.

Business Impacts of Poor Data Quality

Many data quality issues may occur within different business processes, and a data quality analysis process should incorporate a business impact assessment to identify and prioritize risks. To simplify the analysis, the business impacts associated with data errors can be categorized within a classification scheme intended to support the data quality analysis process and help in distinguishing between data issues that lead to material business impact and those that do not. This classification scheme defines six primary categories for assessing either the negative impacts incurred as a result of a flaw, or the potential opportunities for improvement resulting from improved data quality:

1. Financial impacts, such as increased operating costs, decreased revenues, missed opportunities, reduction or delays in cash flow, or increased penalties, fines, or other charges.
2. Confidence-based impacts, such as decreased organizational trust, low confidence in forecasting, inconsistent operational and management reporting, and delayed or improper decisions.
3. Satisfaction impacts such as customer, employee, or supplier satisfaction, as well as general market satisfaction.
4. Productivity impacts such as increased workloads, decreased throughput, increased processing time, or decreased end-product quality.
5. Risk impacts associated with credit assessment, investment risks, competitive risk, capital investment and/or development, fraud, and leakage.
business's financial, confidence, and compliance activities, yet all business impact categories deal with enterprise risk. There are two aspects of looking at information and risk; the first looks at how flawed information impacts organizational risk, while the other looks at the types of data failures that create the exposure.

principal executive officer or officers and the principal financial officer or officers certify the accuracy and correctness of financial reports.

• Basel II Accords provide guidelines for defining the regulations as well as guiding the quantification of operational and credit risk as a way to determine the amount of capital financial institutions are required to maintain as a guard against those risks.
• The Gramm-Leach-Bliley Act of 1999 imposes on financial institutions the obligation to "respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information."
• Credit risk assessment, which requires accurate documentation to evaluate an individual's or organization's abilities to repay loans.
• System development risks associated with capital investment in deploying new application systems emerge when moving those systems into production is delayed due to lack of trust in the application's underlying data assets.

While the sources of these areas of risk differ, an interesting similarity emerges: not only do these mandate the use or presentation of high-quality information, they also require means of demonstrating the adequacy of internal controls overseeing that quality to external parties such as auditors. This means that not only must financial institutions manage the quality of organizational information, they must also have governance processes in place that are transparent and auditable.

Information Flaws

The root causes for the business impacts are related to flaws in the critical data elements upon which the successful completion of the business processes depend. There are many types of erroneous data, but the following common issues in particular lead to increased risk:

• Data entry errors
• Missing data
• Duplicate records
• Inconsistent data
• Nonstandard formats

Insurance Exposure

A 2008 Ernst & Young survey on catastrophe exposure data quality highlighted that "shortcomings in exposure data quality are common," and that "not many insurers are doing enough to correct these shortcomings," which included missing or inaccurate values associated with insured values, locations, building class, occupancy class, as well as additional characteristics.5

Employee Fraud and Abuse

In 1997, the Department of Defense Guidelines on Data Quality categorized costs into four areas: prevention, appraisal, internal failure, and external failure. In turn, the impacts were evaluated to assess costs to correct data problems as opposed to costs incurred by ignoring them. Further assessment looked at direct costs (such as costs for appraisal, correction, or support) versus indirect costs (such as customer satisfaction). That report documents examples of how poor data quality impacts specific business processes: ". . . the inability to match payroll records to the official employment record can cost millions in payroll overpayments to deserters, prisoners, and 'ghost' soldiers. In addition, the inability to correlate purchase orders to invoices is a major problem in unmatched disbursements."1

The 2006 Association of Certified Fraud Examiners Report to the Nation2 details a number of methods that unethical employees can use to modify existing data to commit fraudulent payments. Invalid data is demonstrated to have significant business impacts, and the report details median costs associated with these different types of improper disbursements.

Underbilling and Revenue Assurance

NTL, a cable operator in the United Kingdom, anticipated business benefits in improving the efficiency and value of an operator's network through data quality improvement. Invalid data translated into discrepancies between services provided and services invoiced, resulting in a waste of unknown excess capacity. Their data quality improvement program was, to some extent, self-funded through the analysis of "revenue assurance to detect under billing. For example, . . . results indicated leakage of just over 3 percent of total revenue."

9.3 DATA QUALITY EXPECTATIONS

These examples are not unique, but instead demonstrate patterns that commonly emerge across all types of organizations. Knowledge of the business impacts related to data quality issues is the catalyst to instituting data governance practices that can oversee the control and assurance of data validity. The first step toward managing the risks associated with the introduction of flawed data into the environment is articulating the business user expectations for data quality and asserting specifications that can
data values drawn from separate data sets must not conflict with each other, or define more complex comparators with a set of predefined constraints. More formal consistency constraints can be encapsulated as a set of rules that specify relationships between values of attributes, either across a record or message, or along all values of a single attribute.

However, be careful not to confuse consistency with accuracy or correctness. Consistency may be defined between one set of attribute values and another attribute set within the same record (record-level consistency), between one set of attribute values and another attribute set in different records (cross-record consistency), or between one set of attribute values and the same attribute set within the same record at different points in time (temporal consistency).

Reasonableness

This dimension is used to measure conformance to consistency expectations relevant within specific operational contexts. For example, one might expect that the total sales value of all the transactions each day will not exceed 105 percent of the running average daily total sales for the previous 30 days.

The principal concept is that the selected dimensions characterize aspects of the business user expectations and that they can be quantified using a reasonable measurement process.

9.4 MAPPING BUSINESS POLICIES TO DATA RULES

Having identified the dimensions of data quality that are relevant to the business processes, we can map the information policies and their corresponding business rules to those dimensions. For example, consider a business policy that specifies that personal data collected over the web may be shared only if the user has not opted out of that sharing process. This business policy defines information policies: the data model must have a data attribute specifying whether a user has opted out of information sharing, and that attribute must be checked before any records may be shared. This also provides us with a measurable metric: the count of shared records for those users who have opted out of sharing.

The same successive refinement can be applied to almost every business policy and its corresponding information policies. As we distill out the information requirements, we also capture assertions about the business user expectations for the result
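The consistency and reasonableness dimensions above, and the opt-out metric derived from the sharing policy in 9.4, are shown below as executable data quality rules. This is an added example and not the chapter's own code: the customer/order schema, the rule names and the sample records are this example's assumptions, while the 105 percent / 30-day band and the "shared despite opt-out" count come from the text. Each rule returns how many items it checked and which ones failed, which is the raw material a scorecard later rolls up.

```python
"""Data quality rules for the dimensions discussed above, run over constructed records.

Added example, not from the chapter. The customer/order schema, the rule names and
the sample data are this example's assumptions; the 105 percent / 30-day
reasonableness threshold and the opt-out metric come from the text.
"""
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List


@dataclass
class RuleResult:
    rule: str
    dimension: str
    checked: int                       # how many records or days the rule looked at
    violations: List = field(default_factory=list)

    @property
    def failure_rate(self) -> float:
        return len(self.violations) / self.checked if self.checked else 0.0


def record_level_consistency(customers) -> RuleResult:
    """Two attributes of one record: a closed account must not carry an open credit line."""
    bad = [c["id"] for c in customers if c["status"] == "closed" and c["credit_line"] > 0]
    return RuleResult("closed_account_has_no_credit", "consistency (record)", len(customers), bad)


def cross_record_consistency(orders, customers) -> RuleResult:
    """Attributes in separate data sets must not conflict: an order must reference an
    existing customer and ship to that customer's country of record."""
    country = {c["id"]: c["country"] for c in customers}
    bad = [o["order_id"] for o in orders
           if country.get(o["customer_id"]) != o["ship_country"]]
    return RuleResult("order_matches_customer", "consistency (cross-record)", len(orders), bad)


def temporal_consistency(snapshots) -> RuleResult:
    """Same attribute, same record, different points in time: a date of birth must not drift."""
    bad = [cid for cid, versions in snapshots.items()
           if len({v["date_of_birth"] for v in versions}) > 1]
    return RuleResult("date_of_birth_stable", "consistency (temporal)", len(snapshots), bad)


def reasonableness_daily_sales(daily_totals, window=30, tolerance=1.05) -> RuleResult:
    """A day's total must not exceed 105 percent of the running average of the previous
    30 days. Days without a full window behind them are not checked."""
    bad = [i for i in range(window, len(daily_totals))
           if daily_totals[i] > tolerance * mean(daily_totals[i - window:i])]
    return RuleResult("daily_sales_vs_30d_average", "reasonableness",
                      max(len(daily_totals) - window, 0), bad)


def opt_out_respected(share_log, customers) -> RuleResult:
    """Policy-derived metric: count of shared records belonging to users who opted out."""
    opted_out = {c["id"] for c in customers if c["opted_out"]}
    bad = [s["share_id"] for s in share_log if s["customer_id"] in opted_out]
    return RuleResult("shared_despite_opt_out", "policy (privacy)", len(share_log), bad)


# Constructed sample data, chosen so that every rule has something to report.
CUSTOMERS = [
    {"id": "C1", "status": "active", "credit_line": 5000, "country": "GB", "opted_out": False},
    {"id": "C2", "status": "closed", "credit_line": 1200, "country": "GB", "opted_out": True},
    {"id": "C3", "status": "active", "credit_line": 0, "country": "DE", "opted_out": True},
    {"id": "C4", "status": "closed", "credit_line": 0, "country": "FR", "opted_out": False},
]
ORDERS = [
    {"order_id": "O1", "customer_id": "C1", "ship_country": "GB"},
    {"order_id": "O2", "customer_id": "C3", "ship_country": "FR"},   # conflicts with DE
    {"order_id": "O3", "customer_id": "C9", "ship_country": "GB"},   # no such customer
    {"order_id": "O4", "customer_id": "C4", "ship_country": "FR"},
]
SNAPSHOTS = {
    "C1": [{"date_of_birth": "1980-01-01"}, {"date_of_birth": "1980-01-01"}],
    "C2": [{"date_of_birth": "1975-05-05"}, {"date_of_birth": "1975-06-05"}],  # changed
}
DAILY_SALES = [100.0] * 30 + [104.0, 110.0, 100.0]    # index 31 breaks the 105 percent band
SHARE_LOG = [
    {"share_id": "S1", "customer_id": "C1"}, {"share_id": "S2", "customer_id": "C2"},
    {"share_id": "S3", "customer_id": "C3"}, {"share_id": "S4", "customer_id": "C1"},
]


def run_all() -> Dict[str, RuleResult]:
    results = [
        record_level_consistency(CUSTOMERS),
        cross_record_consistency(ORDERS, CUSTOMERS),
        temporal_consistency(SNAPSHOTS),
        reasonableness_daily_sales(DAILY_SALES),
        opt_out_respected(SHARE_LOG, CUSTOMERS),
    ]
    return {r.rule: r for r in results}


if __name__ == "__main__":
    for r in run_all().values():
        print(f"{r.rule:28} {r.dimension:26} {len(r.violations)}/{r.checked} "
              f"failed ({r.failure_rate:.0%}) {r.violations}")
```

Note that the reasonableness rule reports a violation on the day with 110 even though the previous day's 104 was within band, because the window it compares against is the running average, not the last value; and that the opt-out rule counts shared records, not customers, so one opted-out customer shared twice would count twice, which is the measurable metric the text defines.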
Drilling down through this view sheds light on the root causes of impacts of poor data quality, as well as identifying "rogue processes" that require greater focus for instituting monitoring and control processes.

Business Process View

Operational managers overseeing business processes may be interested in a scorecard view by business process. In this view, the operational manager can examine the risks and failures preventing the business process's achievement of the expected results. For each business process, this scorecard scheme consists of complex metrics representing the impacts associated with each issue. The drill-down in this view can be used for isolating the source of the introduction of data issues at specific stages of the business process as well as informing the data stewards in diagnosis and remediation.

Business Impact View

Business impacts may have been incurred as a result of a number of different data quality issues originating in a number of different business processes. This reporting scheme displays the aggregation of business impacts rolled up from the different issues across different process flows. For example, one scorecard could report rolled-up metrics documenting the accumulated impacts associated with credit risk, compliance with privacy protection, and decreased sales. Drilling down through the metrics will point to the business processes from which the issues originate; deeper review will point to the specific issues within each of the business processes. This view is suited to a more senior manager seeking a high-level overview of the risks associated with data quality issues, and how that risk is introduced across the enterprise.

Managing Scorecard Views

Essentially, each of the views composing a data quality scorecard requires the construction and management of a hierarchy of metrics related to various levels of accountability for supporting the organization's business objectives. But no matter which scheme is employed, each is supported by describing, defining, and managing base-level and complex metrics such that:

• Scorecards reflecting business relevance are driven by a hierarchical rollup of metrics.
• The definition of metrics is separated from its contextual use, thereby allowing the same measurement to be used in different contexts with different acceptability thresholds and weights.
• The appropriate level of presentation can be materialized based on the level of detail expected for the data consumer's specific data governance role and accountability.

SUMMARY

Scorecards are effective management tools when they can summarize important organizational knowledge as well as alerting the appropriate staff members when diagnostic or remedial actions need to be taken. Part of an information risk management program would incorporate a data quality scorecard that supports an organizational data governance program; this program is based on defining metrics within a business context that correlate the metric score to acceptable levels of business performance. This means that the metrics should reflect the business processes' (and applications') dependence on acceptable data, and that the data quality rules being observed and monitored as part of the governance program are aligned with the achievement of business goals.

These processes simplify the approach to evaluating risks to achievement of business objectives, how those risks are associated with poor data quality and how one can define metrics that capture data quality expectations and acceptability thresholds. The impact taxonomy can be used to narrow the scope of describing the business impacts, while the dimensions of data quality guide the analyst in defining quantifiable measures that can be correlated to business impacts. Applying these processes will result in a set of metrics that can be combined into different scorecard schemes that effectively address senior-level manager, operational manager, and data steward responsibilities to monitor information risk as well as support organizational data governance.
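The three properties listed under Managing Scorecard Views above (hierarchical rollup, metric definitions separated from their contextual thresholds and weights, and presentation depth matched to a governance role) are concrete enough to build. The block below is an added example and not the chapter's own code: the metric names, failure rates, thresholds, weights and the linear scoring rule are constructed for illustration. The same three base metrics are arranged once by business process and once by impact category, so the two views of the chapter are the same measurements under different groupings.

```python
"""A data quality scorecard as a hierarchy of metrics.

Added example, not from the chapter. The metric names, failure rates, thresholds,
weights and the linear scoring rule are constructed; what it demonstrates are
hierarchical rollup, metric definitions separated from their contextual thresholds
and weights, and a presentation depth chosen per governance role.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Metric:
    """Base-level metric, defined once: a name and a measured failure rate in [0, 1]."""
    name: str
    failure_rate: float


@dataclass
class Use:
    """The same metric placed in one context, with that context's threshold and weight."""
    metric: Metric
    threshold: float
    weight: float = 1.0

    @property
    def breached(self) -> bool:
        return self.metric.failure_rate > self.threshold

    def score(self) -> float:
        """1.0 inside the threshold, falling linearly to 0.0 at twice the threshold."""
        if not self.breached:
            return 1.0
        if self.threshold == 0.0:          # zero tolerance: any failure scores zero
            return 0.0
        return max(0.0, 1.0 - (self.metric.failure_rate - self.threshold) / self.threshold)


@dataclass
class Node:
    """One level of a scorecard: a business process, an impact category or the enterprise."""
    name: str
    uses: List[Use] = field(default_factory=list)
    children: List["Node"] = field(default_factory=list)

    def _weighted(self) -> Tuple[float, float]:
        total = sum(u.score() * u.weight for u in self.uses)
        weight = sum(u.weight for u in self.uses)
        for child in self.children:
            t, w = child._weighted()
            total, weight = total + t, weight + w
        return total, weight

    def score(self) -> float:
        """Hierarchical rollup: the weighted mean of every metric use below this node."""
        total, weight = self._weighted()
        return total / weight if weight else 1.0

    def breaches(self) -> List[Tuple[str, str]]:
        """Drill-down: (context, metric) pairs over threshold anywhere below this node."""
        found = [(self.name, u.metric.name) for u in self.uses if u.breached]
        for child in self.children:
            found.extend(child.breaches())
        return found


def render(node: Node, depth: int) -> Dict:
    """Materialise the view to the detail a role needs: depth 1 is the executive summary,
    2 adds per-process (or per-impact) scores, 3 adds the individual metrics."""
    view: Dict = {"name": node.name, "score": round(node.score(), 4)}
    if depth > 1:
        if node.uses:
            view["metrics"] = [(u.metric.name, u.metric.failure_rate, u.threshold) for u in node.uses]
        if node.children:
            view["children"] = [render(c, depth - 1) for c in node.children]
    return view


# Constructed measurements, as a run of data quality rules would produce them.
ADDRESS = Metric("address_completeness", 0.04)
OPT_OUT = Metric("opt_out_respected", 0.02)
DUPLICATES = Metric("duplicate_customer", 0.01)

# Each Use binds one measurement to one context; ADDRESS is reused under two thresholds.
ONBOARDING_USES = [Use(ADDRESS, threshold=0.05), Use(DUPLICATES, threshold=0.008, weight=2.0)]
MARKETING_USES = [Use(OPT_OUT, threshold=0.0, weight=3.0), Use(ADDRESS, threshold=0.03)]


def business_process_view() -> Node:
    """Operational manager's view: metrics grouped by the process that introduces the issue."""
    return Node("Enterprise", children=[Node("Onboarding", ONBOARDING_USES),
                                        Node("Marketing", MARKETING_USES)])


def business_impact_view() -> Node:
    """Senior manager's view: the same uses regrouped by impact category."""
    return Node("Enterprise", children=[
        Node("Compliance", [MARKETING_USES[0]]),
        Node("Customer satisfaction", [ONBOARDING_USES[0], MARKETING_USES[1]]),
        Node("Productivity", [ONBOARDING_USES[1]]),
    ])


if __name__ == "__main__":
    by_process = business_process_view()
    print(render(by_process, depth=1))     # senior manager
    print(render(by_process, depth=3))     # data steward
    print(by_process.breaches())
```

Because both views are built from the same `Use` objects, their enterprise scores agree; only the intermediate nodes differ, which is what lets a senior manager drill from "Compliance" and an operational manager from "Marketing" to the same breached opt-out metric.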
• Explain the process of model validation and describe best practices for the roles of internal organizational units in the validation process.
• Compare qualitative and quantitative processes to validate internal ratings, and describe elements of each process.
• Describe challenges related to data quality and explain steps that can be taken to validate a model's data quality.
• Explain how to validate the calibration and the discriminatory power of a rating model.

Excerpt is Chapter 5 of Developing, Validating and Using Internal Ratings: Methodologies and Case Studies, by Giacomo De Laurentis, Renato Maino and Luca Molteni.

See bibliography on pp. 411-413.
10.1 VALIDATION PROFILES

The scope and steps of rating systems validation are presented in this chapter. As a rating system 'comprises all of the methods, processes, controls, and data collection and IT systems that support the assessment of credit risk, the assignment of internal risk ratings, and the quantification of default and loss estimates' (Basel Committee, 2004, §394), it is clear that the validation scope is quite wide.

The validation of internal ratings is strictly required by the Basel Committee (2004, §530) for banks willing to opt for Internal Ratings Based (IRB) approaches: 'banks must have a robust system in place to validate the accuracy and consistency of their internal models and modeling processes. A bank must demonstrate to its supervisor that the internal validation process enables it to assess the performance of its internal model and processes consistently and meaningfully'. Beyond this regulatory requirement, the validation of an internal rating system is critical to the validation of the whole credit risk management system of a bank, both from a regulatory point of view and from a business management point of view.

It is crucial to the former perspective because capital adequacy depends on rating systems for banks adopting Internal Ratings Based Approaches according to the Basel II regulation (the use of IRB approaches for the purposes of calculating capital requirements is subject to an explicit approval by national supervisory authorities and follows a 'supervisory validation' of rating systems). In addition, it is critical because Pillar 2 of Basel II is focused on the adequacy of risk management systems in order to safely and rationally manage the bank. It is also critical from the latter perspective because key decisions concerning individual loan underwriting as well as credit portfolio management depend on rating systems.

Therefore, the difference in scope between 'regulatory validation' and 'internal validation' is more apparent than real. In addition, consider that in order to be validated for regulatory purposes, a system has to be previously internally validated; on top of that, the technical contents of validation processes are very similar in both cases. For these reasons, we will treat regulatory requirements and internal validation requirements as largely interchangeable in what follows.

and qualitative validation should be correlated with the type of credit portfolios examined, the overall complexity of the bank, and the stability of markets.

Rating systems must undergo a validation process consisting of a set of formal activities, instruments, and procedures for assessing the accuracy of the estimates of all material risk components and the predictive power of the overall performance system. The Basel II regulation states that: 'The institution shall have a regular cycle of model validation that includes monitoring of model performance and stability, review of model relationships, and testing of model outputs against outcomes.' (Basel Committee, 2004, §417). However, the same regulation underlines that the validation process rests not only on statistical comparisons of actual risk measures against the ex ante estimates, checking of parameter calibrations, benchmarking and stress tests, but also involves analyses of all the components of the internal rating system, including operational processes, controls, documentation, IT infrastructure, as well as an assessment of their overall consistency. Therefore, validation also requires the assessment of the model development process, with particular reference to the underlying logical structure and the methodological criteria supporting the risk parameter estimates.

Validation includes, too, the critical verification that the rating system is actually used (and how) in the various areas of bank operations. This is known as the 'use test', also required by Basel II and better specified in Basel Committee (2006). The results of the validation process need to be adequately documented and periodically submitted to the internal control functions and the governing bodies. The reports shall specifically address any problem areas.

Figure 10.1 gives an overview of the essential steps of rating systems validation.
160 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
In summary, the validation process has the key role of reviewing model building steps and application choices, detecting weaknesses and limitations, verifying the proper use of the system, and last, but not least, analyzing the contingent solutions planned in case the robustness of the model falls or is lacking. Best practices have to be monitored to minimize misalignments of the whole process of internal credit risk management.

10.2 ROLES OF INTERNAL VALIDATION UNITS

The Basel II regulation is particularly innovative in terms of organizational requirements and internal controls. The rules lay down essential notions and criteria that banks must adopt in developing their rating systems. They also set down the organizational and quantitative requirements banks must comply with for recognition of their methods for capital adequacy purposes. The organizational requirements set rules which govern organization and controls, internal validation of rating systems, characteristics of rating systems (e.g., replicability, integrity, and consistency), their use in operations (use test), information systems and data flows. The quantitative requirements regard the structure of rating systems, the determination of risk parameters, stress tests, and the use of models developed by third-party vendors.

Specific requirements are set for the senior management and those who have roles in corporate governance and oversight. 'All material aspects of the rating and estimation processes must be approved by the bank's board of directors or a designated committee thereof and senior management. These parties must possess a general understanding of the bank's risk rating system and detailed comprehension of its associated management reports. Senior management must provide notice to the board of directors or a designated committee thereof of material changes or exceptions from established policies that will materially impact the operations of the bank's rating system' (Basel Committee, 2004, §438).

'Senior management also must have a good understanding of the rating system's design and operation, and must approve material differences between established procedure and actual practice. Management must also ensure, on an ongoing basis, that the rating system is operating properly. Management and staff in the credit control function must meet regularly to discuss the performance of the rating process, areas needing improvement, and the status of efforts to improve previously identified deficiencies' (Basel Committee, 2004, §439). Internal ratings must also be an essential part of the reporting to these parties.

In performing these tasks, senior management must consider recommendations produced by the validation process and review reports produced by the internal audit unit.

The validation process is performed by a specific organizational unit that may partially draw on the support of operational units in performing its activities. In smaller banks, the least that is needed is the appointment of a manager devoted to coordinating and overseeing these activities.

To perform these tasks, the validation unit has to be independent of other functions devoted to developing and maintaining model tools and to handling credit risk processes and procedures. It is advisable that the validation unit is also independent from those involved in assigning ratings and lending. Specifically, persons in charge of the function should not be subordinate to persons responsible for such activities.

Specific attention has to be paid to ensure the appropriate skills of the human resources employed.

Where compliance with this independence requirement would prove to be excessively burdensome, the validation unit may be involved in the rating system design and development process, provided that appropriate organizational and procedural precautions are adopted and respected. In such a case, the internal audit function should verify that these activities are performed in an independent manner, fully achieving the intended objectives.

The validation unit should also be independent from the internal audit function, which should review the validation process and findings.

In short, validation and control processes and the organizational roles involved are depicted in Table 10.1.

Also, the internal audit function is deeply involved in validation processes, including the continued analysis of the compliance of the use of rating systems with internal and regulatory requirements. In particular, it is necessary to audit the independence of the validation unit and the quality of resources involved.

Validation is mostly performed on the basis of the documentation received from the functions in charge of model development and implementation in banks' credit processes. Therefore, the scope, transparency, and completeness of documentation are essential; these characteristics are important validation criteria.

Banking groups with significant cross-border operations may have different organizational structures in different countries. Nevertheless, in all cases the parent company has to ensure that the organization of the validation and review functions within the group enables the unified management and control of models and rating systems.

Table 10.1 Validation and control processes and organizational roles

Basic controls
• Task: model development and back testing. Owner: credit risk models development unit.
• Task: credit risk procedures maintenance. Owner: lending units/internal control units.
• Task: operations maintenance. Owner: lending units/IT/internal audit.
• Task: lending policy applications. Owner: central and decentralized units/internal control units.

Third controls layer
• Model development and back testing: Risk management/CRO.
• Credit risk procedures maintenance: Organisation/COO.
• Operations maintenance: Lending unit/CLO/COO.
• Lending policy applications: Lending unit/CLO/CRO.

CRO: Credit Risk Officer; CLO: Chief Lending Officer; COO: Chief Operating Officer; IT: Information Technology Department.
10.3 QUALITATIVE AND QUANTITATIVE VALIDATION

There are two main areas of validation: qualitative and quantitative. Qualitative validation ensures the proper application of quantitative methods and the proper usage of ratings. Quantitative validation comprises all validation procedures of ratings in which statistical indicators are calculated and interpreted on the basis of an empirical dataset. In recent years, many books and articles have dealt with this topic, among which are Engelmann and Rauhmeier (2006) and Christodoulakis and Satchell (2008).

Qualitative and quantitative validation complement each other. A rating procedure should only be applied in practice if it receives a positive assessment in the qualitative area. A positive assessment by the quantitative validation is not sufficient per se. Conversely, a negative quantitative assessment should not be considered decisive because statistical estimates are subject to random fluctuations and a certain degree of tolerance in the interpretation of results should be allowed. It is, therefore, necessary to place emphasis on qualitative validation.

Qualitative Validation

Rating Systems Design

Rating systems design concerns the proper choice of the model architecture in relation to the market segments in which the model is going to be used. It is necessary to ensure the transparency of the assumptions and/or evaluations which form the basis of the rating model design. The general suitability of a rating approach for specific rating segments has to be assessed. A number of other areas must be investigated:

• consistency of model development processes and methodologies,
• adequate calibration of model output to default probabilities,
• proper documentation of all model functions,
• analytical description of the rating process, with duties and responsibilities of key personnel,
• the robust procedures in place for validation and regular review.

In addition, there are important organizational profiles of rating systems' qualitative validation; they concern the link between the model, process, procedures, approval powers, and controls. Even the best model does not produce the expected added value to bank lending if it is misunderstood or if it is not adequately supported in daily applications. In this perspective, adequate education, clear procedures, proper guidelines, and support in tackling exceptions are fundamental. The assessment of the actual use of rating systems in credit approval processes is a key component of qualitative validation. In fact, the model must not only be a formal requirement for capital adequacy purposes or portfolio decisions; it must be fully integrated in the decision making process concerning single loans. If the bank's credit culture does not accept the new model-based rating assignment processes, the risk of having two different processes (one being formal but inactive and the other informal but used in daily lending decisions) is very high. The validation has to detect these situations and suggest how to overcome them.

In the earlier stages of rating system development in a bank, it commonly happens that credit risk functions spend a lot of time on model building, number crunching, statistical testing, and so on. Procedural aspects are underestimated in terms of the time, resources, and investments needed, as they are erroneously considered less problematic and easier to overcome. From these early stages, the role of the validation unit in detecting the organizational readiness to accept and to correctly apply the new rating system is essential. The validation unit should have great visibility to top management and should leverage it in order to secure enough resources to properly launch the new process.

The essential requirements of rating systems that need to be checked in qualitative validation can be summarized in the following five main features:

• obtaining probabilities of default
• completeness
• objectivity
• acceptance
• consistency.

Obtaining probabilities of default. Ratings are the basis for almost all risk management applications once they have been quantified and probabilities of default have been obtained. In this perspective, different methods of rating assignment produce PDs in distinctive ways. Statistical models are developed on the basis of an empirical dataset, which makes it possible to determine the PD for individual rating classes by calibrating results with the empirical data. Logistic regression enables the direct calculation of default probabilities, while for other methods (e.g., discriminant analysis) a specific adjustment is needed. Likewise, it is possible to validate the calibration of the rating model (ex post) using data gathered from the operational deployment of the model. Using this data, the default parameter can be constantly monitored and validated over time to keep PDs aligned with real world outcomes.

Rating system completeness. Completeness is the next important feature of an internal rating system. In order to ensure the completeness of credit rating procedures, banks need to take all available information into account when assigning ratings to borrowers or transactions (Basel Committee, 2004, §417). The nature of the chosen rating assignment approach strongly affects this feature. Many default risk models use a small number of characteristics of the borrower to infer its creditworthiness. For this reason, it is important to verify the completeness of factors used to determine a counterpart's creditworthiness, at least in model building stages and/or in the operational use (for instance, analyzing the scope of overrides proposed by a credit analyst). In the estimation of statistical-based models, as a large number of borrowers' characteristics can be tested, the possibility to force variables to enter into the model in order to increase the completeness of the relevant risk factors should be verified. Usually, the computer-based processing of information enables expert systems and fuzzy logic systems to take a larger number of characteristics into consideration, meaning that such systems can be more comprehensive if properly modeled.

Rating system objectivity. A good rating system needs procedures that capture creditworthiness factors clearly and also minimize room for interpretation. Achieving high discriminatory power of ratings requires that they are assigned as objectively as possible, minimizing biases. In judgment-based approaches this can only be ensured by precise and plausible guidelines, common cultural backgrounds, appropriate training, ongoing benchmarking, and adequate organizational choices (team work, supervision, balancing individual analysts' specialization by sector, and analysts' teams' cross-sector mix). In statistical models, borrowers' characteristics are selected and weighed using an empirical dataset and objective methods; therefore, we can regard these models as the most 'objective' rating procedures. When the model is fed with the same information, unavoidably the same results are obtained. This is also the case for expert systems and neural networks, where borrowers' creditworthiness is determined using defined algorithms and rules.

Rating system acceptance. Rating systems have also to be accepted by users, above all internal users such as credit analysts, credit officers, and loan officers. Therefore, some requirements are necessary:

a. The rating system should not produce classifications that are very often too far from those expected by bank analysts and officers;
b. For small and medium enterprises, mechanical rating models often have higher discriminatory power than a poorly structured judgment-based approach developed by poorly experienced and trained credit officers. However, they are less easily accepted because many actors do not have enough technical knowledge to understand them. Hence, an adequate education and level of disclosure on model frameworks for all actors involved in the lending process are indispensable.

Therefore, the validation process has to verify that rating models are well understood and shared by the users.

Different rating approaches have different degrees of acceptability. Generally speaking, as heuristic models are designed on the basis of experts' experience in lending, these models are more easily accepted; their credit assessments are considered warmer by end-users because they replicate their common culture. The acceptance of fuzzy logic systems may be lower as they require a greater degree of technical knowledge due to their fuzzy
Other requirements of §417 are as follows: 'the burden is on the bank to satisfy its supervisor that a model or procedure has good predictive power and that regulatory capital requirements will not be distorted as a result of its use. The variables that are input to the model must form a reasonable set of predictors. The model must be accurate on average across the range of borrowers or facilities to which the bank is exposed and there must be no known material biases. The bank must have in place a process for vetting data inputs into a statistical default or loss prediction model which includes an assessment of the accuracy, completeness and appropriateness of the data specific to the assignment of an approved rating. The bank must demonstrate

Data Quality

In statistical models, data quality is essential. Good data give outstanding results even with simple models, whereas the most advanced models cannot overcome poor data quality. Therefore, a comprehensive dataset is an essential prerequisite for quantitative validation. In this context, a number of qualitative aspects have to be considered:

• completeness of data,
• volume of available data,
• representativeness of samples used for model development and validation,
• consistency and integrity of data sources,
• adequacy of procedures used to ensure data cleansing and, in general, data quality.

Ideally, a sample has to be generated from a unique population using the same procedures, criteria, and methodology over time. In other words, the sample must be generated by the same 'lending technology'. This is the set of information, rules, contracts, and policies applied to credit origination and monitoring; changing one or more of these components changes the credit portfolio generation and the borrowers' profile in the dataset (Berger and Udell, 2006) and can harm the consistency between the model development dataset and the population to which the model is operationally applied.

A further profile of data quality is the time span to which data refer. Ideally, the dataset should be generated by considering an entire credit cycle; otherwise, estimates will be dependent on specific favorable or unfavorable cycle stages. Macroeconomic conditions are one of the most important determinants of default rates. If we miss a good representation of the credit cycle we miss something really relevant in describing default probability. The combination of the last two mentioned conditions (lending technology stability and credit cycle coverage) proves to be very restrictive. We rarely observe procedures and processes that remain constant for five or more years of an entire credit cycle (the last started in 2002 and ended in 2008). Changes are more frequent because of the increasing technological opportunities to speed up processes and efficiency, discontinuities in the economic environment that lead to radically modifying credit policies, and new market segments becoming relevant; banks' mergers and acquisitions strongly impact on many aspects of the lending technology, too.

The validation process also has to pay attention to preliminary data treatment activities (such as finding and managing outliers, missing values, and poor data representativeness for some customers' segments).

Data quality is so relevant that the validation unit has to dedicate specific attention to these aspects. Figure 10.2 depicts the
dataset to the market the bank potentially confronts with.

Samples used in model building should have some desirable technical properties (low heteroscedasticity, no abnormal values, and so forth). Actual populations do not share these properties. The best way to extend a model's findings to populations is to apply a proper calibration and to perform out-of-sample analyses. These analyses are based on observations that are generated by the same lending technology but that were not included in the development sample. As a result, it is advisable to build various samples, one dedicated to support model building and others used for out-of-sample, out-of-time, and out-of-universe validations of a model's performance.

The validation unit has an essential role in assessing two critical aspects: (i) stability of the lending technology behind data and (ii) proper model calibration in order to generalize results from sample to population. The two issues overlap, to some extent. If the observed in-sample default rate diverges from the total population, then calibration should reflect this divergence because the sample's central tendency would be different from the population's central tendency. This may simply be due to the fact that the bank's lending technology is selecting borrowers better or worse than competing banks. This circumstance may also occur when lending technology changes: if the model is not re-calibrated, it continues to apply old criteria to new states of business. This is typically the case when mergers, acquisitions, demergers and so forth determine a change in the bank's lending technology.

The validation unit should be fully aware of the consequences of lending technology changes as well as of misalignments between borrowers' profiles in the original sample and the population's profiles. If the rupture is significant, an extraordinary phase of model revision would be needed, at least in terms of model calibration.

Focus on calibration. Suppose that we use a balanced sample (50% performing, 50% defaulting borrowers) for model development in order to assure the best conditions for applying statistical methods: luckily, real banks' loan portfolios are much less risky. In other words, a normal long term annual default rate may be close to 2.5%; this value is far away from the 50% of the balanced sample. Moreover, defaults cluster together during the credit cycle with significant changes in default co-dependencies. The impact on calibration is significant; even small changes in model calibration have a big influence on a model's cut-off and on estimated default rates.

Figure 10.3 illustrates estimated PDs in a balanced sample, in a population where the default rate is 2.4%, and in a population whose default rate is 1%.

Figure 10.3 Calibration effects on model score estimated PDs using different long term average default rates.

An inaccuracy in determining the long term average annual default rate modifies default probability measures. In fact, the lending process is relatively slow in producing evident results, also due to credit cycle movements. A credit cycle lasts years, not days or weeks. The central tendency (in statistics) is the average value to which population characteristics converge after many repetitions of the same process (this is the law of large numbers). Think about tossing a coin: after a few tosses, we cannot tell whether the coin has been manipulated or not; we need a large number of trials in order to be sure that the coin is manipulated. The statistical repetitions in lending activities are relatively limited and it takes time to directly assess the effects of an incorrect parameter. Normally, a robust check on the validity of the central tendency is only possible after 18 or 36 months, depending on markets, types of facilities, and customers' segments.

In any case, the central tendency is a compromise between having long empirical series of observations and constant lending technology. Therefore, to set the central tendency is a very

In conclusion, the validation unit has an important role in verifying the central tendency over time through back testing and stress testing. It should carefully monitor market prices, signals from marketing people, results of big ticket transactions (syndicated loans, securities placing, securitisation, and so forth) and fully exploit any other opportunity to benchmark the bank (and the models used) against direct competitors.

Quantitative Validation

Quantitative validation covers four main areas:

1. Sample representativeness of the reference population at the time of the estimates and in subsequent periods.
2. Discriminatory power: the accuracy of ratings assignments in terms of the models' ability to rank obligors by risk levels, both in the overall sample and in its different breakdowns (for example, based on business sector, size and location).
3. Dynamic properties: the stability of rating systems and properties of migration matrices.
4. Calibration: the predictive power concerning probabilities of default.

We have already dealt with the issues of data quality extensively. Here we consider the perspective of sample size. Nowadays, the real constraint is usually given by the subsample size of defaulted firms, as some loan portfolios are characterized by very few defaults. As risks of these 'low-default portfolios' have to be assessed in any case, rating systems have to be developed and validated. A set of principles should be taken into consideration. Firstly, we cannot exclude exposures from the scope of application of the rating model simply because insufficient data are available to validate the risk parameter estimates on a statistical basis. In these cases, the validation unit has to contribute to setting an adequate margin of conservatism in the assumption of risk parameters. Moreover, validation has to pay particular attention to analysis techniques adopted in this estimation
process and to their limitations. Many statistical tests depend on the amount of available information. For instance, for the Chi-square test to give accurate results when dealing with contingency tables cross-tabulating a dichotomous variable, such as default/non-default, with many rating classes, no more than 20% of cells should contain expected default frequencies less than five and no cells should have expected frequencies less than one. In many cases, minimum sample size requirements are not achieved, mainly due to the small number of defaults. This is particularly true when we are building models for market 'niches' or for specific industries (that may be important for their economic impact but that are composed of few competitors and counterparties). In these cases, we need to apply specific techniques to give more robustness to our estimates (Wehrspohn 2004, Basel Committee 2005b, Pluto and Tasche, 2004); among them, 'bootstrap procedures' have an important place. These procedures randomly generate many samples. Retaining the number of (the few) available defaults, many balanced samples can be iteratively generated by extracting an equal number of units from the non-defaulted group, without re-introduction. On each of these samples the rating model is completely re-assessed, extracting the entire set of statistical information (variables selected, means, standard deviations, likelihood tests, and so on). The set of models is then analyzed. If a clear convergence on a final stable result (i.e., same final variables selected, equivalent parameters, and so on) is found, we can infer that the model solution is stable and robust enough. If not, there would be a severe risk of instability and a more in-depth analysis would be needed. A way to overcome these problems is to find more homogeneous subsets (applying cluster analysis, for instance). The model could be adapted to the specific features of these subsets, adopting different calibrations or integrating a specific successive qualitative analysis, maybe based on experts' judgments.

The term 'discriminatory power' refers to the fundamental ability of a rating model to differentiate between defaulting and performing borrowers over the forecasting horizon. Note that the forecasting horizon is usually set at 12 months for PD estimation (this also is a Basel II requirement) but the relevant time horizon for rating validation is the one set for rating assessment: in this last case, Basel II also requires a longer time horizon. Therefore, it is necessary to use longer forecasting horizons in order to validate discriminatory power. For example, the discriminatory power of a scoring model for installment loans is often calculated for the entire period of the credit transaction.

The discriminatory power of a model can only be reviewed ex post using data on defaulted and non-defaulted cases (back testing). Therefore, using a longer time horizon means using an 'observation period' that is more distant from 'time zero' and from the collection time of the data which feed the model's explanatory variables.

On the basis of the resulting sample, various analyses of the rating discriminatory power are possible. The list of methods in Basel Committee (2005a) is:

• statistical tests such as Fisher's r², Wilks' λ, Hosmer-Lemeshow;
• migration matrices;
• accuracy indexes such as Lorenz's concentration curves and Gini ratios (in different variants, for instance ROC and AuROC);
• classification tests (binomial test, type 1 and type 2 errors, χ² test, normality test and so forth).

The frequency distribution of good and bad cases is particularly important. In fact, error rates are the best way to offer a glimpse of model performance. The validation unit has to carefully verify the cut-off choice, its calibration, and its consequences in daily operations (as 'false good' cases create loss given default, and 'false bad' cases cause opportunity costs).

Ratings stability can be assessed by observing 'migration matrices'. They can be built once the rating system has been operational for at least two years. Desirable properties of annual migration matrices are:

• Transition rates to default should be in ascending order as rating classes worsen.
• High values should be on the diagonal and low values off-diagonal, which would signal that ratings are stable over time. This is also an indication of a through-the-cycle rating model, as opposed to point-in-time ratings, which are much more dynamic during the credit cycle, moving frequently from one class to another.
• Off-diagonal values should be in descending order when departing from the diagonal. That is to say, migration rates of plus or minus one class should be higher than migration rates of plus or minus two classes, and so forth. This means that rating movements are gradual whereas sudden leaps of many classes at one time are not that frequent.

These properties also have to hold for time horizons longer than one year, despite a natural reduction in on-diagonal values and an increase in off-diagonal values. This means that ratings change over time but without large leaps.

If analyses of firms' fundamentals are dominant in rating assignment, ratings change slowly over time because they are less sensitive to credit cycles and to transitory circumstances. Therefore, stability of the migration matrix is generally assumed as an indicator of an analytical process which is mainly centered on
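Added example (not the book's code) for the 'Focus on calibration' discussion above: a prior-probability correction on the log-odds scale, assumed here as one standard way to map PDs estimated on a 50/50 development sample to populations with the long-run default rates the text mentions (2.4% and 1%); the score-bucket PDs are constructed.

```python
"""Recalibrating PDs from a balanced sample to a population default rate.

Added example, not from the book. A model fitted on a 50/50 sample produces
in-sample PDs whose central tendency is 50%, while the text's real-world
long-run default rate is close to 2.5%. The prior-probability correction
below (a standard technique, assumed here as one way to do the 'proper
calibration' the text calls for) shifts every PD on the log-odds scale by
logit(rate_pop) - logit(rate_sample), which is Bayes' rule with the
sampling priors replaced by the population priors.
"""
import math


def logit(p: float) -> float:
    return math.log(p / (1.0 - p))


def sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))


def recalibrate_pd(pd_sample: float, rate_sample: float, rate_pop: float) -> float:
    """Map a PD estimated on a sample with default rate `rate_sample` to the PD
    implied for a population whose long-run default rate is `rate_pop`."""
    for value in (pd_sample, rate_sample, rate_pop):
        if not 0.0 < value < 1.0:
            raise ValueError("probabilities must be strictly between 0 and 1")
    shift = logit(rate_pop) - logit(rate_sample)
    return sigmoid(logit(pd_sample) + shift)


def recalibrated_curve(pds_sample, rate_pop, rate_sample=0.5):
    """Recalibrate a whole score-bucket PD curve (what Figure 10.3 contrasts for
    a balanced sample and for populations with 2.4% and 1% default rates)."""
    return [recalibrate_pd(p, rate_sample, rate_pop) for p in pds_sample]


def cutoff_bucket(pds_sample, max_acceptable_pd, rate_pop, rate_sample=0.5):
    """Index of the first bucket (scanning from best to worst) whose recalibrated
    PD exceeds the acceptance threshold, or None. Even a small change in the
    assumed long-run default rate moves this cut-off, which is the text's point."""
    for i, p in enumerate(pds_sample):
        if recalibrate_pd(p, rate_sample, rate_pop) > max_acceptable_pd:
            return i
    return None


# Constructed in-sample PDs for ten score buckets ordered from best to worst,
# as a balanced-sample model would report them; not real bank data.
BALANCED_PDS = [0.10, 0.20, 0.30, 0.40, 0.50, 0.60, 0.70, 0.80, 0.90, 0.95]

if __name__ == "__main__":
    for rate in (0.5, 0.024, 0.01):
        curve = recalibrated_curve(BALANCED_PDS, rate)
        print(f"long-run rate {rate:6.1%}: " + " ".join(f"{p:6.2%}" for p in curve))
    for rate in (0.024, 0.01):
        bucket = cutoff_bucket(BALANCED_PDS, 0.05, rate)
        print(f"5% PD cut-off with long-run rate {rate:.1%}: bucket {bucket}")
```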
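Added example (not the book's code) of the low-default-portfolio checks above: the Chi-square expected-frequency rule of thumb, and the bootstrap procedure that keeps all defaults and redraws equal-sized balanced samples without re-introduction; the portfolio and the one-variable 'model' are constructed assumptions.

```python
"""Low-default portfolios: sample-size check and bootstrap stability.

Added example, not from the book. It implements two things the text
describes: the rule of thumb for a Chi-square test on a default/non-default
by rating-class contingency table, and the bootstrap procedure that keeps
all (few) defaults, draws an equal number of non-defaults without
re-introduction, re-estimates the model on each balanced sample and checks
whether the solution converges. The portfolio and the one-variable 'model'
(pick the ratio that best separates the two groups) are constructed
assumptions made to keep the example self-contained.
"""
import random
from collections import Counter
from statistics import mean, pstdev


def chi_square_cells_adequate(class_sizes, n_defaults):
    """Text's rule: no more than 20% of cells may have an expected frequency
    below five and no cell below one. Expected defaults in a class are its size
    times the overall default rate; expected non-defaults are the remainder."""
    total = sum(class_sizes)
    rate = n_defaults / total
    expected = []
    for size in class_sizes:
        expected.append(size * rate)
        expected.append(size * (1.0 - rate))
    if min(expected) < 1.0:
        return False
    small = sum(1 for e in expected if e < 5.0)
    return small / len(expected) <= 0.20


def fit_one_variable_model(rows, variables):
    """Return (variable, separation): the variable whose standardized mean
    difference between defaulted and performing borrowers is largest."""
    best = None
    for var in variables:
        bad = [r[var] for r in rows if r["default"]]
        good = [r[var] for r in rows if not r["default"]]
        spread = pstdev(bad + good) or 1e-9
        separation = abs(mean(bad) - mean(good)) / spread
        if best is None or separation > best[1]:
            best = (var, separation)
    return best


def balanced_samples(rows, n_samples, seed=0):
    """Yield balanced datasets: all defaults plus an equal number of performing
    borrowers drawn without re-introduction (random.sample)."""
    rng = random.Random(seed)
    defaults = [r for r in rows if r["default"]]
    performing = [r for r in rows if not r["default"]]
    if len(defaults) > len(performing):
        raise ValueError("cannot balance: more defaults than performing borrowers")
    for _ in range(n_samples):
        yield defaults + rng.sample(performing, len(defaults))


def bootstrap_stability(rows, variables, n_samples=200, seed=0):
    """Re-fit on every balanced sample and summarize the set of models: if one
    variable wins (nearly) always with similar separation, the solution is
    stable; otherwise a more in-depth analysis is needed."""
    wins = Counter()
    separations = []
    for sample in balanced_samples(rows, n_samples, seed):
        var, sep = fit_one_variable_model(sample, variables)
        wins[var] += 1
        separations.append(sep)
    top_var, top_count = wins.most_common(1)[0]
    return {
        "selected": top_var,
        "selection_frequency": top_count / n_samples,
        "mean_separation": mean(separations),
        "sample_size": 2 * sum(1 for r in rows if r["default"]),
    }


def make_portfolio(n_performing=500, n_defaults=12, seed=1):
    """Constructed low-default portfolio (not real data): 'leverage' separates
    defaulted from performing borrowers, 'size' is pure noise."""
    rng = random.Random(seed)
    rows = [{"leverage": rng.gauss(0.3, 0.1), "size": rng.gauss(5.0, 2.0), "default": False}
            for _ in range(n_performing)]
    rows += [{"leverage": rng.gauss(0.8, 0.1), "size": rng.gauss(5.0, 2.0), "default": True}
             for _ in range(n_defaults)]
    return rows


if __name__ == "__main__":
    # Four rating classes of 128 borrowers each with 12 defaults in total: the
    # expected default frequency per class is 3, so the Chi-square rule fails.
    print("chi-square cells adequate:", chi_square_cells_adequate([128] * 4, 12))
    print(bootstrap_stability(make_portfolio(), ["leverage", "size"]))
```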
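Added example (not the book's code): the three desirable properties of an annual migration matrix listed above, implemented as checks over a constructed four-class matrix with a default column, plus a variant that violates the off-diagonal ordering.

```python
"""Checks of the desirable properties of an annual migration matrix.

Added example, not from the book. Rows and columns are rating classes ordered
from best to worst; the last column of each row is the transition rate to
default; each row sums to one. The three checks implement the properties the
text lists, and a fourth confirms the rows are well formed. The matrices are
constructed, not real bank data.
"""


def rows_sum_to_one(m, tol=1e-9):
    return all(abs(sum(row) - 1.0) < tol for row in m)


def default_rates_ascending(m):
    """Transition rates to default must rise as rating classes worsen."""
    pd_col = [row[-1] for row in m]
    return all(a < b for a, b in zip(pd_col, pd_col[1:]))


def diagonal_dominant(m):
    """Most obligors keep their class: the diagonal entry is the largest rate
    among the non-default columns of its row (a through-the-cycle signature)."""
    n = len(m)
    return all(m[i][i] == max(m[i][:n]) for i in range(n))


def off_diagonal_decreasing(m):
    """Moving away from the diagonal in either direction (among non-default
    classes) rates must not increase: one-notch migrations are at least as
    frequent as two-notch ones, and so on, so leaps of many classes are rare."""
    n = len(m)
    for i in range(n):
        upgrades = [m[i][j] for j in range(i - 1, -1, -1)]  # i-1, i-2, ...
        downgrades = [m[i][j] for j in range(i + 1, n)]     # i+1, i+2, ...
        for seq in (upgrades, downgrades):
            if any(a < b for a, b in zip(seq, seq[1:])):
                return False
    return True


def validate_migration_matrix(m):
    """Property name -> pass/fail, so a validation report can list failures."""
    return {
        "rows_sum_to_one": rows_sum_to_one(m),
        "default_rates_ascending": default_rates_ascending(m),
        "diagonal_dominant": diagonal_dominant(m),
        "off_diagonal_decreasing": off_diagonal_decreasing(m),
    }


# Constructed four-class matrix (classes A..D, last column = default).
GOOD_MATRIX = [
    [0.900, 0.070, 0.020, 0.005, 0.005],
    [0.050, 0.850, 0.070, 0.020, 0.010],
    [0.010, 0.060, 0.820, 0.080, 0.030],
    [0.005, 0.015, 0.100, 0.780, 0.100],
]

# Same matrix, except class B now leaps two notches (to D) more often than it
# moves one notch (to C): the kind of sudden leap the text says should be rare.
LEAPY_MATRIX = [row[:] for row in GOOD_MATRIX]
LEAPY_MATRIX[1] = [0.050, 0.850, 0.020, 0.070, 0.010]

if __name__ == "__main__":
    for name, m in (("good", GOOD_MATRIX), ("leapy", LEAPY_MATRIX)):
        print(name, validate_migration_matrix(m))
```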
Back testing (accuracy of risk param eter estim ates when com Effective and simple representation of this data is im portant to
pared with ex p o st em pirical evidence), benchmarking (relative com m unicate to top managers and other bank personnel as
perform ance of system s and risk param eter estim ates against well. Table 10.4 and Figure 10.4 illustrate a comparison between
benchm arks), and stress testing (adequacy of models when expected and actual default rates per rating classes. Deviations
stress tests are applied) are three fundam ental activities for vali from means are highly frequent, mainly because of the effects
dating rating systems. of credit cycles. In periods of econom ic expansion, lower quality
168 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Table 10.2 Internal Rating Classification
Probability of Default (%) Range (%)
Rating Class Min Mean Max Lower Bound Upper Bound
1 0.01 0.03 0.04 - 0.02 0.01
2 0.04 0.05 0.06 - 0.01 0.01
3 0.06 0.07 0.08 - 0.01 0.01
4 0.08 0.10 0.12 - 0.02 0.02
5 0.12 0.15 0.19 - 0.03 0.04
6 0.19 0.25 0.30 - 0.05 0.05
7 0.30 0.40 0.50 - 0.10 0.10
8 0.50 0.60 0.75 - 0.10 0.15
9 0.75 0.90 1.15 - 0.15 0.25
10 1.15 1.35 1.70 - 0.20 0.35
11 1.70 2.00 2.50 - 0.30 0.50
12 2.50 3.00 3.75 - 0.50 0.75
13 3.75 4.50 5.50 - 0.75 1.00
14 5.50 7.00 8.50 - 1.50 1.50
15 8.50 10.00 13.00 - 1.50 3.00
16 13.00 15.00 20.00 - 2.00 5.00
17 20.00 25.00 50.00 - 5.00 25.00
&
Q.
c 10 .0 %
a>
-
Credit
3
restriction/
classes perform better than expected; the reverse would be true
CT
recall/
ro
r, 5.0% - withdrawal
<
3
When classes have few units, unexpected events hugely effect Type 2 errors ■ ■ ■ Actual default frequency
relative deviations but have a small econom ic impact (see class 3 Type 1 errors Actual non-default frequency
for instance). The opposite is true for larger classes: even small Figure 10.5 D efault rates and lending policy.
the frequency distributions of actual defaulted and non-defaulted counterparts are shown. Of course, the two groups have different distributions and there is a large overlapping area. Rating classes are often the main drivers for bank lending policies. Different commercial policies are put into practice in respect of counterparty's credit risk, favoring aggressive marketing for safer clients and conservative lending behaviors for riskier ones. Suppose that aggressive marketing is pursued for better classes up to class 6, while a conservative approach is recommended from class 14 onwards. This policy neither protects against defaults in classes that benefit from aggressive marketing, nor avoids restricting lending to solvent counterparties. In our example, the target for aggressive marketing is around 700 clients (the first 5% of the portfolio) but three defaults were experienced (the first 1.1% of total defaults); see the gray area on the left in Figure 10.5. At the same time, if we withdraw credit to the worst three classes, 130 defaults could be avoided but business with 1200 clients would be lost (gray area on the right in Figure 10.5).

The importance of a model's discriminatory power and adequate calibration becomes evidently clear. The usefulness of having clues on these performance measures of rating systems becomes apparent. Also, the value of a prompt detection of fading discriminatory power and calibration becomes evident.
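Two checks drawn from the discussion above, the migration-matrix properties (off-diagonal values falling away from the diagonal, also at longer horizons) and the lending-policy trade-off of Figure 10.5, written as an added example; the matrix and the per-class portfolio are constructed for illustration and are not the chapter's data, and the multi-year matrix assumes time-homogeneous Markov migrations.

```python
# Added example: two validation checks for an internal rating system.  All data below
# is constructed for illustration; none of it comes from the chapter's tables.

# ---- 1. Migration-matrix properties, at one year and at longer horizons --------------

# One-year migration matrix for a 4-state system: classes A, B, C and default D.
# Rows = class at start of year, columns = class at end of year; D is absorbing.
ONE_YEAR = [
    [0.90, 0.07, 0.02, 0.01],
    [0.05, 0.85, 0.07, 0.03],
    [0.02, 0.08, 0.80, 0.10],
    [0.00, 0.00, 0.00, 1.00],
]


def matmul(a, b):
    k = len(b)
    return [[sum(a[i][t] * b[t][j] for t in range(k)) for j in range(len(b[0]))]
            for i in range(len(a))]


def matrix_power(p, years):
    """n-year migration matrix, assuming (for this example) that migrations follow a
    time-homogeneous Markov chain so the n-year matrix is the n-th power of the one-year one."""
    result = [[1.0 if i == j else 0.0 for j in range(len(p))] for i in range(len(p))]
    for _ in range(years):
        result = matmul(result, p)
    return result


def check_migration_properties(p, tol=1e-9):
    """Return the list of violated properties (an empty list means all hold):
    each row sums to one, the on-diagonal value is the row maximum, and off-diagonal
    values decrease monotonically when moving away from the diagonal in either
    direction (default, the last column, counts as the state beyond the worst class)."""
    issues = []
    for i, row in enumerate(p):
        if abs(sum(row) - 1.0) > tol:
            issues.append(f"row {i}: probabilities sum to {sum(row):.4f}")
        if any(v > row[i] + tol for v in row):
            issues.append(f"row {i}: an off-diagonal value exceeds the diagonal")
        for j in range(i + 2, len(row)):            # downgrades: col i+1 >= col i+2 >= ...
            if row[j] > row[j - 1] + tol:
                issues.append(f"row {i}: col {j} exceeds col {j - 1}")
        for j in range(i - 2, -1, -1):              # upgrades: col i-1 >= col i-2 >= ...
            if row[j] > row[j + 1] + tol:
                issues.append(f"row {i}: col {j} exceeds col {j + 1}")
    return issues


# ---- 2. Lending policy by rating class: the two errors of Figure 10.5 -----------------

# (rating class, clients in the class, defaults observed over the horizon); constructed.
PORTFOLIO = [
    (1, 200, 0), (2, 300, 0), (3, 400, 1), (4, 500, 1), (5, 700, 1), (6, 900, 2),
    (7, 1100, 4), (8, 1300, 8), (9, 1500, 13), (10, 1500, 20), (11, 1400, 28),
    (12, 1200, 36), (13, 1000, 45), (14, 800, 56), (15, 600, 60), (16, 400, 60),
    (17, 200, 50),
]


def policy_tradeoff(portfolio, market_up_to, withdraw_from):
    """Aggressive marketing on classes <= market_up_to still books some borrowers that
    default (type 2 errors); withdrawing credit from classes >= withdraw_from avoids
    their defaults but also drops the solvent clients in those classes (type 1 errors)."""
    total_clients = sum(c for _, c, _ in portfolio)
    total_defaults = sum(d for _, _, d in portfolio)
    m_clients = sum(c for k, c, _ in portfolio if k <= market_up_to)
    m_defaults = sum(d for k, _, d in portfolio if k <= market_up_to)
    w_clients = sum(c for k, c, _ in portfolio if k >= withdraw_from)
    w_defaults = sum(d for k, _, d in portfolio if k >= withdraw_from)
    return {
        "aggressive_clients": m_clients,
        "aggressive_share_of_portfolio": m_clients / total_clients,
        "type2_defaults_accepted": m_defaults,
        "type2_share_of_defaults": m_defaults / total_defaults,
        "withdrawn_clients": w_clients,
        "defaults_avoided": w_defaults,
        "type1_solvent_clients_lost": w_clients - w_defaults,
    }


if __name__ == "__main__":
    for years in (1, 2, 3):
        p = matrix_power(ONE_YEAR, years)
        print(f"{years}-year matrix: diagonal {[round(p[i][i], 3) for i in range(3)]},"
              f" violations: {check_migration_properties(p) or 'none'}")
    print(policy_tradeoff(PORTFOLIO, market_up_to=6, withdraw_from=15))
```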
Describe ways that errors can be introduced into models.

Explain how model risk and variability can arise through the implementation of VaR models and the mapping of risk factors to portfolio positions.

Explain major defects in model assumptions that led to the underestimation of systematic risk for residential mortgage backed securities (RMBS) during the 2007-2009 financial downturn.

Excerpt is from Chapter 11 of Financial Risk Management: Models, History, and Institutions, by Allan M. Malz.
VaR has been subjected to much criticism. Previously we reviewed the sharpest critique: that the standard normal return model underpinning most VaR estimation procedures is simply wrong. But there are other lines of attack on VaR that are relevant even if VaR estimates are not based on the standard model. This chapter discusses three of these viewpoints:

1. The devil is in the details: Subtle and not-so-subtle differences in how VaR is computed can lead to large differences in the estimates.

2. VaR cannot provide powerful tests of its own accuracy.

3. VaR is "philosophically" incoherent: It cannot do what it purports to be able to do, namely, rank portfolios in order of riskiness.

We will also discuss a pervasive basic problem with all models, including risk models: the fact that they can err or be used inappropriately.

11.1 MODEL RISK

The basic modeling problem facing VaR is that the actual distribution of returns doesn't conform to the model assumption of normality under which VaR is often computed. Using a VaR implementation that relies on normality without appreciating the deviations of the model from reality is an example of model risk. Models are used in risk measurement as well as in other parts of the trading and investment process. The term "model risk" describes the possibility of making incorrect trading or risk management decisions because of errors in models and how they are applied. Model risk can manifest itself and cause losses in a number of ways. The consequences of model error can be trading losses, as well as adverse legal, reputational, accounting, and regulatory results.

All social science models are "wrong," in the sense that model assumptions are always more or less crude approximations to reality. In Friedman's (1953) view on the methodology of economics, deviation from reality is a virtue in a model, because the model then more readily generates testable hypotheses that can be falsified empirically, adding to knowledge. The so-called Black-Scholes biases provide very useful insights into return behavior, and yet are defined as violations of the model predictions. A model may, however, be inherently wrong, in that it is based on an incorrect overall view of reality. The data inputs can be inaccurate, or may be inappropriate to the application.

structured credit products, and was revealed during the subprime crisis. The press reported in May 2008 that Moody's had incorrectly, given their own ratings methodology, assigned AAA ratings to certain structured credit products using materially flawed programming. Another example occurred when AXA Rosenberg Group LLC, an asset-management subsidiary of the French insurance company AXA, using a quantitative investment approach, discovered a programming error in its models that had likely induced losses for some investors.1

These episodes also provide examples of the linkages between different types of risk. In the Moody's case, the model risk was closely linked to the reputational and liquidity risks faced by Moody's. The error had been discovered by Moody's before being reported in the press, but had coincided with changes in the ratings methodology for the affected products, and had not resulted in changes in ratings while still known only within the firm. Moody's therefore, once the bugs became public knowledge, came under suspicion of having tailored the ratings model to the desired ratings, tarnishing its reputation as an objective ratings provider. Within a few days of the episode being reported, S&P placed Moody's-issued commercial paper on negative watch, illustrating the economic costs that reputational risk events can cause. In the AXA Rosenberg episode, the discovery of the error had not been communicated in a timely fashion to investors, resulting in loss of assets under management, an SEC fine, and considerable overall reputational damage.

Even when software is correctly programmed, it can be used in a way that is inconsistent with the model that was intended to be implemented in the software. One type of inconsistency that arises quite frequently concerns the mapping of positions to risk factors, which we'll discuss in a moment. Such inconsistencies can contribute to differences in VaR results.

Valuation Risk

Model errors can occur in the valuation of securities or in hedging. Errors in valuation can result in losses that are hidden within the firm or from external stakeholders. A portfolio can be more exposed to one or more risk factors than the portfolio manager realizes because of hedging errors.

Valuation errors due to inaccurate models are examples of market risk as well as of operational risk. As a market risk phenomenon, they lead, for example, to buying securities that are thought to be cheaply priced in the market, but are in fact
fairly priced or overpriced. As an operational risk phenomenon, the difficulty of valuing some securities accurately makes it possible to record positions or trades as profitable that have in fact lost money.

Model errors can, in principle, be avoided and valuation risk reduced, by relying on market prices rather than model prices. There are several problems with this approach of always marking-to-market and never marking-to-model. Some types of positions, such as longer-term bank commercial loans, have always been difficult to mark-to-market because they do not trade frequently or at all, and because their value is determined by a complex internal process of monitoring by the lender. Accounting and regulatory standards mandating marking such positions to market have been held responsible by some for exacerbating financial instability.

Variability of VaR Estimates

VaR also faces a wide range of practical problems. To understand these better, we'll first briefly sketch the implementation process for risk computation. This entire process and its results are sometimes referred to as the firm's "VaR model." We'll then discuss how implementation decisions can lead to differences in VaR results.

Risk management is generally carried out with the aid of computer systems that automate to some extent the process of combining data and computations, and generating reports. Risk-measurement systems are available commercially. Vendor systems are generally used by smaller financial firms. Large firms generally build their own risk-measurement systems, but may purchase some components commercially.

One particular challenge of implementing risk-measurement systems is that of data preparation. Three types of data are involved:

Market data are time series data on asset prices or other data that we can use to forecast the distribution of future portfolio returns. Obtaining appropriate time series, purging them of erroneous data points, and establishing procedures for handling missing data, are costly but essential for avoiding gross inaccuracies in risk measurement. Even with the best efforts, appropriate market data for some exposures may be unobtainable.

Security master data include descriptive data on securities, such as maturity dates, currency, and units. Corporate securities such as equities and, especially, debt securities present particular challenges in setting up security master databases. To name but one, issuer hierarchy data record which entity within a large holding company a transaction is with. Such databases are difficult to build and maintain, but are extremely important from a credit risk management point of view. Netting arrangements, for example, may differ for trades with different entities. Such issues become crucial if counterparties file for bankruptcy. One important example from the subprime crisis: Recovery by Lehman's counterparties depended in part on which Lehman subsidiary they had faced in the transactions.

Position data must be verified to match the firm's books and records. Position data may have to be collected from many trading systems and across a number of geographical locations within a firm.

To compute a risk measure, software is needed to correctly match up this data, and present it to a calculation engine. The engine incorporates all the formulas or computation procedures that will be used, calling them from libraries of stored procedures. The calculations have to be combined with the data appropriately. Results, finally, must be conveyed to a reporting layer that manufactures documents and tables that human managers can read. All of these steps can be carried out in myriad ways. We focus on two issues, the variability of the resulting measures, and the problem of using data appropriately.

The computation process we've just described applies to any risk measure, not just to VaR, but for concreteness, we focus on VaR. The risk manager has a great deal of discretion in actually computing a VaR. VaR techniques—modes of computation and the user-defined parameters—can be mixed and matched in different ways. Within each mode of computation, there are major variants, for example, the so-called "hybrid" approach of using historical simulation with exponentially weighted return observations. This freedom is a mixed blessing. On the one hand, the risk manager has the flexibility to adapt the way he is calculating VaR to the needs of the firm, its investors, or the nature of the portfolio. On the other hand, it leads to two problems with the use of VaR in practice:

1. There is not much uniformity of practice as to confidence interval and time horizon; as a result, intuition on what constitutes a large or small VaR is underdeveloped.

2. Different ways of measuring VaR would lead to different results, even if there were standardization of confidence interval and time horizon. There are a number of computational and modeling decisions that can greatly influence VaR results, such as

• Length of time series used for historical simulation or to estimate moments
• Technique for estimating moments
• Mapping techniques and the choice of risk factors, for example, maturity bucketing
• Decay factor if applying EWMA
• In Monte Carlo simulation, randomization technique and the number of simulations
for very generic types of bonds and hard to update regularly from observed market prices. Prior to the crisis, the spread volatility of investment-grade securitizations was lower than those of corporate bonds with similar credit ratings. Yet during the financial crisis, spreads on securitizations widened, at least relatively,

ers suffered large losses in a portfolio credit trade in which one dimension of risk was hedged in accordance with a model, while another dimension of risk was neglected. We start by reviewing the mechanics of the trade, which involved credit derivatives based on CDX.NA.IG, the investment grade CDS index.
the equity tranche and buy protection on the junior mezzanine tranche of the CDX.NA.IG. The trade was thus long credit and credit-spread risk through the equity tranche and short credit and credit-spread risk through the mezzanine. It was executed using several CDX.NA.IG series, particularly the IG3 introduced in September 2004 and the IG4 introduced in March 2005.

The trade was designed to be default-risk-neutral at initiation, by sizing the two legs of the trade so that their credit spread sensitivities were equal. The motivation of the trade was not to profit from a view on credit or credit spreads, though it was primarily oriented toward market risk. Rather, it was intended to achieve a positively convex payoff profile. The portfolio of two positions would then benefit from credit spread volatility. In addition, the portfolio had positive carry; that is, it earned a positive net spread. Such trades are highly prized by traders, for whom they are akin to delta-hedged long option portfolios in which the trader receives rather than paying away time value.

To understand the trade and its risks, we can draw on the tools we developed earlier. The securities in the extended example are similar enough in structure to the standard tran ches of the CDX.NA.IG that we can mimic the trade and understand what went wrong. Let's set up a trade in tranches of illustrative CLO that is similar in structure and motivation to the standard tranche trade we have been describing. The trade takes a long credit risk position in the equity tranche and an offsetting short credit position in the mezzanine bond. Bear in mind that we would unlikely be able, in actual practice, to take a short position in a cash securitization, since the bond would be difficult to locate and borrow. We might be able to buy protection on the mezzanine tranche through a CDS, but the dealer writing it would probably charge a high spread to compensate for the illiquidity of the product and the difficulty of hedging it, in addition to the default and correlation risk. The standard tranches are synthetic CDS and their collateral pools also consist of CDS. They are generally more liquid than most other structured products, so it is easier to take short as well as long positions in them.

is -$6,880. The default01 of the mezzanine is -0.07212 times the notional value, so the default01 of a $1,000,000 notional position is -$721. With a hedge ratio of about 9.54—that is, shorting $9,540,000 of par value of the mezzanine for every $1,000,000 notional of long equity—we create a portfolio that, at the margin, is default-risk neutral.

Figure 11.1 illustrates how the trade was set up. At a default rate of 0.003, the portfolio has zero sensitivity to a small rise or decline in defaults. But the trade has positive convexity. The equity cheapens at a declining rate in response to spread widening. A noteworthy feature is that, because at low default rates, the mezzanine tranche has negative convexity, the short position adds positive convexity to the portfolio. The trade benefits from changes in the default rate in either direction. The actual CDX trade benefitted from large credit spread changes. It behaved, in essence, like an option straddle on credit spreads. In contrast to a typical option, however, this option, when expressed using the CDX standard tranches at the market prices prevailing in early 2005, paid a premium to its owner, rather than having negative net carry.

In the actual standard tranche trade, the mechanics were slightly different. Since the securities were synthetic CDO liabilities, traders used spread sensitivities; that is, spread01s or risk-neutral default01s, rather than actuarial default01s. The sensitivities used were not to the spreads of the underlying
generally used a normal copula. The correlation assumption might have been based on the relative frequencies of different numbers of joint defaults, or, more likely, on equity return correlations or prevailing equity implied correlations.
Risk Capital Attribution and Risk-Adjusted Performance Measurement

Learning Objectives

After completing this reading you should be able to:

Define, compare, and contrast risk capital, economic capital, and regulatory capital, and explain methods and motivations for using economic capital approaches to allocate risk capital.

Describe the RAROC (risk-adjusted return on capital) methodology and its use in capital budgeting.

Compute and interpret the RAROC for a project, loan, or loan portfolio, and use RAROC to compare business unit performance.

Explain challenges that arise when using RAROC for performance measurement, including choosing a time horizon, measuring default probability, and choosing a confidence level.

Calculate the hurdle rate and apply this rate in making business decisions using RAROC.

Compute the adjusted RAROC for a project to determine its viability.

Explain challenges in modeling diversification benefits, including aggregating a firm's risk capital and allocating economic capital to different business lines.

Explain best practices in implementing an approach that uses RAROC to allocate economic capital.

Excerpt is Chapter 17 of The Essentials of Risk Management, Second Edition, by Michel Crouhy, Dan Galai, and Robert Mark.
This chapter takes a look at the roles of risk capital and at how risk capital can be attributed to business lines as part of a risk-adjusted performance measurement (RAPM) system. RAPM represents a key challenge for financial institutions and nonfinancial firms around the world today. Only by forging a connection between risk measurement, risk capital, risk-based pricing, and performance measurement can firms ensure that the decisions they take reflect the interests of stakeholders such as bondholders and shareholders.

The new regulatory capital requirements imposed by Basel III make it likely that for some activities, such as securitization, regulatory capital may end up much higher than economic capital. Still, economic capital calculation is essential for senior management as a benchmark to assess the economic viability of the activity for the financial institution. When regulatory capital is much larger than economic capital, then it is likely that over time the activity will migrate to the shadow banking sector, which can price the transactions at a more attractive level.

1 This leads to various conundrums in allocating capital and capital costs to business lines. For example, some practitioners square the circle by allocating the higher of regulatory capital or economic capital to the business line.

2 In reality, the risk capital model suffers from the model risks we discussed in Chapter 10, and the results require careful interpretation. Most firms use the output of their capital model as one key input into a wider set of judgments about the amount of capital the firm should hold.
BOX 12.1 WHY IS ECONOMIC CAPITAL SO IMPORTANT TO FINANCIAL INSTITUTIONS?

Allocating risk capital using economic capital approaches is important for financial institutions for at least four reasons.

First, capital is primarily used in a financial institution not only to provide funding for investments (as for a manufacturing corporation) but also to absorb risk. The fundamental reason for this is that financial institutions can leverage themselves to a much higher degree than other corporations at a much lower cost without raising equity, by taking retail deposits or issuing debt securities. (Their debt-to-equity ratio might be as high as 20 to 1, compared to perhaps 2 to 1 for an industrial corporation.) Moreover, many activities undertaken by financial institutions, such as derivatives trading, writing guarantees, issuing letters of credit, and other contingent commitments, do not require significant financing. Yet all these activities draw to some extent on the bank's stock of risk capital, and therefore a risk capital cost must be imputed to each activity.

This brings us to the second reason: a bank's target solvency is a vital part of the product the bank is selling. In contrast to an industrial company, the primary customers of banks and other financial institutions are also their primary liability holders—e.g., depositors, derivatives counterparties, insurance policy holders, and so on. These customers are concerned about default risk on contractually promised payments. Customers make deposits with the expectation that the safety of their deposits does not depend on the economic performance of the bank. In over-the-counter markets, institutions are concerned about counterparty risk: a bank with a poor credit rating will find itself excluded from many markets. Maintaining good creditworthiness is therefore an ongoing cost of doing business for a bank.

Third, although bank creditworthiness is critical, banks are also highly opaque institutions. Banks use proprietary technology for pricing and hedging financial instruments, especially complex financial transactions. A typical bank's balance sheet is relatively liquid and can change very quickly. Any outside assessment of the creditworthiness of a bank is therefore difficult to develop and rapidly becomes obsolete (as the risk profile of the bank keeps on changing). Maintaining enough risk capital and implementing a strong risk management culture allows the bank to reduce these "agency costs" by convincing external stakeholders, including rating agencies, of the bank's financial integrity.

Fourth, banks operate in highly competitive financial markets. Increasingly, this makes bank profitability very sensitive to the bank's cost of capital. Banks don't want to carry too much risk capital, because risk capital represents the money invested in the bank that does not have to be repaid under any fixed contractual agreement (e.g., equity capital). This flexibility, which allows risk capital to act as a safety buffer for the bank if times are hard, means that risk capital is relatively expensive to raise and hold (e.g., compared to debt capital). But banks can't carry too little risk capital, for reasons we've already made clear. So understanding the dynamic balance between the capital the bank carries and the riskiness of its activities is very important.
other financial institutions. (Box 12.1 explains why risk-based calculations are so important for financial institutions.) These new uses include:

• Performance measurement and incentive compensation at the firm, business unit, and individual levels. Risk capital can be plugged into risk-based capital attribution systems, often grouped together under the acronym RAPM (risk-adjusted performance measurement) or RAROC (risk-adjusted return on capital). These systems, a key focus of this chapter, provide both management and external stakeholders with a risk-adjusted measure of performance of various businesses. The measure can be used to compare the economic profitability, as opposed to the accounting profitability (such as return on book equity) of different activities. At the same time, RAROC3 numbers can be used as part of scorecards to compensate the senior management of particular business lines, as well as the infrastructure group, for their contribution to shareholder value. Since the 2007-2009 financial crisis, firms have laid a greater emphasis on compensation schemes that adjust for risk in some manner (as well as on complementary mechanisms such as deferral periods and clawbacks).

• Active portfolio management for entry/exit decisions. The decision to enter or exit a particular business should be based on both risk-adjusted performance measurement and the "risk diversification effect" of the business. For example, a firm that is focused on corporate lending in a particular region is likely to find that its returns fluctuate in accordance with that region's business cycle. Ideally, the firm might diversify its business geographically or in terms of business activity. Capital management decisions seek an answer to the question, "How much value will be created if the decision is taken to allocate resources to a new or existing business, or alternatively to close down an activity?"

3 For an informal survey of how firms use economic capital and RAROC, see T. Baer et al., The Use of Economic Capital in Performance Management for Banks: A Perspective, McKinsey Working Papers on Risk, No. 24, January 2011.
• S (Sharpe ratio) = (expected return − risk-free rate)/volatility. The ex post Sharpe ratio—i.e., that based on actual returns rather than expected returns—can be shown to be a multiple of ROC.1

• NPV (net present value) = discounted value of future expected cash flows, using a risk-adjusted expected rate of return based on the beta derived from the CAPM, where risk is defined in terms of the covariance of changes in the market value of the business with changes in the value of the market portfolio. In the CAPM, the definition of risk is restricted to the systematic component of risk that cannot be diversified away. For RAROC calculations, the risk measure captures the full volatility of earnings, systematic and specific. NPV is particularly well suited for ventures in which the expected cash flows over the life of the project can be easily identified.

• EVA (economic value added),2 or NIACC (net income after capital charge), is the after-tax adjusted net income less a capital charge equal to the amount of economic capital attributed to the activity, times the after-tax cost of equity capital. The activity is deemed to add shareholder value, or is said to be EVA positive, when its NIACC is positive (and vice versa). An activity whose RAROC is above the hurdle rate is also EVA positive.

1 See David Shimko, "See Sharpe or Be Flat," Risk 10(6), 1997, p. 33.
2 EVA is a registered trademark of Stern Stewart & Co.
12.4 RAROC FOR CAPITAL BUDGETING

The decision to invest in a new project or a new business venture, or to expand or close down an existing business line, has to be made before the true performance of the activity is known—no manager has a crystal ball. When implementing the generic after-tax RAROC equation for capital budgeting, industry practice therefore interprets it as meaning

RAROC = (expected revenues − costs − expected losses − taxes + return on risk capital +/− transfers) / economic capital

where

• Expected revenues are the revenues that the activity is expected to generate (assuming no losses).

• Costs are the direct expenses associated with running the activity (e.g., salaries, bonuses, infrastructure expenses, and so on).

• Expected losses, in a banking context, are primarily the expected losses from default; they correspond to the loan loss reserve that the bank must set aside as the cost of doing business. Because this cost, like other business costs, is priced into the transaction in the form of a spread over funding cost, there is no need for risk capital as a buffer to absorb this risk. Expected losses also include the expected loss from other risks, such as market risk and operational risk.

• Taxes are the expected amount of taxes imputed to the activity using the effective tax rate of the company.

• Return on risk capital is the return on the risk capital allocated to the activity. It is generally assumed that this risk capital is invested in risk-free securities, such as government bonds.

• Transfers correspond to transfer pricing mechanisms, primarily between the business unit and the treasury group, such as charging the business unit for any funding cost incurred by its activities and any cost of hedging interest rate and currency risks; it also includes overhead cost allocation from the head office.

• Economic capital is the sum of risk capital and strategic capital where

strategic risk capital = goodwill + burned-out capital

Our last bullet point deserves some explanation. Risk capital is the capital cushion that the bank must set aside to cover the worst-case loss (minus the expected loss) from market, credit, operational, and other risks, such as business risk and reputation risk, at the required confidence threshold (e.g., 99 percent). Risk capital is directly related to the value-at-risk calculation at the one-year time horizon and at the institution's required confidence level.

Strategic risk capital refers to the risk of significant investments about whose success and profitability there is high uncertainty. If the venture is not successful, then the firm will usually face a major write-off, and its reputation will be damaged. Current practice is to measure strategic risk capital as the sum of burned-out capital and goodwill. Burned-out capital refers to the idea that capital is spent on, say, the initial stages of starting up a business but the business may ultimately not be kicked off due to projected inferior risk-adjusted returns. It should be viewed as an allocation of capital to account for the risk of strategic failure of recent acquisitions or other strategic initiatives built organically. This capital is amortized over time as the risk of strategic failure dissipates. The goodwill element corresponds to the investment premium—i.e., the amount paid above the replacement value of the net assets (assets − liabilities) when acquiring a company. (Usually, the acquiring company is
186 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
BOX 12.3 RISK TYPES AND TIME HORIZONS

Risk capital can be characterized as the one-year value-at-risk exposure of the firm, at a confidence level consistent with the firm's target credit risk rating. But how does the time horizon in this characterization relate to the risk measurement approaches for market risk, for credit risk, and for operational risk?

For credit risk, there is a straightforward equivalence between the one-year VaR produced by credit portfolio models, such as CreditMetrics or KMV, and risk capital. The same is also true for operational risk: most internal models used by institutions have a one-year horizon. Therefore, for both credit risk and operational risk, there is no need for any adjustment in the one-year VaR to determine risk capital.

However, this is not the case for market risk. For trading businesses, market risk is measured using only short-term horizons—one day for risk monitoring on a daily basis and 10 days for regulatory capital. So how do we translate a one-day risk measure into one-year risk capital attribution?

One approach might be to use what is commonly called the "square root of time" rule. That is, the risk analyst might approximate the one-year VaR by multiplying the one-day VaR by the square root of the number of business days in one year—e.g., 252 days. If we did this, however, we'd be missing the point of risk capital. Risk capital is there to limit the risk of failure during a period of crisis, when the bank has suffered huge losses. As a worst-case scenario unfolds, the bank will naturally reduce its risk exposures in any way that it can. In the case of a proprietary trading desk, with highly liquid positions and no clients to service, this risk reduction can take place very quickly indeed. For other activities, risk can often be reduced only to a core risk level for the remainder of the year, defined as the minimum realistic size at which the business can be considered to be a going concern (i.e., can maintain its franchise).

Figure 12B.1 illustrates the calculation of risk capital when the core risk level is lower than the current risk position.

Across every bank, there are many other activities that must be allocated capital in a way that is sensitive to time horizons. For example, the bank should allocate capital to cover the risk of options that are embedded in many of its products. The option to prepay a mortgage is one obvious example, but there are many subtle twists on the risks generated by different types of products. For example, mortgage portfolios in Canada often incur commitment risks. These arise because the consumer automatically receives the lowest mortgage rate looking backward over a prescribed commitment period, as a function of the specific type of mortgage. In effect, the consumer has what derivatives practitioners call a "look-back option." The seriousness of the commitment risk is governed by the length of the commitment period; it represents the component that cannot be entirely eliminated by delta hedging (e.g., the basis risk between the wholesale rates and the mortgage rate). All these considerations need to be taken into account in determining the risk capital needed to support a Canadian mortgage business.
discusses one problem that this brings up: how to harmonize the different time horizons used to measure credit, market, and operational risk. Practitioners usually adopt a one-year time horizon, as this corresponds to the business planning cycle and is also a reasonable approximation of the length of time it might take to recapitalize the company if it were to suffer a major unexpected loss.

However, the choice of a risk horizon for RAROC is somewhat arbitrary. One could choose to measure the volatility of risk and returns over a longer period of time, say 5 or 10 years, in order to capture the full effect of the business cycle in measuring risk. Calculating economic capital over a longer period of time does not necessarily increase capital, as the level of confidence in any firm's solvency that we require decreases as the time horizon
credit risk. A through-the-cycle (TTC) PD, which is largely the approach taken by the rating agencies, is more reasonable for calculating economic capital, current profitability, and strategic decisions regarding products, geographies, and new business ventures.

where rf is the risk-free rate, RM is the expected return on the market portfolio, and βCE is the firm's common equity market beta.
BOX 12.5 ADJUSTING RAROC FOR THE RISK OF RETURNS

Ideally, we would like to adjust the traditional RAROC calculation to obtain a RAROC measure that takes into account the systemic riskiness of returns, and for which the hurdle rate (the critical benchmark above which a business adds value) is the same across all business lines. To correct the inherent limitations of the traditional RAROC measure, let's adjust the RAROC ratio as follows:

Adjusted RAROC = RAROC − βE(RM − rf)

where RM is the expected rate of return on the market portfolio, rf denotes the risk-free interest rate—say, the interest rate paid on three-month Treasury bills—and βE is the beta of the equity of the firm. The new decision rule is:

Accept (reject) projects whose adjusted RAROC is greater (smaller) than rf

The risk adjustment, βE(RM − rf), is the excess return above the risk-free rate required to compensate the shareholders of the firm for the nondiversifiable systematic risk they bear when investing in the activity, assuming that the shareholders hold a well-diversified portfolio. When the returns are thus adjusted for risk, the hurdle rate becomes the risk-free rate.

taking into account all the correlation effects between market risk, credit risk, and operational risk across all the business units of a company. Instead, banks tend to adopt a bottom-up decentralized approach, under which distinct risk models are run for each portfolio or business unit.

For capital adequacy purposes, running these business-specific models at the confidence level targeted at the top of the house, for example 99.97 percent, produces an unnecessarily large amount of overall risk capital, precisely because it neglects diversification effects (across both risk types and business activities). It is therefore common practice to adjust for the diversification effects by lowering the confidence level used at the business level to, say, 99.5 percent or lower—an adjustment that is necessarily more of an educated guess than a strict risk calculation.

If this sounds unsatisfactory, we can at least put some boundaries around the problem. The aggregate VaR figure obtained by this approach should fall in between the two extreme cases of perfect correlation and zero correlation between risk types and across businesses. For example, ignoring business risk, reputation risk, and strategic risk, for illustrative purposes, suppose that we've calculated the risk capital for each type of risk as follows:
[Figure 12.2 Diversification effect: stand-alone risk capital of $60 for X and $70 for Y with a diversification effect of $30; marginal risk capital totalling $70.]

volatility whose earnings move in a countercyclical fashion. Bringing together countercyclical business lines produces stable earnings for the firm as a whole; the firm can then operate to the same target credit rating with less risk capital.

In truth, institutions continue to struggle with the problem of attributing capital back to business lines, and there are diverging views as to the appropriate approach. For the moment, as a practical solution, most institutions allocate the portfolio effect pro rata with the stand-alone risk capital.

Diversification effects also complicate matters within business units. Let's look at this and other issues in relation to an example business unit, BU, which comprises two activities, X and Y (Figure 12.2). When calculating the risk capital of the business unit, let's assume that the firm's risk analysts have taken into account all the diversification effects created by combining activities X and Y and that the risk capital for BU is $100. The complication starts when we try to allocate risk capital at the activity level within the business unit. There are three different measures of risk capital:

the individual constituents of the business unit is generally higher than the stand-alone risk capital of the business unit itself (it is equal only in the case of perfectly correlated activities X and Y).

• Fully diversified capital is the capital attributed to each activity X and Y, taking into account all diversification benefits from combining them under the same leadership. In our example, the overall portfolio effect is $30 ($60 + $70 − $100). Allocating the diversification effect is an issue here. Following our earlier discussion, we'll allocate the portfolio effect pro rata with the stand-alone risk capital, $30 × 60/130 = $14 for X and $30 × 70/130 = $16 for Y, so that the fully diversified risk capital becomes $46 for X and $54 for Y.

ginal risk capital for X (assuming that Y already exists) is $30 ($100 − $70), and the marginal risk capital for Y (assuming that X already exists) is $40 ($100 − $60). In the case where more than two activities are included in the business unit BU, marginal capital is calculated by subtracting the risk capital required for the BU without this business from the risk capital required for the full portfolio of businesses. Note that the summation of the marginal risk capital, $70 in our example, is less than the full risk capital of the BU.

As this example shows, the choice of capital measure depends on the desired objective. Fully diversified measures should be used for assessing the solvency of the firm and minimum risk pricing. Active portfolio management or business mix decisions, on the other hand, should be based on marginal risk capital, taking into account the benefit of full diversification. Finally, performance measurement should involve both perspectives: stand-alone risk capital for incentive compensation, and fully diversified risk capital to assess the extra performance generated by the diversification effects.

However, we must be cautious about how generous we are in attributing diversification benefits.7 Correlations between risk factors drive the extent of the portfolio effect, and these correlations tend to vary over time. During market crises, in particular, correlations sometimes shift dramatically toward either 1 or −1, reducing or totally eliminating portfolio effects for a period of time.

business, and in the pricing of transactions. It also plays a critical role in the incentive compensation plan of the firm. Adjusting incentive compensation for risk in this way is important, because managers tend to align their performance to maximize whatever performance measures are imposed on them.

Needless to say, in firms in which RAROC has been implemented, business units often challenge the risk management function about the fairness of the amount of economic capital attributed to them. The usual complaint is that their economic

7 For a discussion of the common economic capital aggregation techniques and how they capture diversification benefits, see Range of Practices and Issues in Economic Capital Frameworks, BIS, March 2009, pp. 24-31.
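The three measures just described (stand-alone, marginal, and fully diversified with the portfolio effect allocated pro rata), the rule for marginal capital when the business unit has more than two activities, and the earlier sanity check that the aggregate figure should fall between the zero-correlation and perfect-correlation cases, worked through in Python as an added example that is not code from the text. The three-activity capital table and the root-sum-of-squares form of the zero-correlation bound are constructed assumptions.

```python
"""Risk capital attribution inside a business unit (added example).

Added illustration, not code from the text. It reproduces the Figure 12.2
numbers (stand-alone risk capital X = $60, Y = $70; diversified BU capital
$100) and generalises the three measures to any number of activities.
Assumption: the zero-correlation bound is the root-sum-of-squares of the
stand-alone figures (exact for normally distributed, uncorrelated losses),
which the text states only as "the zero correlation case".
"""
from math import sqrt
from typing import Callable, Dict, FrozenSet, Iterable, Tuple

# A capital function returns the diversified risk capital required by any
# subset of the business unit's activities (the empty subset needs none).
Capital = Callable[[FrozenSet[str]], float]


def make_capital_fn(table: Dict[FrozenSet[str], float]) -> Capital:
    """Wrap a lookup table of risk capital per subset of activities."""
    def capital(subset: FrozenSet[str]) -> float:
        return 0.0 if not subset else table[frozenset(subset)]
    return capital


def stand_alone(activities: Iterable[str], capital: Capital) -> Dict[str, float]:
    """Stand-alone capital: each activity measured with no diversification."""
    return {a: capital(frozenset([a])) for a in activities}


def marginal(activities: Iterable[str], capital: Capital) -> Dict[str, float]:
    """Marginal capital: full-BU capital minus BU capital without the activity."""
    full = frozenset(activities)
    total = capital(full)
    return {a: total - capital(full - {a}) for a in full}


def fully_diversified(activities: Iterable[str], capital: Capital) -> Dict[str, float]:
    """Allocate the portfolio effect pro rata with stand-alone capital."""
    sa = stand_alone(activities, capital)
    total_sa = sum(sa.values())
    effect = total_sa - capital(frozenset(sa))        # $30 in the text's example
    return {a: v - effect * v / total_sa for a, v in sa.items()}


def aggregation_bounds(stand_alone_capital: Dict[str, float]) -> Tuple[float, float]:
    """(zero-correlation, perfect-correlation) bounds on the aggregate capital."""
    values = list(stand_alone_capital.values())
    return sqrt(sum(v * v for v in values)), sum(values)


def within_bounds(activities: Iterable[str], capital: Capital) -> bool:
    """Sanity check from the text: the BU figure must lie between the bounds."""
    acts = list(activities)
    lo, hi = aggregation_bounds(stand_alone(acts, capital))
    return lo <= capital(frozenset(acts)) <= hi


def report(activities: Iterable[str], capital: Capital) -> Dict[str, Dict[str, int]]:
    """All three measures side by side, rounded to whole dollars as the text does."""
    acts = list(activities)
    return {
        "stand_alone": {a: round(v) for a, v in stand_alone(acts, capital).items()},
        "marginal": {a: round(v) for a, v in marginal(acts, capital).items()},
        "fully_diversified": {a: round(v) for a, v in fully_diversified(acts, capital).items()},
    }


# Figure 12.2 of the text: two activities.
FIG_12_2 = make_capital_fn({
    frozenset({"X"}): 60.0,
    frozenset({"Y"}): 70.0,
    frozenset({"X", "Y"}): 100.0,
})

# Constructed three-activity table (not from the text) to exercise the
# "more than two activities" rule: BU capital minus BU-without-activity capital.
THREE_ACTIVITIES = make_capital_fn({
    frozenset({"X"}): 60.0, frozenset({"Y"}): 70.0, frozenset({"Z"}): 50.0,
    frozenset({"X", "Y"}): 100.0, frozenset({"X", "Z"}): 90.0,
    frozenset({"Y", "Z"}): 95.0, frozenset({"X", "Y", "Z"}): 130.0,
})

if __name__ == "__main__":
    for name, cap, acts in (("Figure 12.2", FIG_12_2, ["X", "Y"]),
                            ("three activities", THREE_ACTIVITIES, ["X", "Y", "Z"])):
        print(name, report(acts, cap), "within bounds:", within_bounds(acts, cap))
```

In both tables the marginal figures sum to less than the full BU capital, as the text notes for the two-activity case.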
capital attribution is too high (never that it is too low!). Another complaint is that economic capital attribution is sometimes too unstable—the numbers can move up and down in a way that is disconcerting for a business trying to hit a target.

The best way to defuse this debate is for the RAROC group to be transparent about the methodology used to assess risk and to institute forums where the issues related to the determination of economic capital can be debated and analyzed. From our own experience, the VaR methodologies for measuring market risk and credit risk that underpin RAROC calculations are generally well accepted by business units (although this is not yet true for operational risk). It's the setting of the parameters that feed into these models, and that drive the size of economic capital, that causes acrimony.

Here are a number of recommendations for implementing a RAROC system:

1. Senior management commitment. Given the strategic nature of the decisions steered by a RAROC system, the marching orders must come from the top management of the firm. Specifically, the CEO and his or her executive team should sponsor the implementation of a RAROC system and should be active in the diffusion, within the firm, of a new culture in which performance is measured in terms of contribution to shareholder value. The message to push down to the business lines is this: What counts is not how much income is generated, but how well the firm is compensated for the risks that it is taking on.

2. Communication and education. The RAROC group should be transparent and should explain the RAROC methodology not only to the business's heads but also to the business line managers and the CFO's office, in order to gain acceptance of the methodology throughout all the management layers of the firm.

3. Ongoing consultation. The firm should institute a forum such as a "parameter review group" that periodically reviews the key parameters that drive risk and economic capital. This group, composed of key representatives from the business units and the risk management function, will bring legitimacy to the capital allocation process. For credit risk, the parameters that should be reviewed include probabilities of default, credit migration frequencies, loss given default, and credit line usage given default. These parameters evolve over the business cycle and should be adjusted as more data become available. An important issue to settle is the choice of a historical period over which these parameters are calibrated—i.e., should this be the whole credit cycle (in order to produce stable risk capital numbers) or a shorter period of time to make capital more procyclical (capital goes down when the credit environment improves and goes up when it deteriorates)? For market risk, volatility and correlation parameters should be updated at least every month, using standard statistical techniques. Other key factors, such as the core risk level and "time to reduce" (see Box 12.3), should be reviewed on an annual basis. For operational risk, the risk measurement approach is currently more judgmental and, as such, more open to heated discussions!

4. Maintaining the integrity of the process. As with other risk calculations, the validity of RAROC numbers depends critically on the quality of the data about risk exposures and positions collected from the management systems (e.g., in a trading business, the front- and back-office systems). Only a rigorous process of data collection and centralization can ensure accurate risk and capital assessment. The same rigor should also be applied to the financial information needed to estimate the adjusted-return element of the RAROC equation. Data collection is probably the most daunting task in risk management. But the best recipe for failure in implementing a RAROC system is to base calculations on inaccurate and incomplete data. The RAROC group should be accountable for the integrity of the data collection process, the calculations, and the reporting process. The business units and the finance group should be accountable for the integrity of the specific data that they produce and feed into the RAROC system.

5. Combine RAROC with qualitative factors. Earlier in this chapter, we described a simple decision rule for project selection and capital attribution—i.e., accept projects where the RAROC is greater than the hurdle rate. In practice, other qualitative factors should be taken into consideration. All the business units should be assessed in the context of the two-dimensional strategic grid shown in Figure 12.3. The horizontal axis of this figure corresponds to the RAROC

[Figure 12.3 Strategic grid. Axis label: Quality of Earnings: Strategic Importance/Long-Term Growth Potential]
Range of Practices and Issues in Economic Capital Frameworks

Learning Objectives

After completing this reading you should be able to:

Within the economic capital implementation framework describe the challenges that appear in:
■ Defining and calculating risk measures
■ Risk aggregation
■ Validation of models
■ Dependency modeling in credit risk
■ Evaluating counterparty credit risk
■ Assessing interest rate risk in the banking book

Explain benefits and impacts of using an economic capital framework within the following areas:
■ Credit portfolio management
■ Risk based pricing
■ Customer profitability analysis
■ Management incentives

Describe best practices and assess key concerns for the governance of an economic capital framework.

Describe the BIS recommendations that supervisors should consider to make effective use of internal risk measures, such as economic capital, that are not designed for regulatory purposes.

Excerpt is reprinted by permission from the Basel Committee on Banking Supervision.
13.1 EXECUTIVE SUMMARY

Economic capital can be defined as the methods or practices that allow banks to consistently assess risk and attribute capital to cover the economic effects of risk-taking activities. Economic capital was originally developed by banks as a tool for capital allocation and performance assessment. For these purposes, economic capital measures mostly need to reliably and accurately measure risks in a relative sense, with less importance attached to the measurement of the overall level of risk or capital. Over time, the use of economic capital has been extended to applications that require accuracy in estimation of the level of capital (or risk), such as the quantification of the absolute level of internal capital needed by a bank. This evolution in the use of economic capital has been driven by both internal capital management needs of banks and regulatory initiatives, and has been facilitated by advances in risk quantification methodologies and the supporting technological infrastructure.

While there has been some convergence in the understanding of key concepts of economic capital across banks with such frameworks in place, the notion of economic capital has broadened over time. This has occurred in terms of the underlying risks (or building blocks) that are combined into an overall economic capital framework and also in terms of the relative acceptance and use of economic capital across banks.

Economic capital can be analysed and used at various levels—ranging from firm-wide aggregation, to risk-type or business-line level, and down further still to the individual portfolio or exposure level. Many building blocks of economic capital, therefore, are complex and raise challenges for banks and supervisors. In particular, Pillar 2 (supervisory review process) of the Basel II Framework may involve an assessment of a bank's economic capital framework. Accordingly, this paper makes recommendations of particular interest to supervisors and bankers where economic capital models are used in the supervisory dialogue. In addition, supervisors have an interest in promoting robust, transparent and effective risk management, which in many cases requires an understanding of banks' economic capital frameworks. Nevertheless, it is recognised that economic capital is a business tool developed and used by individual institutions for internal risk management purposes.

This paper emphasises the importance of understanding the relationship between overall economic capital and its building blocks, as well as ensuring that the underlying building blocks (individual risk assessments) are measured in a consistent and coherent fashion. The main body of the paper focuses on issues associated with the overall economic capital process, rather than on the component risks measured by economic capital. Therefore it covers issues related to the use and governance of economic capital, the choice of risk measures, aggregation of risk, and validation of economic capital. In addition, three important building blocks of economic capital (dependency modelling in credit risk, counterparty credit risk and interest rate risk in the banking book) are examined in separate, stand-alone annexes. This list of building blocks is chosen due to the significance and complexity of the topics, and (with the exception of counterparty credit risk) partly because the topics are not covered in Pillar 1 of the Basel II Framework. This list is by no means exhaustive.

Use of Economic Capital and Governance

The robustness of economic capital and the governance and controls surrounding the process have become more critical as the use of economic capital has extended beyond relative risk measurement and performance to the determination of the adequacy of a bank's absolute level of capital.

The viability and usefulness of a bank's economic capital processes depend critically on the existence of a credible commitment or "buy-in" on the part of senior management to the process. In order for this to occur, it is necessary for senior management to recognise the importance of using economic capital measures in conducting the bank's business. In addition, adequate resources are required to ensure the existence of a strong, credible infrastructure to support the economic capital process. Economic capital model results should be transparent and taken seriously in order to be useful for business decisions and risk management. At the same time, management should fully understand the limitations of economic capital measures. Moreover, senior management needs to take measures to help ensure the meaningfulness and integrity of economic capital measures. It should also seek to ensure that the measures comprehensively capture all risks and that implicit and/or explicit management actions embedded in measurement processes are both realistic and actionable.

Risk Measures

Banks use a variety of risk measures for economic capital purposes, with the choice of risk measure dependent on a number of factors. These include the properties of the risk measure, the risk- or product-type being measured, data availability, trade-offs between the complexity and usability of the measure, and the intended use of the risk measure. While there is general agreement on the desirable properties a risk measure should have, there is no singularly preferred risk measure for economic capital purposes. All risk measures observed in use have
advantages and disadvantages which need to be understood within the context of their intended application.

Risk Aggregation

One of the more challenging aspects of developing an economic capital framework relates to risk aggregation.

Practices and techniques in risk aggregation are generally less sophisticated than the methodologies that are used in measuring individual risk components. They rely heavily on ad-hoc solutions and judgment without always being theoretically consistent with the measurement of the components. Most banks rely on the summation of individual risk components either equally-weighted (i.e., assuming no diversification or a fixed percentage of diversification gains across all components) or weighted by an estimated variance-covariance matrix that represents the co-movement between risks. Few banks attempt technically more sophisticated aggregation methods such as copulas or even bottom-up approaches that build overall economic estimates from the common relationship of individual risk components to underlying factors.

Validation is a general problem with aggregation techniques. Diversification benefits embedded in inter-risk aggregation processes (including in the estimation of entries in the variance-covariance matrix) are often based on (internal or external) "expert judgment" or average industry benchmarks. These have not been (and very often cannot be) compared to the actual historical or expected future experience of a bank, due to lack of relevant data.

Since individual risk components are typically estimated without much regard to the interactions between risks (e.g., between market and credit risk), the aggregation methodologies used may underestimate overall risk even if "no diversification" assumptions are used. Moreover, harmonisation of the measurement horizon is a difficult issue. For example, extending the shorter horizon applied to market risk to match the typically-used annual horizon of economic capital assessments for other types of risk is often performed by using a square root of time rule on the economic capital measure. This simplification can distort the calculation. Similar issues arise when risk measured at one confidence level is then scaled to become (nominally) comparable with other risk components measured at a different confidence level.

Validation

Economic capital models can be complex, embodying many component parts, and it may not be immediately obvious that a complex model works satisfactorily. Moreover, a model may embody assumptions about relationships between variables or about their behaviour that may not hold in all circumstances (e.g., under periods of stress). Validation can provide a degree of confidence that the assumptions are appropriate, increasing the confidence of users (internal and external to the bank) in the outputs of the model. Additionally, validation can also be useful in identifying the limitations of economic capital models, i.e., where embedded assumptions do not fit reality.

The validation of economic capital models is at a very preliminary stage. There exists a wide range of validation techniques, each of which provides evidence for (or against) only some of the desirable properties of a model. Moreover, validation techniques are powerful in some areas such as risk sensitivity but not in other areas such as overall absolute accuracy or accuracy in the tail of the loss distribution. Used in combination, particularly in combination with good controls and governance, a range of validation techniques can provide more substantial evidence for or against the performance of the model. There appears to be scope for the industry to improve the validation practices that shed light on the overall calibration of models, particularly in cases where assessment of overall capital is an important application of the model.

Dependency Modelling in Credit Risk

Portfolio credit risk models form a significant component of most economic capital frameworks. A particularly important and difficult aspect of portfolio credit risk modelling is the modelling of the dependency structure, including both linear relationships and non-linear relationships, between obligors. Dependency modelling is an important link between the Basel II risk weight function (with supervisory imposed correlations) and portfolio credit risk models which rely on internal bank modelling of dependencies. Understanding the way dependencies are modelled is important for supervisors when they examine a bank's internal capital adequacy assessment process (ICAAP) under Pillar 2, since these dependency structures are not captured in regulatory capital measures.

The underlying methodologies applied by banks in the area of dependency modelling in credit risk portfolios have not changed much over the past ten years. Rather, improvements have been made in the infrastructure supporting the methodologies (e.g., improved databases) and better integration with internal risk measurement and risk management. The main concern in this area of economic capital continues to centre on the accuracy and stability of correlation estimates, particularly during times of stress. The correlation estimates provided by current models still depend heavily on explicit or implicit model assumptions.
risks. The bank's board of directors should also be able to demonstrate conceptual awareness and understanding of the gap between gross (stand alone) and net enterprise wide (diversified) risk when they define and communicate measures of the bank's risk appetite on a net basis.

2. Senior management. The viability, usefulness, and ongoing refinement of a bank's economic capital processes depend critically on the existence of credible commitment or "buy-in" on the part of senior management to the process. In order for this to occur, senior management should recognise the importance of using economic capital measures in conducting the bank's business and capital planning, and should take measures to ensure the meaningfulness and integrity of economic capital measures. In addition, adequate resources should be committed to ensure the existence of a strong, credible infrastructure to support the economic capital process.

3. Transparency and integration into decision-making. A bank should effectively document and integrate economic capital models in a transparent way into decision-making. Economic capital model results should be transparent and taken seriously in order to be useful to senior management for making business decisions and for risk management. A bank should take a careful approach to its use of economic capital in internal assessments of capital adequacy. For this purpose, greater emphasis should be placed on achieving robust estimates of stand-alone risks on an absolute basis, as well as developing the flexible capacity for enterprise-wide stress testing.

4. Risk identification. Risk measurement begins with a robust, comprehensive and rigorous risk identification process. If relevant risk drivers, positions or exposures are not captured by the quantification engine for economic capital, there is great room for slippage between inherent risk and measured risk. Not all risks can be directly quantified. Material risks that are difficult to quantify in an economic capital framework (e.g., funding liquidity risk or reputational risk) should be captured in some form of compensating controls (sensitivity analysis, stress testing, scenario analysis or similar risk control processes).

5. Risk measures. All risk measures observed in use have

6. Risk aggregation. A bank's aggregation methods should address the implications stemming from the definition and measurement of individual risk components. The accuracy of the aggregation process depends on the quality of the measurement of individual risk components, as well as on the interactions between risks embedded in the measurement process. Aggregation of individual risk components often requires the harmonisation of risk measurement parameters such as the confidence level or measurement horizon. Care must be taken to ensure that the aggregation methodologies used (e.g., variance-covariance matrices, use of broad market proxies, and simple industry averages of correlations) are, to the extent possible, representative of the bank's business composition and risk profile.

7. Validation. Economic capital model validation should be conducted rigorously and comprehensively. Validation of economic capital models should be aimed at demonstrating that the model is fit for purpose. Evidence is likely to come from multiple techniques and tests. To the extent that a bank uses models to determine an overall level of economic capital, validation tools should demonstrate to a reasonable degree that the capital level generated by the model is sufficient to absorb losses over the chosen horizon up to the desired confidence level. The results of such validation work should be communicated to senior management to enhance economic capital model usage.

8. Dependency modelling in credit risk. Since the dependency structures embedded in portfolio credit risk models have an important impact on the determination of economic capital needs for credit risk, banks should carefully assess the extent to which the dependency structures they use are appropriate for their credit portfolio. Banks should identify and understand the main limitations of their credit portfolio models and their implementation. They should address those limitations by using adequate supplementary risk management approaches (e.g., sensitivity analysis, scenario analysis, timely review of parameters).

9. Counterparty credit risk. A bank should understand the trade-offs involved in choosing between the currently used methodologies for measuring counterparty credit risk. Complementary measurement processes such as stress testing should also be used, though it should be recognised that such
advantages and disadvantages which need to be under approaches may still not fully cover all counterparty credit
stood within the context of their intended application. risk exposures. The measurement of counterparty credit risk
There is no singularly preferred risk measure for economic is com plex and entails unique market and credit risk related
capital purposes. A bank should understand the limitations challenges. A range of aggregation challenges needs to be
of the risk measures it uses, and the implications associated overcome before a firm can have a bank-wide view of coun
with its choice of risk measures. terparty credit risk for economic capital purposes.
198 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
The main body of this paper focuses on aspects of the overall architecture of economic capital models. First, the paper covers the use of economic capital models and the governance and control framework. Second, it reviews the range of risk measures used by banks in their economic capital models. Next, it covers the range of practice in risk aggregation methods before the paper moves to issues arising in the validation of economic capital models. The main body of the paper therefore focuses on issues that are at a level above that of individual risks. The paper does not discuss the estimation of important building blocks of economic capital models, such as the estimation of probability of default (PD), loss given default (LGD) and exposure at default (EAD) in credit risk models. This is not to say that estimation of these parameters is simple or without issues. Rather, these issues are outside the scope of this work and have been covered in detail in other publications. Nevertheless, the annexes to this chapter discuss three building blocks of economic capital models, namely dependency modelling in credit risk, counterparty credit risk and interest rate risk in the banking book. These topics are given closer attention in this paper due to a combination of their significance, inherent challenges and (with the exception of counterparty credit risk) partly because the topics are not covered in Pillar 1 (minimum capital requirements) of the Basel II Framework. Should the need arise, further work on other significant elements of economic capital may be undertaken in the future.

Finally, it is worth noting that this work was initiated well before the market turmoil that began in August 2007. This paper therefore examines general issues that are deemed to be relevant for economic capital modelling. It does not attempt to analyse or assess the performance of economic capital models during the market turmoil.

13.4 USE OF ECONOMIC CAPITAL MEASURES AND GOVERNANCE

In order to achieve a common measure across all risks and businesses, economic capital is often parameterised as an amount of capital that a bank needs to absorb unexpected losses over a certain time horizon at a given confidence level. Because expected losses are accounted for in the pricing of a bank's products and loan loss provisioning, it is only unexpected losses that require economic capital. Economic capital analysis typically involves an identification of the risks from certain activities or exposures, an attempt to measure and quantify those risks, the aggregation of those risks, and an attribution or allocation of capital to those risks.

Historically, banks have followed a path in their use of economic capital that begins with (i) business unit-level portfolio measurement and pricing profitability analysis followed by (ii) enterprise-wide relative performance measurement that migrates to capital budgeting/planning, acquisition/divestiture analysis, external reporting and internal capital adequacy assessment processes.

Business-Level Use

The effective use of economic capital at the business-unit level depends on how relevant the economic capital allocated to or absorbed by a business unit is with respect to the decision-making processes that take place within it. Frequently, the success or failure of an economic capital framework in a bank can be assessed by looking at how business line managers perceive the constraints economic capital imposes and the opportunities it offers in the following areas: (i) credit portfolio management; (ii) risk-based pricing; (iii) customer profitability analysis, customer segmentation, and portfolio optimisation; and (iv) management incentives.

Credit Portfolio Management

Credit portfolio management refers to activities in which banks assess the risk/return profiles of credit portfolios and enhance their profitability through credit risk transfer transactions and/or control of the loan approval process. In credit portfolio management, the creditworthiness of each borrower is assessed in a portfolio setting. A loan with a higher stand-alone risk does not necessarily contribute more risk to the portfolio. A loan's marginal contribution to the portfolio, as a result, is critical to assessing the concentration of the portfolio. Economic capital is a measurement of the level of concentration. It is one of the factors used to determine which hedging facilities to employ in reducing concentration. According to the results presented in Rutter Associates LLC (2004), the use of credit portfolio management for reducing economic capital seems to be less dominant than for "management of concentrations" and for "protection against risk deterioration."

Risk-Based Pricing

The relevance of allocated economic capital for pricing certain products (especially traditional credit products) is widely recognised. In theory, under the assumption of competitive financial markets, prices are exogenous to banks, which act as price-takers and assess the expected return (ex ante) and/or performance (ex post) of deals by means of risk-adjusted performance measures, such as the risk-adjusted return on capital (RAROC). In practice, however, markets are segmented. For example, the market for loans can be viewed as composed of a wholesale segment, where banks tend to behave more as price-takers,
and/or prepare contingency funding plans (e.g., liquidity risk). Consequently, capital typically is not allocated for such risks.

Relative Performance Measurement

In order to assess relative performance on a risk-adjusted basis, banks calculate risk-adjusted performance measures, where economic capital measures play an important role. The most commonly used risk-adjusted performance measures are risk-adjusted return on capital (RAROC) and shareholder value added (SVA). Many banks calculate these measures at various levels of the enterprise (e.g., entity level, large business unit level and portfolio level). The major difference between these two measures is that RAROC is a relative measure, while SVA is an absolute measure. RAROC provides information which is useful in comparing the performances of two portfolios with the same amount of economic net income, but with substantially different economic capital measures.

One of the key issues in using both RAROC and SVA for performance measurement is how to set the hurdle rate that reflects the bank's cost of capital. In this regard practices vary across banks. Some banks set a single cost of capital (e.g., weighted average cost of capital or target return on equity (ROE)) across all business units, while other banks set required returns that vary according to the risks of the business units.

Some banks use lower confidence levels for performance assessment of business units than for their enterprise-wide capital adequacy assessment. This approach is based on the view that economic capital measures calculated at high confidence levels focus on extreme events and do not always provide appropriate information for senior management. Calculation of risk-adjusted performance measures at the large business unit levels (e.g., wholesale banking, trading) is more commonly observed than at the smaller business unit levels. In calculating economic net income, one of the challenges is how to allocate profits and costs to each unit, if more than one unit contributes a profit-generating transaction or benefits from a cost-generating activity.

Banks use risk-adjusted performance measures in their performance assessment (e.g., comparing performance with a target, analysing historical performance) and compensation setting. Use of economic capital measures for risk-adjusted performance measures in a capital budgeting process is much more common practice than incorporating economic capital measures into the determination of compensation for business managers and staff.3

Capital Budgeting, Strategic Planning, Target Setting and Internal Reporting

Many banks allocate (hypothetical) capital to each business unit in their budgeting process, where economic capital measures play an important role. This process is also part of strategic planning (e.g., defining the bank's risk appetite) and target setting (e.g., profit, capital ratio or external rating). In order to facilitate business growth that improves risk-adjusted profitability, while operating within an overall risk appetite set by the board, many banks have established internal reporting/monitoring frameworks.

Generally, banks have a number of ways to conduct capital planning, most of which are not empirically based, but instead are based on judgment and stress testing exercises. These include scenario analysis and sensitivity analysis, which introduce forward-looking elements into the capital planning process. That is, banks place more emphasis on qualitative rather than quantitative tools and expect to rely on management actions to deal with future events. It seems that banks take only a rough, judgmental approach to reviewing the performance and interaction of economic capital "demand" figures and available capital "supply" figures during times of stress. It does not appear that banks have a rigorous process for determining their capital buffers, although some banks systematically set their capital buffers at levels above regulatory minimums (about 120%-140%). Banks' capital planning scenarios differ by chosen time horizon, with some choosing one year, and others choosing three to five years. Banks usually look at adverse events that would affect the bank individually or would affect markets more broadly (a pandemic is one scenario chosen by some banks for the latter). Some banks stress certain parameters in their economic capital models (e.g., they shock PDs based on a severe recession scenario) to assess the potential impact on economic capital.

Acquisition/Divestiture Analysis

In corporate development activities, such as mergers and acquisitions, some banks use the targets' economic capital measures as one of the factors in conducting due diligence. However, the number of banks using economic capital measures for corporate development activities is relatively smaller than the number of those using economic capital measures for the other purposes described above. According to the results of the IFRI and CRO Forum (2007) survey, only 25% of participating banks use economic capital measures for corporate development activities, such as mergers and acquisitions. On the other hand, it seems that this approach is more often used for mergers and acquisitions in emerging markets, where information on the targets' market values is far less readily available.

3 There are other risk-adjusted performance measures that could be used. Some of these measures include RORAC (return on risk-adjusted capital), ROCAR (return on capital at risk) and RAROA (risk-adjusted return on risk-adjusted assets). See Crouhy et al. (2006).
Unit Involved in the Economic Capital Process and Its Level of Knowledge

There is a wide range of organisational governance structures responsible for the economic capital framework at banking institutions. These governance structures range from involving highly concentrated responsibilities to involving highly decentralised responsibilities. For example, some banking institutions house a centralised economic capital unit within corporate Treasury, with formal responsibilities. However, components of the overall economic capital model or some parameters are outside the direct control of the economic capital owner. Other banks share responsibility for the economic capital framework between the risk function and the finance function, while others have a more decentralised structure, with responsibilities spread among a wider range of units.5

Once capital has been allocated, each business unit then manages its risk so that it does not exceed its allocated capital. In defining units to which capital is allocated, banks sometimes take into account their governance structure. For example, banks that delegate broader discretion to business unit heads tend to allocate capital to the business unit, leaving the business unit's internal capital allocation within the business line's control. On the other hand, management is likely to be more involved in the allocation of capital within business units if the bank's governance structure is more centralised. There seems to be divergence in the approach to this process. Some banks prefer rigid operation, where allocation units adhere to the original capital allocation throughout the budgeting period. On the other hand, other banks prefer a more flexible framework, allowing reallocation of capital during the budgeting period, sometimes with thresholds that trigger reallocation before consuming all the allocated capital.

Frequency of Economic Capital Measurements and Disclosure

Economic capital calculations have a strong manual component and data quality is a prominent concern. Hence, most banks calculate economic capital on a monthly or quarterly basis.

Implementation of Basel II has fostered public disclosure of quantitative information on economic capital measures among banks. Although disclosure of quantitative economic capital measures is not mandatory under Pillar 3 (market discipline) of Basel II, the aim of Pillar 3 is to encourage market discipline by accurately conveying the actual financial condition of banks to the market. In addition to quantitative economic capital measures, qualitative information on the governance surrounding the economic capital framework of banks is becoming more important, since external market participants take into account the sophistication of the economic capital framework and bank management in their assessments of banks.

Policies, Procedures, and Approvals Relating to Economic Capital Model Development, Validation, On-Going Maintenance and Ownership

Most banks have formalised policies and procedures for economic capital governance and analytics to ensure the consistent application of economic capital across the enterprise. For those banks that have adopted enterprise-wide policies and procedures, it is the responsibility of the business units to ensure that those policies and procedures are being followed. Some institutions that do not have formal policies and procedures have economic capital processes and analytics (e.g., coverage of off-balance sheet items, confidence level and holding period) that are inconsistent across organisational units.

Change-control processes for economic capital models are generally less formalised than for pricing or risk management models. They typically leverage off change-control processes of the underlying models and parameters. Changes to economic capital-specific methodologies (e.g., aggregation methodologies) are managed by the bank's economic capital owner, and may not be the same as the change control processes in other areas of the banking institution. Diagnostics procedures are typically run after an economic capital model change. Some banks require responsible parties to sign off on any changes to methodology. However, formalised validation processes after changes, or internal escalation procedures in the event of unexpectedly large differences in the economic capital numbers, are uncommon.

Some banks specifically name an owner of the economic capital model. Typically, the owner provides oversight of the economic capital framework. However, few formal responsibilities are assigned to the owner other than ensuring reports from all model areas are received in a timely manner and mechanically aggregating the individual components of the economic capital framework into a report.

Supervisory Concerns Relating to Use of Economic Capital and Governance

Senior management needs to ensure that there are robust controls and governance surrounding the entire economic capital process. There are several supervisory concerns relating to the

5 According to the IFRI and CRO Forum (2007) survey, about 80% of the economic capital work is undertaken centrally, and about 20% by the business units. About 60% of the banks participating in the survey have economic capital functions that report directly to the Chief Risk Officer, while others have reporting lines to the Chief Financial Officer or the Corporate Treasury.
The types of risk that are included in economic capital models and the ICAAP vary across banks in a given country as well as across countries (partly because some risk types are more pronounced in some countries). Risks that the economic capital model cannot easily measure may be considered as a separate judgmental adjustment in the ICAAP. Whether a risk type is included in the ICAAP may depend on the risk profile of the individual bank, and whether the individual bank regards these risks as material.

There can be variation between banks in the risks covered by their economic capital models, since an identically named risk type may be defined differently across banks and across countries. The term business risk, for example, is sometimes confused with or lumped together with less quantifiable legal and reputational risk.

Diversification Assumptions

In most cases, intra-risk diversification assumptions are built into the models for individual risk types. For inter-risk diversification assumptions, current practices vary among banks and the banking industry does not seem to have agreed on best practices. Thus, the methods remain preliminary and require further analysis. In light of the uncertainty in estimating diversification effects, especially for inter-risk diversification, due consideration for conservatism may be important. The issue of inter-risk diversification is addressed in detail later in the chapter and intra-risk diversification (within portfolio credit risk modelling) is discussed in Annex I.

Assumptions about Management Actions

In some banks, potential management actions are taken into account in economic capital models. However, one of the main reasons that banks do not include management actions in their economic capital models is that these actions are

Finally, banks do not seem to take into account constraints that could impede the effective implementation of management actions. Such constraints may relate to legal issues, reputational effects, and cross-border operations. Further analysis of the range and plausibility of these built-in assumptions about management action, particularly in times of stress, may be warranted.

Role of Stress Testing

Currently, many banks apply stress tests, including scenario analysis and sensitivity analysis, to individual risks, although the framework and procedures still need to be improved. The use of integrated stress tests is gradually becoming more widespread in the industry, probably reflecting the need to assess the impact of stress events on overall economic capital measures and to provide complementary estimates of capital needs in the context of ICAAP. At present, there exists wide variation among banks in the level and extent of integrated stress tests being utilised. In general, however, practices are still in the development stage.

Stress test results do not necessarily lead to additional capital. Rather, it seems more common that stress tests are used to confirm the validity of economic capital measures, to provide complementary estimates of capital needs, to consider contingency planning and management actions, and gradually to formulate capital planning. In some cases, banks use stress tests to determine the effects of stressed market conditions on earnings rather than on economic capital measures.

Economic Capital Should Not Be the Sole Determinant of Required Capital

In general, both rating agencies and shareholders influence the level of a bank's capital, with the former stressing higher capital for solvency and the latter lower capital for profitability. Banks also look to peers in targeting their capital ratios. Nearly all large, internationally active banks set their economic capital solvency standard at a level they perceive to be required to maintain a specific external rating (e.g., AA). Banks tend to look to peers in choosing external ratings and associated solvency standards. There is not a lot of evidence that bank counterparties have an impact on capital levels, other than indirectly through the need to deal with institutions having an acceptably high external rating. Many banks claim to target a high external rating because of their desire to access capital and derivatives markets.

Senior Management Commitment to the Economic Capital Process

The viability and usefulness of a bank's economic capital processes depend critically on the existence of credible commitment or "buy-in" on the part of senior management to the process. In order for this to occur, senior management must recognise the importance of using economic capital measures in conducting the bank's business and capital planning. In addition, adequate resources must be committed to ensure the existence of a strong, credible infrastructure to support the economic capital process.
Table 13.1 Risk Measures

                                         | Standard Deviation                                 | VaR                                                | Expected Shortfall               | Spectral and Distorted Risk Measures
Stable                                   | No, depends on assumptions about loss distribution | No, depends on assumptions about loss distribution | Depends on the loss distribution | Depends on the loss distribution
Simple and meaningful risk decomposition | Simple, but not very meaningful                    | Not simple, might induce distorted choices         | Relatively simple and meaningful | Relatively simple and meaningful
Calculation of Risk Measures

Confidence Level

In their internal use of risk measures, banks need to determine an appropriate confidence level for their economic capital models that may vary for different business models. The banks' target rating plays an important role in the choice of confidence level.

The link between a bank's target rating and the choice of confidence level may be interpreted as the amount of economic capital that must be exceeded by available capital resources to prevent the bank from eroding its capital buffer at a given confidence level. According to this view, which can be interpreted as a going concern view, capital planning is seen more as a dynamic exercise than a static one, where it is the probability of eroding such a buffer (rather than all available capital) that is linked to the target rating. This would reflect the expectation (by analysts, rating agencies and the market) that the bank operates with capital that exceeds the regulatory minimum requirement.

Establishing the link between a bank's target rating and the choice of confidence level, however, is far from being an easy exercise. It involves the mapping between ratings and PDs, which can change, depending on the rating agency scale adopted, and it suffers from significant statistical noise, especially at the higher rating grades which are typically targeted by banks. Banks can use a range of confidence levels for the same target rating, with overlaps between different rating classes. For example, the IFRI and CRO Forum (2007) survey found that PDs mapped to an AA target rating range from two to seven basis points, while the range for an A target rating is four to ten basis points.

Apart from considerations about the link to a target rating, the choice of a confidence level might differ based on the question to be addressed. On the one hand, high confidence levels reflect the perspective of creditors, rating agencies and supervisors in that they are used to determine the amount of capital required to minimise bankruptcy risk. On the other hand, banks may use lower confidence levels for management purposes in order to allocate capital to business lines and/or individual exposures and to identify those exposures that are critical for profit objectives in a normal business environment. Consequently, banks typically use different confidence levels for different purposes.

Another interesting aspect of the internal use of different risk measures is that the choice of risk measure and confidence level heavily influences relative capital allocations to individual exposures or portfolios. In short, the farther out in the tail of a loss distribution, the more relative capital gets allocated to concentrated exposures. As such, the choice of the risk measure as well as the confidence level can have a strategic impact since some portfolios might look relatively better or worse under risk-adjusted performance measures than they would based on an alternative risk measure.
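The code below is an added example, not from the Basel paper or the FRM text: it computes VaR and expected shortfall for two constructed loss distributions with equal expected loss, shows how the economic capital and RAROC each implies shift with the confidence level (the "farther out in the tail" effect above and the VaR weakness noted in Table 13.1), and then aggregates three constructed stand-alone silo figures with a variance-covariance matrix, refusing mismatched confidence levels or horizons as the risk aggregation principle earlier in the chapter requires. The distributions, the income figure, the silo amounts and the correlations are all assumptions made for this illustration.

```python
"""Added example (not from the Basel paper or the FRM text): VaR versus expected
shortfall on two constructed loss distributions, the economic capital each
implies at several confidence levels, and variance-covariance aggregation of
constructed stand-alone figures.  All distributions, correlations and silo
figures are assumptions made for this illustration."""
from fractions import Fraction
from math import sqrt

# A loss distribution is a dict {loss_amount: probability}.  Exact Fractions keep
# the tail arithmetic free of floating-point rounding at 99.9%.


def expected_loss(dist):
    return sum(loss * p for loss, p in dist.items())


def value_at_risk(dist, q):
    """Smallest loss x with P(L <= x) >= q, i.e. the q-quantile of the losses."""
    cdf = Fraction(0)
    for loss, p in sorted(dist.items()):
        cdf += p
        if cdf >= q:
            return loss
    raise ValueError("probabilities do not sum to 1")


def expected_shortfall(dist, q):
    """Average loss over the worst (1 - q) share of outcomes.  The probability
    atom at the VaR point is split so that exactly mass (1 - q) is averaged."""
    var = value_at_risk(dist, q)
    beyond_var = sum(loss * p for loss, p in dist.items() if loss > var)
    cdf_at_var = sum(p for loss, p in dist.items() if loss <= var)
    return (beyond_var + var * (cdf_at_var - q)) / (1 - q)


def economic_capital(dist, q, measure=value_at_risk):
    """Unexpected loss: risk measure minus expected loss, floored at zero, since
    expected losses are covered by pricing and provisions rather than capital."""
    return max(measure(dist, q) - expected_loss(dist), Fraction(0))


def raroc(net_income, capital):
    """Risk-adjusted return on capital; None when the measure allocates no capital."""
    return None if capital == 0 else Fraction(net_income) / capital


def aggregate_var_covar(components, correlations):
    """Variance-covariance aggregation of stand-alone economic capital figures.
    components:   {name: (capital, confidence_label, horizon_years)}
    correlations: {frozenset({a, b}): rho} for each pair a != b."""
    bases = {(conf, horizon) for _, conf, horizon in components.values()}
    if len(bases) != 1:  # confidence level and horizon must be harmonised first
        raise ValueError(f"components measured on different bases: {bases}")
    names = list(components)
    total = 0.0
    for a in names:
        for b in names:
            rho = 1.0 if a == b else correlations[frozenset({a, b})]
            total += rho * components[a][0] * components[b][0]
    return sqrt(total)


# Constructed distributions with the same expected loss (1.0): a diversified book
# of many small losses and a concentrated exposure with one rare, large loss.
DIVERSIFIED = {0: Fraction(92, 100), 10: Fraction(6, 100), 20: Fraction(2, 100)}
CONCENTRATED = {0: Fraction(995, 1000), 200: Fraction(5, 1000)}
LEVELS = [Fraction(95, 100), Fraction(99, 100), Fraction(999, 1000)]


def capital_table(dist):
    """{confidence label: (VaR-based capital, ES-based capital)} for each level."""
    return {f"{float(q):.1%}": (economic_capital(dist, q, value_at_risk),
                                economic_capital(dist, q, expected_shortfall))
            for q in LEVELS}


if __name__ == "__main__":
    books = (("diversified", DIVERSIFIED), ("concentrated", CONCENTRATED))
    for name, dist in books:
        print(name, {k: tuple(map(float, v)) for k, v in capital_table(dist).items()})
    # Same economic net income (5.0 per book): which book looks better depends on
    # the confidence level chosen for the risk-adjusted performance measure.
    for q in (Fraction(95, 100), Fraction(999, 1000)):
        for name, dist in books:
            r = raroc(5, economic_capital(dist, q, expected_shortfall))
            print(f"ES {float(q):.1%} {name} RAROC = {float(r):.1%}")
    # Constructed stand-alone silo figures (all 99.9%, one year) and correlations.
    silos = {"credit": (60.0, "99.9%", 1), "market": (30.0, "99.9%", 1),
             "operational": (20.0, "99.9%", 1)}
    rho = {frozenset({"credit", "market"}): 0.5,
           frozenset({"credit", "operational"}): 0.25,
           frozenset({"market", "operational"}): 0.25}
    print("simple sum:", sum(c for c, _, _ in silos.values()))
    print("var-covar aggregate:", round(aggregate_var_covar(silos, rho), 2))
```

At 99% VaR the concentrated book receives no capital at all while expected shortfall assigns it 99, which is the "distorted choices" entry for VaR in Table 13.1 made concrete.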
From a supervisory point of view, there is no obvious preference for one risk measure over another among the measures most widely used for calculating economic capital. Rather,

In contrast to classification along organisational lines, which presents few conceptual difficulties, classification along risk types can be imprecise. Definitions of risk types may differ across institutions, or even across portfolios within a single banking organisation, often reflecting the nature of the bank's business or the degree of sophistication of its risk measurement. As discussed below, this imprecision has implications for the aggregation process.

The following list provides a brief description of the main categories into which the typical framework classifies risks.

Market risk: Refers to portfolio value changes due to changes in rates and prices that are perceived as exogenous from the viewpoint of the bank. These comprise exposures to asset classes such as equities, commodities, foreign exchange and fixed-income, as well as to changes in discount factors such as the risk-free yield curve and risk premiums. A specific type of market risk is IRRBB, which stems from repricing risk (arising from differences in the maturity and repricing terms of customer loans and liabilities), yield curve risk (stemming from asymmetric movements in rates along the yield curve), and basis risk (arising from imperfect correlation in the adjustment of the rates earned and paid on different financial instruments with otherwise similar repricing characteristics). IRRBB also arises from the embedded option features of many financial instruments on banks' balance sheets.

Credit risk: Refers to portfolio value changes due to shifts in the likelihood that an obligor (or counterparty) may fail to deliver cash flows (principal and interest) as previously contracted. The distinction between market and credit risk, while fairly clear on the surface, is less so in practice since individual exposures typically contain elements of both risks. For example, prices of corporate bonds can vary because of changes in the perceived likelihood of issuer default but also because of shifts in the risk-free yield curve. In addition, credit and market risk factors can interact in ways that complicate the distinction between the two (see the next section).

Operational risk: Refers to the risk of loss associated with human or system failures, as well as fraud, natural disaster and litigation. While not a pure economic risk it does represent losses (either outright outlays or foregone earnings) from all types of activity where banks engage, and it is indirectly linked to the level, intensity and complexity of these activities.

Business risk: Captures the risk to the firm's future earnings, dividend distributions and equity price. In leading practice banks, business risk is more clearly defined as the risk that volumes may decline or margins may shrink, with no opportunity to offset the revenue declines with a reduction in costs. For example, business risk measures the risk that a business may lose value because its customers sharply curtail their activities during a market down-turn or because a new entrant takes market share away from the bank. Moreover, this risk increasingly extends beyond balance-sheet items to fee-generating services, such as origination, cash management, asset management, securities underwriting and client advisory services.

For business or (local) regulatory reasons, some banks may select to distinguish individual types of risk within the listed categories. For example, they may isolate real estate risk, or pension risk. Some banks may also distinguish other risk types such as liquidity risk and legal risk.

Range of Practices in the Choice of Risk Types

All the risk types discussed above can be simultaneously present in a bank's portfolio. For example, a traded bond portfolio will have an important credit and market risk component, as well as operational risk related to the efficiency of trading execution and settlement. In practice, however, risks are often measured by reference to different lines of business and/or portfolios. A loan portfolio that is held to maturity and managed on an accrual accounting basis is often considered as representing credit risk and not market risk. By contrast, a trading portfolio of credit derivatives is often taken to represent mainly market risk by virtue of it containing actively traded exposures that are marked-to-market.

The majority of banks prefer to aggregate risk initially into silos by risk-type across the entire bank before combining the silos. This approach, however, is by no means the only approach followed, with the business unit silo approach preferred by other banks. Some banks use a mixed approach, which combines elements of both approaches. This practice is observed where either particular business units or risk exposures are too small to be meaningfully measured separately.

Grouping of risks first across homogeneous risk types has a benefit of addressing these questions at a single stage and in a centralised and potentially more consistent way. By comparison, grouping risks first by business unit leverages the existing organisational structures within the bank and deals with inter-risk relationships at an earlier stage of aggregation.

Aggregation Methodologies

The risk aggregation methodology used by a bank has two (interrelated) components: the choice of the unit of account and the approach taken to combining risk components.

The Unit of Account

Before risk types are aggregated into a single measure, they need to be expressed in comparable units, often referred to as a common risk currency. Meaningful aggregation requires that the underlying risk measures conform to each other, especially when
12 Even with the same tim e horizon for default, the practice of active 14 See Breuer et. al. (2008) for further details. The forthcom ing working
credit portfolio m anagem ent can result in the use of point-in-time paper on the "Interactions betw een m arket and credit risk" produced by
default probabilities for day-to-day risk m anagem ent with through-the- the Research Task Force of the Basel Com m ittee also offers an elabora
cycle estim ates for econom ic capital com putations. tion on this set of issues.
210 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
"wrong-way" interactions could occur in the context of portfolio positions that may be simultaneously affected by directional market moves and the failure of counterparties to a hedging position. From a more "macro" perspective, asset price volatility often interacts with the risk appetite of market participants and feeds back to market liquidity, leading to a magnification of risk rather than diversification.

A final issue that relates to the degree of diversification has to do with the granularity of the classification system of risks. The more granular the classification system (i.e., the finer the system of categories into which risk is slotted), the more reduced should be the scope for intra-risk diversification and the higher the scope for inter-risk diversification. For example, holding everything else equal, some of the overall diversification between the retail and wholesale credit portfolio of a bank will be subsumed in the measure of overall credit risk for a bank that does not distinguish between the two types of risks in its economic capital framework, while it will be picked up by the aggregation process in the case that the bank maintains a separation between the two components until the final aggregation stage.

Typically Used Aggregation Methodologies

Banks differ in their choice of methodology for the aggregation of economic capital. The list below provides an overview of the main approaches followed by a brief discussion of their advantages and disadvantages. The approaches are listed in increasing order of complexity (decreasing order of restrictiveness).

(i) Simple summation: This simple approach involves adding the individual risk components. Typically, this is perceived as a conservative approach since it ignores potential diversification benefits and produces an upper bound to the true economic capital figure. Technically, it is equivalent to assuming that all inter-risk correlations are equal to one and that each risk component receives equal weight in the summation.

(ii) Applying a fixed diversification percentage: This approach is essentially the same as the simple summation approach, with the only difference that it assumes the sum delivers a fixed level of diversification benefits, set at some pre-specified level of overall risk.

(iii) Aggregation on the basis of a risk variance-covariance matrix: The approach allows for a richer pattern of interactions across risk types. However, these interactions are still assumed to be linear and fixed over time. The overall diversification benefit depends on the size of the pairwise correlations between risks.

(iv) Copulas: This is a much more flexible approach to combining individual risks than the use of a covariance matrix. The copula is a function that combines marginal probability distributions into a joint probability distribution. The choice of the functional form for the copula has a material effect on the shape of the joint distribution and can allow for rich interactions between risks.

(v) Full modelling of common risk drivers across all portfolios: This represents the theoretically pure approach. Common underlying drivers of risk are identified and their interactions modelled. Simulation of the common drivers (or scenario analysis) provides the basis for calculating the distribution of outcomes and the economic capital risk measure. Applied literally, this method would produce an overall risk measure in a single step since it would account for all risk interdependencies and effects for the entire bank. A less comprehensive approach would use estimated sensitivities of risk types to a large set of underlying fundamental risk factors and construct the joint distribution of outcomes by tracking the effect of simulating these factors across all portfolios and business units.

Table 13.2 provides a summary of the trade-offs between numerical accuracy, methodological consistency, intuitive appeal, practicality, flexibility, and resource implications associated with each of the aggregation methodologies.

Although the most restrictive of the alternative methodologies, the main advantages of the summation and fixed diversification methodologies are simplicity in terms of data and computational requirements, and ease of communication about the method and interpretation of the outcome. Abstracting from the possibility of mismeasurement and negative correlation between the underlying risk components, the simple summation approach could also produce a conservative measure of overall risk (i.e., overstatement of risk). The degree of conservatism associated with the fixed diversification method depends on the chosen diversification parameter. Both methods are relatively crude and do not allow for meaningful interactions between risk types or for differences in the way these risk types may create diversification benefits. In addition, both methods ignore complications stemming from using different confidence levels in measuring individual risk components.

The use of a variance-covariance matrix (or correlation matrix) which summarises the interdependencies across risk types provides a more flexible framework for recognising diversification benefits, while still maintaining the desirable features of being intuitive and easy to communicate. The correlation matrix between risks is of key importance. This matrix can vary across

See Annex 2 on counterparty credit risk for a fuller discussion.
Table 13.2 Summary of aggregation methodologies

Summation
  Description: Adds together individual capital components.
  Advantages: Simplicity. Typically considered to be conservative.
  Disadvantages: Does not discriminate across risk types; imposes an equal weighting assumption. Does not capture nonlinearities.

Constant diversification
  Description: Similar to summation but subtracts a fixed percentage from the overall figure.
  Advantages: Simplicity and recognition of diversification effects.
  Disadvantages: The fixed diversification effect is not sensitive to underlying interactions between components. Does not capture nonlinearities.

Variance-covariance
  Description: Weighted sum of components on the basis of bilateral correlation between risks.
  Advantages: Better approximation of the analytical method. Relatively simple and intuitive.
  Disadvantages: Estimates of inter-risk correlations are difficult to obtain. Does not capture nonlinearities.

Copulas
  Description: Combine marginal distributions through copula functions.
  Advantages: More flexible than a covariance matrix. Allows for nonlinearities and higher-order dependencies.
  Disadvantages: Parameterisation is very difficult to validate. Building a joint distribution is very difficult.

Full modelling/simulation
  Description: Simulate the impact of common risk drivers on all risk components and construct the joint distribution of losses.
  Advantages: Theoretically the most appealing method. Potentially the most accurate method. Intuitive.
  Disadvantages: Practically the most demanding in terms of inputs. Very high demands on IT. Time consuming. Can provide a false sense of accuracy.
banks reflecting differences in their business mix, and the correlations that reflect these institution-specific characteristics can be difficult as well as costly to estimate and validate. This is particularly true for operational risk, where data are scarce and do not cover long time periods. In addition, by focusing on average covariance between risks, the linearity assumption will tend to underestimate dependence in the tail of loss distributions and underestimate the effects of skewed distributions and non-linear dependencies.

Copulas offer even greater flexibility in the aggregation of risks and promise a better approximation of the true risk distribution. This comes at the expense of more demanding input requirements: complete distributions of the individual risk components rather than simple summary statistics (such as VaR), and at least as much data as the variance-covariance approach for estimating the copula parameters. As for the variance-covariance method, these estimates are hard to derive and to validate. Many of the same drawbacks apply to the case of full models of economic capital, including full simulation methods. The input requirements in terms of data on exposures and underlying risk factor dynamics, as well as the computational demands associated with large scale simulations, represent a strain for most banks, especially those banks with more complex business risk profiles.

Range of Practices in the Choice of Aggregation Methodology

Currently, there is no established set of best practices concerning risk aggregation in the industry. Generally the chosen approaches tend to be towards the simpler end of the spectrum, with very few (typically large) banks using the more sophisticated methodologies. The vast majority of banks use some form of the summation approach, where risks are either explicitly weighted, as in the case of the variance-covariance approach, or implicitly weighted (as in the case of simple aggregation). The IFRI and CRO Forum (2007) survey suggests that more than 60% of banks use the variance-covariance approach while less than 20% use the simulation approaches. Reportedly, the stability of the latter approach over time is an attractive aspect from a governance perspective, since it leads to a more stable allocation of diversification benefits back to individual business units.

Banks use a variety of approaches in setting values for the inter-risk variance-covariance matrix. These approaches include direct estimation using historical time series on underlying risks, expert judgment, and industry benchmarks (frequently supplied by consulting firms). The estimation based on internal data is arguably more appropriate since it reflects the actual experience of the bank and is more directly applicable to its business and risk profile. As suggested above, the interactions between risk components can be complex, non-linear, time varying, and dependent on measurement choices. If the bank possesses relevant data of sufficient quality and length, these data should provide the most appropriate indicators of inter-risk dependencies. These data can be related to the performance of portfolios (P&L, earnings, loss history, etc.). Often risks that present greater quantification challenges need to be approximated by banks with less well developed IT systems. In these cases, the correlation between risk components is in practice often approximated by the co-movement of asset price indices representative of these risk factors, or similar proxies.

Very often bank-specific data are simply not available or of poor quality. In this case the entries in the variance-covariance matrix are filled on the basis of expert judgment, in the form of parameters that reflect the consensus of risk officers and business managers within the firm, and this is frequently complemented with input from external consultants and industry benchmarks. This is particularly true when it applies to some risk components such as operational risk or business risk. The reliance on externally supplied inputs may be a necessity for medium and small-sized institutions that lack the capacity, scope and scale economies to develop risk correlation measures based on their own experience. The same applies to proportionately small exposures in the case of larger institutions.

sophisticated economic capital methodologies to follow a principle of conservatism in their approaches.

Whatever the method and the estimates used, there are a number of commonalities in the assumptions made by banks. For instance, a high correlation between market and credit risks is usually assumed, a lower correlation between business risk and credit or market risk, and a very low correlation between operational risk and all other risks.

Related to the calibration of the covariance matrix of risks is the overall level of diversification across risk types. According to the IFRI and CRO Forum (2007) survey, the estimated range of inter-risk diversification is 10% to 30% for banking organisations (with 40% of banks reporting gains between 15% and 20%). This range depends on the method used by banks in order to take into account inter-risk diversification and the varying estimates of correlation between risk types. Academic studies on this issue indicate that this range can vary very substantially depending on the applied methodology and the data used. Rosenberg and Schuermann (2006) estimate this diversification at more than 40% at the 99.9% confidence level but underscore that this might vary depending on the specific portfolio composition. Dimakos and Aas (2004), on the other hand, find only 10%-12% diversification at confidence levels of 95% to 99%, but a number closer to 20% at a confidence level of 99.97%.

17 A working paper of the Basel Committee's Working Group on the Interaction of Market and Credit Risk contains a more in-depth discussion of these issues and references to relevant papers.

18 From the 2005 Validation principles: "In the context of rating systems, the term 'validation' encompasses a range of processes and activities that contribute to an assessment of whether ratings adequately differentiate risk, and whether estimates of risk components (such as PD, LGD or EAD) appropriately characterise the relevant aspects of risk."
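The five aggregation methodologies and the survey figures on diversification benefit can be made concrete in code. The Python script below is an added example and is not part of the original text, nor any bank's or the Basel Committee's own framework; the lognormal marginal loss distributions, the inter-risk correlation values and the 20% fixed diversification parameter are constructed assumptions chosen to follow the pattern of correlations the text reports. It computes the summation, fixed-percentage and variance-covariance aggregates from stand-alone capital figures and, for the copula approach, draws correlated losses through a Gaussian copula and reads the capital off the simulated joint distribution, so that the diversification benefit can be compared across methods and across confidence levels (the dependence on confidence level that the Dimakos and Aas figures illustrate).

```python
"""Inter-risk aggregation of economic capital on constructed inputs: simple
summation, fixed diversification percentage, variance-covariance, and a
Gaussian-copula Monte Carlo with lognormal marginals. Added example; the
marginals and correlations below are assumptions, not figures from the text."""
import math
import random

RISK_TYPES = ("market", "credit", "operational", "business")

# Constructed marginal loss distributions: loss = exp(mu + sigma * z), z ~ N(0, 1).
# A larger sigma gives a heavier right tail (credit and operational risk here).
MARGINALS = {"market": (4.0, 0.5), "credit": (5.0, 0.8),
             "operational": (3.0, 1.2), "business": (3.5, 0.6)}

# Constructed inter-risk correlations following the pattern the text reports:
# high market/credit, lower business vs the two, very low for operational risk.
CORR = {("market", "credit"): 0.70, ("market", "operational"): 0.05,
        ("market", "business"): 0.30, ("credit", "operational"): 0.05,
        ("credit", "business"): 0.30, ("operational", "business"): 0.05}


def rho(a, b):
    """Pairwise correlation lookup (symmetric, 1.0 on the diagonal)."""
    return 1.0 if a == b else CORR.get((a, b), CORR.get((b, a), 0.0))


def cholesky(rho_fn, names):
    """Lower-triangular factor L of the correlation matrix; the singular
    all-ones (comonotonic) case is tolerated by clamping to zero."""
    n = len(names)
    L = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = rho_fn(names[i], names[j]) - sum(L[i][k] * L[j][k] for k in range(j))
            if i == j:
                L[i][j] = math.sqrt(max(s, 0.0))
            else:
                L[i][j] = s / L[j][j] if L[j][j] > 0.0 else 0.0
    return L


def empirical_quantile(samples, q):
    s = sorted(samples)
    return s[min(len(s) - 1, max(0, math.ceil(q * len(s)) - 1))]


def simulate(names, rho_fn, n, seed=1):
    """Gaussian copula: correlated standard normals pushed through each
    marginal's inverse CDF (for a lognormal marginal: exp(mu + sigma * z))."""
    rng = random.Random(seed)
    L = cholesky(rho_fn, names)
    losses = {k: [] for k in names}
    for _ in range(n):
        z = [rng.gauss(0.0, 1.0) for _ in names]
        for i, k in enumerate(names):
            zi = sum(L[i][j] * z[j] for j in range(i + 1))
            mu, sigma = MARGINALS[k]
            losses[k].append(math.exp(mu + sigma * zi))
    return losses


def standalone_capital(losses, q):
    """Stand-alone capital per risk type: here simply the q-quantile of loss
    (expected loss is not netted off, to keep the comparison transparent)."""
    return {k: empirical_quantile(v, q) for k, v in losses.items()}


def simple_summation(cap):
    return sum(cap.values())


def fixed_diversification(cap, pct):
    return simple_summation(cap) * (1.0 - pct)


def variance_covariance(cap, rho_fn=rho):
    """sqrt(c' R c): weighted sum of components over pairwise correlations."""
    return math.sqrt(sum(cap[a] * cap[b] * rho_fn(a, b) for a in cap for b in cap))


def copula_aggregate(losses, q):
    """Capital read off the joint distribution: q-quantile of the summed losses."""
    names = list(losses)
    n = len(losses[names[0]])
    totals = [sum(losses[k][i] for k in names) for i in range(n)]
    return empirical_quantile(totals, q)


def diversification_benefit(cap, aggregated):
    return 1.0 - aggregated / simple_summation(cap)


def compare(q=0.999, n=20000, seed=1):
    """All four methods on the same simulated marginals at confidence level q."""
    losses = simulate(RISK_TYPES, rho, n, seed)
    cap = standalone_capital(losses, q)
    out = {"summation": simple_summation(cap),
           "fixed_20pct": fixed_diversification(cap, 0.20),
           "variance_covariance": variance_covariance(cap),
           "gaussian_copula": copula_aggregate(losses, q)}
    out["benefit_var_covar"] = diversification_benefit(cap, out["variance_covariance"])
    out["benefit_copula"] = diversification_benefit(cap, out["gaussian_copula"])
    return out


if __name__ == "__main__":
    for q in (0.99, 0.999, 0.9997):
        r = compare(q)
        print(f"q={q}: " + ", ".join(f"{k}={v:.3f}" for k, v in r.items()))
```

Running the script prints the four aggregates and the implied diversification benefits at 99%, 99.9% and 99.97%. Setting every correlation to one makes the copula draws comonotonic and reproduces simple summation exactly, which is the sense in which the text calls summation the correlation-equal-to-one special case. The Gaussian copula is only one functional form; as the text notes, the choice of copula materially changes the joint tail, and the tail quantile at 99.9% rests on a few dozen simulated points at this sample size, which is the data-scarcity problem in miniature.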
predicted forecast against which actual outcomes may be compared. Economic capital models are conceptually similar to VaR models, though the long time horizon, high confidence levels, and the scarcity of data force validation methods to differ in practice from those used for VaR. Full internal economic capital models are not used for Pillar 1 minimum capital requirements, and so fitness for purpose needs to cover a range of uses, most of which and perhaps all are internal to the firm in question. It should also be noted that economic capital models and regulatory capital serve different objectives and so may reasonably differ in some of the details of their implementation for these differing purposes.

Principle 1 of the Basel Committee's validation principles refers to assessment of the predictive ability of credit rating systems.19,20 The emphasis is on the performance of forecasts generated by the model. As it stands, Principle 1 is about rating systems: the natural development of this principle for economic capital models is that validation is concerned with the predictive properties of those models. Economic capital models embody forward-looking estimates of risk and their validation is intimately bound up with assessing those estimates, and so this (re-stated) principle remains appropriate. The validation processes as set out in this paper are, in their different ways, all providing insight into the likely predictive ability of the model, interpreted broadly. The other Basel II principles related to validation are: the bank has primary responsibility for validation; validation is an iterative process; there is no single method; validations should encompass both quantitative and qualitative elements; and validation processes and outcomes should be subject to independent review. The notion of validation expressed in this paper is consistent with these principles. Our discussion of validation does not address, however, the question of who needs to perform the model assessment or which party needs to be satisfied by that model assessment.

What Validation Processes Are in Use?

Most of this section describes the types of validation processes that are in use or could be used. The list is not comprehensive, and it is not suggested that all techniques should be used by banks. Other surveys that provide fuller descriptions of techniques are available. Our purpose is to make two points. First, to demonstrate that there is a wide range of techniques that would be covered by our broad definition of validation, creating a layered approach. The more layers that can be provided, the more comfort that validation is able to provide evidence for or against the performance of the model. Conversely, where fewer layers of validation are used, the level of comfort diminishes. Second, that each validation process provides evidence for (or against) only some of the desirable properties of a model. The list presented below moves from the more qualitative to the more quantitative validation processes, and the extent of use is briefly discussed.

Qualitative Processes

(i) Use test. The philosophy of the use test has been fully incorporated into the Basel II Framework. Its relevance as a tool of validation is straightforward. If a bank is actually using its risk measurement systems for internal purposes, then supervisors can place more reliance on the systems' outputs for regulatory capital. Applying the use test successfully will entail gaining a careful understanding of which model properties are being used and which are not.21

(ii) Qualitative review. Banks tend to subject their models to some form of qualitative assessment process. This process could entail review of documentation, review of development work, dialogue with model developers, review and derivation of any formulae, comparison with what other firms are known to do, and comparison with publicly available information. Qualitative review is best able to answer questions such as: Does the model work in theory? Does it incorporate the right risk drivers? Is any theory underpinning it conceptually well-founded? Is the mathematics of the model right?

(iii) Systems implementation. Production-level risk measurement systems should go through extensive testing prior to implementation, such as user acceptance testing, checking of model code, etc. These processes could be viewed as part of the overall validation effort, since they would assist in evaluating whether the model is implemented with integrity.

19 Principle 1 reads: "Validation is fundamentally about assessing the predictive ability of a bank's risk estimates and the use of ratings in credit processes."

20 See BCBS (2005b).

21 Paragraph 4 of the Basel Committee's validation principles sets out some of the uses of capital models. In discussing the use test for IRB, the paper notes ". . . as a quality check of IRB components and underlying processes, the use test is a necessary supplement to the overall validation process. . . . the use test plays a key role in ensuring and encouraging the accuracy, robustness and timeliness of a bank's IRB components, confirms the bank's trust in those components and allows supervisors to place more reliance on their robustness and thus on the adequacy of regulatory capital." We think that this philosophy still holds true when considering internal capital models.
technique is a powerful one and can be adapted to analyse many of the preferred model properties such as rank ordering and relative risk quantification. But there are also limitations. In particular, benchmarking can only compare one model against another and may provide little assurance that the model accurately reflects reality or about the absolute levels of model output. In a benchmarking exercise, there may be good reasons why models produce outliers. They may, for example, be designed to perform well under differing circumstances, or may be conservatively parameterised, or may differ in their economic foundations, all of which complicate interpretation of the results.

Benchmarking is a commonly used form of quantitative validation. Comparisons are made with industry survey results, and against alternative models such as a rating agency model, industry-wide models, consultancy firms' models, academic papers and regulatory capital models. However, as a validation technique, benchmarking has limitations, providing comparison of one model against another or one calibration to others, but not testing against "reality." It is therefore difficult to assess the degree of comfort provided by such benchmarking methods, as they may only be capable of providing broad comparisons confirming that input parameters or model outputs are broadly comparable.

(iv) Backtesting. Backtesting addresses the question of how well the model forecasts the distribution of outcomes. Backtesting may take many forms and there is a wide literature on the subject. All backtesting approaches entail some degree of comparison of outcomes to forecasts.

For portfolio credit models, the weak power of backtesting is noted in BCBS (1999). As has been suggested by some authors, there are variations to the basic backtesting approach which can increase the power of the tests. Examples include: performing backtesting more frequently over shorter holding periods (e.g., using a one-day market risk backtesting standard versus the 10-day regulatory capital standard); using cross-sectional data by backtesting on a range of reference portfolios;22 using information in forecasts of the full distribution; testing expected losses only; and comparing outcomes against the expected values of distributions as opposed to high quantiles.23

Backtesting is useful principally for models whose outputs can be characterised by a quantifiable metric with which to compare an outcome. There may be risk measurement systems in use whose outputs cannot be interpreted in this way. Examples could include rating systems, sensitivity tests and aggregated stress losses. Such risk measurement approaches might nevertheless be valuable tools for banks. The role of backtesting for such models, if they were to be used, would need elaboration.

In practice, backtesting is not yet a key component of banks' validation practices for economic capital purposes.

(v) Profit and loss attribution. Analysis of profit and loss on a regular basis (e.g., annually) and comparison between causes of actual profit and loss and the risk drivers in the model. Attribution is not widely used except for market risk pricing models.

(vi) Stress testing. This covers both stressing of the model and comparison of model outputs to stress losses.

The outputs of the model might be examined under conditions of stress, where model inputs and model assumptions might be stressed. This process can reveal model limitations or highlight capital constraints that might only become apparent under stress. Stress testing of regulatory capital models, particularly IRB models, is undertaken by banks, but there is more limited evidence of stress testing of economic capital models.

Through a complementary programme of stress testing, the bank may be able to quantify the likely losses that the firm would confront under a range of stress events. Comparison of stress losses against model-based capital estimates may provide a modest degree of comfort about the absolute level of capital. Banks report some use of this stress testing technique to validate the approximate level of model output.

Internal audit is not included in the above list; however, validation of the overall implementation framework and process should also be subject to independent and periodic review, and this work should be carried out by parties within the banking organisation that are independent of those accountable for the design and implementation of the validation process. One possibility could be that internal audit would be in charge of undertaking this review process. As such it could be viewed as comprising a part of the management oversight process listed above. The paper does not otherwise discuss the role of internal audit in the validation process.

The list of validation tools does not address the issue of adequate standards. Banks may operate internal standards that are relevant for validation. For example, a description of the issues that need to be addressed as part of validation, the standards that capital models are expected to achieve, a series of quantitative thresholds that models need to meet, warning indicators for particular monitoring metrics, and assessment against model development standards.

22 See Lopez and Saidenberg (1999).

23 See Frerichs and Löffler (2002) and Berkowitz (2000).
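The backtesting variants listed under item (iv) above can be illustrated for the simplest case, a model whose output is a quantile (VaR) forecast. The Python script below is an added example, not from the original text and not any bank's procedure: it counts exceptions of realised losses against a VaR series, applies Kupiec's proportion-of-failures likelihood-ratio test to the count, and then quantifies the text's point about holding periods by comparing the power of a one-day backtest over 250 observations with a non-overlapping ten-day backtest over the same year (25 observations). The ten sample losses, the flat VaR forecast and the assumed true exception rate of 3% are constructed inputs.

```python
"""Exception-count backtest of a VaR forecast with Kupiec's proportion-of-
failures (POF) test, plus a power comparison between one-day and ten-day
backtesting over the same year. Added example on constructed data."""
import math

# Constructed sample: ten daily losses (positive = loss) and a flat 99% VaR.
SAMPLE_LOSSES = [0.4, -0.2, 1.1, 2.6, 0.3, -0.9, 0.7, 3.2, 0.1, 0.5]
SAMPLE_VAR = [2.0] * len(SAMPLE_LOSSES)


def count_exceptions(losses, var_forecasts):
    """An exception occurs when the realised loss exceeds the forecast VaR."""
    return sum(1 for loss, var in zip(losses, var_forecasts) if loss > var)


def kupiec_pof(n_obs, n_exc, p):
    """Likelihood-ratio statistic and p-value of the POF test.

    H0: exceptions are Bernoulli(p), so the expected count is n_obs * p.
    LR = -2 ln[ (1-p)^(n-x) p^x / ((1-x/n)^(n-x) (x/n)^x) ] ~ chi2(1) under H0.
    """
    n, x = n_obs, n_exc

    def xlogy(a, b):               # a * ln(b) with the convention 0 * ln(0) = 0
        return 0.0 if a == 0 else a * math.log(b)

    ln_null = xlogy(n - x, 1.0 - p) + xlogy(x, p)
    ln_alt = xlogy(n - x, 1.0 - x / n) + xlogy(x, x / n)
    lr = max(-2.0 * (ln_null - ln_alt), 0.0)
    p_value = math.erfc(math.sqrt(lr / 2.0))      # chi2(1) upper tail
    return lr, p_value


def rejects(n_obs, n_exc, p, alpha=0.05):
    return kupiec_pof(n_obs, n_exc, p)[1] < alpha


def min_exceptions_to_reject(n_obs, p, alpha=0.05):
    """Smallest exception count above the expected number that the test flags."""
    x = math.ceil(n_obs * p)
    while not rejects(n_obs, x, p, alpha):
        x += 1
    return x


def power(n_obs, p_model, p_true, alpha=0.05):
    """Probability that the test rejects when the true exception rate is p_true:
    Binomial(n_obs, p_true) mass summed over the test's rejection region."""
    total = 0.0
    for x in range(n_obs + 1):
        if rejects(n_obs, x, p_model, alpha):
            total += math.comb(n_obs, x) * p_true ** x * (1.0 - p_true) ** (n_obs - x)
    return total


def one_day_vs_ten_day(p=0.01, p_true=0.03, alpha=0.05):
    """One year of daily data backtested daily (250 obs) versus in non-overlapping
    ten-day windows (25 obs): the text's example of gaining test power."""
    return {"one_day": {"n": 250, "min_exc": min_exceptions_to_reject(250, p, alpha),
                        "power": power(250, p, p_true, alpha)},
            "ten_day": {"n": 25, "min_exc": min_exceptions_to_reject(25, p, alpha),
                        "power": power(25, p, p_true, alpha)}}


if __name__ == "__main__":
    x = count_exceptions(SAMPLE_LOSSES, SAMPLE_VAR)
    lr, pv = kupiec_pof(len(SAMPLE_LOSSES), x, 0.01)
    print(f"{x} exceptions in {len(SAMPLE_LOSSES)} days: LR={lr:.3f}, p={pv:.4f}")
    print(one_day_vs_ten_day())
```

With a 1% VaR, the daily test over 250 observations flags the model once seven exceptions are seen (an observed rate of 2.8%), whereas the ten-day test over the same year needs two exceptions out of 25 (8%) before it can reject, and against a model that truly understates risk at a 3% exception rate the daily test rejects in roughly 60% of years while the ten-day test does so in under 20%. Note that the POF test is two-sided: for 250 observations it also rejects a model that produced no exceptions at all, i.e., one that is over-conservative, which is a calibration finding rather than a capital shortfall.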
Cover?

The validation steps presented above can be used in assessing most of the desirable properties of models. This is an encouraging observation and stands in contrast to the fairly negative view of validation taken in BCBS (1999).

Opinions may reasonably differ about the strength or weakness of any particular process in respect of any given property. The properties that could be assessed using a powerful tool and hence that are capable of robust assessment include: integrity of implementation; grounded in historical experience; risk sensitivity; sensitivity to the external environment; good marginal properties; rank ordering; and relative quantification. The properties for which only weaker processes are available include: conceptual soundness; forward-looking; and absolute risk quantification. Again, it is important to stress the judgmental evaluation of the power of individual tests and to acknowledge that views as to strength and weakness are likely to differ.

The difficulty of validating the conceptual soundness of a capital model needs some elaboration. In developing a model, several assumptions about the model and its inputs are likely to be made. These could include assumptions about the family of statistical distributions, the economic processes driving default or loss, the dependency structure among defaults or losses, the likely behaviour of management or other economic agents, and the extent to which these vary over time. Moreover, some internal capital models are risk aggregation models, where risk estimates for individual categories (e.g., market, credit and operational risk) are aggregated to generate a single total economic capital figure, with the method of aggregation relying on some underpinning assumptions. These assumptions, however, may be untestable. As a result it may be impossible to be certain that a model is conceptually sound. While the conceptual underpinnings may appear coherent and plausible, they may in practice be no more than untested hypotheses.

Supervisory Concerns Relating to Validation

Compared to practice at the time of the BCBS (1999) report, there is greater emphasis currently on the validation of models. The main areas of improvement are in benchmarking of model parameters and the conduct of cross-firm comparisons of portfolio credit risk models. There is some evidence that banks wish to ensure that models are sensitive to the expected drivers of risk, and that models generate outputs that permit adequate evaluation of the relative risk between business lines and provide suitable trend analysis. Although there is scope for practices to improve further, the signs of progress in these areas are moderately encouraging.

In other respects industry validation practices are weak, particularly when the total capital adequacy of the bank and the integrity of the overall calibration of the model is an important consideration. It is recognised that this validation task is intrinsically difficult since it will typically require evaluation of high quantiles of loss distributions over long periods combined with data scarcity, coupled with technical difficulties such as tail estimation. Moreover, it is recognised that validation practices will depend on what the model is being used for. Nevertheless, difficult as the validation task might be, weaknesses in validation practices targeted at evaluation of overall performance might result in banks operating with inappropriately calibrated models. This could be of concern if assessment of overall capital adequacy is an important application of the model. Improvements in these areas could include further benchmarking and industry-wide exercises, backtesting, profit and loss analysis and stress testing.

Additionally, institutions should recognise clearly that when validation is difficult and has limitations, i.e., when for one reason or another models cannot be appropriately validated, users of those models and senior management should be informed that full validation could not be conducted. Such communication is necessary so that model users and senior management understand that there is greater uncertainty around the output from models that have not been validated and that such model output should generally be treated with extra conservatism. In that vein, model users and senior management should understand and explore the potential costs of using models that have not been fully validated (i.e., if key assumptions in the models prove to be inaccurate).

risk modelling is the modelling of the dependency structure between borrowers. This encompasses linear and non-linear dependency relationships between obligors. Dependency modelling is important because it forms an important distinction between the Basel II risk weight function (with supervisory imposed correlations) and portfolio credit risk models which rely on banks' internal modelling of dependencies.
Understanding the way dependencies are modelled is important for supervisors when they assess a bank's ICAAP under Pillar 2, since internal bank modelling of portfolio credit risk may be an important element of a bank's ICAAP and can generate the biggest reduction of capital needs in comparison with the Pillar 1 minimum capital requirement for credit risk.

This annex briefly describes the main methods used for modelling credit dependencies and discusses progress since the publication of the BCBS (1999) report. It also discusses the impact that different methods have on banks' economic capital, and makes some observations linked to recent developments in dependency modelling. Finally, it raises some supervisory concerns about the current state of industry practice.

Types of Models

The majority of banks use one of three types of credit models. These models, often referred to by their commercial names, are Moody's/KMV (MKMV), CreditMetrics, and CreditRisk+. The annex follows the same convention even though other vendors offer similar models and some banks have developed their own internal models that are consistent with the structure of one of these model types.24

Most models of credit portfolio risk estimate asset correlations among obligors in terms of common dependence on systematic risk factors. The assumption is that these underlying factors—e.g., country, region, or industry of a borrower—fluctuate over time and typically follow a (joint) normal distribution. All borrowers are linked to these underlying systematic risk factors to varying degrees and tend to move in a correlated way. Thus, by modelling dependencies, banks account implicitly for concentration (both single name and sectoral) because large parts of their books are subject to the same underlying risk factors or to multiple risk factors.

Extensions of the three credit portfolio models are used by some banks. For example, this is the case for a few banks with specialised portfolios (e.g., small and medium-size European corporate loans) which have integrated a contagion approach into variants of the standard credit portfolio models (see Box 13.1). By integrating information on business relationships among borrowers into the credit portfolio model, this approach tries to address the clustering of defaults observed within their portfolios that are linked to bank specific portfolio concentration and exposure mix.

In addition, few banks model dependencies using copulas (see Box 13.2), at least for their economic credit risk modelling. This technique can be used to capture several alternative general types of dependencies, as opposed to the more restrictive Gaussian copula models.25

Some banks also use models that are based on the asymptotic single-risk-factor (ASRF) model, which is the basis for the Basel II risk weights for credit risk.26 Within this modelling approach, banks may use their own estimates of correlations or may use multiple systematic risk factors in order to address concentrations. Such a modelling approach raises several supervisory concerns about the method used to calibrate the correlations and the ways in which the bank addresses the infinite granularity and single-factor structure of the ASRF model.

Under the impetus of the Basel II Framework, banks have also increased their use of bottom-up approaches in their credit risk dependency modelling. As a result, credit portfolio models are much more integrated into daily risk measurement and management than was the case in 1999.

The IACPM and ISDA Study

Given the differing approaches to modelling dependencies between borrowers described above, the question arises as to what extent the economic capital estimates produced by the models differ from each other. To shed some light on this empirical question, the International Association of Credit Portfolio Managers (IACPM) and International Swaps and Derivatives Association (ISDA) conducted a study in 2006 to explore the economic credit capital models in use by their member institutions.

The IACPM and ISDA (2006) study evaluated the degree of convergence of economic capital estimates across commercially available credit portfolio models and across internally developed credit risk models implemented by banks. Given that most banks use one of the three main commercially available credit risk models mentioned above or internally developed implementations of the same types of models, the study was effectively a comparison of the economic capital estimates generated by these commercially available models, run either in default mode or in mark-to-market mode.27 The study applied the

24 The discussion of these model types is descriptive and is not intended as an endorsement of any of the vendor models. Reference to these prototype models should not be construed as an endorsement of these models, or as an indication of their standing relative to other models that might be used by banks or offered by other vendors.

25 See for example Hull (2007) for a discussion of copulas.

26 The ASRF model is also referred to as a single-factor Gaussian copula model. For this model, the capital charge for an exposure depends on the risk characteristics of this exposure only (i.e., PD, LGD, EAD, maturity) and does not depend on the composition of the portfolio to which the exposure is added.

27 CreditRisk+ is exclusively a "default mode" model. Default mode refers to the situation where credit losses arise only if a borrower defaults within the planned time horizon. Mark-to-market credit losses can arise in response to deterioration in an asset's credit quality before the end of the planning horizon.

BOX 13.1 CONTAGION APPROACH

Motivated by the financial crises in South East Asia and the US in the 1990s, and the Enron default crisis in late 2001, where the downfall of a small number of firms had an economy-wide impact, academic researchers have attempted to incorporate counterparty relationships, or microstructure correlation, into portfolio credit models (Davis and Lo (2001), and Jarrow and Yu (2001)). The common feature of contagion models is that they distinguish between macrostructure and microstructure dependencies. In contrast to macrostructure dependencies, microstructure dependencies attempt to capture business relationships and legal dependencies within and across sectors. This approach is also relevant for pricing CDSs, CDOs, and basket derivatives, since the prices for these products are influenced by dependencies between the firms in a basket, a business (e.g., suppliers and competitors), etc.

The microstructure contagion effect can be integrated using different approaches (e.g., reduced-form models). The idea behind contagion models is that contagion risk produces upward jumps in the default intensity of non-defaulted firms, implying a higher conditional default probability for these firms given additional information on other firms' defaults. The driving principle behind such modelling is that considering only macroeconomic dependencies for a portfolio subject to microstructure dependencies could potentially underestimate credit risk. By integrating microstructure dependencies into the model, the standard deviation of rating changes over time is increased, even for well-diversified credit portfolios with moderate microstructure dependencies.

Generally, the contagion approach is supposed to be conservative since it lengthens the tail of the loss distribution and therefore increases the capital needed to cover credit risk. However, it is difficult to gauge whether the increase in capital is sufficient to capture the risk dependencies. Additionally, practical and theoretical issues need to be addressed, such as the reliability of the required expert judgment and ability to identify the frailty/contagion factors.

BOX 13.2

For a collection of random variables with given marginal distributions (the univariate probability distribution of each random variable) a copula specifies how these random variables combine into a multivariate distribution, and thus specifies the dependencies between the random variables. Some copulas like the Gaussian copula are characterised by a correlation matrix, while other copulas describe dependencies that are non-linear or too complicated to be accurately described by correlation parameters. A copula is a mapping that transforms the marginal distributions for a collection of random variables into a joint distribution for all the random variables.

When copulas are used in credit risk modelling, the underlying random variables of interest may be the time to default of each obligation in a portfolio, or in Merton type models, the asset values of the obligors. In the latter case, the obligor defaults when its asset value falls below a certain threshold. These underlying variables are continuous random variables, and they express the likelihood of default in a different way from the more familiar (discrete) indicator random variables.

If the distributions of these time-to-default variables are combined using a copula, a joint distribution function for the time-to-default variables is obtained. Taking random samples from this joint distribution, and given a specified time horizon, each sample from the distribution will translate into a set of defaulting and non-defaulting obligations within the portfolio over that time period.

The first copula to be widely used in the context of credit modelling was the Gaussian copula. One important shortcoming of the Gaussian copula is that it displays zero tail dependence. Besides the Gaussian copula, copulas based on other multivariate distributions (particularly the Student-t distribution) are often used with the goal of capturing dependencies between defaults that have a stronger impact on the tail of the loss distribution. For example, the t-copula has a parameter for "tail association" or dependence. The distributions produced by copulas are usually not tractable analytically, and as a result, copulas are most frequently used in running portfolio default simulations.
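The following script is an added illustration, not code from the text or from any of the vendor models it names. It puts the single-factor structure described under Types of Models and the simulation use of copulas described in Box 13.2 side by side: every obligor's latent variable loads on one systematic factor, defaults are read off by thresholding at the PD-quantile of the marginal, and the same latent variables are combined either with a Gaussian copula or with a Student-t copula (a common chi-square scaling that introduces tail dependence). The portfolio size, PD, asset correlation and degrees of freedom are constructed assumptions; only the Python standard library is used.

```python
"""Portfolio default simulation under a one-factor Gaussian copula and a
Student-t copula (added illustration; all portfolio parameters are constructed).

Latent variable per obligor: X_i = sqrt(rho) * M + sqrt(1 - rho) * e_i, with M
the systematic factor and e_i idiosyncratic noise. The Gaussian copula uses X_i
directly; the t-copula divides every X_i in a scenario by sqrt(W / nu) with
W ~ chi-square(nu), a shared shock that produces tail dependence. An obligor
defaults over the horizon when its latent value falls below the PD-quantile of
its marginal distribution, so both copulas share the same marginal default rate
and differ only in how defaults cluster.
"""
import math
import random
import statistics


def simulate_latents(n_sims, n_obligors, rho, nu=None, seed=7):
    """Return n_sims scenarios, each a list of latent values (one per obligor).
    nu=None gives the Gaussian copula; a positive nu gives the t-copula."""
    rng = random.Random(seed)
    sq_rho, sq_idio = math.sqrt(rho), math.sqrt(1.0 - rho)
    sims = []
    for _ in range(n_sims):
        m = rng.gauss(0.0, 1.0)
        # t-copula scaling sqrt(nu / W); W ~ chi2(nu) is Gamma(shape nu/2, scale 2)
        scale = 1.0 if nu is None else math.sqrt(nu / rng.gammavariate(nu / 2.0, 2.0))
        sims.append([(sq_rho * m + sq_idio * rng.gauss(0.0, 1.0)) * scale
                     for _ in range(n_obligors)])
    return sims


def default_counts(sims, pd):
    """Threshold at the empirical PD-quantile of the pooled marginal sample
    (every obligor shares one marginal, so one threshold serves all) and
    return the number of defaults in each scenario."""
    pooled = sorted(x for row in sims for x in row)
    threshold = pooled[int(pd * len(pooled))]  # values strictly below this default
    return [sum(1 for x in row if x < threshold) for row in sims]


def quantile(values, q):
    """Empirical q-quantile of a list of numbers."""
    s = sorted(values)
    return s[min(len(s) - 1, int(q * len(s)))]


def compare_copulas(n_sims=10000, n_obligors=50, rho=0.2, pd=0.02, nu=3):
    """Mean default rate and 99th-percentile default count under both copulas."""
    gauss = default_counts(simulate_latents(n_sims, n_obligors, rho), pd)
    student = default_counts(simulate_latents(n_sims, n_obligors, rho, nu=nu), pd)
    return {
        "gauss_mean_rate": statistics.mean(gauss) / n_obligors,
        "t_mean_rate": statistics.mean(student) / n_obligors,
        "gauss_p99": quantile(gauss, 0.99),
        "t_p99": quantile(student, 0.99),
    }


if __name__ == "__main__":
    for key, value in compare_copulas().items():
        print(f"{key}: {value}")
```

Both copulas reproduce the 2% marginal default rate by construction; the difference shows up only in the tail of the default-count distribution, where the t-copula's shared scaling shock drives far more simultaneous defaults than the Gaussian factor alone. The empirical thresholding stands in for the marginal inverse CDF (for the t marginal a library such as scipy.stats.t.ppf would normally be used) so that the script runs offline.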
different credit models to a representative portfolio of transactions that was assembled with pre-specified data assumptions regarding risk characteristics. By eliminating different data characteristics and portfolio composition as sources of potential differences in economic capital estimates, remaining differences are largely due to differences in the modelling approaches. Outcomes of the study may also be dependent on the composition and characteristics of the test portfolios used in the study.

The study showed significant differences in economic capital estimates between the different models, in default-only mode as well as in mark-to-market mode. The differences in economic capital estimates between the models can be explained in terms of the following factors: correlation structure; treatment of interest payments due between time zero (point of valuation) and the time horizon (point of default) and whether this was accounted for in the definition of loss; and other modelling differences.

Of special interest in the context of this annex is the question: How much of the difference in economic capital is due to correlation structure/dependency modelling assumptions? In default-only mode, the differences could be explained to a large extent by the different treatment of interest payments (i.e., by the difference in definition of loss), with the correlation structure playing only a minor role. However, in mark-to-market mode, where changes in revaluations at the horizon for non-defaulted assets may also be correlated, and where the impact of differences in the modelling of correlations is larger, roughly a quarter of the observed difference in economic capital estimates is attributable to correlation assumptions.

Another issue involves the sensitivity of economic capital estimates to changes in portfolio concentrations and model parameters. Sensitivity analysis performed in the IACPM and ISDA study showed that a change in the sector or country composition of the representative portfolio had a large impact on economic capital estimates.28 Furthermore, the impact differed between the different types of credit risk models. This evidence provides empirical support for the notion that the output of credit risk models significantly depends on the underlying correlation structure. Differences in correlations could be structural in nature since different models may use different data to calibrate correlations (e.g., historical equity returns versus default rate data), or could be due to time-varying correlations.29

Supervisory Concerns Relating to Currently Used Credit Portfolio Models

Shortcomings of Dependency Modelling

Regarding dependency assumptions used in credit portfolio models, supervisors can question the accuracy and robustness of correlation estimates used by banks since these estimates depend heavily on (explicit or implicit) model assumptions and can significantly influence economic capital calculations. These assumptions are even more problematic when the dependency modelling and calibration methods used are embedded in proprietary third-party vendor credit risk models, which essentially can be viewed as "black boxes."

Beyond the issues raised by the basic approaches used in structural and reduced-form credit portfolio models, the validity of several other assumptions has been examined in the academic literature. For example, the validity of the following assumptions has been drawn into question: the asymptotic single-factor Gaussian copula approach; the normal distribution for the variables driving default; the stability of correlations through time; and the joint assumptions of correctly specified default probabilities and doubly-stochastic processes, which imply that default correlation is adequately captured by common risk factors. Several academic papers question the ability of some models using such assumptions to explain the time-clustering of defaults that is observed in some markets. This in turn, when combined with inadequately integrating the correlation between PD and LGD in the models and inadequately modelling LGD variability, can lead to an underestimation of economic capital needed. In addition, it will make it difficult to identify the different sources of correlations and the clustering of defaults and losses.

For example, Das et al. (2007) found that U.S. corporate default rates between 1979 and 2004 vary beyond what can be explained by a model that only includes observable covariates. Moreover, Duffie et al. (2006) found evidence of the presence among U.S. corporate default rates of one or more unobservable common sources of default risk that increase default correlation and extreme portfolio loss beyond that implied by observable common and correlated macroeconomic and firm-specific sources of default risk.30 However, there are practical limitations of the "frailty approach" (i.e., modelling default clustering with latent risk factors) including the computational cost, and the failure to identify the frailty factor, hampering the ability

28 For example, it could double the amount of economic capital for credit risk.

29 The IACPM and ISDA study concludes that when loss assumptions are aligned across both vendor and internal credit portfolio models, estimates of economic capital for credit risk can be shown to converge for default-mode models. Differences in the capital estimates for mark-to-market models can be reduced, but not eliminated.

30 As pointed out by Das et al. (2007) and others, known factors account for a very large fraction of the default correlation observed in the data. As a result, a practical approach to overcoming the shortcoming of the frailty factor is to use conservative estimates of asset correlations and to conduct stress testing.
13.9 ANNEX 2: COUNTERPARTY CREDIT RISK

Counterparty credit risk (CCR) at large, complex banks centres on the measurement and management of financial exposure and the resulting credit risk associated with core credit extension activities of these financial institutions to a wide range of counterparty types. Counterparty credit risk takes a variety of forms, including credit risk emanating from activities in OTC and exchange-traded derivatives, from securities financing activities, and from foreign exchange settlements. The counterparties to these financial institutions take a wide variety of forms, ranging from sovereigns and local government entities, to regulated financial concerns and potentially unregulated financial parties such as hedge funds, to corporate entities (both investment-grade and below-investment-grade).

This annex is organized in two sections. The first section highlights the challenges that the industry faces in quantifying counterparty credit risk for economic capital purposes, while the second section addresses the range of practices that financial institutions undertake in quantifying this risk. The primary focus is on modelling challenges in the quantification of counterparty credit risk, and thus there is no explicit consideration of the comprehensive set of risk management practices that are meant to mitigate risks or to provide compensating controls for model deficiencies, unless those practices (such as initial margin and ongoing collateral practices related to counterparty credit risk) directly influence the quantification of risk.

Counterparty Credit Risk Challenges

Measurement of counterparty credit risk represents a complex exercise, as it involves gathering data from multiple systems; measuring exposures from potentially millions of transactions (including an increasingly significant percentage that exhibit optionality) spanning variable time horizons ranging from overnight to thirty or more years; tracking collateral and netting arrangements; and categorising exposures across thousands of counterparties. The complexities of the processes highlighted below indicate a need for institutions to have specialised processes and personnel to tackle these issues and challenges.

Measuring Exposure and Measuring Risk

A bank's counterparty credit measurement can be conceptually broken down into two distinct steps. First is the measurement of counterparty credit exposure—that is, how much money the counterparty will owe the bank in the event of default. This exposure number is further broken down into current exposure, which measures the exposure if the counterparty were to default today, and potential exposure, which measures the potential increase in exposure that could occur between today and some time horizon in the future. One feature of derivatives and securities financing relationships is that, while the amount of current exposure to a counterparty is known, the amount of potential exposure to a counterparty is an unknown quantity (in fact, given the nature of derivatives contracts and securities financing arrangements, there may be no exposure to the financial institution at the time of a counterparty default). Therefore, counterparty credit exposure is generally measured as some statistic (such as a mean or a percentile) of the distribution of possible future exposures to the counterparty.

The second part of the counterparty credit measurement is converting the exposure to a risk amount for economic capital purposes or risk management purposes more generally (for example, to inform a counterparty credit risk limit system). The risk measurement will be a function of the probability of default (PD) for the counterparty, the loss given default (LGD) for the exposure, and the exposure measurement, which is effectively the exposure at default (EAD) value. The EAD value is driven by market-risk-related factors (the volatility and correlation among market risk factors and how they affect the derivative contract or valuation of the securities being financed), while the PD and LGD are effectively determined by the firm's assessment of the credit quality of the counterparty.

Counterparty credit risk measurement, therefore, necessarily combines the tools from standard market risk measurement with the tools from standard credit risk determination. Market risk measurement practices are used, for example, in mapping derivatives exposures to a set of market risk factors, simulating those factors out to a forward-looking time horizon, and determining the distribution of the level of exposures over various risk factor realisations in the simulation. Separately, standard credit risk processes provide assessments of the credit quality of the counterparty, frequently resulting in a credit rating of the counterparty, both from the PD and LGD perspectives. Counterparty credit risk measurement offers unique challenges related to both the market-risk-related and the credit-risk-related processes, which are described next.

Market-Risk-Related Challenges to Counterparty EAD Estimation

Counterparty credit exposure measurement requires simulation of market risk factors and the revaluation of counterparty positions under the simulated risk factor shocks, much like a value-at-risk (VaR) model requires. Two unique challenges present themselves when attempting to leverage a VaR model technology for counterparty credit exposure measurement.
be captured within an operational risk quantification process. Operational risks related to counterparty risk that are particularly difficult to quantify involve risks of new or rapidly growing businesses, risks in new products or processes, risks in intraday extensions of credit which are not properly captured in systems designed for end-of-day exposure capture, and risks in areas where there have been few historical instances of losses but where potential "tail events" may have severe consequences.

Differences in Risk Profiles between Margined and Non-Margined Counterparties

One important input in the measurement of counterparty credit risk among firms' counterparties is whether the counterparty is a margined counterparty or not. A margined counterparty has agreed to post collateral, either in the form of cash or securities, when their exposure to the financial firm is positive. While there are wide variations in the practices surrounding margining of counterparties (minimum thresholds before a margin call is made, the frequency of margin calls, the treatment of valuation of illiquid products, etc.), an important distinction in the modelling approaches must be made between counterparties who have agreed to margining (also known as "having a CSA"—a credit support annex to the master netting agreement that lays out the terms of the margining agreement) and those who have not. Frequently, the modelling difference between these classes of counterparties surrounds the treatment of the look-ahead forecasting period: For margined counterparties, the forecasting period is short, associated with a reasonable "cure period" between when a counterparty misses a margin call and when the underlying positions can be closed out; for non-margined counterparties, the forecasting period is generally much longer, as long as the life of the contract. The variation in modelling horizons makes the aggregation of risk across these two classes of counterparties a challenge, as most risk modelling approaches take a single modelling horizon (e.g., one day for VaR models, one year for economic capital models) for all positions. Aggregation is further complicated if, for a given counterparty, some positions are margined but others are not.

Note that there still is a gap risk, even for margined counterparties, which needs to be modelled and accounted for. In stress situations that adversely affect the assets being financed, there could be a risk of market gapping and rapid loss of value. Banks may need to take possession of collateral at a time when its value is deteriorating and the market for it may be illiquid. This risk may be amplified by the presence of exposure concentrations within the firm, or by "crowded trades," where several firms may be taking possession of similar collateral and seeking to liquidate it at the same time.

Aggregation Challenges

While calculation of counterparty credit risk for an individual counterparty has its challenges, these challenges are magnified when attempting to get a firm-wide view of risk for economic capital purposes. Independently of the challenges in arriving at a counterparty credit risk economic capital measure outlined above, this risk measure must be aggregated in a sensible, rigorous, and risk-sensitive way with other exposures at the financial firm in order for the overall economic capital measure to be a reliable indicator of the aggregate inherent risk-taking by the firm. If a single counterparty has both derivatives and securities financing transactions, the firm may face challenges in aggregation across the counterparty's exposures, as the various models and systems architectures may not be conducive to aggregation. Furthermore, a firm's counterparty credit risk must be aggregated with other credit risk-taking activities of the firm, both in terms of loans in the banking book and credit risk in the trading book. Finally, these more comprehensive credit risk measures must be aggregated with overall market and operational risk in order to arrive at the final economic capital measure.

A related challenge involves the ability of the counterparty credit risk system to allow risk management to have a detailed understanding of the various breakdowns of risk that are common in the market risk world. Breakdowns by product, by risk factor, by geography, by business line, or by legal entity are difficult for many firms to produce, for a variety of reasons. The computation intensity of the calculations makes the provision of such "drill down capabilities" expensive in terms of time to produce on a daily basis. Fragmented computer systems and IT infrastructures, frequently driven by a variety of legacy infrastructures from merger and acquisition activity, are frequently cited culprits to the limitations associated with counterparty credit risk systems' lack of flexibility. The IT requirements associated with Basel II's internal models approach to the use of counterparty credit risk for regulatory capital purposes were often mentioned as a possible mechanism to address some of the existing systems' rigidities, but it remains uncertain how much of the planned IT investments will address the existing systems' limitations.

Range of Practices

Given the variation in size and complexity of counterparty credit exposures across large financial firms, these institutions display a range of practices in measuring CCR for economic capital purposes. Firms employ one of two general modelling approaches to quantify the counterparty credit risk exposures. While these models may be supplemented with complementary measurement processes, firms typically have adopted one of two measurement "engines":
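The following script is an added illustration (not code from the text) of the exposure concepts in this annex: current exposure versus potential exposure measured as a statistic of simulated future exposures (Measuring Exposure and Measuring Risk), and the difference between a non-margined counterparty, whose forecasting horizon runs to the end of the contract, and a margined counterparty, whose residual exposure over the cure period is the gap risk the text says still has to be modelled. The contract (a forward struck at the money), the volatility, the margin threshold and the ten-day cure period are constructed assumptions.

```python
"""Expected exposure (EE) and potential future exposure (PFE) profiles for one
forward-type position, uncollateralised and under a margin agreement.
Added illustration; contract, market model, threshold and cure period are
constructed assumptions, not figures from the text.

Mark-to-market V_t = notional * (S_t / S_0 - 1), with S a driftless lognormal
random walk. Exposure is max(V_t, 0), what the counterparty would owe on
default. Under the margin agreement the counterparty has posted
C_t = max(V_{t - cure} - threshold, 0): collateral reflects the MtM observed a
cure period earlier (the last margin call it honoured), so the residual
exposure max(V_t - C_t, 0) is positive whenever the market moved against the
counterparty during the cure period. That residual is the gap risk.
"""
import math
import random

TRADING_DAYS = 250


def simulate_mtm_paths(n_paths, n_days, notional, vol, seed=11):
    """Daily mark-to-market path per scenario for a forward struck at the money."""
    rng = random.Random(seed)
    dt = 1.0 / TRADING_DAYS
    paths = []
    for _ in range(n_paths):
        s, path = 1.0, [0.0]  # V_0 = 0 at inception
        for _ in range(n_days):
            s *= math.exp(-0.5 * vol * vol * dt + vol * math.sqrt(dt) * rng.gauss(0.0, 1.0))
            path.append(notional * (s - 1.0))
        paths.append(path)
    return paths


def exposure_at(path, day, threshold=None, cure_days=0):
    """Exposure on `day`: gross if threshold is None, otherwise net of the
    collateral called on the MtM observed `cure_days` earlier."""
    v = path[day]
    if threshold is None:
        return max(v, 0.0)
    ref_day = max(day - cure_days, 0)
    collateral = max(path[ref_day] - threshold, 0.0)
    return max(v - collateral, 0.0)


def exposure_profile(paths, days, quantile=0.95, threshold=None, cure_days=0):
    """Return {day: (EE, PFE)}: mean exposure and the given percentile of the
    exposure distribution across scenarios."""
    profile = {}
    for day in days:
        exposures = sorted(exposure_at(p, day, threshold, cure_days) for p in paths)
        ee = sum(exposures) / len(exposures)
        pfe = exposures[min(len(exposures) - 1, int(quantile * len(exposures)))]
        profile[day] = (ee, pfe)
    return profile


def compare_margining(n_paths=2000, notional=10_000_000, vol=0.25,
                      threshold=250_000, cure_days=10):
    """EE/PFE at several horizons for the same trade with and without a CSA."""
    paths = simulate_mtm_paths(n_paths, TRADING_DAYS, notional, vol)
    horizons = [20, 60, 125, TRADING_DAYS]
    return {
        "unmargined": exposure_profile(paths, horizons),
        "margined": exposure_profile(paths, horizons, threshold=threshold, cure_days=cure_days),
    }


if __name__ == "__main__":
    result = compare_margining()
    for label, profile in result.items():
        for day, (ee, pfe) in profile.items():
            print(f"{label:10s} day {day:3d}: EE={ee:12,.0f} PFE95={pfe:12,.0f}")
```

Current exposure at inception is zero for this trade, which is the point made above: the known quantity is small, and the risk sits in the distribution of future values. The unmargined PFE keeps growing with the horizon, while the margined profile is bounded by roughly the threshold plus whatever the market can move in the cure period, which is why the two classes of counterparty call for different forecasting horizons and are awkward to aggregate under one.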
Haircut Determination for Securities Financing Activities

The processes for determining haircuts for securities financing activities generally do not consider stressful market conditions, but are based on the range of historical experience, including normal market environments. When economic capital is calculated for these positions, however, the market risk factors are shocked to a stressed level, and the risks beyond the haircut are included in the determination of economic capital of the securities financing activity.

Counterparty Credit Risk Model Validation

Counterparty credit risk models for economic capital purposes generally do not have specialised validation processes associated with them, but rather use the results of validation work done by others, such as by risk management, to support the use of the counterparty credit risk model. When there is a difference between the counterparty credit risk model for economic capital purposes and the counterparty credit risk model for risk management purposes (for example, the holding period may vary), there appears to be little additional testing or validation to support the difference, as the differences are generally viewed as mechanic differences in implementation and not as separate models requiring separate validation. For example, backtesting, an established practice for market risk exposures, is still in the early stages of development for counterparty credit risk models.

13.10 ANNEX 3: INTEREST RATE RISK IN THE BANKING BOOK

Interest rate risk refers to the exposure of a bank's financial condition to adverse movements in interest rates. It should be interpreted for the purposes of this annex as the current or prospective risk to both the earnings and capital of an institution arising from adverse movements in interest rates, which affect the institution's banking book. Changes in interest rates affect an institution's earnings by altering interest-sensitive income and expenses, and the underlying value of an institution's assets, liabilities, and off-balance sheet instruments because the present value of future cash flows changes when interest rates change.32 An indirect effect can also occur, which is linked to the impact that rate changes can have on business volumes. Although interest rate risk in the banking book is a normal part of financial intermediation, excessive interest rate risk poses a significant threat to an institution's earnings and capital adequacy.

The main challenges in the calculation of economic capital for interest rate risk in the banking book come from the long holding period assumed for a bank's structural balance sheet and the need to model indeterminate cash flows on both the asset and liability side due to the embedded optionality of many banking book items.

Many banks use some type of internal transfer funds pricing to move structural interest rate risk into a centralised place within the organisation, typically the bank's treasury unit, in order to achieve matched funds transfer pricing between all other business units of the bank. This unit is responsible for interest rate modelling and maintaining gap positions within agreed upon risk limits.

Sources of Interest Rate Risk

The main sources of interest rate risk in the banking book are repricing risk (arising from differences in the maturity and repricing terms of customer loans and liabilities), yield curve risk (stemming from asymmetric movements in rates along the yield curve), and basis risk (arising from imperfect correlation in the adjustment of the rates earned and paid on different financial instruments with otherwise similar repricing characteristics).

Interest rate risk in the banking book also arises from the option features of many financial instruments. Retail products in the banking book that have embedded options include bonds and notes with call or put provisions, loans such as mortgages which give borrowers the option to prepay balances, adjustable-rate loans with explicit interest rate caps and floors that limit the amount by which the rate may adjust, and various types of non-maturity deposits which give depositors the option to withdraw funds at any time often without penalty. If not adequately measured and managed, the asymmetrical payoff characteristics of instruments with embedded option features can pose significant interest rate risks.33

32 Interest rate risk arises from the natural mismatch between repricing characteristics desired by investors and depositors and those desired by borrowers. As such, interest rate risk derives from the mismatched maturities or durations of assets which are typically longer than the liabilities. A sudden change in the shape of the term structure will affect the values of assets differently from those of liabilities.

33 According to Principle 16 of the Basel Committee's Principles for the Management and Supervision of Interest Rate Risk (BCBS, 2004), "An additional and increasingly important source of interest rate risk arises from the options embedded in many bank assets, liabilities, and off-balance sheet portfolios."
and Indicators

There are two basic techniques for assessing interest rate risk in the banking book: repricing schedules (gap and duration analyses) and simulation approaches. Although commonly used, the simple structure and restrictive assumptions make repricing schedules less suitable for the calculation of economic capital.34 Most banks use simulation approaches for determining their economic capital, based on estimated losses occurring in case of a set of worst case scenarios. The magnitude of such losses and their probability of occurrence determine the amount of economic capital.

The banking book is traditionally based on accrual accounting and measures such as earnings volatility or Earnings at Risk (EaR) are used. EaR measures the loss of net interest income resulting from interest rate movements, either gradual movements or a one-off large interest rate shock, over a given time horizon (typically one to two years). A disadvantage of the EaR method is that it only measures the short-term earnings effect (accrued interest) resulting from interest rate fluctuations and not the economic value effects (capital gains/capital losses).

Some banks have moved towards an economic value orientation and measures based on Economic Value of Equity (EVE), VaR, and Extreme Value Theory (EVT) are becoming popular. EVE, which is defined as the present value of assets minus liabilities, measures the change in the market value of equity resulting from interest rate shock scenarios, compared with the market value of equity under a base scenario. It is a comprehensive risk measure, consistent with the Basel standard interest rate shock used to identify outliers.35,36 The accuracy of the valuation of balance sheet positions is strongly dependent upon the calculated cash flows and discount rates used. For practical purposes, most EVE models use static or liquidation concepts, in the sense that they show a snapshot in time of the risk based upon the current portfolio or balance sheet composition. In principle, EVE

tions. In its dynamic version EVE may provide forward risk measures that also take into account future growth in existing or new business activities.

When the EVE model is complemented with an estimate of the probabilities of the interest-rate scenarios used, the EVE model becomes a value-at-risk (VaR) model, which builds a statistical distribution of profit and losses that may occur over a specified time horizon at a given confidence level owing to movements in interest rates. The method not only measures the magnitude of the loss, but also the probability of the loss.

In practice the calculation of economic capital follows three steps: in the first step, the change in economic value of both assets and liabilities is modelled as a result of changes in interest rates and an EVE is derived. The second step involves modelling the term structure of interest rates or the yield curve. Some banks model volatility changes over time, while other banks assume volatility is constant. In the third step the economic value of assets and liabilities and the term structure of interest rates are combined to produce the final value distribution which can be used to compute VaR or economic capital. It is worth mentioning that many of the assets and liabilities in the banking book are not regularly traded and are therefore difficult to value at market prices. Most assets and liabilities are valued on a mark-to-model basis, using path-dependent projections of run-off and future cash flows.38

In contrast to EVE, EVT is well suited to the estimation of extreme probabilities and quantiles of a distribution. This approach is based on the extreme value theorem, which indicates what the limiting distribution of extreme values should look like and importantly demonstrates that it is not the normal distribution. Drawbacks are the scarcity of extreme value observations, and the model risk associated with EVT estimates, which are usually very sensitive to the precise assumptions made by users.
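The two measurement views described above, the accrual view (EaR) and the economic-value view (EVE), together with the three-step economic capital calculation, can be made concrete on a small balance sheet. The following is an added example written for this annex, not code from the Basel text or from GARP. It assumes a flat base yield curve, annual compounding with annual coupons, and the repricing-schedule convention that a floating-rate item is worth par plus accrued coupon at its next reset; the positions, rates and scenario grid are constructed. The book has long fixed-rate assets funded by short repricing liabilities, the mismatch of footnote 32, so a rise in rates cuts EVE sharply while the one-year earnings effect stays small:

```python
"""Economic Value of Equity (EVE) and Earnings at Risk (EaR) for a small
banking book under parallel interest rate shocks.

Added example, not code from the GARP/Basel text.  Assumptions: a flat base
yield curve, annual compounding, annual coupons, and the usual
repricing-schedule treatment of floating-rate items (worth par plus accrued
coupon at the next reset).  The balance sheet below is constructed.
"""
from dataclasses import dataclass

BP = 1e-4  # one basis point as a decimal rate


@dataclass
class Position:
    name: str
    notional: float     # face amount
    coupon: float       # contractual annual rate
    maturity: int       # years to final maturity
    reprice: float      # years until the rate resets (== maturity if fixed)
    is_asset: bool


def discount(rate, t):
    return (1.0 + rate) ** (-t)


def present_value(pos, rate):
    """PV of one position's cash flows discounted at the flat rate `rate`."""
    if pos.reprice < pos.maturity:
        # Floating: value at next reset = par + coupon accrued to the reset.
        cash_at_reset = pos.notional * (1.0 + pos.coupon * pos.reprice)
        return cash_at_reset * discount(rate, pos.reprice)
    pv = sum(pos.notional * pos.coupon * discount(rate, t)
             for t in range(1, pos.maturity + 1))
    return pv + pos.notional * discount(rate, pos.maturity)


def eve(book, rate):
    """EVE = present value of assets minus present value of liabilities."""
    return sum(present_value(p, rate) * (1 if p.is_asset else -1) for p in book)


def delta_eve(book, base_rate, shock_bp):
    """Step 1: change in economic value under a parallel shock vs. the base."""
    return eve(book, base_rate + shock_bp * BP) - eve(book, base_rate)


def earnings_at_risk(book, shock_bp, horizon=1.0):
    """Accrual (EaR) view: change in net interest income over `horizon` years.
    Only items repricing inside the horizon earn or pay the new rate, and only
    for the part of the horizon after the reset; fixed items are untouched."""
    delta = 0.0
    for p in book:
        if p.reprice < horizon:
            effect = p.notional * shock_bp * BP * (horizon - p.reprice)
            delta += effect if p.is_asset else -effect
    return delta


def eve_var(book, base_rate, shocks_bp, confidence=0.99):
    """Step 3: combine the revaluation with a set of rate scenarios and read
    the loss at the given confidence level.  The scenario list stands in for
    the term-structure model of step 2 (constructed, equally weighted)."""
    losses = sorted(-delta_eve(book, base_rate, s) for s in shocks_bp)
    idx = min(len(losses) - 1, int(confidence * len(losses)))
    return losses[idx]


# Constructed banking book: long-dated fixed-rate assets funded by short,
# repricing liabilities (the positive duration gap of footnote 32).
BOOK = [
    Position("5y fixed-rate mortgages", 1000.0, 0.05, 5, 5, True),
    Position("floating corporate loans", 500.0, 0.04, 3, 0.25, True),
    Position("non-maturity deposits", 900.0, 0.015, 5, 0.5, False),
    Position("3y fixed-rate bond issued", 400.0, 0.035, 3, 3, False),
]
BASE_RATE = 0.04


if __name__ == "__main__":
    for shock in (-200, 200):
        print(f"{shock:+d} bp: dEVE = {delta_eve(BOOK, BASE_RATE, shock):8.2f}"
              f"   EaR = {earnings_at_risk(BOOK, shock):6.2f}")
    scenarios = range(-300, 301, 10)   # constructed scenario grid
    print(f"99% EVE-VaR over grid: {eve_var(BOOK, BASE_RATE, scenarios):.2f}")
```

Running the script prints the EVE change and EaR for the ±200 bp shocks and the 99% EVE-VaR over the grid. The EaR of the constructed book is only ±1.5 (the floating loans gain 7.5 but the deposits cost 9.0 under a +200 bp move), whereas the EVE change is far larger because the five-year fixed-rate mortgages are revalued; this is the short-term-earnings versus economic-value distinction the text draws. Replacing the equally weighted grid with simulated paths from a term-structure model is what step 2 adds in a full economic capital model.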
The choice of techniques used in assessing interest rate risk depends on the bank's orientation towards either economic value or earnings, and also on the type of business model pursued by the bank. Some businesses, such as commercial lending or residential mortgage lending, are managed on a present value approach, while others, such as credit cards, are managed on an earnings approach. This poses issues when the bank wants to convert risk measures to a common metric, for aggregation purposes.

34 Particularly for larger banks, gap analysis is nothing more than the first step (in this case, the distribution of the relevant assets and liabilities according to maturity) in analyzing the interest rate risk in the banking book.

228 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency

Modelling Issues

The main modelling issues involve the type of simulation, the assumptions surrounding the timing of interest rate shocks, the

41 Extension risk is that part of prepayment risk that derives from the increase in the duration of mortgages and the reinvestment risk associated with a rise in interest rates.

42 Typically, they will choose to exercise this option when the remaining loan balance exceeds the market value of the property. As such, mortgage lenders are essentially selling embedded American straddle options (i.e., combined call and put options) to mortgagors.

43 Holding other things equal, customer's options have an impact on both principal and interest cash flows, while issuer's options have a direct impact on interest cash flows only.

and identically distributed over time. Factors to be taken into account in the calculation are that interest rates may be serially correlated39 and that management intervention may affect the interest rate risk profile over the course of the time horizon.

Although most economic capital models are calibrated over a one-year holding period, many banks that use simulations will run multi-year simulations in order to value those instruments held at the one-year horizon which are not valued via closed form analytical formula.

Banks' Pricing Behaviour

An important aspect of interest rate risk modelling is the effective responsiveness of individual bank interest rates to changes in market rates. The measurement of the interest rate risk of banking book items requires: (i) a model for the analysis of the persistence of the volumes of different non-maturity banking products; and (ii) a model for the determination of bank interest rates,
taking into account general market conditions, customer relationships, bank commercial power, and optimal commercial policies. The degree by which the interest rates set by banks react to market rates (interest rates pass-through) may depend on individual bank characteristics and may differ for different products. Changes in market interest rates may also result in changes in banks' interest rate policy, driven by changes in the competitive environment and the need to defend market share.44

A typical finding in the literature is that banking interest rates pass-through is relatively slow and heterogeneous across both products and countries. It is slower for retail banking products (e.g., deposits, consumer loans, mortgages) than for corporate products; short-term products are more responsive than long-term products.45 Individual bank characteristics, such as the bank's liability structure, its liquidity, and capitalisation position or the proportion of long-term lending, are also relevant for interest rate determination; heterogeneity in the banking rates pass-through exists only in the short run.46 There is also some evidence of asymmetries in the interest rate pass-through, existing also in the short run: banks adjust their loan lending rate faster during periods of monetary tightening, and their deposit rates faster during periods of monetary easing.47

A relevant aspect for determining bank interest rates is the pricing for credit risk, which influences the duration of bank loans and represents a "spread duration" component with a non-marginal effect on economic value, especially on longer term loans. To determine the price of credit risk applied on different banking products would ultimately require a pricing rule that links the credit spread to changes in macroeconomic conditions and interest rate variations.48 This also indicates that interest rate risk on the banking book is not independent from credit risk, and that interest rate stress scenarios should also incorporate the possible interaction of interest rate and credit risk factors.

The Choice of Stress Scenarios

Stress testing is commonly used in interest rate modelling as a way to complement the complexities of interest rate risk systems with transparent interest rate shocks. As such, stress test results serve as a benchmark risk measure.49

Following the guiding principles of the Basel Committee, the current regulatory choice of a stress scenario focuses on parallel shifts in the yield curve of +/- 200 basis points.50 The Committee acknowledges that the parallel shifts of +/- 200 basis points are relatively simplistic, but it argues that these shocks appear to adequately cover volatilities across G10 countries, even though the appropriateness of the proposed shock needs to be monitored on an ongoing basis, and recalibrated should the rate environment shift materially.51

The benefits of using simple interest rate shocks of +/- 200 basis points are that these shocks are very simple and easy to communicate and that it is easier to compare the impact of these shocks on different portfolios. The drawbacks are that the shocks are not probabilistic and hence very hard to integrate into economic capital models based on VaR;52 it is not

44 As such, some banks may not regard such policy changes as part of their interest rate risk, but rather as part of business risk.

45 For Europe, see Campa and Gonzales-Minguez (2006).

46 Gambacorta (2007).

47 Gambacorta and Iannotti (2007).

48 The price of credit risk varies with the counterparty credit rating in a way which is also influenced by the level of interest rates and more generally by the position in the economic cycle, especially if the banks adopt forward-looking economic capital calculations and provisioning and pricing policies.

49 The Committee on Global Financial Stability survey on stress testing (CGFS, 2005) reveals that a majority of banks run interest rates risk stress tests. Popular historical scenarios are the bond market sell-offs in 1994 and 2003; the Asian crisis in 1997, LTCM and Russia in 1998, or September 11, 2001. Hypothetical scenarios look at changes in the national or global economic outlook, increases in inflation expectations or unexpected changes in monetary policy. Scenarios generally cover environments where not only the level but also the slope and curvature of the yield curve are changing.

50 The Basel Committee (BCBS, 2004) has suggested several guiding principles for the selection of interest rate risk scenarios. The three most important are: the rate shock should reflect a fairly uncommon and stressful rate environment; the magnitude of the rate shock should be significant enough to capture the effects of embedded options and convexity within bank assets and liabilities so that underlying risk may be revealed; and the rate shock should be straightforward and practical to implement, and should be able to accommodate the diverse approaches inherent in single-rate-path simulation models and statistically driven value-at-risk models for banking book positions. As a practical guidance, in addition to considering 200 bps scenarios, the Committee also suggests looking at parallel shifts using the 1st and 99th percentile of observed interest rate changes with a one year horizon and five years of data.

51 Further, the Committee argues that, "while more nuanced rate scenarios (such as twists and turns in the yield curve) might tease out certain underlying risk characteristics, for the more modest objectives of supervisors in detecting institutions with significant levels of interest rate risk, a simple parallel shock is adequate. Such an approach also recognises the potential for spurious precision that occurs when undue attention to fine detail is placed on one aspect of a measurement system without recognition that assumptions employed for certain asset and liability categories, such as core deposits, are by necessity blunt and judgmental. Such judgmental aspects of an interest rate risk model often drive the resulting risk measure and conclusion, regardless of the detailed attention paid to other aspects of the risk measure." (Annex 3, para 7, BCBS, 2004).

52 Even though the scenario has been calibrated on the 1st/99th percentile of observed interest rate changes.
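The practical guidance in footnote 50, looking at parallel shifts equal to the 1st and 99th percentile of observed one-year rate changes over five years of data alongside the standard +/- 200 bp shock, and the monitoring obligation in the main text (recalibrate should the rate environment shift materially) can be implemented as a small check. The following is an added example, not code from the Basel text or from GARP. The monthly rate series is constructed, not observed; the nearest-rank percentile definition and the monthly sampling frequency are assumptions of the example:

```python
"""Calibrating a parallel-shift stress scenario from observed rate changes.

Added example (not from the Basel/GARP text).  Implements the practical
guidance quoted in footnote 50: besides the standard +/-200 bp parallel
shift, look at parallel shifts equal to the 1st and 99th percentile of
observed one-year rate changes over five years of data, and check whether
the standard shock still covers the observed rate environment.
"""
import math

STANDARD_SHOCK_BP = 200          # the Basel +/-200 bp parallel shift
MONTHS_PER_YEAR = 12


def one_year_changes(monthly_rates_bp):
    """Overlapping one-year changes (in bp) from a monthly rate series."""
    return [monthly_rates_bp[j + MONTHS_PER_YEAR] - monthly_rates_bp[j]
            for j in range(len(monthly_rates_bp) - MONTHS_PER_YEAR)]


def percentile(values, p):
    """Nearest-rank percentile: the smallest value such that at least
    p * len(values) observations are <= it (assumed definition)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p * len(ordered)))
    return ordered[rank - 1]


def calibrate_parallel_shifts(monthly_rates_bp, p_low=0.01, p_high=0.99):
    """Downward and upward parallel shifts (bp) at the chosen percentiles."""
    changes = one_year_changes(monthly_rates_bp)
    return percentile(changes, p_low), percentile(changes, p_high)


def standard_shock_covers(down_bp, up_bp, standard_bp=STANDARD_SHOCK_BP):
    """True if the +/-standard shock is at least as severe as the observed
    percentile moves; False signals that the shock should be recalibrated."""
    return down_bp >= -standard_bp and up_bp <= standard_bp


def constructed_series(n_months=5 * MONTHS_PER_YEAR + 1, level_bp=300):
    """Deterministic stand-in for five years of monthly rate data
    (constructed, not observed): a slow upward drift plus a bounded zigzag."""
    series = []
    for i in range(n_months):
        drift = 4 * i                           # +4 bp per month
        zigzag = (i * 37) % 97 - 48             # bounded pseudo-noise
        series.append(level_bp + drift + zigzag)
    return series


if __name__ == "__main__":
    rates = constructed_series()
    low, high = calibrate_parallel_shifts(rates)
    print(f"1st/99th percentile one-year moves: {low:+d} / {high:+d} bp")
    print("standard +/-200 bp shock adequate:", standard_shock_covers(low, high))
```

With 49 overlapping one-year changes the nearest-rank 1st and 99th percentiles are simply the smallest and largest observed moves, which is why the footnote's five-year window gives so little data at the tails; a longer history or a non-overlapping sample changes the answer, and the text's caveat about blunt, judgmental assumptions applies to this calibration as much as to the shock itself.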
indication that credit risk and interest rate risk in the banking book are interdependent.57 The integration of credit and interest rate risk requires a sophisticated framework. First, the loss distribution of credit risk must condition on the macro and interest rate environment. Second, decreased net interest income due to default must be taken into account. Finally, for an earnings perspective, future cash flows need to be simulated. This necessitates a robust framework to price assets in the future conditional on the simulated macro and interest rate environment.

does not preclude the possibility that the exposures in the trading book and in the banking book offset each other. In certain cases, the interest rate risk exposure of the trading book compensates partially the exposure of the banking book. For example, it is possible that the trading book has a short position with respect to interest rate shocks (in the sense that a rise in interest rates causes an increase in the economic value of the trading book), while the position in the banking book is long with respect to interest rate shocks (in the sense that a rise in interest rates causes a decrease in the economic value of the banking book). In cases such as this, it might be appropriate to consider the net exposure of the entire balance sheet.

Bank of Japan (2005): Advancing Integrated Risk Management, http://www.boj.or.jp.

Bank of Japan (2007): Economic Capital Workshop Summary Record, http://www.boj.or.jp.

Basel Committee on Banking Supervision (1999): Credit risk modelling: current practices and applications, Basel, April.

— (2004): Principles for the management and supervision of interest rate risk, Basel, July.

in the trading book, Consultative Document, Basel, January.

Berkowitz, J (2000): "Testing Density Forecasts, with Applications to Risk Management", University of California, December, mimeo.

Black, F, E Derman and W Toy (1990): "A one-factor model of interest rates and its application to treasury bond options", Financial Analysts Journal, vol 46.

Black, F and P Karasinski (1991): "Bond and Option Pricing when Short Rates are Lognormal", Financial Analysts Journal, vol 47.

Brace, A, D Gatarek and M Musiela (1997): "The Market Model of Interest Rate Dynamics", Mathematical Finance, vol 7.

De Nederlandsche Bank (2005): Guidelines on Interest Rate Risk

Diebold, F X, G D Rudebusch and S B Aruoba (2006): "The macroeconomy and the yield curve: a dynamic latent factor approach", Journal of Econometrics, vol 131.

Dimakos, X K and K Aas (2004): "Integrated risk modelling", Statistical Modelling 4, pp 265-277.

Drehmann, M, S Sorensen and M Stringa (2008): "The integrated impact of credit and interest rate risk on banks: An economic value and capital adequacy perspective", Bank of England Working Paper 339.

Duffie, D, A Eckner, G Horel and L Saita (2006): "Frailty correlated default", October 19, mimeo.

Duffie, D and D Lando (2001): "Term structures of credit spreads with incomplete accounting information", Econometrica, vol 69, no 3, pp 633-664.

Duffie, D, L Saita and K Wang (2005): "Multi-period corporate default prediction with stochastic covariates", September, mimeo.

Egloff, D, M Leippold and P Vanini (2004): "A simple model of credit contagion", mimeo.

Fabozzi, F (2000): Bond Markets, Analysis and Strategies, Fourth Edition, Prentice Hall, New Jersey.

Fender, I and J Kiff (2004): "CDO rating methodology: Some thoughts on model risk and its implications", BIS Working Paper, no 163, Basel, November.

Fermanian, J D and M Sbai (2005): A comparative analysis of dependence levels in intensity based and Merton style credit risk models.

Fiori, R and S Iannotti (2007): "Scenario based Principal Component Value-at-Risk: an application to Italian banks' interest rate risk exposure", Journal of Risk, vol 9, no 3, pp 63-99.

Frerichs, H and G Loffler (2002): "Evaluating credit risk models: A critique and a proposal", May, mimeo.

Hull, J C (2007): Risk management and financial institutions,

IACPM and ISDA (2006): Convergence of Credit Capital Models.

IFRI and CRO Forum (2007): Insights from the Joint IFRI/CRO Forum Survey on Economic Capital Practice and Applications.

Jarrow, R A and F Yu (1999): "Counterparty risk and the pricing of defaultable securities," September, mimeo.

Jarrow, R A and F Yu (2001): "Counterparty risk and pricing of defaultable securities", Journal of Finance, vol 53, pp 2225-2243.

Lopez, J A and M R Saidenberg (1999): "Evaluating Credit Risk Model", Federal Reserve Bank of San Francisco, Working paper no 99-06.

McNeil, A, R Frey and Embrechts (2005): Quantitative Risk Management: Concepts, Techniques, and Tools. Princeton Series in Finance.

PriceWaterhouseCoopers (2005): Effective Capital Management: Economic Capital as an Industry Standard?

Rosenberg, J V and T Schuermann (2006): "A general approach to integrated risk management with skewed, fat-tailed risks", Journal of Financial Economics, vol 9, no 3, pp 569-614.

Rudebusch, G D and J C Williams (2007): "Forecasting recessions: The puzzle of the enduring power of the yield curve", Federal Reserve Bank of San Francisco, Working Paper, No 2007-16.

Rutter Associates LLC (2004): 2004 Rutter Associates Survey of Credit Portfolio Management Practices.

Samuel (2008): "Disclosure of Economic Capital", Federal Reserve Bank of New York. Available from the author or Policy Department, Federal Reserve Bank of New York, email: Jeffrey.Samuel@ny.frb.org. April 18.

Tarashev, N and H Zhu (2007): "Modelling and calibration errors in measures of portfolio credit risk", BIS Working Paper, Number 230.
Capital Planning at Large Bank Holding Companies: Supervisory Expectations and Range of Current Practice

Learning Objectives

After completing this reading you should be able to:

Describe the Federal Reserve's Capital Plan Rule and explain the seven principles of an effective capital adequacy process for bank holding companies (BHCs) subject to the Capital Plan Rule.

Describe practices that can result in a strong and effective capital adequacy process for a BHC in the following areas:
■ Risk identification
■ Internal controls, including model review and validation
■ Corporate governance
■ Capital policy, including setting of goals and targets and contingency planning
■ Stress testing and stress scenario design
■ Estimating losses, revenues, and expenses, including quantitative and qualitative methodologies
■ Assessing the impact of capital adequacy, including risk-weighted asset (RWA) and balance sheet projections.
These initiatives have focused not just on the amount of capital that a BHC has, but also on the internal practices and policies a firm uses to determine the amount and composition of capital that would be adequate, given the firm's risk exposures and corporate strategies as well as supervisory expectations and regulatory standards. BHCs have long engaged in some form of capital planning to address the expectations of shareholders, creditors, customers, and other stakeholders. The Federal Reserve's interest in and expectations for effective capital planning reflect the importance of the ongoing viability of the largest BHCs even under stressful financial and economic conditions. Even if current assessments of capital adequacy suggest that a BHC's capital level is sufficient to withstand potential economic stress, robust capital planning helps ensure that this outcome will continue to hold in the future. Robust internal capital planning can also help ensure that BHCs have sufficient capital in a broad range of future macroeconomic and financial market environments by governing the capital actions—including dividend payments, share repurchases, and share issuance and conversion—a BHC takes in these situations.

The Federal Reserve's Capital Plan Rule requires all U.S.-domiciled, top-tier BHCs with total consolidated assets of $50 billion or more to develop and maintain a capital plan supported by a robust process for assessing their capital adequacy.2

practices considered to be stronger or leading practices at these firms. In addition, it identifies practices that the Federal Reserve deems to be weaker, or in some cases unacceptable, and thus in need of significant improvement. However, practices identified in this publication as leading or industry-best practices should not be considered a safe harbor. The Federal Reserve anticipates that leading practices will continue to evolve as new data become available, economic conditions change, new products and businesses introduce new risks, and estimation techniques advance further.

While the supervisory scenarios and supervisory stress tests that are required under the Dodd-Frank Act5 play an important role in CCAR,6 they are not meant to be and should not be viewed as providing for an all-encompassing assessment of the possible risks a BHC may face. A robust internal capital planning process should include modeling practices and scenario assumptions that reflect BHC-specific factors. In certain instances, these practices and assumptions may differ considerably from those used by the Federal Reserve. Indeed, designing an internal capital planning process that simply seeks to mirror the Federal Reserve's stress testing is a weak practice.

1 See SR Letter 12-17, "Consolidated Supervision Framework for Large Financial Institutions," (December 17, 2012), www.federalreserve.gov/bankinforeg/srletters/sr1217.htm; 12 CFR 225.8.

3 The plans of the remaining BHCs subject to the Capital Plan Rule have been assessed through a separate process (the Capital Plan Review). Beginning in 2014, the capital plans of all BHCs subject to the Capital Plan Rule will be evaluated in a single, unified process through CCAR.

4 See 76 Fed. Reg. 74631, 74634 (December 1, 2011).

5 12 CFR part 225, subpart F.
Figure 14.1 Seven principles of an effective capital adequacy process.
Many lagging practices identified in this publication involve modeling approaches or BHC stress scenarios that fail to reflect BHC-specific factors or that rely on generic assumptions or "standard" modeling techniques, without sufficient consideration of whether those assumptions or techniques are the most appropriate ones for the BHC.

The supervisory expectations summarized here are broad and reflect, at a general level, the key characteristics of a sound and robust internal capital planning process. While certain aspects of the detailed discussion that follows may be less relevant to individual BHCs based on their business mix and risk profile, the core tenets espoused are broadly applicable to all BHCs subject to the Capital Plan Rule.

Importantly, the Federal Reserve has tailored expectations for BHCs of different sizes, scope of operations, activities, and systemic importance in various aspects of capital planning. For example, the Federal Reserve has significantly heightened supervisory expectations for the largest and most complex BHCs—in all aspects of capital planning—and expects these BHCs to have capital planning practices that are widely considered to be leading practices. In addition, the Federal Reserve recognizes the challenges facing BHCs that are new to CCAR and further recognizes that these BHCs will continue to develop and enhance their capital planning systems and processes to meet supervisory expectations.

The purpose of this publication is two-fold. First, it is intended to assist BHC management in assessing their current capital planning processes and in designing and implementing improvements to those processes. Second, it is intended to assist a broader audience in understanding the key aspects of capital planning practices at large, complex U.S. BHCs and the importance the Federal Reserve puts on ensuring that these firms have robust capital resources.

The sections that follow provide greater detail on supervisory expectations and the range of current practice across several dimensions of BHCs' internal capital planning processes. The first section discusses foundational risk management, including identification of risk exposures. The next two sections focus on controls and governance around internal capital planning processes. The fourth section covers expectations and the range of current practice concerning BHCs' capital policies—the internal guidelines governing the capital action decisions made by a BHC under a range of potential future conditions for the firm and for the macroeconomic and financial market environments

7 12 CFR 225.8(d)(2).

8 12 CFR 225.8(e)(2).

9 12 CFR 225.8(d)(2).
BOX 14.1 INCORPORATING RISKS THAT ARE MORE DIFFICULT TO QUANTIFY

Scenario-based stress testing is a critical element of robust capital planning. However, stress testing based on a limited number of discrete scenarios cannot and is not expected to capture all potential risks faced by a BHC, and therefore, it should serve as one of several inputs to the capital planning process. Given the scope of operations at and the associated breadth of risks facing large, complex BHCs—including the risk of losses from exposures and of reduced revenue generation—they are often exposed to risks, other than credit or market risk, that are either difficult to quantify or not directly attributable to any of the specific integrated firm-wide scenarios that are evaluated as part of the BHC's scenario-based stress testing ("other risks"). Examples of these other risks include reputational risk, strategic risk, and compliance risk. As noted in the section on risk identification, a BHC should identify and assess all risks as part of its risk-identification process and should capture the potential effect of all risks in its capital planning process. A BHC's capital planning process should assess the potential impact of these other risks on the BHC's capital position to ensure that its capital provides a sufficient buffer against all risks to which the BHC is exposed.

There is a wide range of practices around how BHCs account for other risks as part of their capital planning process. Many BHCs used internal capital targets to account for such risks, putting in place an incremental cushion above their targets to allow for difficult-to-quantify risks and the inherent uncertainty represented by any forward-looking capital planning process. Other BHCs assessed the effect of other risks in terms of some combination of reduced revenue, added expenses, or a management overlay on top of loss estimates. BHCs with lagging practices did not even attempt to account for other risks in their capital planning process.

To the extent possible, BHCs should incorporate the effect of these other risks into their projections of net income over the nine-quarter planning horizon. BHCs should clearly articulate and support any relevant assumptions and the methods used to quantify the effect of other risks on their revenue, expenses, or losses.

For those BHCs that did not incorporate the potential impact of these other risks into their capital targets, stronger practices included a clear articulation of which risks were being addressed by putting in place a cushion above the capital target, and how this cushion is related to identified risks. BHCs should clearly support the method they used to measure the potential effect of such risks. Using a simple rule (such as a percent of capital) or expert judgments to determine the cushion above the capital target, without providing analysis or support, is a lagging practice.

planning that are not scenario-based, it should identify which risks each of the methodologies covers, to facilitate comparability and informed decision-making with respect to overall capital adequacy. BHCs with lagging practice did not transparently link their evaluation of capital adequacy to the full range of identified risks. These BHCs were not able to show how all their risks were accounted for in their capital planning processes. In some cases, staff responsible for capital planning operated in silos and developed standalone risk inventories not linked to the enterprise-wide risk inventory or to other risk governance functions within their BHCs.

14.3 INTERNAL CONTROLS

As with other aspects of key risk-management and finance area functions, a BHC should have a strong internal control framework that helps govern its internal capital planning processes. These controls should include (1) regular and comprehensive review by internal audit; (2) robust and independent model review and validation practices; (3) comprehensive documentation, including policies and procedures; and (4) change controls.

Scope of Internal Controls

A BHC's internal control framework should address its entire capital planning process, including the risk measurement and management systems used to produce input data, the models and other techniques used to generate loss and revenue estimates; the aggregation and reporting framework used to produce reports to management and boards; and the process for making capital adequacy decisions. While some BHCs may naturally develop components of their internal capital planning along separate business lines, the control framework should ensure that BHC management reconciles the separate components in a coherent manner. The control framework also should help assure that all aspects of the capital planning process are functioning as intended in support of robust assessments of capital needs.

BHCs with stronger control coverage reviewed the controls around capital planning on an integrated basis and applied them consistently. Management responded quickly and effectively to issues identified by control areas and devoted appropriate resources to continually ensure that controls were functioning effectively.

Internal Audit

Internal audit should play a key role in evaluating internal capital planning and its various components. Audit should perform a review of the full process, not just of the individual components,

Independent Model Review

strengthening practices around model review and validation.

10 See 12 CFR 225.8(d)(1)(iii).

11 See SR Letter 13-1, "Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing," (January 23, 2013) www.federalreserve.gov/bankinforeg/srletters/sr1301.htm, for detailed guidance on expectations for the governance and operational effectiveness of an institution's internal audit function.

sr1107.htm. See FR Y-14A reporting form: Summary Schedule Instructions, pp. 5-7.

Policies and Procedures

BHCs should ensure they have policies and procedures covering the entire capital planning process.13 Policies and procedures should ensure a consistent and repeatable process for all
240 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
components of the capital planning process and provide transparency to third parties regarding this process. Policies should be reviewed and updated at least annually and more frequently when warranted. There should also be evidence that management and staff are adhering to policies and procedures in practice, and there should be a formal process for any policy exceptions. Such exceptions should be rare and approved by the appropriate level of management.

Ensuring Integrity of Results

BHCs should have internal controls that ensure the integrity of reported results and the documentation, review, and approval of all material changes to the capital planning process and its components. A BHC should ensure that such controls exist at all levels of the capital planning process. Specific controls should be in place to

• ensure that MIS are sufficiently robust to support capital analysis and decision-making, with sufficient flexibility to run ad hoc analysis as needed;
• provide for reconciliation and data integrity processes for all key reports;
• address the presentation of aggregate, enterprise-wide capital planning results, which should describe any manual adjustments made in the aggregation process and how those adjustments compensate for identified weaknesses; and
• ensure that reports provided to senior management and the board contain the appropriate level of detail and are accurate and timely. The party responsible for this reporting should assess and report whether the BHC is in compliance with its internal capital goals and targets, and ensure the rationale for any deviations from stated capital objectives is clearly documented and obtain any necessary approvals.14

BHCs with stronger practices in this area ensured that good information flows existed to support decisions, with significant investment in controls for data and information. For example, some BHCs had an internal audit group review the data for accuracy and ensured that any data reported to the board and senior management were given extra scrutiny and cross-checking. In addition, BHCs with stronger practices had strong MIS in place that enabled them to collect, synthesize, analyze, and deliver information quickly and efficiently. These systems also had the ability to run ad hoc analysis to support capital planning as needed without employing substantial resources. Other BHCs, however, continue to face challenges with MIS. Many BHCs have systems that are antiquated and/or siloed and not fully compatible, requiring substantial human intervention to reconcile across systems.

Documentation

BHCs should have clear and comprehensive documentation for all aspects of their capital planning processes, including their risk-measurement and risk-management infrastructure, loss- and resource-estimation methodologies, the process for making capital decisions, and efficacy of control and governance functions.15 Documentation should contain sufficient detail, accurately describe BHCs' practices, allow for review and challenge, and provide relevant information to decision-makers.16

14.4 GOVERNANCE

BHCs should have strong board and senior management oversight of their capital planning processes.17,18 This includes ensuring periodic review of the BHC's risk infrastructure and loss- and resource-estimation methodologies; evaluation of capital goals and targets; assessment of the appropriateness of stress scenarios considered; regular review of any limitations in key processes supporting internal capital planning, such as uncertainty around estimates; and approval of capital decisions. Together, a BHC's board and senior management should establish a comprehensive capital planning process that fits into broader risk-management processes and that is consistent with the risk-appetite framework and the strategic direction of the BHC.

Board of Directors

A BHC's board of directors has ultimate oversight responsibility and accountability for capital planning and should be in a position to make informed decisions on capital adequacy and capital actions, including capital distributions.19 The board of directors should receive sufficient information to understand the BHC's material risks and exposures and to inform and support its decisions on capital adequacy and planning. The board should receive this information at least quarterly, or when there are material developments that affect capital adequacy or the manner in which it is assessed. Capital adequacy information

15 See id.
16 See id.
17 See 12 CFR 225.8(d)(1)(iii)(A)-(B).
19 Id.
20 12 CFR 225.8(d)(2)(i)(A)-(D).
process to be sufficient. Furthermore, management developed clear remediation plans with specific timelines for resolving identified weaknesses. In some cases, based on its review of the full capital planning process, senior management made more cautious or conservative adjustments to the capital plan, such as recommending less aggressive capital actions. Management also included key assumptions and process weaknesses in reports and specifically pointed them out to the board, in some cases providing analysis showing the sensitivity of capital to alternative outcomes.

Documenting Decisions

BHCs should document decisions about capital adequacy and capital actions taken by the board of directors and senior management, and describe the information used to reach those decisions.21 Final decisions regarding capital planning of the board or of a designated committee thereof should be recorded and retained in accordance with the company's policies and procedures.

BHCs with stronger documentation practices had board minutes that described how decisions were made and what information was used. Some documentation provided evidence that the board challenged results and recommendations, including reviewing and assessing how senior management challenged the same information. BHCs with weaker documentation practices had board minutes that were very brief and opaque, with little reference to information used by the board to make its decisions. Some BHCs did not formally document key decisions.

…processes and links to and is supported by other policies (risk-management, stress testing, model governance, audit, and others). A capital policy should provide details on how a BHC manages, monitors, and makes decisions regarding all aspects of capital planning. The policy should also address roles and responsibilities of decision-makers, process and data controls, and validation standards. Finally, the capital policy should explicitly lay out expectations for the information included in the BHC's capital plan.

A capital policy should describe targets for the level and composition of capital and provide clarity about the BHC's objectives in managing its capital position. The policy should explain how the BHC's capital planning practices align with the imperative of maintaining a strong capital position and being able to continue to operate through periods of severe stress. It should include quantitative metrics such as common stock dividend (and other) payout ratios as maximums or targets for capital distributions. The policy should include an explanation of how management concluded that these ratios are appropriate, sustainable, and consistent with its capital objectives, business model, and capital plan. It should also specify the capital metrics that senior management and the board use to make capital decisions. In addition, a capital policy should include governance and escalation protocols that are clear, credible, and actionable in the event an actual or projected capital ratio target is breached.

The policy should describe processes surrounding how common stock dividend and repurchase decisions are made and how the BHC arrives at its planned capital distribution amounts. Specif­ically, the policy should discuss the following:

• the main factors and key metrics that influence the size, tim…

24 12 CFR 225.8(c)(4).
25 Id.
Capital triggers should provide an "early warning" of capital deterioration and should be part of a management decision-making framework, which should include target ranges for a normal operating environment and threshold levels that trigger management action. Such action should include escalation to the board, potential suspension of capital actions, and/or activation of a capital contingency plan. Triggers should also be established for other metrics and events that measure or affect the financial condition or perceived financial condition of the firm—for example, liquidity, earnings, debt and credit default swap spreads, ratings downgrades, stock performance, supervisory actions, or general market stress.

Contingency actions should be flexible enough to work in a variety of situations and be realistic for what is achievable during periods of stress. The capital plan should be prepared recognizing that certain capital-raising and capital-preserving activities may not be feasible or effective during periods of stress. BHCs should have an understanding of market capacity constraints when evaluating potential capital actions that require accessing capital markets, including debt or equity issuance and also contemplated asset sales. Contingency actions should be ranked according to ease of execution and their impact and should incorporate the assessment of stakeholder reactions (e.g., impacts on future capital-raising activities).

Weak capital contingency plans provided few options to address contingency situations and/or did not consider the feasibility of options under stressful conditions. Plans with overly optimistic assumptions or excessive reliance on past history (in terms of both possible contingency situations and options to address those situations) were also considered weak, as were plans that lacked support for the feasibility and availability of possible contingency actions. Other weak practices included establishing triggers based on actual results but not on projected results, or based on minimum regulatory capital ratios only with no consideration of the expectations of other stakeholders including counterparties, creditors and investors, or of other metrics or market indicators.

14.6 BHC SCENARIO DESIGN

Under the Capital Plan Rule, a BHC is required to use a BHC-developed stressed scenario that is appropriate for its business model and portfolios.26 Accordingly, BHCs should have a process for designing scenarios for enterprise-wide scenario analysis that reflects the BHC's unique business activities and associated vulnerabilities.

The set of variables that a BHC includes in its stress scenario should be sufficient to address all material risks arising from its exposures and business activities. A business line could face…

The range of observed practice for developing BHC stress scenarios was broad. Some BHCs designed stress scenarios using internal models and expertise. Other BHCs used vendor-defined macroeconomic scenarios or used vendor models to define customized macroeconomic scenarios. For BHCs with internally developed scenarios, those with stronger scenario-design practices used internal models in combination with expert judgment rather than relying solely on either models or expert judgment to define scenario conditions and variables. Among BHCs that used third-party scenarios, those with stronger practices tailored third-party-defined scenarios to their own risk profiles and unique vulnerabilities.

Regardless of the method used to develop the scenario, BHCs should have a scenario-selection process that engages a broad range of internal stakeholders such as risk experts, business managers, and senior management. Although they are required to submit only one BHC stress scenario for CCAR, BHCs should develop a suite of scenarios that collectively capture their material risks and vulnerabilities under a variety of stressful circumstances and should incorporate them into their overall capital planning processes.

Scenario Design and Severity

As indicated in the preamble to the Capital Plan Rule, "the bank holding company-designed stress scenario should reflect an individual company's unique vulnerabilities to factors that affect its firm-wide activities and risk exposures, including macroeconomic, market-wide, and firm-specific events."27 Thus, BHC stress scenarios should reflect macroeconomic and financial conditions that are tailored specifically to stress a BHC's key vulnerabilities and idiosyncratic risks, based on factors such as its particular business model, mix of assets and liabilities, geographic footprint, portfolio characteristics, and revenue drivers. A BHC stress scenario that simply features a generic weakening of macroeconomic conditions similar in magnitude to the supervisory severely adverse scenario does not meet these expectations.

BHCs with stronger scenario-design practices clearly and creatively tailored their BHC stress scenarios to their unique business-model features, emphasizing important sources of risk not captured in the supervisory severely adverse scenario. Examples of such risks observed in practice included a significant counterparty default; a natural disaster or other operational-risk event; and a more acute stress on a particular region, industry, and/or asset class as compared to the stress applied to general macroeconomic conditions in the supervisory adverse and severely adverse scenarios.

…mon ratio and any additional capital measures deemed relevant by the BHC, over the planning horizon under expected conditions and under a range of stressed scenarios.
empirical evidence, and the entire estimation process should be transparent and repeatable. The Federal Reserve generally expects BHCs to use models or other quantitative methods as the basis for their estimates; however, there may be instances where a management overlay or other qualitative approaches may be appropriate due to data limitations, new products or businesses, or other factors. In such instances, BHCs should ensure that such processes are well supported, transparent, and repeatable over time.

Establishing a Quantitative Basis for Enterprise-Wide Scenario Analysis

Generally, BHCs should develop and use internal data to estimate losses, revenues, and expenses as part of enterprise-wide scenario analysis.29 However, in certain instances, it may be more appropriate for BHCs to use external data to make their models more robust. For example, BHCs may lack sufficient, relevant historical data due to factors such as systems limitations, acquisitions, or new products. When using external data, BHCs should take care to ensure that the external data reasonably approximate underlying risk characteristics of their portfolios, and make adjustments to modeled outputs to account for identified differences in risk characteristics and performance reflected in internal and external data.

BHCs can use a range of quantitative approaches to estimate losses, revenues, and expenses, depending on the type of portfolio or activity for which the approach is used, the granularity and length of available time series of data, and the materiality of a given portfolio or activity. While the Federal Reserve does not require BHCs to use a specific estimation method, each BHC should estimate its losses, revenues, and expenses at sufficient granularity so that it can identify common, key risk drivers and capture the effect of changing conditions and environments. For example, loss models should be estimated at a sufficiently granular subportfolio or segment level so that they can capture observed variations in risk characteristics and performance across the subportfolios or segments and across time, and account for changing exposure or portfolio characteristics over the planning horizon.

While BHCs often segment their portfolios and activities along functional areas, such as by line of business or product type, the leading practice is to determine segments based on common risk characteristics (e.g., credit score ranges or loan-to-value ratio ranges) that exhibit meaningful differences in historical performance. The granularity of segments typically depends on the type, size, and composition of the BHC's portfolio. For example, a more diverse portfolio—both in terms of borrower risk characteristics and performance—would generally require a greater number of segments to account for the heterogeneity of the portfolio. However, when segmenting portfolios, it is important to ensure that each risk segment has sufficient data observations to produce reliable model estimates.

As a general practice, BHCs should separately estimate losses, revenues, or expenses for portfolios or business lines that are sensitive to different risk drivers or sensitive to risk drivers in a markedly different way. For instance, losses on commercial and industrial loans and commercial real estate (CRE) loans are, in part, driven by different factors, with the path of property values having a more pronounced effect on CRE loan losses. Similarly, although falling property value affects both income-producing CRE loans and construction loans, the effect often differs materially due to structural differences between the two portfolios. Such differences can become more pronounced during periods of stress. BHCs with leading practices have demonstrated clearly the rationale for selecting certain risk drivers over others. BHCs with lagging practices used risk drivers that did not have a clear link to results, either statistically or conceptually.

Many models used for stress testing require a significant number of assumptions to implement. Further, the relationship between macroeconomic variables and losses, revenues, or expenses could differ considerably in the hypothetical stress scenario from what is observed historically. As a result, while traditional tools for evaluating model performance (such as comparing projections to historical out-of-sample outcomes) are still useful, the Federal Reserve expects BHCs to supplement them with other types of analysis. Sensitivity analysis is one tool that some BHCs have used to test the robustness of models and to help model developers, BHC management, the board of directors, and supervisors identify the assumptions and parameters that materially affect outcomes. Sensitivity analysis can also help ensure that core assumptions are clearly linked to outcomes. Using results from different estimation approaches (challenger models) as a benchmark is another way BHCs can gain greater comfort around their primary model estimates, as the strengths of one approach could potentially compensate for the weaknesses of another. When using multiple approaches, however, it is important that BHCs have a consistent framework for evaluating the results of different approaches and supporting rationale for why they chose the methods and estimates they ultimately used.

In certain instances, BHCs may need to rely on third-party models—for example, due to limitations in internal modeling capacity. In using these third-party models (vendor models or consultant-developed models), BHCs should ensure that their internal staff have working knowledge and a good conceptual

29 BHCs are required to collect and report a substantial amount of risk information to the Federal Reserve on FR Y-14 schedules. These data may help to support the BHC's enterprise-wide scenario analysis.
anticipation of stressful conditions, such as preemptively rebalancing their portfolios or otherwise adjusting their risk profiles to mitigate the expected impact. In the event of a downturn, the future path or progression of economic and market conditions would not be clearly known, and this uncertainty should be reflected in the capital plans.

Documentation of Estimation Practices

The Federal Reserve expects BHCs to clearly document their key methodologies and assumptions used to estimate losses, revenues, and expenses.32,33 BHCs with stronger practices provided documentation that concisely explained methodologies, with relevant macroeconomic or other risk drivers, and demonstrated relationships between these drivers and estimates. Documentation should clearly delineate among model outputs, qualitative overlays to model outputs, and purely qualitative estimates. BHCs with weaker practices often had limited documentation that was poorly organized and that relied heavily on subjective management judgment for key model inputs with limited empirical support for and documentation of these adjustments.

Loss-Estimation Methodologies

…to a given scenario and also improve the overall fit of the model. Any models used to produce additional risk drivers are key components of the loss-estimation process and, therefore, should be included in BHCs' model inventories and receive the same model risk-management treatment as core loss-estimation models.

Generally, BHCs sum up losses from various portfolios and activities to produce aggregate losses for the enterprise-wide scenario analysis. BHCs should have a repeatable process to aggregate losses, particularly when they transform model estimates to combine disparate risk measures (such as accounting-based and economic loss concepts), different measurement horizons, or otherwise dissimilar loss estimates.

BHCs with leading practices used automated processes that showed a clear audit trail from source data to loss estimation and aggregation, with full reconcilement to source systems and regulatory reports and mechanisms requiring approval and logging of judgmental adjustments and overrides. These systems often leveraged existing enterprise-wide financial and regulatory consolidation processes.

BHCs with lagging practices exhibited a high degree of manual intervention in the aggregation process, and applied aggregate-level management adjustments that were not transparent or well supported.
Rating Transition Models

Many BHCs have used a rating transition-based approach to produce a stressed rating transition matrix for each quarter, which is then used to estimate losses for their wholesale portfolios under stress. These approaches used credit ratings applied to individual loans by the BHC and projected how these ratings would change over time given the macroeconomic scenario. Although the details of techniques used to link rating transitions to scenario conditions varied across firms, the process usually involved the following steps: (1) converting the rating transition matrix into a single summary measure; (2) estimating a time-series model linking the summary measure to scenario variables; (3) projecting the summary measure over the nine-quarter planning horizon, using the parameter estimates from the time-series model; and (4) converting the projected summary measure into a full set of quarterly transition matrices. BHCs using such an approach should be able to demonstrate that the summary measure responds to changes in economic conditions as expected (that is, worsens as the economic condition deteriorates) and results in projected rating transition matrices that are consistent with the severity of the scenario. Judgmentally selecting transition matrices from past stress periods is a weak practice, as it may produce loss estimates that are not consistent with a given scenario and fails to recognize that conditions in the future may not precisely mirror conditions observed by the BHC in the past.

Sound rating transition models require two fundamental building blocks: a robust time series of data and well-calibrated, granular risk rating systems. The Federal Reserve expects BHCs that use rating transition models to have robust time series of data that include a sufficient number of transitions, which allows BHCs to establish a statistically significant relationship between the transition behavior and macroeconomic variables. Data availability has been a widespread constraint inhibiting the development of granular transition models because a sufficient number of upgrades and downgrades are necessary to preclude sparse matrices. In order to overcome these data limitations, BHCs have often relied on third-party data to develop rating transition models. Consistent with the Federal Reserve's general expectations, when using third-party data, BHCs should be able to demonstrate that the transition matrices estimated with external data are a reasonable proxy for the migration behavior of their portfolios. Rating transition models also require granular ratings systems that capture differences in the potential for defaults and losses for a given set of exposures in various economic environments. BHCs that lack well-calibrated, granular credit-risk rating systems are often unable to produce useful transition matrices.

BHCs with stronger practices typically had more granular ratings systems and accounted for limitations in their data and/or credit rating systems by making adjustments to model assumptions or estimates, or by supplementing internal data with external data.

BHCs with weaker practices often failed to demonstrate that supplemented external data adequately reflected the ratings performance of the BHC's portfolio. BHCs with weaker practices also sometimes relied on a risk rating process that historically resulted in lumpiness in rating upgrades and downgrades or material concentrations in one or two rating categories. As a result, these BHCs often produced transition matrices with limited sensitivity to scenario variables, and resulting estimates were more consistent with long-term average default rates than with default rates that would be experienced under severe economic stress.

Roll-Rate Models

Many BHCs have used roll-rate models to estimate losses for various retail portfolios. Roll-rate models generally estimate the rate at which loans that are current or delinquent in a given quarter roll into delinquent or default status in the next period. As a result, they are conceptually similar to rating transition models. The Federal Reserve expects BHCs that use roll-rate models to have a robust time series of data with sufficient granularity. The robust time series data allow the BHC to establish a strong relationship between roll rates and scenario variables, while the availability of granular data enables BHCs to model all relevant loan transitions and to segment the portfolio into subportfolios that exhibit meaningful variations in performance, particularly during the period of stress. In general, BHCs should estimate roll rates using models that are conditioned on scenario variables. For certain transition states where statistical relationships between roll rates and scenarios are weak (such as late-stage loan delinquency), BHCs should incorporate conservative assumptions rather than relying solely on statistical relationships.

While roll-rate models have some advantages, including transparency and ease of use, they often have weak predictive power outside the near future, particularly if they are not properly conditioned on scenario variables. As a result, some roll-rate models have limited usefulness for stress testing over a longer horizon, such as the nine-quarter planning horizon required in CCAR. Some BHCs have used roll-rate models in conjunction with other estimation approaches (such as a vintage model described below) that project losses for later periods. In general, it is a weaker practice to combine two different models, as it can introduce unexpected jumps in estimated losses over the planning horizon, though some BHCs have judgmentally weighted two different estimation methods to smooth projected losses. If…
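The four-step rating transition procedure described under Rating Transition Models, worked through end to end as an added Python example (not code from the page or from any BHC's model); because the Roll-Rate Models section calls roll rates conceptually similar, the same pipeline applies with delinquency buckets in place of ratings. It assumes a summary measure the page does not specify (a single shift Z of the latent-variable cut-offs implied by a long-run average matrix, Z < 0 meaning more downgrades), the quarterly change in the unemployment rate as the scenario variable, and constructed matrices and scenario paths; it also performs the check the page asks for, that the summary measure worsens as conditions deteriorate.

```python
"""Rating transition model in the four steps described above: (1) summarise each
quarterly matrix as one number Z, (2) regress Z on a scenario variable, (3) project
Z over nine quarters, (4) rebuild a full matrix per quarter. Assumptions (not from
the page): Z is a single shift of the latent-variable cut-offs behind a long-run
average matrix (Z < 0 means more downgrades); the scenario variable is the quarterly
change in unemployment; every number below is constructed."""
import math
from statistics import NormalDist

N = NormalDist()
RATINGS = ["A", "B", "C", "D"]   # D = default, absorbing
HORIZON = 9                      # nine-quarter planning horizon
LONG_RUN = {                     # constructed long-run average quarterly matrix
    "A": [0.90, 0.08, 0.015, 0.005],
    "B": [0.05, 0.85, 0.08, 0.02],
    "C": [0.01, 0.09, 0.82, 0.08],
}

def thresholds(row):
    """Cut-offs u[k] = Phi^-1(P(end in rating k or worse)); u[0]=+inf, u[-1]=-inf."""
    return [math.inf] + [N.inv_cdf(sum(row[k:])) for k in range(1, len(row))] + [-math.inf]

def conditional_row(u, z):
    """Transition probabilities for one starting rating given the shift z."""
    return [N.cdf(u[k] - z) - N.cdf(u[k + 1] - z) for k in range(len(u) - 1)]

def conditional_matrix(u_rows, z):
    m = {r: conditional_row(u, z) for r, u in u_rows.items()}
    m["D"] = [0.0, 0.0, 0.0, 1.0]
    return m

def fit_z(u_rows, observed, lo=-3.0, hi=3.0, step=0.005):
    """Step 1: the z whose implied matrix is least-squares closest to an observed
    quarterly matrix (grid search; the objective is smooth with one minimum)."""
    best_z, best_sse = lo, math.inf
    for i in range(int(round((hi - lo) / step)) + 1):
        z = lo + i * step
        sse = sum((p - o) ** 2 for r, u in u_rows.items()
                  for p, o in zip(conditional_row(u, z), observed[r]))
        if sse < best_sse:
            best_z, best_sse = z, sse
    return best_z

def ols(xs, ys):
    """Step 2: least-squares line y = a + b*x, returned as (a, b)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    b = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    return my - b * mx, b

def build_history(u_rows):
    """Constructed 'observed' history: eight quarters of (unemployment change,
    matrix), generated from the model with Z = -0.8*dx + noise so the fit is checkable."""
    dx = [-0.3, -0.1, 0.0, 0.2, 0.5, 0.9, 1.4, 0.6]
    noise = [0.05, -0.10, 0.08, -0.04, 0.10, -0.06, 0.02, -0.05]
    return [(x, conditional_matrix(u_rows, -0.8 * x + e)) for x, e in zip(dx, noise)]

def calibrate(u_rows, history):
    """Steps 1-2 over the history; returns (intercept, slope)."""
    xs = [x for x, _ in history]
    return ols(xs, [fit_z(u_rows, m) for _, m in history])

def project(u_rows, a, b, scenario):
    """Steps 3-4: Z path over the horizon and one full matrix per quarter."""
    z_path = [a + b * x for x in scenario]
    return z_path, [conditional_matrix(u_rows, z) for z in z_path]

def cumulative_default(matrices, start):
    """Probability that a loan starting in `start` has defaulted by the last quarter."""
    dist = {r: float(r == start) for r in RATINGS}
    for m in matrices:
        dist = {RATINGS[k]: sum(dist[r] * m[r][k] for r in RATINGS) for k in range(len(RATINGS))}
    return dist["D"]

def run(scenario_base, scenario_stress):
    """Calibrate, project both scenarios and return what a reviewer would check:
    the slope sign (Z must worsen as unemployment rises), whether the stress Z path
    is worse than baseline, and nine-quarter cumulative default rates for a B loan."""
    u_rows = {r: thresholds(row) for r, row in LONG_RUN.items()}
    a, b = calibrate(u_rows, build_history(u_rows))
    z_base, m_base = project(u_rows, a, b, scenario_base)
    z_stress, m_stress = project(u_rows, a, b, scenario_stress)
    return {"slope": b,
            "z_worsens_under_stress": b < 0 and min(z_stress) < min(z_base),
            "cum_default_B_base": cumulative_default(m_base, "B"),
            "cum_default_B_stress": cumulative_default(m_stress, "B")}

# Constructed nine-quarter scenario paths: quarterly change in unemployment (pp).
BASELINE = [0.0] * HORIZON
STRESS = [0.8, 1.2, 1.0, 0.6, 0.3, 0.1, 0.0, -0.1, -0.2]

if __name__ == "__main__":
    for k, v in run(BASELINE, STRESS).items():
        print(f"{k}: {v}")
```

The same structure serves a roll-rate model by using delinquency buckets (current, 30, 60, 90+, default) as the states; a negative fitted slope and a stress path that lies below the baseline path are the evidence that the summary measure responds to the scenario as the page expects.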
OTTI processes for AFS and HTM securities portfolios varied in sophistication across BHCs. BHCs with leading practices used estimation methods that capture both security-specific and country-specific performance data for relevant portfolios. For securitized products, they modeled the credit risk of underlying exposures (e.g., commercial real estate loans) to estimate potential losses. Where BHCs used management judgment, it was limited and well supported in the methodology documentation.

In addition, BHCs with leading practices chose conservative approaches and assumptions for OTTI loss estimation, such as recognizing losses in early quarters rather than over the entire scenario horizon. Though, under current accounting rules, OTTI losses are recognized only up to the amount of unrealized losses, some BHCs have taken a conservative approach to allow OTTI losses to exceed projected unrealized losses.

BHCs with lagging practices did not test all credit-sensitive securities for potential OTTI; rather, they tested only currently impaired positions or securities that met certain criteria (e.g., only securities rated below investment grade) for OTTI. BHCs should not rely solely on a ratings-based threshold to determine OTTI for structured products. BHCs with lagging practices had OTTI loss-estimation methodologies that did not capture appropriate risk drivers or scenario conditions and/or were not applied at a sufficiently granular level. In some cases, BHCs excluded key explanatory variables for certain asset classes. For example, the unemployment rate was used to project OTTI losses for non-agency residential mortgage-backed securities (RMBS), but the housing price index (HPI) was excluded even though the theory and empirical evidence point to a strong relationship between mortgage losses and housing prices. As a result of these methodology deficiencies, these BHCs projected OTTI losses that were inconsistent with the risk characteristics of the portfolio and assumed scenario conditions.

Operational Risk

Best practices in operational-risk models are still evolving, and …

…processes, people, or systems or from external events. Generally, operational-risk events are grouped into one of several event-type categories, such as internal fraud, external fraud, or damage to physical assets. In general, BHCs should use internal operational-loss data as a starting point to provide historical perspective, and then incorporate forward-looking elements, idiosyncratic risks, and tail events to estimate losses. Most BHCs have supplemented their internal loss data with external data when modeling operational-risk loss estimates and scaled the losses to make the external loss data more commensurate with their individual risk profiles. The Federal Reserve expects such scaling approaches to be well supported. Few BHCs have incorporated business environment and internal control factors such as risk control self-assessments and other risk indicators into their operational-risk methodology. While the Federal Reserve does not expect BHCs to use these qualitative tools as direct inputs in a model, they can help identify areas of potential risk and help BHCs select appropriate scenarios that stress those risks.

Internal Data Collection and Data Quality

The Federal Reserve expects BHCs to have a robust and comprehensive internal data-collection method that captures key elements, such as critical dates (i.e., occurrence, discovery, and accounting), event types, and business lines. In general, BHCs should use complete data sets of internal losses when modeling, and not judgmentally exclude certain loss data.

Data quality and comprehensiveness have varied considerably across BHCs. BHCs with lagging practices often excluded certain internal loss data from model input for various reasons. Examples include

• excluding large items such as legal reserves and tax/compliance penalties;
• omitting losses from merged or acquired institutions due to complications in collection and aggregation; and
• excluding loss data from discontinued business lines, even
the Capital Plan Rule does not require BH Cs to use advanced
though the loss events were reasonably generic and appli
m easurem ent approach (AM A) models for stressed operational-
cable to remaining business lines within the organization.
risk loss estim ation.34 However, BH Cs that have developed a
rich set of data to support the A M A should consider leveraging Some BHCs have addressed observed outliers by omitting them
the same data and risk-management tools to estim ate opera from the data set, modeling them separately, or applying an add
tional losses under a stress scenario, regardless of a particular on based on scenario analysis or management input. If BHCs do
m ethodology they choose to estim ate losses. not have the data from potential mergers and acquisitions, one
and m anagem ent input at a business-line level. Some BHCs of operational loss events for each defined unit of measure,
have used historical averages from internal loss data to estim ate whether it is a business line, an event type, or some combination
losses in the baseline scenario. of the two.
BHCs with stronger practices used a combination of approaches The estim ated frequency and severity distributions are then
to incorporate historical loss experience, forward-looking ele com bined, generally using a Monte Carlo simulation, to esti
ments, and idiosyncratic risks into their stressed loss projections. mate the probability distribution for annual operational-risk
Using a combination of approaches can help address model losses at each unit of measure.
and data limitations. Some BH Cs used separate models for For purposes of C C A R , LD A models have generally been used
certain events types such as fraud or litigation, and used other in one of two ways: (1) by using a lower confidence interval than
approaches (e.g ., using historical averages) for event types * the 99.9th percentile used by the A M A , or (2) by adjusting the
frequency based on outcom es of correlation analysis. BHCs
that modified the LD A by using a lower confidence interval
O /
254 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
typically have used either the mean or median for the baseline estimates and higher confidence intervals—typically ranging from the 70th percentile to the 98th percentile—for the stressed estimates. Additionally, some BHCs have used different confidence intervals for different event types. The Federal Reserve does not require BHCs to use a particular percentile to produce stressed estimates. However, it expects BHCs to implement a credible, transparent process to select a percentile; be able to demonstrate why the percentile is an appropriate choice given the specific scenario under consideration; and perform sensitivity analyses around the selection of a percentile to test the impact of this assumption on model outputs. Some BHCs modified the LDA by adjusting frequency distributions based on the observed correlation between macroeconomic variables and operational-risk losses.

Scenario Analysis

Scenario analysis is a systematic process of obtaining opinions from business managers and risk-management experts to assess the likelihood and loss impact of plausible severe operational-loss events. Some BHCs have used this process to determine a management overlay that is added to losses estimated using a model-based approach. BHCs have used this overlay to incorporate idiosyncratic risks (particularly for event types where correlation was not identified) or to capture potential loss events that the BHC had not previously experienced. BHCs should be able to demonstrate the quantitative effect of the management overlay on final loss estimates.

Scenario analysis, if used effectively, can help compensate for data and model limitations, and allows BHCs to capture a wide range of risks, particularly where limited data are available. The Federal Reserve expects BHCs using scenario analysis to have a clearly defined process and provide an appropriate rationale for the specific scenarios included in their loss estimate. The process for choosing scenarios should be credible, transparent, and well supported.

Historical Averages

Some BHCs used historical averages of operational-risk losses, in combination with other approaches noted above, to estimate operational-risk losses under stress scenarios. For example, BHCs have used historical averages for event types where no correlation between macroeconomic factors and operational-risk losses was identified but used a regression model for event types where correlations were identified. A small number of BHCs have used historical averages as the sole approach to develop stressed loss estimates. When used alone, this approach is backward-looking and excludes potential risks the BHCs have not experienced. When using historical averages, BHCs should support the chosen time periods, thresholds, and any excluded or adjusted outliers and demonstrate that loss estimates are consistent with what is expected in the stress scenario.

Legal Exposures

Since legal exposure represents a significant portion of operational losses for many BHCs, a number of BHCs have analyzed and projected legal losses separately from non-legal losses. The Federal Reserve expects BHCs to include all legal reserves and settled legal losses in their total loss estimate for operational risk. BHCs have used various methods to estimate legal losses, such as applying a judgment-based add-on for significant losses; using legal reserves; using historical averages; or creating separate regression models for the clients, products, and business practices event type. To estimate litigation losses resulting from representations and warranties liabilities related to mortgage underwriting activities, some BHCs have developed hazard-rate models based on historical loan performance to estimate default rates and then estimated repurchase claim rates.

Market Risk and Counterparty Credit Risk

BHCs that have sizeable trading operations may incur significant losses from such operations under a stress scenario due to valuation changes stemming from credit and/or market risk, which may arise as a result of moves in risk factors such as interest rates, credit spreads, or equity and commodities prices, and counterparty credit risk owing to potential deterioration in the credit quality or outright default of a trading counterparty.37 BHCs use different techniques for estimating such potential losses. These techniques can be broadly grouped into two approaches: probabilistic approaches that generate a distribution of potential portfolio-level profit/loss (P/L) and deterministic approaches that generate a point estimate of portfolio-level losses under a specific stress scenario.

Both approaches have different strengths and weaknesses. A probabilistic approach can provide useful insight into a range of scenarios that generate stress losses in ways that a deterministic stress testing approach may not be able to do. However, the probabilistic approach is complex and often lacks transparency, and as a result, it can be difficult to communicate the relevant scenarios to senior managers and the board of directors. In addition, the challenges inherent in tying probabilistic loss estimates

37 Under the Federal Reserve's stress testing rules, BHCs with greater than $500 billion in total consolidated assets who are subject to the market risk rule (12 CFR part 225, appendix E) are required to apply the global market shock as part of their annual Dodd-Frank Act company-run stress tests.
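The loss distribution approach (LDA) discussed above, as an added, self-contained example that is not code from the reading or from any BHC: a frequency distribution and a severity distribution for one unit of measure are combined by Monte Carlo simulation into an annual loss distribution, the baseline estimate is read off as the mean or median, and the stressed estimate is read off at a percentile between the 70th and 98th rather than the 99.9th used by the AMA. The second CCAR usage (adjusting frequency from a macro correlation) is represented by a frequency multiplier. The Poisson frequency, the lognormal severity, their parameters and the 1.5 multiplier are constructed assumptions; the sensitivity table is the percentile-selection check the Federal Reserve expects BHCs to perform.

```python
"""Loss Distribution Approach (LDA) by Monte Carlo, standard library only.

Constructed example: the frequency/severity parameters below are
illustrative assumptions, not figures from any BHC or from the reading.
"""
import math
import random
from typing import Dict, List

# Constructed unit of measure: about 8 events per year, median severity 20,000.
BASE_LAMBDA = 8.0                 # Poisson mean event count per year (assumed)
BASE_MU = math.log(20_000)        # lognormal log-median severity (assumed)
BASE_SIGMA = 1.2                  # lognormal log-scale (assumed)


def poisson(rng: random.Random, lam: float) -> int:
    """Draw a Poisson(lam) event count with Knuth's method (fine for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_losses(lam: float, mu: float, sigma: float,
                           trials: int = 20_000, seed: int = 7,
                           freq_scale: float = 1.0) -> List[float]:
    """Annual loss distribution for one unit of measure.

    Frequency: Poisson with mean lam * freq_scale events per year.
    Severity:  lognormal(mu, sigma) per event.
    freq_scale applies a macro-correlated frequency adjustment (the second
    CCAR usage of LDA in the reading); 1.0 leaves the frequency unchanged.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        n = poisson(rng, lam * freq_scale)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return losses


def percentile(values: List[float], p: float) -> float:
    """Empirical quantile: smallest value with at least fraction p at or below it."""
    ordered = sorted(values)
    idx = max(0, min(len(ordered) - 1, math.ceil(p * len(ordered)) - 1))
    return ordered[idx]


def summarize(losses: List[float]) -> Dict[str, float]:
    """Baseline statistics (mean/median) and the stressed read-off points."""
    return {
        "mean": sum(losses) / len(losses),
        "median": percentile(losses, 0.50),
        "p70": percentile(losses, 0.70),
        "p98": percentile(losses, 0.98),
        "p999": percentile(losses, 0.999),   # the AMA point, for comparison
    }


def percentile_sensitivity(losses: List[float],
                           ps=(0.70, 0.80, 0.90, 0.95, 0.98)) -> Dict[float, float]:
    """Stressed estimate as a function of the chosen percentile."""
    return {p: percentile(losses, p) for p in ps}


if __name__ == "__main__":
    base = simulate_annual_losses(BASE_LAMBDA, BASE_MU, BASE_SIGMA)
    # Approach (2): frequency scaled up by an assumed macro-correlation factor.
    stressed_freq = simulate_annual_losses(BASE_LAMBDA, BASE_MU, BASE_SIGMA,
                                           freq_scale=1.5)
    for label, dist in (("unadjusted frequency", base),
                        ("frequency x1.5", stressed_freq)):
        print(label)
        for k, v in summarize(dist).items():
            print(f"  {k:>6}: {v:>14,.0f}")
    print("percentile sensitivity (unadjusted frequency)")
    for p, v in percentile_sensitivity(base).items():
        print(f"  {p:.2f}: {v:>14,.0f}")
```

The sensitivity table makes the point the reading stresses: the stressed loss estimate is a direct function of the percentile chosen, so the choice has to be justified for the scenario and its impact documented rather than treated as a model output.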
plausible. In particular, BHCs should take care in modeling dislocations and discordant moves of risk factors that normally move similarly. Additionally, while dislocations and discordant moves are expected under stress, BHCs should have a process to assess that the resulting joint moves of risk factors are reasonable. Also, the dislocations and discordant moves implied by a stress scenario may require risk-factor mappings that deviate from the normal mappings. BHCs should clearly document instances of such deviation and provide support.40

Revaluation Methodologies and P/L Estimates

market shock scenario. BHCs often use a model similar to that used for the incremental risk regulatory capital charge—a probabilistic approach based on some measure of PD, LGD, and EAD of counterparties or issuers—to estimate losses from possible defaults over some future horizon (e.g., to the typical margin period of risk). BHCs with leading practices also considered for their internal stress testing an explicit default scenario of one or more of their largest counterparties and/or customers. This approach has the benefit of allowing the BHC to consider targeted defaults of counterparties and customers to which the BHC has large exposures.

Key assumptions that may materially affect PPNR estimates should be consistent with assumed scenario conditions and internally consistent within each scenario, particularly assumptions related to the business model and strategy (e.g., deposit growth, pricing assumptions, expense reductions, and other management actions). Management is expected to evaluate the reasonableness and timing of projected strategies, including mitigating actions taken in a stressful scenario, to ensure that the assumptions reflect realistic and achievable outcomes for a given scenario. Where possible, assumptions should be supported by quantitative analysis or empirical evidence.

In all cases, BHCs should ensure that projections (including those of PPNR, loss, balance sheet size and composition, and RWA) present a coherent story within each scenario. BHCs should clearly establish a relationship among revenue, expenses, the balance sheet, and any applicable off-balance-sheet items and document how their process generates a consistent and coherent evolution of these items over the course of the scenario.42 For example, origination assumptions should be the same for projecting loan balances, related loan fees, origination costs, and loan losses. Similarly, there should be coherence among trading revenue projections, trading assets, trading liabilities, and trading RWA projections. Management should document the relationships among these items and avoid cases where outcomes move in counterintuitive directions.43

In addition, BHCs with stronger practices made projections based on a full exploration of the most relevant relationships between assumed scenario conditions and revenues and expenses. At these BHCs, business-line expertise was leveraged in the development of methodologies. A key part of this exploration was determining the way that revenues and expenses were segmented for projection purposes. BHCs with stronger practices did not rely exclusively on the line-item definitions in regulatory reports, though these BHCs often established a process to clearly map internal BHC reporting conventions to the various line items on the FR Y-14 schedules.

In contrast, BHCs with lagging practices lacked clear processes for translating assumed scenario conditions into revenue and expense projections. Frequently, it was observed that one or more material components of their projections appeared inconsistent with scenario conditions. In some cases, projections of certain revenue and expense components relied heavily on management judgment, which was not transparent, well supported, or subject to a robust challenge process. In other cases, revenue estimates varied from historical experience and conventional expectations, and management provided no documented support or analysis around the reasonableness and sensitivity of modeling assumptions. Overall, data limitations, unclear or unsubstantiated management assumptions, and poor documentation were the problems most prevalent across the BHCs.
baseline estimates is not problematic in itself, some BHCs relied heavily on baseline estimates to develop stress scenario outcomes without considering favorable strategic actions and assumptions incorporated into baseline results that might not be realistic or feasible under stressed conditions. If a BHC derives stressed estimates by applying a stress overlay to baseline estimates, it should demonstrate the link between baseline estimates and baseline conditions, demonstrate the appropriateness of the overlay based on the differing conditions between the scenarios, and appropriately consider changes in management actions or other related assumptions under a stress scenario.

BHCs with weaker practices used models with low predictive power, in part due to data limitations. BHCs should not use weak models just for the sake of using a modeled approach to PPNR. Some BHCs used weak models either as a frame of reference or a starting point to translate economic factors into estimates of key PPNR components, but then adjusted the results using expert judgment. In such cases, BHCs should thoroughly explain and document why results, once adjusted, are consistent with the scenario conditions.44 In cases where models have low predictive power, BHCs with stronger practices found other ways to compensate, such as using industry-level models with BHC-specific market share assumptions to project revenue. In all cases, BHCs with stronger practices provided supplemental analysis describing why the approach was appropriate.

In cases where BHC-specific data were limited, BHCs with stronger practices used external data to augment and extend their internal data. BHCs with weaker practices relied on models that were overly influenced by limited data covering a single economic cycle. This approach is particularly problematic if the BHC also experienced favorable conditions, such as a significant recovery, during the single cycle, which might not recur in future downturns. In some cases, data were limited to as few as 10 quarters, which would not encompass a period of economic weakening or be sufficient to estimate a robust model, and thus would not be appropriate for considering potential results in a downturn. Many BHCs cited challenges due to systems mergers or changes that limited data availability, but failed to adequately compensate for these limitations by supplementing internal data with external industry data, where appropriate, or by considering whether longer time series of available aggregate data would be preferable to a shorter time series of more granular data.

Some BHCs with weaker practices made business model and strategy assumptions (e.g., new business, expense reductions, the assumption of mitigating actions) that were not consistent with stressed scenario conditions and the intent of a capital planning and stress testing exercise. For example, management assumed it would be able to drastically reduce loan origination activity, cut expenses, or take other mitigating actions in a severely adverse scenario without considering the longer-term consequences on the BHC's strategy and operating structure.

The following sections provide specific expectations for projecting key components of PPNR, as well as summary points on observed range of practice.

Net Interest Income

Net interest income projections are closely linked to many other elements of a BHC's capital plan. Balance sheet assumptions used to project net interest income should be consistent with balance sheet assumptions considered as part of loss estimation as well as with other asset and liability management assumptions. Loan pricing should be consistent with both scenario conditions and competitive and strategic factors, including projected changes to the size of the portfolio. Deposit projections should incorporate the impact of strategic plans and pricing on deposit growth or decline, in addition to scenario factors.

Net interest income projections are expected to incorporate the balances and contractual terms of current portfolio holdings as well as the behavioral characteristics of these portfolios. The methods BHCs use to project their net interest income should be able to capture dynamic conditions for both current and projected balance sheet positions. Such conditions include but are not limited to prepayment rates, new business spreads, re-pricing rates due to changes in yield curves, behavior of embedded optionality such as caps or floors, call options, and/or changes in loan performance (that is, transition to nonperforming or default status) consistent with loss estimates.

Some BHCs specified product characteristics and conducted analysis around these characteristics (e.g., repricing behavior, line utilizations) both for current assets and new originations in order to understand the variance in behaviors under the different scenarios considered. They also attempted to capture the product mix changes that would occur as a result of customer and market conditions (e.g., changes in domestic deposit mix due to anticipated growth in demand for time deposits for a specified scenario). BHCs with stronger documentation practices provided detailed tables explaining underlying assumptions such as balance drivers and spread and growth assumptions by product.

Some BHCs partially integrated loss projections into net interest income projections but did not adequately align all projection-related assumptions. For example, these BHCs might take the full loan loss projections and allocate them across the portfolios

44 See id.
drivers. For example, while many BHCs showed significant declines in credit card gross-interchange fee revenue due to declines in consumer spending, some BHCs also assumed that significant declines in marketing expenses recorded as contra-revenue would more than offset the declines in gross interchange revenue, resulting in an increase in net revenue. Other BHCs assumed revenue components, such as fees or trading revenue, could not fall below historical levels.

Further, BHCs with weaker practices considered only a very limited set of scenario variables and/or drivers in establishing relationships, which resulted in estimates that appeared inconsistent with the scenario. For example, some BHCs used interest rates only to project origination activity or solely used asset balances (instead of the number of accounts) to estimate account fees. Other BHCs simply regressed high-level revenue items against scenario factors rather than considering how scenario conditions would affect the key drivers of those line items (such as volume). For instance, modeling interchange revenues or asset management fees is likely to be less effective than modeling customer spending or assets under management, respectively, given the scenario being used, and then considering fee and/or rate movement.

Non-Interest Expense

BHCs should fully consider the various impacts of the assumed scenario conditions on their non-interest expense projections, including costs that are likely to increase during a downturn. For example, items such as other real estate owned or credit-collection costs may spike, whereas management may have some ability to control other expenses. Like other projections, non-interest expense projections should be consistent with balance sheet and revenue estimates and should reflect the same strategic business assumptions. BHCs with weaker practices did not account for additional headcount needs in certain areas, nor for any corresponding changes to compensation expense associated with increased collections activity resulting from declines in portfolio quality and/or increased underwriting activity to support any assumed portfolio growth.

To the extent the projections assume mitigating actions to offset revenue declines, BHCs should demonstrate that such actions are attainable in the scenario, given assumed asset levels and the resources necessary to support operations. If the projections embed material expense reductions, such assumptions should be supported with analysis of historical data or empirical evidence and subject to challenge and review. BHCs with weaker practices assumed mitigating actions consistent with past actions but failed to consider how differences in the business environment and the severity of the economic conditions might affect their ability to execute such actions. BHCs are expected to evaluate the timing of projected strategies and their impact on future revenue, expenses, and operating structure.

BHCs with stronger practices had estimation methodologies that considered the drivers of individual expense items and the sensitivity of those drivers to changing scenario conditions and business strategies. They considered the timing of non-interest expense cuts and recognized that the BHC might not be able to react to a developing stressful scenario immediately or might be subject to existing contractual obligations that could not be altered. BHCs with weaker practices generated non-interest expense estimates that appeared unrealistic in light of assumed scenario conditions. Some BHCs assumed that they could immediately reduce costs through dramatic cuts in marketing and rewards programs, compensation, or other discretionary expenses. Projecting sizeable reductions in key expense components without providing sufficient support as to the reasonableness of the cuts, how management intends to realize the cuts, and how the cuts will affect future revenue is not acceptable. Additionally, such assumptions imply perfect knowledge of the conditions as they unfold, rather than a series of independent decisions that would be made by management as the scenario unfolds.

14.8 ASSESSING CAPITAL ADEQUACY IMPACT

Balance Sheet and RWAs

BHCs should have a well-documented process for generating projections of the size and composition of on- and off-balance sheet positions and RWA over the scenario horizon.48 Balance projections are a key input to enterprise-wide scenario analysis given their direct impact on the estimation of losses, PPNR, and RWA. Estimating the evolution of balance sheet size and composition under stress integrates many interrelated features. For example, loan balances and the stock of AFS securities at a point in time will depend upon origination, purchase, and sale activity from period to period, as well as maturities, prepayments, and defaults. Due to complexities related to dynamically projecting and integrating various components (e.g., originations, prepayments and defaults), most BHCs made direct projections of balances for each major segment of the balance sheet (e.g., loans, deposits, trading assets and liabilities, and other assets) for each quarter of the scenario horizon.

48 12 CFR 225.8(d)(2)(i)(A); see also FR Y-14A reporting form: Summary Schedule Instructions, p. 6.
significant balance sheet shrinkage with no consideration of the potential losses associated with reducing positions in periods of market stress; and (4) operating margin improvement. BHCs that make favorable assumptions should have sufficient evidence that they can be reasonably assured in the assumed stress

BHCs' RWA projections should be based on corresponding pro
attributes and should be consistent with the severity of the stress conditions under each scenario. For general credit-risk exposures, BHCs should project balances for material asset categories with sufficient granularity to facilitate application of regulatory risk-weighting approaches associated with different asset categories. For trading exposures, BHCs should translate

process for aggregating loss, revenue and expense, and on- and off-balance sheet and RWA estimates, as part of enterprise-wide scenario analysis, to assess the post-stress impact of those estimates on capital ratios. BHCs that are more effective at implementing such a process have established centralized groups

• combining loss, revenue, balance sheet, and RWA
• providing strong governance and controls around the process;

49 See id.
• ensuring coherence of component estimates and aggregate results; and
• applying and documenting any adjustments.50

These centralized groups have been able to source estimates from a range of internal parties involved in enterprise-wide scenario analysis and develop consolidated pro forma financial results that are internally consistent and conform to accounting standards.

BHCs with weaker practices had limited or no reconciliation procedures or other controls in place to ensure the integrity, completeness, and accuracy of the consolidated post-stress capital metrics. BHCs with weaker practices also had no process to ensure consistency in the BHC-wide application of scenario assumptions and management adjustments, and had weak governance and documentation standards.
Stress Testing Banks

Learning Objectives

After completing this reading you should be able to:
• Describe the historical evolution of the stress testing process and compare methodologies of historical EBA, CCAR and SCAP stress tests.
• Explain challenges in modeling a bank's revenues, losses, and its balance sheet over a stress test horizon period.

Excerpt by Til Schuermann is reprinted from the International Journal of Forecasting 30, no. 3, (2014) pp. 717-728.
ABSTRACT

How much capital and liquidity does a bank need to support its risk taking activities? During the recent (and still ongoing) financial crisis, answers to this question using standard approaches, e.g., regulatory capital ratios, were no longer credible, and thus broad-based supervisory stress testing became the new tool. Bank balance sheets are notoriously opaque and susceptible to asset substitution (easy swapping of high risk for low risk assets), so stress tests, tailored to the situation at hand, can provide clarity by openly disclosing details of the results and approaches taken, allowing trust to be regained. With that trust re-established, the cost-benefit of stress testing disclosures may tip away from bank-specific towards more aggregated information. This paper lays out a framework for the stress testing of banks: why it is useful and why it has become such a popular tool for the regulatory community in the course of the recent financial crisis; how stress testing is done (design and execution); and finally, with stress testing results in hand, how one should handle their disclosure, and whether it should be different in crisis vs. "normal" times.

15.1 INTRODUCTION

There are three kinds of capital and liquidity: (1) the capital/liquidity you have; (2) the capital/liquidity you need (to support your business activities); and (3) the capital/liquidity the regulators think that you need.1 Stress testing, regulatory capital/liquidity and bank-internal (so-called "economic capital/liquidity") models all seek to do the same thing: to assess the amount of capital and liquidity which is needed to support the business activities of the financial institution. Capital adequacy addresses the right side of the balance sheet (net worth), and liquidity the left side (share of assets that are "liquid", however defined). If all goes well, both the economic and regulatory capital/liquidity are less than the required regulatory minimum, and their difference (between economic and regulatory) is small, that is, regulatory models do not deviate substantially from the results of internal models.

Prior to their failure or near-failure, financial institutions such as Bear Stearns, Washington Mutual, Fannie Mae, Freddie Mac, Lehman and Wachovia were adequately or even well capitalized, at least according to the regulatory capital rules disclosed in their public filings.2 This set of institutions spans a broad range of regulatory capital regimes and regulators: the SEC and Basel 2 capital rules (Bear Stearns, Lehman), the OCC and the Federal Reserve and Basel 1 (Wachovia), the OTS (WaMu), and OFHEO (Fannie and Freddie)—the last actually based on a narrow stress scenario. All firms had a broad exposure to residential real estate assets, in the form of either whole loans (mortgages) or securities (MBS), or both, and all had internal risk models which may or may not have deviated materially from the regulatory models (we do not know this, as it is/was firm proprietary information).3 Yet the answer to the question of what is the capital you need vs. the capital you have came out wrong in each case. Of course, neither firm-internal (economic) nor regulatory capital and liquidity models can guarantee failure prevention; indeed, that is not their purpose, as every firm accepts some probability of failure, sized by its risk appetite. Nevertheless, the cascading of defaults, and the resulting deep skepticism of the market's stated capital adequacy, forced regulators to turn to a new tool for assessing the capital adequacy of banks in a credible way. That tool turned out to be stress testing.4

This paper lays out a framework for the stress testing of banks: why it is useful and why it has become such a popular tool for the regulatory community in the course of the recent financial crisis; how stress testing is done (design and execution); and finally, with stress testing results in hand, how one should handle their disclosure, and whether it should be different in crisis vs. "normal" times. The framework is equally applicable to capital and liquidity adequacy, but for the sake of simplicity, the bulk of the discussion will focus on capital.

A successful macro-prudential stress testing program, particularly in a crisis, has at least two components: first, a credible assessment of the capital strength of the tested institutions, to size the capital "hole" that needs to be filled, and second, a credible way of filling that hole. The US bank stress test in 2009, the Supervisory Capital Assessment Program or SCAP, may serve as a useful example. The US entered 2009 with an enormous uncertainty about the health of its banking system. In the absence of a more concrete and credible understanding of the problems with bank balance sheets, investors were reluctant to commit capital, especially given the looming threat of possible government dilution. With a credible assessment of losses under a sufficiently stressful macroeconomic scenario, the supervisors hoped to draw a line in the sand for the markets: fill this hole, and you won't risk being diluted later because the scenario wasn't tough enough. Moreover, if some institutions could not

1 This pithy summary I owe to Peter Nakada.
2 Kuritzkes and Scott (2009) make the case for a more market-oriented assessment of capital adequacy.
3 Lester, Reynolds, Schuermann, and Walsh (2012) report that, out of 16 banks (US and non-US) that publicly disclosed their economic capital before the crisis, four actually experienced losses exceeding those requirements, all of which were calibrated to at least the 99.9% level (implying an acceptable annual default probability of no more than 10bp).
4 Flannery (2012) argues that stress tests should be evaluated on a fair value (rather than book capital) basis.
266 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
convince investors to fill the hole, a US government program, namely the Treasury's Capital Assistance Program (CAP), stood ready to supply the required capital. Importantly, the US Treasury was a sufficiently credible debt issuer that the CAP promise was itself credible.5 All banks with assets greater than $100 bn (YE 2008) were included, accounting for two-thirds of the total assets and about half of the total loans in the US banking system. In the end, ten of the 19 SCAP banks were required to raise a total of $75 bn in capital within six months, and indeed raised $77 bn of Tier 1 common equity in that period.6 None needed to draw on CAP funds.

The European experience in 2010 and 2011 stands in stark contrast to the 2009 SCAP. Against the background of a looming sovereign debt crisis in the peripheral eurozone countries, the Committee of European Bank Supervisors (CEBS) conducted a stress test of 91 European banks in 2010, covering about two-thirds of the total European bank assets and at least half of that in any given participating country. The stress test included imposing haircuts on the market value of sovereign bonds held in the trading book; however, the bulk of the sovereign exposure was (and is) in the banking book. Of the 91 banks, only seven were required to raise a total of €3.5 bn (< $5 bn at the time) in capital. The level of disclosure provided was rather less than in the SCAP. For instance, loss rates by firm were only made available for two sub-categories: overall retail and overall corporate.7 By contrast, the SCAP results released loss rates by major asset class such as first-lien mortgages, credit cards, commercial real estate, and so on. Markets reacted benignly nonetheless— until a few months later, when Ireland requested financial assistance from the EU and the IMF. Subsequent stress tests of just the Irish banks, conducted largely by outside independent advisors (BlackRock), revealed a total capital need of €24 bn; all of these banks had previously passed the CEBS stress test. Moreover, to help close the credibility gap, the extent and degree of disclosure was far greater than in any of the stress testing exercises to date.8 The markets reacted favorably, with both bank and Irish sovereign credit spreads tightening. The stakes for the 2011 European stress test, now conducted by the successor to the CEBS— the European Banking Authority (EBA)— had risen substantially.

At first glance, the results of the 2011 EBA stress test of 90 banks in 21 countries were mild, similar to the previous year's.9 Eight banks were required to raise a total of only €2.5 bn. However, the degree of disclosure was much more extensive, approaching the high bar set by the Central Bank of Ireland in March 2011, including information on exposure by asset class by geography. Importantly, all bank level results were available to download in spreadsheet form, to enable market analysts to easily impose their own loss rate assumptions. In this way, the "official" results were no longer so final: analysts could (and did) easily apply their own sovereign haircuts on all exposures, and thus test the solvency of any of the 90 institutions themselves.

In an uncomfortable parallel to the Irish experience in 2010, the 2011 EBA stress test did nothing to alleviate concerns about the Spanish banking system. Five of the 25 Spanish banks in the EBA stress test did not pass, though once provisions and mandatory bond conversions (to equity) were taken into account, the required additional capital raise was €0. By the spring of 2012, Spain was engaged in or had announced several additional stress tests. First was the IMF's Financial Sector Assessment Program (FSAP), conducted jointly with the Banco de Espana. The results of this were released on June 8, 2012,10 with 11 of the 29 banks requiring a total of €17.7 bn capital using a post-stress hurdle similar to that of the SCAP (4% core Tier 1 capital), or 17 banks requiring a total of €37.1 bn using the higher hurdle of 7% core Tier 1 capital. Second was a short (4-week) top-down exercise conducted by two outside advisers (working in parallel to provide, ostensibly, two further independent assessments), and those results were released on June 21, 2012. No firm-specific results were provided, only an overall capital need. The first estimate, provided by Roland Berger, was €51.8 bn, while Oliver Wyman provided a range of €51-62 bn.12 A more detailed and intensive bottom-up analysis by Oliver Wyman followed, with results released on September 28, 2012, showing that 7 of the 14 banking groups needed a total of €57.3 bn using the post-stress core Tier 1 threshold of 6%;
Table 15.1 (disclosure summary; only the column headings survived extraction: SCAP Stress, March 2009; CCAR, March 2011; CCAR Stress, March 2012; June 8, 2012)
merger activity had resulted in a significant reduction in independent banking entities.13

A summary of the major macro-prudential stress tests to date is provided in Table 15.3, and a summary of their disclosures is given in Table 15.1.

The SCAP was the first of the macro-prudential stress tests of this crisis, but the changes at the micro-prudential or bank-specific level were at least equally significant, and they are summarized in Table 15.2. With the SCAP, stress testing at banks went from mostly single factor shocks (or a handful) to using a broad macro scenario with market-wide stresses; from product or business unit stress testing, focusing mostly on losses, to firm-wide and comprehensive testing, encompassing losses, revenues and costs; and with all of these tied to a post-stress capital ratio to ensure a going concern.

The remainder of the paper proceeds as follows. Section 2 briefly reviews the scant literature, and Section 3 provides a discussion of how to design the stress scenario, including the choice of a post-stress capital hurdle. Section 4 describes modeling approaches for the three components needed to implement stress testing: losses, net revenues (profitability), and balance sheet dynamics. Section 5 reviews the disclosure regimes across the different stress tests to date in more detail, and presents a discussion of disclosure in "normal" times, after which Section 6 provides some concluding remarks.

Table 15.2 Features of Stress Testing, Pre- and Post-SCAP

Pre-SCAP                                   Post-SCAP
• Mostly single shock                      • Broad macro scenario and market stress
• Product or business unit level           • Comprehensive, firm-wide
• Static                                   • Dynamic and path dependent
• Not usually tied to capital adequacy     • Explicit post-stress common equity threshold
• Losses only                              • Losses, revenues and costs

13 http://www.bde.es/f/webbde/SSICOM/20120928/informe_ow280912e.pdf.
Table 15.3a Summary of Macroprudential Stress Tests to Date

Columns: Target capital ratio(a) | # of participating banks(b) | Participation criteria (total coverage) | Balance sheet assumptions | Total required capital raise (for # of banks) | Risk types included: market (M), credit (C), liquidity/funding (L), operational (O)

CEBS, July 2010: 6% T1 | 91 (20 countries) | Largest banks in country until at least 50% of total assets are included (~2/3 of total banking assets) | Constant total assets | €3.5 bn (7) | M, C

Ireland, March 2011: 6% T1C; 10.5% T1C (in base) | 4 | Largest banks not in wind-down mode | Allowed for balance sheet shrinkage | €24 bn (4) | M, C, L, O

EBA, July 2011: 5% T1C | 90 (21 countries) | Largest banks in country until at least 50% of total assets are included (~2/3 of total banking assets) | Constant total assets | €2.5 bn (8) | M, C, L(c), O

CCAR, March 2012: 5% T1C; 4% T1; 8% Total; 3%-4% leverage | 19 | SCAP-19; an additional 11 BHCs with assets > $50 bn | | None(d) | M, C, O

Bottom-up, Sept. 28, 2012: 9% T1C [base]; 6% T1C [stress] | 14 entities | Large and medium banks and cajas, together making up ~90% of total bank assets | Deleveraging | €24.1 (5) [base]; €57.3 (7) [stress] | C, L

a T1: Tier 1 capital ratio; T1C: Tier 1 common (or core) capital ratio.
b Only banks with at least $100 bn in trading assets were required to conduct the market risk stress test.
c Liquidity risk was not assessed directly, though funding stresses were taken into account, especially as they related to sovereign stress impacting the funding costs for financial institutions.
d Four of the 19 did not pass, in the sense of not having gained non-objection to their submitted capital plans.
15.2 STRESS TESTING IN THE LITERATURE

Stress testing has been part of the risk manager's toolkit for a long time. It is perhaps the most basic of risk-based questions to want to know the resilience of an exposure to deteriorating conditions, be it a single position or loan or a whole portfolio. Typically, the stresses take the form of sensitivities (spreads double, prices drop, volatilities rise) or scenarios (Black Monday 1987, autumn of 1998, post-Lehman bankruptcy, severe recession, stagflation). These types of stresses lend themselves naturally to understanding financial risks, particularly in a data rich environment such as that found in a trading operation. Nonfinancial risks, such as operational, reputational and other business risks, are much harder to quantify and parameterize yet rely heavily on scenario analysis (earthquakes and other natural disasters, computer hacking, legal risks, and so on). While the original Basel I Accord of 1988 did not make any formal mention of stress testing, it merited its own section in the Market Risk Amendment of 1995, and thus became embedded in the regulatory codex. Indeed, evidence of stress testing capabilities is a requirement for regulatory approval of internal models.

Risk management as a technical discipline came into its own with the publication of the RiskMetrics technical document in 1994, and stress testing (of both kinds, sensitivities and scenarios) is mentioned throughout. The first edition of Jorion's standard-setting VaR book (Jorion, 1996) had a subsection devoted to the topic (which was elevated to a chapter in subsequent editions), and there must surely be earlier examples. Stress testing as a risk management discipline was found largely in the relatively data rich environment of the trading room, with the closely related treasury function of conducting interest rate scenarios and shocks.14 The Committee on Global Financial Systems (CGFS) of the BIS conducted a survey on stress testing in 2001, and it reinforces this view.15 In their summary of the CGFS report, Fender et al. (2001) point out that most of the scenarios involve shocks to market rates, prices or volatilities. Typical examples are equity market crashes such as October 1987, rates shocks such as 1994, credit spread widening such as during the fall of 1998, and so on. Such stress scenarios have the virtue of being

14 See Berkowitz (2000) and Kupiec (1998) for more extensive discussions of VaR-based stress testing.
15 See CGFS (2001) and the summary of its principal findings by Fender, Gibson, and Mosser (2001).
unambiguously articulated and defined, and are thus transparent and easy to implement and communicate, at least on assets that have themselves natural market prices or analogs, as is mostly the case in the trading book. More typical banking assets, such as corporate loans (especially to privately held firms) and consumer loans (e.g. auto loans), are less naturally amenable to this approach.

Formal stress testing of the banking book, which is dominated by credit risk, is more recent, partly because quantitative credit risk

and implementation of their stress tests. Brian Peters, then head of risk in bank supervision at the New York Fed, observed at an industry conference in March 2007 that no firm had a fully-developed program of integrated stress testing that captured all major financial risks on a firmwide basis.19 Market risk stress tests were most advanced, while corporate or enterprise-wide stress testing, whereby all businesses were subjected to a common set of stress scenarios, was in a developmental phase at best.

17 For an excellent overview and comparison of these and related models, see Koyluoglu and Hickman (1998).
18 The most recent guidance on counterparty credit risk, SR 11-10, has greatly expanded on stress testing expectations. All SR letters can be found at http://www.federalreserve.gov/bankinforeg/srletters/srletters.htm.
19 Presentation delivered at Marcus Evans conference "Implementing stress tests into the risk management process", Washington DC, March 1-2, 2007.
See http://www.federalreserve.gov/bankinforeg/bcreg20121115a3.xlsx.
(Lehman), and risk premia at the time arguably placed a significant probability on the kind of adverse real economic outcome painted by the tri-variate SCAP scenario. This solution achieved a loose coherence of the real and financial stresses. However, the price that one pays for choosing a historical scenario is the usual one: it does not test for anything new. Figures 15.3 and 15.4 compare some of these risk factors (real GDP, unemployment, equity and home prices indices) across the four US stress tests to date, both to each other and to actual realizations since 2008 Q4.

corresponding micro-outcomes: losses and revenues under adverse market and macroeconomic conditions? To date, there has been very little discussion in the public domain on how to solve this problem, except perhaps for stress testing the trading book. Indeed, one of the more important contributions of the supervisory stress tests in the US and Europe has been the accompanying methodology documents that have been disclosed by the supervisors, which are, understandably, more heavily focused on the banking book.21
Modeling Losses

For a firm which is active in many markets (product and geography), the first task is to map from the few macro-factors to the many intermediate risk factors that drive losses for particular products by geography. The EBA was forced to confront the problem of geographic heterogeneity directly, since it spans 21 sovereign nations with rather different economies. US supervisors, in stress testing an economic region only slightly smaller than that of the EBA, left the task of accounting for the not-inconsiderable geographic heterogeneity to individual firms. Regional differences are critical in modeling losses for real estate lending (residential and commercial), but are hardly limited to those products. Since the US experiences regional business cycles— the national business cycle obscures a considerable degree of variation across states— nearly all lending has some geographic component. For example, credit card losses are especially sensitive to unemployment, and in July 2011, with the national rate at 9.1%, the state-level unemployment rate ranged from 3.3% in North Dakota to 12.9% in Nevada. Similar dynamics are at work in wholesale lending, particularly for SME (small and medium enterprise) lending, whose performance has a strong geographic component.

The problem of mapping from macro to more intermediate risk factors is not limited to geography. An interesting example is auto lending and leasing, where the collateral assets are used cars. While auto sales invariably decline during a recession, and the decline in 2008-2009 was unprecedented in the post-war period, used car sales typically suffer less. Yes, households buy fewer cars in a recession, but if they do need to purchase a car, it is relatively more likely to be a used car. Thus, even if the default rate on auto loans increases significantly during a recession, the corresponding loss given default (LGD) or loss severity need not. A useful indicator of the health of the used car market, and thus the collateral of an auto lending portfolio, is the Manheim index. Over the course of the most recent recession (Dec. 2007-June 2009), the index rose 4%, while total new auto and light truck sales declined by 37%.

The problem of loose coupling of the loss severity to the business cycle is not limited to auto loans. Acharya, Bharath, and Srinivasan (2007) show that for corporate credit, an important determinant of LGD is whether the industry of the defaulted firm is in distress at the time of default. The authors make a compelling asset specificity argument: if the airline industry is in distress, and a bank is stuck with the collateral on defaulted air

provided on stressed probabilities of default (PDs) and stressed LGDs. Note that such guidance presumes that a bank has implemented an internal credit rating system for its commercial loan portfolio. For a Basel II bank this may not be unreasonable, since internal ratings, mapped to a common external scale such as those used by the rating agencies, are a cornerstone of the Accord. With a credit rating (internal or external) in hand, computing stressed default rates for the portfolio becomes a straightforward exercise, either by assigning higher PDs to a given rating, or by imposing a downward migration on the current portfolio.22 Since the EBA stress test was based on risk weighted assets (RWA) computed using Basel II risk weights, which are ratings sensitive, banks were forced to make use of stress migration matrices to compute not only increased defaults (the last column of the matrix), but also the entire future ratings distribution, to arrive at the correct RWA value. The US stress tests were conducted under Basel I risk weights, which are not obligor ratings sensitive. The fuss about RWA calculations is important, since the denominator of capital ratios, used to determine whether or not a bank needs to raise capital, is RWA. Clearly, this complicates any comparison of US and European stress test results.

Implementation in the trading book is more straightforward, and has been discussed extensively in the public domain; see inter alia Allen, Boudoukh, and Saunders (2004), Jorion (2007), or Rebonato (2010). In a nutshell, existing positions are simply repriced using the stress scenario risk factors, subject to the proviso that the risk factor mapping problem, discussed in Section 3, has been solved. The corresponding problem of stressing the counterparty credit risk that comes with the activities of derivatives has received less attention.23 Counterparty credit risk arises when, in a derivative transaction which is revalued to the stress scenario, the bank finds itself in the money (i.e., enjoys a derivative receivable), but cannot be sure that the counterparty to the transaction will be solvent in order to make good on the payment. Thus, the value is discounted, where the discount is a function of the expected default likelihood of the counterparty under the stress scenario, which is presumably higher than today. This adjustment is called a credit value adjustment (CVA), and banks with significant derivative activities manage CVA as a matter of course. As Canabarro (2010) and Hopper (2010) point out, the modeling challenge of stress testing counterparty credit risk is considerable. Not only does the PD of the counterparty change in a stressful environment, the exposure does likewise. Thus, any CVA stress test involves two distinct simulation exercises. If the
Figure 15.1 Projected coverages of losses with profits in the 2009 SCAP and 2011 EBA stress tests. (Bar charts of coverage by bank; only the panel labels survived extraction: "2012 CCAR P/L coverage", "Median: 63%", "Median: 66%".)
collateral posted by the counterparty is anything other than cash or a cash equivalent, a revaluation of that collateral under the same stress scenario needs to be added to the process.24

Modeling Revenues

Implementing stress scenarios on the revenue side of the equation remains largely a black box, and seems far less well developed than stress testing for losses. Neither the 2009 SCAP nor the otherwise richly documented 2011 EBA disclosures devoted much space or revealed much detail about the methods and approaches for computing revenues under stressful conditions. Banks' total income can be divided roughly into interest and non-interest income. The interest income is clearly a function of the yield curve and credit spreads posited under the stress scenario, but the net impact of rising or falling rates on bank profitability remains ambiguous, perhaps in part because of interest rate hedging strategies (English, 2002; Purnanandam, 2007). The impact of stress scenarios on the noninterest income, which includes service charges, fiduciary, fees, and other income (e.g., from trading), is far harder to assess, and there has been precious little discussion of its determinants in the literature. This is concerning, since Stiroh (2004) shows that not only has the share of noninterest income in US banks been rising steadily, from 25% in 1985 to 43% in 2001, but it is associated with a greater volatility and lower risk-adjusted returns. If we compare the 2009 SCAP, the 2011 EBA and the 2012 CCAR stress tests, the median bank in the US was able to cover about 58% of its total projected losses with profits (including reserve releases, if any) in 2009 and 63%

24 There is the added complication that major derivatives dealers actively manage CVA risk using a range of strategies and instruments that themselves vary in price and availability depending on market conditions.
Figure 15.2 Two year dynamic forecast (diagram: quarterly P&L feeding the balance sheet and the capital and liquidity ratios; not reproduced).
in 2012, compared with 66% in the European case. As Figure 15.1 shows, there is a considerable degree of variability across banks, especially in the EBA test, where in some cases profits are projected to outpace losses 4:1, even under the stress scenario!

Modeling the Balance Sheet

Recall that capital adequacy is defined in terms of a capital ratio, roughly capital over assets. Of course, both the numerator and denominator are nuanced. All supervisory stress tests have insisted, to varying degrees, that the relevant form of capital be common equity. The 2010 CEBS test allowed for some forms of hybrid capital which are typical of state participations, but the requirements were tightened a year later. As was discussed in Section 4.1, the denominator is typically risk-weighted assets (RWA), where the risk weights are determined by the prevailing regulatory capital regime, namely Basel I (in the US cases of the SCAP and CCAR) and Basel II (in the European stress tests). The many subtleties of what this implies are beyond the scope of this paper; suffice it to say that a bank may be forced to raise capital under one regime but not the other, and there is no way to know which regime will result in a more favorable treatment without knowing about the portfolio in considerable detail.

Regardless of the risk weight regime, determining the post-stress capital adequacy requires modeling of both the income statement and the balance sheet, both flows and stocks, over the course of the stress test horizon, which is typically two years. This is illustrated in Figure 15.2 below. The point of departure is the current balance sheet, at which point the bank meets the required capital (and, if included, liquidity) ratios. The starting balance sheet generates the first quarter's income and loss, which in turn determines the quarter-end balance sheet. The modeler is then faced with the problem of considering the nature and amount of new assets originated and/or sold during the quarter, and any other capital depleting or conserving actions such as acquisitions or spin-offs, dividend changes or share (re-)purchase or issuance programs, including employee stock and stock option programs. The problem of balance sheet modeling exists under a static (be it in raw form, as in the 2011 EBA, or in risk weighted form, as in the 2009 SCAP) or dynamic balance sheet assumption. The bank should not drop below the required capital (and liquidity) ratios in any quarter. Moreover, at the end of the stress horizon, the bank needs to estimate the amount of reserves needed to cover expected losses on loans and leases for the following year. In this way, the stress tests are really three years (or T + 1 years for a T-year stress test).

15.5 STRESS TESTING DISCLOSURE

Stress testing is here to stay, whether because it is just good risk management practice, or because it is enshrined in legislation (through the Dodd-Frank Act). In the debate on disclosure regimes, it is not clear that more is always better. We divide the discussion into crisis and noncrisis or normal times, with the simple point that normal times may not require or even desire the same degree of transparency as is clearly needed in times of crisis.
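The loss-modeling and balance-sheet mechanics of the two sections above, as one added worked example: a stressed migration matrix supplies both the default column and the full future ratings distribution (hence the RWA denominator), and a quarter-by-quarter roll-forward checks the post-stress common equity hurdle every quarter before adding the T+1 reserve. This is illustrative code written for this edition, not the paper's or any supervisor's; the ratings grid, migration matrix, risk weights, LGD, PPNR and starting book are all constructed assumptions, not Basel weights or any bank's data.

```python
"""Toy supervisory-style stress projection (added illustration, not the paper's
code). A stressed ratings migration matrix gives each quarter's defaults and the
full future ratings distribution (so RWA), and the balance sheet is rolled
forward quarter by quarter against a post-stress hurdle, with a T+1 reserve at
the end. All numbers are constructed for illustration only."""

RATINGS = ["A", "B", "C", "D"]  # D = default, an absorbing state

# Constructed one-quarter migration matrix: rows = current rating, cols = next.
BASE_MIGRATION = [
    [0.96, 0.03, 0.005, 0.005],
    [0.02, 0.92, 0.04, 0.02],
    [0.00, 0.05, 0.85, 0.10],
    [0.00, 0.00, 0.00, 1.00],
]

# Constructed, ratings-sensitive risk weights (illustrative, NOT Basel II).
# Defaulted exposure is written off against capital, so it carries no RWA.
RISK_WEIGHT = {"A": 0.5, "B": 1.0, "C": 1.5, "D": 0.0}


def stress_migration(matrix, shift):
    """Impose a downward migration: move `shift` of probability mass from each
    performing rating's 'stay' cell to the next notch down (toward default)."""
    stressed = [row[:] for row in matrix]
    for i in range(len(matrix) - 1):
        stressed[i][i] -= shift
        stressed[i][i + 1] += shift
    return stressed


def migrate(exposure, matrix):
    """One quarter of the Markov chain: new_j = sum_i exposure_i * M[i][j]."""
    n = len(matrix)
    return [sum(exposure[i] * matrix[i][j] for i in range(n)) for j in range(n)]


def rwa(exposure):
    """Risk-weighted assets from the current ratings distribution."""
    return sum(e * RISK_WEIGHT[r] for e, r in zip(exposure, RATINGS))


def project(exposure, capital, ppnr, lgd, matrix, quarters, hurdle):
    """Roll the book forward `quarters` times under a static 'constant total
    assets' assumption (as in the CEBS/EBA rows of Table 15.3): defaulted
    exposure is written off (loss = defaulted amount x LGD) and replaced by new
    originations in the starting rating mix. Capital moves by PPNR minus loss
    each quarter. Returns the quarterly path, the T+1 reserve for the following
    year's expected losses, and the worst shortfall against the hurdle (0 if
    the hurdle is never breached, including after the reserve)."""
    performing = exposure[:-1]
    total = sum(performing)
    mix = [e / total for e in performing]
    book = performing + [0.0]
    path, shortfall = [], 0.0

    def step(book):
        moved = migrate(book, matrix)
        defaulted = moved[-1]
        replenished = [moved[k] + defaulted * mix[k] for k in range(len(mix))]
        return replenished + [0.0], defaulted

    for q in range(1, quarters + 1):
        book, defaulted = step(book)
        loss = defaulted * lgd
        capital += ppnr - loss
        denom = rwa(book)
        shortfall = max(shortfall, hurdle * denom - capital)
        path.append({"quarter": q, "loss": loss, "rwa": denom,
                     "capital": capital, "ratio": capital / denom})

    # T+1: reserve for expected losses on the end-of-horizon book over 4 more quarters.
    reserve, look = 0.0, book
    for _ in range(4):
        look, defaulted = step(look)
        reserve += defaulted * lgd
    denom = rwa(book)
    shortfall = max(shortfall, hurdle * denom - (capital - reserve))
    return {"path": path, "reserve": reserve,
            "final_ratio": (capital - reserve) / denom,
            "shortfall": shortfall, "passed": shortfall == 0.0}


if __name__ == "__main__":
    start = [60.0, 30.0, 10.0, 0.0]  # constructed starting book by rating
    stressed = stress_migration(BASE_MIGRATION, 0.05)
    for label, m in (("base", BASE_MIGRATION), ("stress", stressed)):
        out = project(start, capital=6.0, ppnr=0.25, lgd=0.4, matrix=m,
                      quarters=8, hurdle=0.05)
        worst = min(p["ratio"] for p in out["path"])
        print(f"{label}: worst quarterly ratio {worst:.2%}, after T+1 reserve "
              f"{out['final_ratio']:.2%}, shortfall {out['shortfall']:.2f}")
```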
SCAP in 2009 opened Pandora's box by disclosing projected stress losses for each of the 19 participating banks, for eight different categories or asset classes, as well as resources other than capital for absorbing losses (mostly pre-provision net revenue and reserve releases, if any). Until then, regulatory disclosures (e.g., Y-9C reports for US bank holding companies) reported only realized losses (the past), not projected losses (a possible future). This allowed the market to check the severity of the stress test easily, not just in terms of the scenario, but also, and much more importantly, in terms of the resulting outcomes at the bank level. Given the crisis of confidence which was prevalent in the market at the time, this amount of transparency was crucial. Two years later, the CCAR displayed a radically different disclosure regime: only the macro-scenario was published, with no bank-level results. The only indications of bank-level outcomes were the subsequent dividend and other capital actions announced by some banks: banks which were allowed to raise their dividends were interpreted as having "passed" the stress test. The market digested this meager information event without a hiccup.

Dodd-Frank, however, requires the Fed to disclose the results of regular stress testing, and the 2012 CCAR, with the accompanying rules (final and proposed27), gave a glimpse of what regular disclosure might look like. The 2012 CCAR disclosed nearly the same level of detail as the 2009 SCAP, namely bank-level loss rates and dollar losses by major regulatory asset classes (following the categories of the FR Y-9C bank holding company reports): first and second lien mortgages, commercial and industrial (C&I) lending, CRE, credit cards, other consumer, and other loans. In addition, the Fed reported the dollar PPNR, gains/losses on the AFS/HTM securities portfolio, and trading and counterparty losses for those firms who were required to conduct the trading book stress.28 Again, as with the 2009 SCAP, the numbers reported were supervisory estimates, not the banks' own estimates of losses (and PPNR) under the stress scenario.

By contrast, the 2011 Irish and 2011 Europe-wide EBA stress tests, both of which were disclosed after the CCAR, were considerable in their detail, including comparisons of bank and third-party

27 http://www.gpo.gov/fdsys/pkg/FR-2011-12-01/pdf/2011-30665.pdf.
28 In 2012, these were the six institutions with the largest trading portfolios.
Figure 15.4 US equity and house price indices compared. Left panel: Dow Jones total stock market index level, stress-test scenarios vs. recent historical observations (index level 0 to 18,000 against stressed quarter 0 to 13). Right panel: House Price index, stress-test scenarios vs. recent historical observations. Series in both panels: CCAR 1 from 2010 Q4; CCAR 2 from 2011 Q3; CCAR 3 "severely adverse" from 2012 Q3; CCAR 3 "adverse" from 2012 Q3; SCAP "more adverse scenario" from 2008 Q4; Historical from 2008 Q4. (Plot not reproduced.)
Source: Fed, The Supervisory Capital Assessment Program: Design and Implementation, 24 April 2009; Fed, Comprehensive Capital Analysis and Review: Objectives and Overview, 18 March, 2011; Fed, "Comprehensive Capital Review" document and "Capital Plan review" 22 November 2011; Fed, "2013 Supervisory Scenarios" 15 November 2012; Datastream.
estimates of losses in the Irish case (revealing the bias that any bank is likely to have when estimating its own potential losses), and data in electronic, downloadable form in the EBA case. Ireland in particular was suffering from an acute credibility problem, having emerged from the CEBS stress test with flying colors in July 2010, only to require massive external aid four months later.

This difference in experiences between Europe and the US provides some hints on how to design a disclosure regime during "normal" times. The discussion of the benefits and costs of stress test disclosures by Goldstein and Sapra (2012) is helpful. They argue persuasively that in a world with frictions and strategic environments, the benefits (better market discipline) may not outweigh the costs: banks may make poor portfolio choices which are designed to maximize the chance of passing the test (window dressing), thereby giving up longer term value; while traders may place too much weight on the public information of stress test disclosure and lose their incentive to produce private information about the banks; and finally, with the information content of market prices having been damaged, market discipline is harmed, and supervisors will find market prices less useful for policy decisions (micro- as well as macro-prudential).

Clearly, some disclosure is still preferable to no disclosure, and Goldstein and Sapra propose the disclosure of aggregated but not necessarily bank-specific results, with sufficient information about category outcomes (loss rates by major asset class, for instance). Aggregation has the advantage of being less wrong, since the idiosyncratic errors in estimating bank conditions under hypothesized stress scenarios are averaged out. In this way, supervisors can still provide the useful macro-prudential information which only they can provide— loss rates by asset class, total capital decline in the system (or significant fraction of the banking system)— without drowning out signals about individual banks from the market participants themselves. Such a disclosure gives the market an anchor point for system-wide possibilities, without diluting the incentive to dig hard into a particular firm's financials.

During times of crisis, with the enormous uncertainty about the health of the banking system, the benefit of detailed bank-specific stress test disclosure is significant, given the ability of supervisors to assess the health of individual firms correctly, and the resulting inability of the market to distinguish between a good bank and a bad. Indeed, Goldstein and Sapra argue that stress
Acharya, V., Mehran, H., Schuermann, T., & Thakor, A. (2011). Robust capital regulation. Federal Reserve Bank of New York Staff report no. 490.

Allen, L., Boudoukh, J., & Saunders, A. (2004). Understanding market, credit and operational risk: the value at risk approach. Blackwell: New York, NY.

Bangia, A., Diebold, F. X., Kronimus, A., Schagen, C., & Schuermann, T. (2002). Ratings migration and the business cycle, with applications to credit portfolio stress testing. Journal of Banking and Finance, 26(2-3), 235-264.

Berkowitz, J. (2000). A coherent framework for stress testing. Journal of Risk, 2, 1-11.

Board of Governors of the Federal Reserve System (2012). Comprehensive capital analysis and review 2012: methodology and results for stress scenario projections. 13 March, 2012. Available at: http://www.federalreserve.gov/newsevents/press/bcreg/bcreg20120313a1.pdf.

Canabarro, E. (2010). Pricing and hedging counterparty risk: lessons relearned? In E. Canabarro (Ed.), Counterparty credit risk (Chapter 6). London, UK: Risk Books.

Committee on the Global Financial System (2001). A survey of stress tests and current practice at major financial institutions. Available at: http://www.bis.org/publ/cgfs18.htm.

Dang, T.V., Gorton, G., & Holmstrom, B. (2010). Financial crises and the optimality of debt for liquidity provision. Working paper. Available at: http://mfi.uchicago.edu/publications/papers/ignorance-crisis-and-the-optimality-of-debt-for-liquidity-provision.pdf.

English, W. B. (2002). Interest rate risk and bank net interest margins. BIS Quarterly Review, December, 67-82.

European Banking Authority (2011). 2011 EU-wide stress test: methodological note. 18 March 2011. Available at: http://www.eba.europa.eu/EU-wide-stress-testing/2011/The-EBA-publishes-

Gupton, G. M., Finger, C., & Bhatia, M. (1997). CreditMetrics™ — technical document. This version: April 2. J.P. Morgan. Available at: http://www.defaultrisk.com/_pdf6j4/creditmetrics_techdoc.pdf.

Hopper, G. (2010). Stress testing and scenario analysis: some second generation approaches. In E. Canabarro (Ed.), Counterparty credit risk (Chapter 71). London, UK: Risk Books.

Jorion, P. (1996). Value at risk: the new benchmark for managing financial risk (1st ed.). New York, NY: McGraw Hill.

Jorion, P. (2007). Value at risk: the new benchmark for managing financial risk (3rd ed.). New York, NY: McGraw Hill.

Koyluoglu, H. U., & Hickman, A. (1998). Credit risk: reconcilable differences. Risk, 11(10), 56-62.

Kupiec, P. H. (1998). Stress testing in a value at risk framework. Journal of Derivatives, 6(1), 7-24.

Kuritzkes, A., & Scott, H. (2009). Markets are the best judge of bank capital. Financial Times, September 23.

Lester, J., Reynolds, P., Schuermann, T., & Walsh, D. (2012). Strategic capital: defining an effective real world view of capital. Oliver Wyman financial services report. Available at: http://www.oliverwyman.com/strategic-capital-defining-an-effective-real-world-view-of-capital.htm.

Morgan, D. P. (2002). Rating banks: risk and uncertainty in an opaque industry. American Economic Review, 92(4), 874-888.

Purnanandam, A. (2007). Interest rate risk management at commercial banks: an empirical investigation. Journal of Monetary Economics, 54, 1769-1808.

Rebonato, R. (2010). Coherent stress testing: a Bayesian approach to the analysis of financial stress. New York: John Wiley & Sons.

Stiroh, K. (2004). Diversification in banking: is noninterest
• Explain how risks can arise through outsourcing activities to third-party service providers, and describe elements of an effective program to manage outsourcing risk.
• Describe topics and provisions that should be addressed in a contract with a third-party service provider.

Excerpt is Supervisory Letter SR 13-19/CA 13-21 from the Board of Governors of the Federal Reserve System, December 2013.
16.1 PURPOSE

In addition to traditional core bank processing and information technology services, financial institutions1 outsource operational activities such as accounting, appraisal management, internal audit, human resources, sales and marketing, loan review, asset and wealth management, procurement, and loan servicing. The Federal Reserve is issuing this guidance to financial institutions to highlight the potential risks arising from the use of service providers and to describe the elements of an appropriate service provider risk management program. This guidance supplements existing guidance on technology service provider (TSP) risk,2 and applies to service provider relationships where business functions or activities are outsourced. For purposes of this guidance, "service providers" is broadly defined to include all entities3 that have entered into a contractual relationship with a financial institution to provide business functions or activities.

• Country risks arise when a financial institution engages a foreign-based service provider, exposing the institution to possible economic, social, and political conditions and events from the country where the provider is located.
• Operational risks arise when a service provider exposes a financial institution to losses due to inadequate or failed internal processes or systems or from external events and human error.
• Legal risks arise when a service provider exposes a financial institution to legal expenses and possible lawsuits.

16.3 BOARD OF DIRECTORS AND SENIOR MANAGEMENT RESPONSIBILITIES

The use of service providers does not relieve a financial institution's board of directors and senior management of their responsibility to ensure that outsourced activities are conducted

tomer information or new bank products or services; or pose material compliance risk.

3 Entities may be a bank or nonbank, affiliated or non-affiliated, regulated or non-regulated, or domestic or foreign.
The depth and formality of the service provider risk management program will depend on the criticality, complexity, and number of material business activities being outsourced. A community banking organization may have critical business activities being outsourced, but the number may be few and to highly reputable service providers. Therefore, the risk management program may be simpler and use fewer elements and considerations. For those financial institutions that may use hundreds or thousands of service providers for numerous business activities that have material risk, the financial institution may find that they need to use many more elements and considerations of a service provider risk management program to manage the higher level of risk and reliance on service providers.

While the activities necessary to implement an effective service provider risk management program can vary based on the scope and nature of a financial institution's outsourced activities, effective programs usually include the following core elements:

A. Risk assessments;
B. Due diligence and selection of service providers;
C. Contract provisions and considerations;
D. Incentive compensation review;
E. Oversight and monitoring of service providers; and
F. Business continuity and contingency plans.

B. Due Diligence and Selection of Service Providers

A financial institution should conduct an evaluation of and perform the necessary due diligence for a prospective service provider prior to engaging the service provider. The depth and formality of the due diligence performed will vary depending on the scope, complexity, and importance of the planned outsourcing arrangement, the financial institution's familiarity with prospective service providers, and the reputation and industry standing of the service provider. Throughout the due diligence process, financial institution technical experts and key stakeholders should be engaged in the review and approval process as needed. The overall due diligence process includes a review of the service provider with regard to:

1. Business background, reputation, and strategy;
2. Financial performance and condition; and
3. Operations and internal controls.

1. Business Background, Reputation, and Strategy

Financial institutions should review a prospective service provider's status in the industry and corporate history and qualifications; review the background and reputation of the service provider and its principals; and ensure that the service provider has an appropriate background check program for its employees.
3. Operations and Internal Controls

Financial institutions are responsible for ensuring that services provided by service providers comply with applicable laws and regulations and are consistent with safe-and-sound banking practices. Financial institutions should evaluate the adequacy of standards, policies, and procedures. Depending on the characteristics of the outsourced activity, some or all of the following may need to be reviewed:

• Internal controls;
• Facilities management (such as access requirements or sharing of facilities);
• Training, including compliance training for staff;
• Security of systems (for example, data and equipment);
• Privacy protection of the financial institution's confidential information;
• Maintenance and retention of records;
• Business resumption and contingency planning;
• Systems development and maintenance;
• Service support and delivery;
• Employee background checks; and
• Adherence to applicable laws, regulations, and supervisory guidance.

C. Contract Provisions and Considerations

Financial institutions should understand the service contract and legal issues associated with proposed outsourcing arrangements. The terms of service agreements should be defined in written contracts that have been reviewed by the financial institution's legal counsel prior to execution. The characteristics of the business activity being outsourced and the service provider's

• Terms governing the use of the financial institution's property, equipment, and staff.
• Cost and compensation: Contracts should describe the compensation, variable charges, and any fees to be paid for non-recurring items and special requests. Agreements should also address which party is responsible for the payment of any legal, audit, and examination fees related to the activity being performed by the service provider. Where applicable, agreements should address the party responsible for the expense, purchasing, and maintenance of any equipment, hardware, software or any other item related to the activity being performed by the service provider. In addition, financial institutions should ensure that any incentives (for example, in the form of variable charges, such as fees and/or commissions) provided in contracts do not provide potential incentives to take imprudent risks on behalf of the institution.
• Right to audit: Agreements may provide for the right of the institution or its representatives to audit the service provider and/or to have access to audit reports. Agreements should define the types of audit reports the financial institution will receive and the frequency of the audits and reports.
• Establishment and monitoring of performance standards: Agreements should define measurable performance standards for the services or products being provided.
• Confidentiality and security of information: Consistent with applicable laws, regulations, and supervisory guidance, service providers should ensure the security and confidentiality of both the financial institution's confidential information and the financial institution's customer information. Information security measures for outsourced functions should be viewed as if the activity were being performed by the financial institution and afforded the same protections. Financial institutions have a responsibility to ensure service providers take
appropriate measures designed to meet the objectives of the information security guidelines within Federal Financial Institutions Examination Council (FFIEC) guidance,4 as well as comply with section 501(b) of the Gramm-Leach-Bliley Act. These measures should be mapped directly to the security processes at financial institutions, as well as be included or referenced in agreements between financial institutions and service providers.

Service agreements should also address service provider use of financial institution information and its customer information. Information made available to the service provider should be limited to what is needed to provide the contracted services. Service providers may reveal confidential supervisory information only to the extent authorized under applicable laws and regulations.5

If service providers handle any of the financial institution customer's Nonpublic Personal Information (NPPI), the service providers must comply with applicable privacy laws and regulations.6 Financial institutions should require notification from service providers of any breaches involving the disclosure of NPPI data. Generally, NPPI data is any nonpublic personally identifiable financial information; and any list, description, or other grouping of consumers (and publicly available information pertaining to them) derived using any personally identifiable financial information that is not publicly available.7

Financial institutions and their service providers who maintain, store, or process NPPI data are responsible for that information and any disclosure of it. The security of, retention of, and access to NPPI data should be addressed in any contracts with service providers.

When a breach or compromise of NPPI data occurs, financial institutions have legal requirements that vary by state and these requirements should be made part of the contracts between the financial institution and any service provider that provides storage, processing, or transmission of NPPI data. Misuse or unauthorized disclosure of confidential customer data by service providers may expose financial institutions to liability or action by a federal or state regulatory agency. Contracts should clearly authorize and disclose the roles and responsibilities of financial institutions and service providers regarding NPPI data.

• Ownership and license: Agreements should define the ability and circumstances under which service providers may use financial institution property inclusive of data, hardware, software, and intellectual property. Agreements should address the ownership and control of any information generated by service providers. If financial institutions purchase software from service providers, escrow agreements may be needed to ensure that financial institutions have the ability to access the source code and programs under certain conditions.8
• Indemnification: Agreements should provide for service provider indemnification of financial institutions for any claims against financial institutions resulting from the service provider's negligence.
• Default and termination: Agreements should define events of a contractual default, list of acceptable remedies, and provide opportunities for curing default. Agreements should also define termination rights, including change in control, merger or acquisition, increase in fees, failure to meet performance standards, failure to fulfill the contractual obligations, failure to provide required notices, and failure to prevent violations of law, bankruptcy, closure, or insolvency. Contracts should include termination and notification requirements that provide financial institutions with sufficient time to transfer services to another service provider. Agreements should also address a service provider's preservation and timely return of financial institution data, records, and other resources.
• Dispute resolution: Agreements should include a dispute resolution process in order to expedite problem resolution and address the continuation of the arrangement between the parties during the dispute resolution period.
• Limits on liability: Service providers may want to contractually limit their liability. The board of directors and senior management of a financial institution should determine whether the proposed limitations are reasonable when compared to the risks to the institution if a service provider fails to perform.9
• Insurance: Service providers should have adequate insurance and provide financial institutions with proof of insurance. Further, service providers should notify financial institutions when there is a material change in their insurance coverage.

4 For further guidance regarding vendor security practices, refer to the FFIEC Information Security Booklet (July 2006) at http://ithandbook.ffiec.gov/it-booklets/information-security.aspx.

5 See 12 CFR Part 261.

6 See 12 CFR Part 1016.

7 See 12 U.S.C. 6801(b).

8 Escrow agreements are established with vendors when buying or leasing products that have underlying proprietary software. In such agreements, an organization can only access the source program code under specific conditions, such as discontinued product support or financial insolvency of the vendor.

9 Refer to SR letter 06-4, "Interagency Advisory on the Unsafe and Unsound Use of Limitations on Liability Provisions in External Audit Engagement Letters," regarding restrictions on the liability limitations for external audit engagements at http://www.federalreserve.gov/boarddocs/srletters/2006/SR0604.htm.
disaster recovery and contingency plans. Agreements may include a service provider's responsibility for testing of plans and providing testing results to financial institutions.

• Foreign-based service providers: For agreements with foreign-based service providers, financial institutions should consider including express choice of law and jurisdictional provisions that would provide for the adjudication of all disputes between the two parties under the laws of a single, specific jurisdiction. Such agreements may be subject to the interpretation of foreign courts relying on local laws. Foreign law may differ from U.S. law in the enforcement of contracts. As a result, financial institutions should seek legal advice regarding the enforceability of all aspects of proposed contracts with foreign-based service providers and the other legal ramifications of such arrangements.
• Subcontracting: If agreements allow for subcontracting, the same contractual provisions should apply to the subcontractor. Contract provisions should clearly state that the primary service provider has overall accountability for all services that the service provider and its subcontractors provide. Agreements should define the services that may be subcontracted, the service provider's due diligence process for engaging and monitoring subcontractors, and the notification and approval requirements regarding changes to the service provider's subcontractors. Financial institutions should pay special attention to any foreign subcontractors, as information security and data privacy standards may be different in other jurisdictions. Additionally, agreements should include the service provider's process for assessing the subcontractor's financial condition to fulfill contractual obligations.

D. Incentive Compensation Review

Financial institutions should also ensure that an effective process is in place to review and approve any incentive compensation that may be embedded in service provider contracts, including

the customer.

E. Oversight and Monitoring of Service Providers

To effectively monitor contractual requirements, financial institutions should establish acceptable performance metrics that the business line or relationship management determines to be indicative of acceptable performance levels. Financial institutions should ensure that personnel with oversight and management responsibilities for service providers have the appropriate level of expertise and stature to manage the outsourcing arrangement. The oversight process, including the level and frequency of management reporting, should be risk-focused. Higher risk service providers may require more frequent assessment and monitoring and may require financial institutions to designate individuals or a group as a point of contact for those service providers. Financial institutions should tailor and implement risk mitigation plans for higher risk service providers that may include processes such as additional reporting by the service provider or heightened monitoring by the financial institution. Further, more frequent and stringent monitoring is necessary for service providers that exhibit performance, financial, compliance, or control concerns. For lower risk service providers, the level of monitoring can be lessened.

Financial condition: Financial institutions should have established procedures to monitor the financial condition of service providers to evaluate their ongoing viability. In performing these assessments, financial institutions should review the most recent financial statements and annual report with regard to outstanding commitments, capital strength, liquidity and operating results. If a service provider relies significantly on subcontractors to provide services to financial institutions, then the service provider's controls and due diligence regarding the subcontractors should also be reviewed.
Internal controls: For significant service provider relationships, financial institutions should assess the adequacy of the provider's control environment. Assessments should include reviewing available audits or reports such as the American Institute of Certified Public Accountants' Service Organization Control 2 report. If the service provider delivers information technology services, the financial institution can request the FFIEC Technology Service Provider examination report from its primary federal regulator. Security incidents at the service provider may also necessitate the institution to elevate its monitoring of the service provider.

Escalation of oversight activities: Financial institutions should ensure that risk management processes include triggers to escalate oversight and monitoring when service providers are failing to meet performance, compliance, control, or viability expectations. These procedures should include more frequent and stringent monitoring and follow-up on identified issues, on-site control reviews, and when an institution should exercise its right to audit a service provider's adherence to the terms of the agreement. Financial institutions should develop criteria for engaging alternative outsourcing arrangements and terminating the service provider contract in the event that identified issues are not adequately addressed in a timely manner.

F. Business Continuity and Contingency Considerations

Various events may affect a service provider's ability to provide contracted services. For example, services could be disrupted by a provider's performance failure, operational disruption, financial difficulty, or failure of business continuity and contingency plans during operational disruptions or natural disasters. Financial institution contingency plans should focus on critical services provided by service providers and consider alternative arrangements in the event that a service provider is unable to perform.11 When preparing contingency plans, financial institutions should:

• Ensure that a disaster recovery and business continuity plan exists with regard to the contracted services and products;
• Assess the adequacy and effectiveness of a service provider's disaster recovery and business continuity plan and its alignment to their own plan;10
• Document the roles and responsibilities for maintaining and testing the service provider's business continuity and contingency plans;
• Test the service provider's business continuity and contingency plans on a periodic basis to ensure adequacy and effectiveness; and
• Maintain an exit strategy, including a pool of comparable service providers, in the event that a contracted service provider is unable to perform.

G. Additional Risk Considerations

Suspicious Activity Report (SAR) reporting functions: The confidentiality of suspicious activity reporting makes the outsourcing of any SAR-related function more complex. Financial institutions need to identify and monitor the risks associated with using service providers to perform certain suspicious activity reporting functions in compliance with the Bank Secrecy Act (BSA). Financial institution management should ensure they understand the risks associated with such an arrangement and any BSA-specific guidance in this area.

Foreign-based service providers: Financial institutions should ensure that foreign-based service providers are in compliance with applicable U.S. laws, regulations, and regulatory guidance. Financial institutions may also want to consider laws and regulations of the foreign-based provider's country or regulatory authority regarding the financial institution's ability to perform on-site review of the service provider's operations. In addition, financial institutions should consider the authority or ability of home country supervisors to gain access to the financial institution's customer information while examining the foreign-based service provider.

Internal audit: Financial institutions should refer to existing guidance on the engagement of independent public accounting firms and other outside professionals to perform work that has been traditionally carried out by internal auditors. The Sarbanes-Oxley Act of 2002 specifically prohibits a registered

10 Refer to www.AICPA.org.

11 For further guidance regarding business continuity planning with service providers, refer to the FFIEC Business Continuity Booklet (March 2008) at http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning.aspx.

12 Refer to SR 13-1, "Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing," specifically the section titled, "Depository Institutions Subject to the Annual Audit and Reporting Requirements of Section 36 of the FDI Act" at http://www.federalreserve.gov/bankinforeg/srletters/sr1301.htm. Refer also to SR 03-5, "Amended Interagency Guidance on the Internal Audit Function and Its Outsourcing," particularly the section titled, "Institutions Not Subject to Section 36 of the FDI Act That Are Neither Public Companies Nor Subsidiaries of Public Companies" at http://www.federalreserve.gov/boarddocs/srletters/2003/sr0305.htm.
Management of Risks Associated with Money Laundering and Financing of Terrorism

Learning Objective

After completing this reading you should be able to:

• Awareness of an array of official sector pronouncements. Among the most important are standards issued by the Financial Action Task Force (FATF), an intergovernmental coordinating body.1

2. The risk function and/or the function under the chief ML/FT officer must monitor the effectiveness of first line management of ML/FT risks and compliance with all policies and procedures. Conflicts of interest on the part of second line employees should be avoided. The chief ML/FT officer should have direct reporting lines to senior management or the board.

3. Internal auditors and/or external equivalents should independently evaluate ML/FT risk management and controls.

1 FATF, "International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation," February 2012; and "Methodology" February 2013.
17.3 RISK ASSESSMENT

Banks should assess and understand the ML/FT risks inherent within their businesses and customer base:

• All relevant risk factors at the country, sector, bank and business relationship levels should be considered. Characteristics of the customer base, products and services offered, and delivery channels should be considered.
• For each customer or business relationship, a profile of normal activity should be built to support identification of abnormal activity.
• Risk assessments should be documented for potential inspection by authorities.
• International banks should be attentive to national risk assessments and country reports.

17.4 CUSTOMER DUE DILIGENCE AND ACCEPTANCE

Some customers pose a low risk of involving a bank in ML/FT activity (e.g., a long established client employed in the community with regular, small account inflows and outflows) and some pose a high risk (e.g., a person with a past record of criminal activity with large and intermittent account inflows and outflows). If a bank chooses to do business with a high-risk customer, more intensive ongoing monitoring of that customer's activity is needed. Moreover, to classify customers by level of risk, a bank should have well-developed customer identification and acceptance policies and procedures. Such policies and procedures should not prevent the general public, nor people who are financially or socially disadvantaged, from accessing banking services.

• Written policies and procedures should exist to ensure that a customer is not accepted, and business is not done, until the customer's identity has been satisfactorily established. Reliable, independent source documents and information should be used in identification. Consideration should be given to a customer's home jurisdiction(s), including whether that jurisdiction is known to have ML/FT deficiencies. The reasons the customer is opening accounts should also be considered.
• Politically exposed persons (PEP), such as former high government officials, pose higher risk given the possibility that some wealth may have been obtained through corruption.
• Consider the potential customer's background, occupation, source of wealth and income, and country of origin and residence.
• Though information about a customer's previous banking relationships may be helpful, the fact that a customer previously had accounts at another bank is not sufficient to classify the customer as low-risk or as well-identified. For example, the previous bank may have ejected the customer due to ML/FT concerns.
• Due diligence and monitoring may be more complex for banks operating internationally, particularly for those operating in jurisdictions that do not permit customer information to cross borders. However, information should be combined and analyzed across the group as much as possible.
• In some jurisdictions, banks may be permitted to rely on third parties for some customer due diligence. Banks should ensure that the third parties' own management of ML/FT risks is sound and are ultimately responsible even if decisions are made by third parties. Arrangements, controls and reviews should be documented.

17.5 TRANSACTION AND OTHER MONITORING AND REPORTING

Banks should monitor customer and transaction activity for unusual patterns to identify potential ML/FT activity.

• A profile of normal activity and transactions must be built in order to aid identification of abnormal activity, such as unusual business relationships and transactions.
• The higher the assessment of the risk posed by a customer, the more intense and wide-ranging the monitoring.
• Changes in a customer's risk profile should trigger changes in the intensity of monitoring.
• Monitoring should cover all accounts and transactions.
• CDD information should be used.
• The larger and more complex the bank and its businesses, and the more international its operations, the more likely that automated monitoring applications will be needed.
• Monitoring activity should be documented.
• Especially where required by law, suspicious activity revealed by monitoring should be reported to appropriate law enforcement authorities.

17.6 CORRESPONDENT BANKING

Correspondent banking involves the provision of banking services by one bank to another bank. Of most concern in the context of ML/FT is execution of cross-border payments by a correspondent bank for a respondent bank's customer.

Chapter 17 Management of Risks Associated with Money Laundering and Financing of Terrorism ■ 291

• Because the correspondent bank does not have a relationship with the ultimate customer, it must perform due diligence on the respondent bank. Details of the services provided and of counterparties are relevant to the risk. The quality of the respondent banks' management of ML/FT risks is vitally important. As such, due diligence must be done on such management, and agreements among correspondent and respondent banks should set out responsibilities.
• Some correspondent banking activity involves nested respondent banks (i.e., the ultimate customer may have a relationship with the respondent bank's respondent bank). For example, a small bank might use a medium-sized bank, which in turn uses a large international bank as correspondent. Though many legitimate transactions and activities are conducted through such nested relationships, ML/FT risks are higher. This is especially true if relationships among respondent banks cross borders.
• When information about the risk changes, termination of correspondent banking relationships with a respondent bank may be appropriate.

17.8 INTERNATIONAL SCOPE

Banks with a presence in multiple countries should:

• Understand and abide by laws and regulations in each country. If a country's laws and regulations prevent adequate management of ML/FT risks, consider cessation of business in the country.
• Apply consistent group-wide policies and procedures.
• Share information across the group and use groupwide information and understanding in monitoring and risk assessment.

Good official-sector supervisory examination and enforcement in each country of bank management of ML/FT risks is important to global containment of ML/FT activity.

References

Basel Committee on Banking Supervision, 2016, "Sound Management of Risks Related to Money Laundering and Financing of Terrorism."

Financial Action Task Force, 2016, "The FATF Recommendations."
Regulation of the OTC Derivatives Market

Learning Objectives

After completing this reading you should be able to:

Excerpt is Chapter 17 of Risk Management and Financial Institutions, Fifth Edition, by John C. Hull.
The exchange-traded market is a market where products developed by an exchange are bought and sold on a trading platform developed by the exchange. A market participant's trade must be cleared by a member of the exchange clearing house. The exchange clearing house requires margin (i.e., collateral) from its members, and the members require margin from the brokers whose trades they are clearing. The brokers in turn require margin from their clients.

The OTC market is a market where financial institutions, fund managers, and corporate treasurers deal directly with each other. An exchange is not involved. Before the 2007-2008 credit crisis, the OTC market was largely unregulated. Two market participants could enter into any trade they liked. They could agree to post collateral or not post collateral. They could agree to clear the trade directly with each other or use a third party. Also, they were under no obligation to disclose details of the trade to anyone else.

Since the crisis, the OTC market has been subject to a great deal of regulation. This chapter will explain the regulations and show that regulatory pressure is leading to the OTC market becoming more like the exchange-traded market.

18.1 CLEARING IN OTC MARKETS

We start by describing how transactions are cleared in the OTC market. There are two main approaches: central clearing and bilateral clearing. They are illustrated schematically in Figure 18.1 (which makes the simplifying assumption that there are only eight market participants and only one CCP). In bilateral clearing, market participants clear transactions with each other. In central clearing, a third party, known as a central counterparty (CCP), clears the transactions.

Figure 18.1 Bilateral and central clearing. (Panels: "Bilateral clearing" and "Clearing through a single CCP".)

Variation margin is the collateral posted to reflect the change in the value of a derivatives portfolio. Consider the situation where Party A is trading with Party B and the collateral agreement states that variation margin (with no threshold or minimum transfer amount) has to be posted by both sides.1 This means that, if the value of outstanding transactions changes during a day so that they increase in value by $X to A (and therefore decrease in value by $X to B), B has to provide A with $X of acceptable collateral. The cumulative effect of variation margin is that, if outstanding derivatives have a value of +$V to A and −$V to B at a particular time, B should have posted a total of $V of collateral with A by that time.2

Variation margin provides some protection against a counterparty default. It would provide total protection in an ideal world where (a) the counterparty never owes any variation margin at the time of default and (b) all outstanding positions can be replaced at mid-market prices as soon as the counterparty defaults. In practice, defaulting counterparties often stop posting collateral several days before they default, and the non-defaulting counterparty is usually subject to a bid-offer spread as it replaces transactions.3 To allow for adverse movements in the value of the portfolio during a period prior to defaulting when no margin is being posted, market participants sometimes require initial margin in addition to variation margin. Note that, in this context, adverse market movements are increases in the value of the portfolio to the non-defaulting party, not decreases. This is because increases in the value during a period when variation margin is not being posted lead to increases in replacement costs.4 Initial margin, which can change through time as the outstanding portfolio and relevant volatilities change, reflects the risk of a loss due to adverse market moves and the costs of replacing transactions.5

5 As indicated earlier, the non-defaulting party is allowed to keep all margin posted by the defaulting party up to the amount that can be legitimately claimed.
Most margin is cash, but the agreements in place may specify that securities can be posted instead of cash. The securities may be subject to a haircut. This means that the market value of the securities is reduced to determine their value for margin purposes. For example, a Treasury bond might be subject to a 10% haircut, indicating that, if its market value were $100, it would cover only $90 of a margin requirement.

Should cash margin earn interest? There is a difference between futures markets and OTC markets here. A futures exchange clearing house requires both initial margin and variation margin from members. Members earn interest on the initial margin. But they do not do so on variation margin because futures contracts are settled daily so that variation margin does not belong to the member posting it. In the case of OTC trades, interest is usually earned on all cash margin posted because trades are not settled daily.

Central Clearing

In central clearing, a central counterparty (CCP) handles the clearing. A CCP operates very much like an exchange clearing house. When two companies, A and B, agree to an over-the-counter derivatives transaction and decide to clear it centrally, they present it to a CCP. Assuming that the CCP accepts it, the CCP acts as an intermediary and enters into offsetting transactions with the two companies.

Suppose, for example, that the transaction is an interest rate swap where company A pays a fixed rate of 5% to company B on a principal of $100 million for five years and company B pays LIBOR to company A on the same principal for the same period of time. Two separate transactions are created. Company A has a transaction with the CCP where it pays 5% and receives LIBOR on $100 million. Company B has a transaction with the CCP where it pays LIBOR and receives 5% on $100 million. The two companies no longer have credit exposure to each other. This is illustrated in Figure 18.2. If one or both parties to the transaction are not members of the CCP, they can clear the transaction through members.

Figure 18.2 Role of CCP in OTC markets. (Panels: "The OTC Trade" and "Role of CCP".)

Three large CCPs are

1. SwapClear (part of LCH Clearnet in London),
2. ClearPort (part of the CME Group in Chicago), and
3. ICE Clear Credit (part of the Intercontinental Exchange).

A CCP requires its members to provide initial margin and variation margin for the transactions being cleared. Typically, the initial margin is calculated so that there is a 99% probability that it will cover market moves over five days. This protects the CCP from losses as it tries to close out or replace the positions of a defaulting member.

Netting can also save initial margin. Suppose Party A has two transactions with a CCP that are not perfectly correlated. The

Consider the swap in Figure 18.2. Suppose for simplicity that it is the only transaction each side has with the CCP. The CCP might require an initial margin of $0.5 million from each side. If, on the first day, interest rates fall so that the value of the swap to A goes down by $100,000, Party A would be required to pay a variation margin equal to this to the CCP, and the CCP would be required to pay the same amount to B. There could also be a change to the initial margin requirements determined by the CCP. If required margin is not paid by one of its members, the CCP closes out its transactions with that member. Cash and Treasury instruments are usually accepted as margin by CCPs. Typically the interest rate paid on cash balances is close to the overnight federal funds rate for U.S. dollars (and close to similar overnight rates for other currencies).

In practice, market participants are likely to have multiple transactions outstanding with the CCP at any given time. The initial margin required from a participant at any given time reflects the volatility of the value of its total position with the CCP. The role of a CCP in the OTC market is similar to the role of a clearing house in the exchange-traded market. The main difference is that transactions handled by the CCP are usually less standard than transactions in the exchange-traded market so that the calculation of margin requirements is more complicated.

The key advantage of clearing a transaction through a CCP is that OTC market participants do not need to worry about the creditworthiness of the counterparties they trade with. Credit risk is handled by the CCP using initial and variation margin.

A CCP requires its members to contribute to a default fund. (As mentioned, if one or both parties to a transaction are not members of the CCP, they can clear the transaction through members. They will then have to post margin with the members.) If a member fails to post margin when required, the member is in default and its positions are closed out. In closing out a member's positions, the CCP may incur a loss. A waterfall

7 The non-defaulting party is not obliged to terminate transactions. Counterparties that are out-of-the-money sometimes consider that it is in their best interests not to terminate.
18.2 POST-CRISIS REGULATORY CHANGES

The OTC derivatives market was considered by many to have been partly responsible for the 2008 credit crisis. When the G20 leaders met in Pittsburgh in September 2009 in the aftermath of the 2008 crisis, they wanted to reduce systemic risk by regulating the OTC market. The statement issued by the leaders after the meeting included the following paragraph:

All standardized OTC derivative contracts should be traded on exchanges or electronic trading platforms, where appropriate, and cleared through central counterparties by end-2012 at the latest. OTC derivative contracts should be reported to trade repositories. Non-centrally cleared contracts should be subject to higher capital requirements. We ask the FSB and its relevant members to assess regularly implementation and whether it is sufficient to improve transparency in the derivatives markets, mitigate systemic risk, and protect against market abuse.

The results of this were three major changes affecting OTC derivatives:

1. A requirement that all standardized OTC derivatives be cleared through CCPs. Standardized derivatives include plain vanilla interest rate swaps (which account for the majority of OTC derivatives traded) and default swaps on credit indices. The purpose of this requirement is to reduce systemic risk (see Business Snapshot 21.1). It leads to derivatives dealers having less credit exposure to each other so that their interconnectedness is less likely to lead to a collapse of the financial system.

2. A requirement that standardized OTC derivatives be traded on electronic platforms. This is to improve transparency. The thinking is that, if there is an electronic platform for matching buyers and sellers, the prices at which products trade should be readily available to all market participants.9 The platforms are called swap execution facilities (SEFs) in the United States and organized trading facilities (OTFs) in Europe. In practice, standardized products, once they have been traded on these platforms, are passed automatically to a CCP.

3. A requirement that all trades in the OTC market be reported to a central trade repository. This requirement provides regulators with important information on the risks being taken by participants in the OTC market. It is partly a response to the AIG fiasco where regulators were not aware of the huge risks being taken by a subsidiary of AIG until the insurance company asked to be bailed out.

The first two of these requirements apply only to transactions between two financial institutions (or between a financial institution and a non-financial company that is considered to be systemically important because of the volume of its OTC derivatives trading). Derivatives dealers can therefore continue to trade with many of their non-financial corporate clients in the same way that they did pre-crisis.

About 25% of OTC transactions were cleared through CCPs pre-crisis and the remaining 75% were cleared bilaterally. As a result of the new rules, these percentages have flipped so that approximately 75% of OTC transactions are now cleared through CCPs, while 25% are cleared bilaterally.

Uncleared Trades

Following another G20 meeting in 2011, the rules have been tightened for non-standard OTC derivatives. These are the derivatives that are not covered by the rules just mentioned. They are cleared bilaterally rather than centrally and are referred to as uncleared trades. Regulations, which are being implemented between 2016 and 2020, require uncleared trades between two financial institutions (or between a financial institution and a non-financial company that is considered to be systemically important) to be subject to rules on the margin that has to be posted. Previously, one of the attractions of bilateral clearing was that market participants were free to negotiate any credit support annex to their ISDA master agreements.

The rules state that both initial margin and variation margin must be posted for uncleared trades by both sides. Variation margin was fairly common in the OTC market pre-crisis (particularly in trades between derivatives dealers), but initial margin was rare. When entering into a transaction with a much less creditworthy counterparty, a derivatives dealer might insist on the counterparty posting initial margin. But the posting of initial margin by both sides was almost unheard of in the bilaterally cleared market.

Variation margin is usually transmitted directly from one counterparty to the other. Initial margin when posted by both sides cannot be handled in this way. If, for example, A transmitted $1 million of initial margin to B and B transmitted $1 million of initial margin to A, the initial margin would not serve the desired purpose because the transfers would cancel each other. For this reason the regulations require initial margin to be transmitted to a third party, where it is held in trust.

9 An issue here is that the type of electronic platform that is appropriate for swaps may not be the same as the one that is used by exchanges. Swaps are traded intermittently with large notional principals. Futures and options on an exchange trade continually and the size of trades is usually much smaller.
where W_i is the risk weight for risk factor i (specified by the regulators), δ_i is the sensitivity of the position held to risk factor i (determined by the bank), and ρ_ij is the correlation between risk factors i and j (specified by the regulators). Because a 10-day time horizon with 99% confidence is used, a possible formula for W_i is

where σ_i is the daily volatility (or standard deviation, in the case of interest rates, credit spreads, and volatilities) of the ith risk factor in stressed market conditions.

Figure 18.3 Relation between A and B.
There are a number of other details in SIMM. To simplify matters, gamma is calculated from vega using the relationship between the two that holds for European options. Risk factors are divided into buckets, and some risk factors involve term structures with vertices. There are rules specified for calculating the correlations ρ_ij both within buckets and between buckets.

18.3 IMPACT OF THE CHANGES

The new regulations have led to a world where more collateral is required for OTC derivatives transactions. Pre-crisis, most OTC transactions were cleared bilaterally and an initial margin was usually not required. Under the new regulations, most transactions will be cleared through CCPs where both initial and variation margin will be required from both sides. Furthermore, transactions that are cleared bilaterally between financial institutions will require even more collateral than they would if they could be cleared through CCPs.

As discussed by Duffie and Zhu, there is one potential partial offset to the huge increase in collateral requirements mandated by the new rules.10 Under central clearing there is the potential for more netting. In Figure 18.1, under bilateral clearing a market participant has many different netting sets, one for each of the other market participants. Under central clearing, there is only one netting set. Bank A can, for example, net its transactions where Bank B is the counterparty with its transactions where Bank C is the counterparty, provided that all go through the same CCP.

Figure 18.1, however, is a simplification. It suggests that the choice is between a 100% bilateral world and a world where all transactions are cleared through a single CCP. The reality is that (a) there will be a number of CCPs and it is quite likely that they will not cooperate with each other to reduce initial margin requirements, and (b) some transactions will continue to be cleared bilaterally; so banks will face a situation that is a mixture of the two worlds depicted in Figure 18.1.

Figure 18.4 Example where there are three market participants, one CCP, and two product types. One product type (represented by dotted lines) can be cleared; the other (represented by solid lines) cannot.

Dealer     Exposure after bilateral netting
A          0
B          100
C          20
Average    40

Dealer     Exposure after netting including CCP     Exposure after netting excluding CCP
A          120                                      0
B          120                                      120
C          90                                       90
Average    110                                      70

are three market participants and one CCP. For example, in B's dealings with A, the nonstandard transactions are worth 100 to B and −100 to A; the standard transactions are worth +50 to A and −50 to B.

Without central clearing, the average exposure before collateral of the three parties is +40. With central clearing, the average exposure is 110 when the exposure to the CCP is included and 70 when it is not. Central clearing is likely to increase the collateral market participants have to post in this simple situation. This happens because without the central clearing rules standard transactions can be netted with nonstandard transactions, but with the central clearing rules this is no longer possible.

Most experts think that there will be an increase in netting, but the overall effect of the changes will be an increase in margin requirements. Pre-crisis, relatively few OTC derivatives attracted initial margin. Post-crisis, the vast majority of OTC derivatives will require initial margin. A related consideration is that, as more transactions are cleared through CCPs, more of the funds of a financial institution will be tied up in default fund contributions.
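The netting comparison of Figure 18.4, worked through as an added example (this is not code from the original text). The A-B trade values are the ones stated above; the A-C and B-C values are an assumption, reconstructed so that the per-dealer exposures match the figure's totals. The block implements the general rule (one netting set per counterparty, standard trades novated to the CCP under central clearing) for any list of trades.

```python
"""Exposure before collateral under bilateral vs. central clearing (Figure 18.4)."""
from collections import defaultdict

CCP = "CCP"

# Each trade is (party_x, party_y, product, value_to_x); the value to party_y is
# -value_to_x.  The A-B values are the ones given in the text.  The A-C and B-C
# values are CONSTRUCTED: they are the values consistent with the per-dealer
# totals in Figure 18.4, not numbers read off the figure itself.
TRADES = [
    ("B", "A", "nonstandard", 100),  # worth 100 to B and -100 to A (from the text)
    ("A", "B", "standard", 50),      # worth +50 to A and -50 to B (from the text)
    ("C", "A", "nonstandard", 90),   # constructed
    ("A", "C", "standard", 70),      # constructed
    ("B", "C", "nonstandard", 20),   # constructed
    ("B", "C", "standard", 30),      # constructed
]


def novate_standard(trades):
    """Central clearing: each standard trade X-Y becomes X-CCP and Y-CCP (offsetting).
    Nonstandard trades stay bilateral, so they can no longer net against standard ones."""
    out = []
    for x, y, product, v in trades:
        if product == "standard":
            out.append((x, CCP, product, v))
            out.append((y, CCP, product, -v))
        else:
            out.append((x, y, product, v))
    return out


def net_values(trades):
    """Net value of each (party, counterparty) netting set from the party's viewpoint."""
    nets = defaultdict(int)
    for x, y, _, v in trades:
        nets[(x, y)] += v
        nets[(y, x)] -= v
    return nets


def exposures(trades, central_clearing, include_ccp=True):
    """Exposure before collateral of each dealer: sum over its netting sets of max(net, 0).
    With central_clearing the standard trades are novated to the CCP first; the
    dealer's exposure to the CCP is counted only when include_ccp is True."""
    if central_clearing:
        trades = novate_standard(trades)
    nets = net_values(trades)
    dealers = sorted({p for x, y, _, _ in trades for p in (x, y)} - {CCP})
    result = {}
    for d in dealers:
        total = 0
        for (party, counterparty), net in nets.items():
            if party != d or (counterparty == CCP and not include_ccp):
                continue
            total += max(net, 0)
        result[d] = total
    return result


def average_exposure(exp):
    """Average exposure over the dealers, as reported in Figure 18.4."""
    return sum(exp.values()) / len(exp)


if __name__ == "__main__":
    cases = [
        ("bilateral netting", dict(central_clearing=False)),
        ("central clearing, CCP included", dict(central_clearing=True)),
        ("central clearing, CCP excluded", dict(central_clearing=True, include_ccp=False)),
    ]
    for label, kwargs in cases:
        exp = exposures(TRADES, **kwargs)
        print(f"{label}: {exp}, average {average_exposure(exp):.0f}")
```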
Liquidity pressures are likely to increase because of another post-crisis change. What is known as "rehypothecation" was common in some jurisdictions (particularly the United Kingdom) pre-crisis. (See Business Snapshot 18.1.) It involved a dealer using collateral posted with it by one counterparty to satisfy a collateral demand by another counterpart. It is estimated that pre-crisis about $4 trillion of collateral was required in derivatives markets, but that because of rehypothecation only $1 trillion of

BUSINESS SNAPSHOT 18.1 REHYPOTHECATION

A practice in the management of collateral known as rehypothecation can cause problems. If Party A posts collateral with Party B and rehypothecation is permitted, Party B can use the same collateral to satisfy a demand for collateral from Party C; Party C can then use the collateral to satisfy a demand for collateral from Party D; and so on. In 2007, it was estimated that U.S. banks had more than $4 trillion of collateral, but that this was created by using $1 trillion of original collateral in conjunction with rehypothecation. Rehypothecation was particularly common in the United Kingdom, where title to collateral is transferred.

After Lehman declared bankruptcy in September 2008, clients (particularly European hedge fund clients) found it difficult to get a return of the collateral they had posted with Lehman because it had been rehypothecated. As a result of this experience, many market participants are more cautious than they used to be, and clauses in CSAs banning or limiting rehypothecation are now common.

11 See M. Singh and J. Aitken, "The (Sizable) Role of Rehypothecation in the Shadow Banking System," Working Paper, International Monetary Fund, 2010.

derivatives. Many OTC transactions are now traded on platforms similar to exchanges and cleared through organizations similar to exchange clearing houses. As time goes by, more OTC transactions are likely to be classified as "standard" so that the percentage of OTC transactions handled similarly to exchange-traded transactions will increase. What is more, even those OTC transactions between financial institutions that are cleared bilaterally may begin to look more like exchange-traded transactions. This is because margin has to be posted with a third party, and we can expect organizations (somewhat similar to exchange clearing houses) to be set up to facilitate this.

It is also the case that exchanges are increasingly trying to offer less standard products to institutional investors in an attempt to take business away from the OTC market. As a result, while OTC markets are moving in the direction of becoming more like exchange-traded markets, exchange-traded markets are moving in the opposite direction and becoming more like OTC markets. Many CCPs and exchanges have a common ownership and will find areas for cooperation on margin requirements and business practices. Whether a transaction is being cleared through an exchange or a CCP may not be important in the future because it will be handled in the same way by the same organization.

18.4 CCPS AND BANKRUPTCY

The key objective of regulators is to reduce systemic risk. Some commentators have criticized the new derivatives regulations as replacing too-big-to-fail banks by too-big-to-fail CCPs.11
It certainly would be a disaster for the financial system if a major CCP such as LCH Clearnet's SwapClear and CME's ClearPort were to fail.12 In theory, as described in Hull (2012), it is possible to design the contract between CCPs and their members so that it is virtually impossible for a CCP to fail. In practice, it is considered important that a CCP has "skin in the game." It is then motivated to take good decisions with respect to key issues such as whether a new member should be admitted, how initial margins should be set, and so on.

The main reason why it makes sense to replace too-big-to-fail banks by too-big-to-fail CCPs is that CCPs are much simpler organizations than banks. They are therefore much simpler to regulate than banks. In essence, regulators need ensure only that the CCP follows good practices in (a) choosing members, (b) valuing transactions, and (c) determining initial margins and default fund contributions. In the case of banks, a myriad of different, much more complex activities must be monitored. It is of course important for regulators to ensure that CCPs are not allowed to become more complex organizations by expanding outside their core activity of intermediating derivatives transactions.

Most standard OTC derivatives between two financial institutions must be cleared through central counterparties. These are very similar to exchanges. They require initial margin and variation margin to be posted by both sides. Nonstandard transactions between financial institutions will continue to be cleared bilaterally, but are subject to regulation on the collateral that must be posted. Specifically, transactions between financial institutions are subject to initial margin (segregated) and variation margin (transferred from one side to the other when the value of outstanding transactions changes).

What will the derivatives world look like in 15 or 20 years? Present trends indicate that there will be a convergence between OTC and exchange-traded markets, and the distinction between the two will become blurred. But it should be acknowledged that there is no certainty that this trend will continue. The OTC market as it existed before the crisis was very profitable for a few large banks. It is possible that they will chip away at the regulations so that they are able eventually to find a way of creating a new OTC market somewhat similar to the one that existed before the crisis. A battle is likely to take place pitting the determination of regulators against the ingenuity of banks.

Further Reading

Singh, M., and J. Aitken. "The (Sizable) Role of Rehypothecation in the Shadow Banking System." Working Paper, International Monetary Fund, 2010.

12 See J. Hull, "CCPs, Their Risks, and How They Can Be Reduced," Journal of Derivatives 20, no. 1 (Fall 2012): 26-29.
Explain the motivations for introducing the Basel regulations, including key risk exposures addressed, and explain the reasons for revisions to Basel regulations over time.

Explain the calculation of risk-weighted assets and the capital requirement per the original Basel I guidelines.

Describe measures introduced in the 1995 and 1996 amendments, including guidelines for netting of credit exposures and methods to calculate market risk capital for assets in the trading book.

Compare the standardized IRB approach, the Foundation Internal Ratings-Based (IRB) approach, and the advanced IRB approach for the calculation of credit risk capital under Basel II.

Compare the basic indicator approach, the standardized approach, and the Advanced Measurement Approach for the calculation of operational risk capital under Basel II.

Summarize elements of the Solvency II capital framework for insurance companies.
Financial regulation has developed incrementally over the centuries, often in response to stressful periods which exposed the limitations of previous regulations.

In the days before government regulation, banks or insurance companies could be created without official approval. Success (or failure) was based primarily on whether they could persuade clients to use their services.

As such, these businesses have often found it essential to establish trustworthy reputations. They did this by enlisting the support of prominent people in the community, carrying large amounts of capital at creation, and constructing prominent buildings. These measures provided comfort that deposits would be returned and claims paid as promised. Later, governments required new financial institutions to obtain a license before being allowed to operate.

Financial institution failures were frequent, and sometimes occurred not because of insolvency but because of a loss of client confidence. When losses occurred, clients naturally attempted to withdraw funds from the institution in question. When these withdrawals grew into a run or panic, even a solvent institution could fail if it could not liquidate assets or raise new funds quickly enough.

The first "regulations" were the result of financial firms banding together to share resources in the event of runs. The Bank of England, for example, was originally a private-sector entity that would provide support to other banks. In addition, early clearinghouses were partly arrangements for mutual support. Specifically, clearinghouse members shared financial statements with each other and had rights of inspection, and so monitoring and enforcement of solvency was a part of the arrangements. However, this was done privately.

Such private arrangements had several limitations.

• If a panic was big enough, no entity without the power to print money would have enough resources to support the financial system. As a result, government-controlled central banks gradually replaced clearinghouses and private banks as lenders of last resort.1

• Governments learned that financial crises imposed large costs on the economy as a whole (e.g., crises were often followed by depressions). Desiring stability, governments began making attempts to ensure that financial institutions were solvent and liquid enough to survive plausible levels of distress. Such regulations became more wide-ranging in the wake of each crisis.

• Customers of failed financial institutions were unhappy (at the very least) when large fractions of their wealth disappeared. Fraud was not uncommon, but even when a failure was not associated with fraud, customers complained of unfairness and of the difficulty of adequately monitoring a financial institution's safety and soundness.

• Globalization was the fourth trigger of regulation, and especially of international coordination of regulation. Central banks have facilitated international transfers and capital movements for centuries. As international trade blossomed in the 1960s and 1970s, and as multinational corporations became more numerous, foreign exchange flows and capital flows grew ever larger.

Multinationals valued financial service providers who operated in many countries, which gave rise to several issues.

• First, large financial firms, especially international banks, became interlinked, so a failure of one would cause problems in many countries, not just its home country.

• Second, as described further below, banks and regulators became concerned about competitive (dis)advantages flowing from differences in capital requirements across nations.

• Third, technical arrangements in clearing and settlement proved to be important. For example, when Herstatt Bank failed in the summer of 1974, differences in the required delivery times for currencies across countries and time zones caused large amounts of foreign exchange transactions to fail to clear. In turn, this raised concerns about a potential collapse of the global financial system.

It became evident that only official-sector cooperation and coordination could address these risks. As a result, what is now called the Basel Committee on Banking Supervision (BCBS) was created in 1974, following the Herstatt failure. Perhaps motivated in part by the perceived success of the BCBS, the International Association of Insurance Supervisors (IAIS) and the International Organization of Securities Commissioners (IOSCO) were created in 1994 and 1983, respectively.

This chapter focuses on solvency regulation of banks and insurance companies before the Global Financial Crisis (i.e., before 2009), with particular attention to the Basel Accord. Later chapters focus on regulation after the crisis.

19.1 THE BASEL ACCORD: BASEL I VARIANT
304 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
This accord, which has come to be known as Basel I, was initially agreed upon by the members of the BCBS (roughly, the G10 nations). By the early 2000s, however, it became a de facto global minimum capital standard. Note that Basel I has no legal standing in and of itself. Rather, nations have chosen to incorporate its standards through domestic law and regulation.

Two events motivated creation of Basel I.

• First, the growth of cross-border finance continued after Herstatt's failure and it was evident that the G10 nations had a common interest in ensuring that banks had enough equity to absorb large losses.

• Second, international banks were competing vigorously in each other's home countries. However, minimum levels of required capital varied significantly across nations, creating a perception that banks headquartered in countries with low minimums had a competitive advantage. In response, members of the BCBS decided to develop a global minimum standard to "level the playing field" and avoid a race to the bottom. That is, while the Basel Accord was partly about ensuring safety and soundness, negotiations also had an element of maneuvering for perceived competitive advantage.

The central elements of Basel I are a risk-based capital ratio, a minimum level of this ratio, and definitions of the numerator and denominator.

The Risk-Based Capital Ratio

A goal of Basel I was to ensure that financial institutions would have sufficient assets to remain solvent during periods of stress. However, the BCBS had to find a way of measuring sufficiency. Since banks differ greatly in size, specifying minimum amounts of capital (in dollars, pounds, etc.) would be infeasible. A ratio of capital to the book value of assets (i.e., "leverage ratio"), on the other hand, would seemingly allow for a universal standard that could apply to institutions of all sizes. However, banks can also differ greatly in the composition and riskiness of their balance sheets.

Given the perception that minimums specified in terms of leverage ratios would disadvantage banks with low-risk portfolios and advantage those with high-risk portfolios, the BCBS decided on a risk-based capital ratio (i.e., a ratio of capital to risk-weighted assets (RWA)) instead. Moreover, these assets included not only assets on the balance sheet according to accounting conventions (e.g., loans or securities), but also off-balance-sheet exposures (e.g., loan commitments) and derivative exposures. Though crude by modern standards, these risk-based ratios represented a major innovation at the time.

The Ratio and Minimum Values

Basel I required consolidated banking organizations to maintain

Tier 1 capital / RWA > 4%

and

Total capital / RWA > 8%

Total capital is the sum of Tier 1 capital and Tier 2 capital. By design, Tier 2 capital may comprise no more than half of total capital. To the extent that Tier 1 capital exceeded 4 percent of risk-weighted assets, the excess could be included with Tier 2 capital to satisfy the second (8%) requirement.2

"Capital"

Under the Basel I framework, Tier 1 capital consists of common equity and disclosed reserves (i.e., retained earnings plus some types of minority interest in subsidiaries) minus goodwill. Later frameworks include a limited amount of non-cumulative perpetual preferred stock.

In contrast, Tier 2 capital consists of

• loan loss reserves not already allocated to impairment of particular assets;

• undisclosed reserves (including some revaluation reserves); and

• hybrid instruments (i.e., unsecured, subordinated, not redeemable at the investor's behest, on which payment default would not precipitate bankruptcy or resolution, and on which interest or dividend payments could be deferred).

A limit was placed on the proportion of loan loss reserves allowed into capital (originally 2%, later reduced to 1.25% of RWA). Some kinds of subordinated debt and preferred stock were in the latter category. In the years after Basel I was implemented, consultants and investment bankers invented instruments that would qualify as Tier 1 or Tier 2 capital.

Though never expressed by the BCBS, two assumptions were implicit in these definitions.

• First, preservation of solvency was the job of Tier 1 capital, whereas Tier 2 capital would provide resources for recapitalization of an entity in resolution and reduce the impact of failures on depositors.

• Second, although general loan loss reserves were often viewed as covering losses that are likely already embedded in the entity's portfolio but that have not yet occurred, they were not counted as loss-absorbing capacity that could preserve solvency.

2 The ratios are sometimes referred to as "Cooke" ratios, for Peter Cooke of the Bank of England.
Table 19.1 Risk Weights Under Basel I (partial)

0%   Cash; claims on OECD governments such as bonds issued by the central government; other instruments with a full guarantee from an OECD government
20%  Claims on OECD banks and on OECD public sector entities, such as claims on municipalities or on Fannie Mae and Freddie Mac

where W_i is the risk weight and A_i is the size of the asset.

In Basel I, the weights are as shown in Table 19.1, which includes a summary of the assets in each category. In the absence of other adjustments, the maximum amount that a position could contribute to RWA was the book value of its assets (since the maximum risk weight was 100 percent).

Implicit in Table 19.1 is a view that no OECD government would ever default on its obligations, as well as that residential mortgages and claims on banks are much less likely to impose losses than a typical bank loan. Though these assumptions appear unreasonable today, they were consistent with what was experienced in the decades preceding Basel I.3

Example 19.1:

The assets of a Canadian bank consist of C$200 million of loans to corporations, C$100 million of Canadian central government bonds, C$100 million of residential mortgages insured by the central government, and C$100 million of uninsured residential mortgages. Though the book value of assets is C$500 million, the sum of risk-weighted assets is C$250 million since

RWA = 100% × 200 + 0% × 100 + 0% × 100 + 50% × 100 = 250

Though the concept of RWA was natural for traditional balance-sheet exposures, banking organizations also had many

For example, a $100 million five-year loan commitment to an OECD municipality would first be converted to a $20 million credit equivalent, and then be assigned a 20 percent risk weight. Thus, its contribution to RWA would be only $4 million.

With respect to derivatives, Basel I offered authorities in each nation a choice between two methods of computing a credit equivalent amount (this structure was revised in 1995 with the addition of a maturity bucket greater than five years):

1. Current Exposure Method:

a. First, calculate the current market value of the contract V. If the current market value is negative (making it a liability rather than an asset), set V = 0.

b. Second, add an amount D to account for changes in the contract's future market value. For interest rate swaps, D was
   i. zero for maturities of less than one year,
   ii. 0.5% of the notional value of the swap for remaining maturities of five years or less; and
   iii. 1.5% for more than five years.

c. For foreign exchange swaps, D was
   i. 1% of notional value for maturities of less than one year,
   ii. 5% of notional value for maturities between one and five years, and
   iii. 7.5% of notional value for maturities greater than five years.

2. Original Exposure Method (only for interest rate and foreign exchange contracts):

a. Nations could ignore the current market value of the contract and choose whether to use the original or remaining maturity.

3 Implicit in the beneficial treatment of sovereign debt is the expectation that governments can print money to address potential defaults. This assumption does not hold when debt is borrowed in foreign currencies, or where a national government is not fully in control of its own monetary policy, as could be the case in the European Monetary Union today.
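The Basel I RWA computation described above (Table 19.1 weights, the loan-commitment conversion, and the Current Exposure Method for a single derivative), as an added example that is not part of the original chapter. The category labels are our own; the risk weights, the 20% credit conversion factor and the add-on schedule are the values printed on this page, and insured mortgages are given the government weight as in Example 19.1.

```python
from typing import Iterable, Tuple

# Basel I risk weights for the asset categories used on this page
# (Table 19.1 rows and Example 19.1); the category labels are ours.
RISK_WEIGHTS = {
    "cash": 0.0,
    "oecd_government": 0.0,         # central government bonds, government-guaranteed claims
    "oecd_bank_or_psec": 0.20,      # OECD banks, municipalities, Fannie Mae / Freddie Mac
    "residential_mortgage": 0.50,   # uninsured residential mortgages (Example 19.1)
    "corporate_loan": 1.00,
}

# Credit conversion factor from Table 19.2 as printed on this page.
CCF_COMMITMENT_GE_1Y = 0.20


def balance_sheet_rwa(assets: Iterable[Tuple[str, float]]) -> float:
    """RWA = sum over assets of W_i * A_i, with W_i taken from RISK_WEIGHTS."""
    return sum(RISK_WEIGHTS[category] * amount for category, amount in assets)


def commitment_rwa(notional: float, obligor_category: str, original_maturity_years: float) -> float:
    """Off-balance-sheet loan commitment: credit equivalent = CCF * notional,
    then weighted by the obligor's risk weight. Only the >= 1 year row of
    Table 19.2 is on this page, so shorter commitments are rejected."""
    if original_maturity_years < 1:
        raise ValueError("CCF for commitments under one year is not given on this page")
    return RISK_WEIGHTS[obligor_category] * CCF_COMMITMENT_GE_1Y * notional


def add_on_factor(contract_type: str, remaining_maturity_years: float) -> float:
    """Current Exposure Method add-on D as a fraction of notional (page schedule)."""
    if contract_type == "interest_rate":
        if remaining_maturity_years < 1:
            return 0.0
        return 0.005 if remaining_maturity_years <= 5 else 0.015
    if contract_type == "fx":
        if remaining_maturity_years < 1:
            return 0.01
        return 0.05 if remaining_maturity_years <= 5 else 0.075
    raise ValueError("the schedule on this page covers only interest rate and FX contracts")


def current_exposure_credit_equivalent(market_value: float, notional: float,
                                       contract_type: str, remaining_maturity_years: float) -> float:
    """Credit equivalent = V floored at zero + D, where D = add-on factor * notional (no netting)."""
    v = max(market_value, 0.0)                       # a liability contributes no current exposure
    d = add_on_factor(contract_type, remaining_maturity_years) * notional
    return v + d


def derivative_rwa(market_value: float, notional: float, contract_type: str,
                   remaining_maturity_years: float, counterparty_category: str) -> float:
    """The credit equivalent is then risk-weighted like any other claim on the counterparty."""
    cea = current_exposure_credit_equivalent(market_value, notional, contract_type, remaining_maturity_years)
    return RISK_WEIGHTS[counterparty_category] * cea


# Example 19.1 (C$ millions). Residential mortgages insured by the central
# government take the government weight, as the example's 0% term shows.
EXAMPLE_19_1 = [
    ("corporate_loan", 200),
    ("oecd_government", 100),        # central government bonds
    ("oecd_government", 100),        # government-insured residential mortgages
    ("residential_mortgage", 100),   # uninsured residential mortgages
]

if __name__ == "__main__":
    print(balance_sheet_rwa(EXAMPLE_19_1))                   # 250.0
    print(commitment_rwa(100, "oecd_bank_or_psec", 5))       # 4.0
    # constructed: a 3-year interest rate swap with MTM -5 on notional 200 at an OECD bank
    print(derivative_rwa(-5, 200, "interest_rate", 3, "oecd_bank_or_psec"))   # 0.2
```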
Table 19.2 Credit Conversion Factors for Traditional Off-Balance-Sheet Exposures

20%  Loan commitments with original maturity greater than or equal to one year
= $42 million where NRR (i.e., the net replacement ratio) is

With netting, the current exposure portion of the credit equivalent amount is 5 for the first counterparty (i.e., the −5 exposure on the first interest rate derivative is netted against the 10 exposure on the foreign exchange derivative) and 0 for the second, for a total of 5. Note that current exposure may not be less than zero, and the −10 market value on the wheat option may only be netted against positive exposures at the second counterparty, not at the first counterparty.

In this case, NRR = 0.5 because the numerator of NRR is the current exposure of 5 and the denominator is the sum of the positive exposures (i.e., 10).

The add-on for potential future exposure must be calculated separately for each type of derivative, multiplying the total notional value for each type by the add-on factor to obtain values of D_j. For the interest rate derivatives, 200 × 0.5% yields a value of 1, while for the remaining types in the table D is 10, 10, and 30 for the foreign exchange, equity, and wheat types, respectively. Applying the formula for CEA:

CEA = 5 + (0.4 × 1 + 0.6 × 1 × 0.5) + (0.4 × 10 + 0.6 × 10 × 0.5) + (0.4 × 10 + 0.6 × 10 × 0.5) + (0.4 × 30 + 0.6 × 30 × 0.5) = 5 + 0.7 + 7 + 7 + 21 = 40.7

Capital for Market Risks Associated with Trading Activities

While market risk (i.e., changes in market value of trading book assets) is the primary risk for the trading book, it was not captured by the requirements described previously. The 1996 Amendment to Basel I offers two ways to measure market risk: a standardized approach and an internal models-based approach.

For banks with trading books of material size, the internal models-based approach was preferred because it generally yielded smaller capital requirements. This is in part due to the fact that asset values were not assumed to be perfectly correlated, as they were in the standardized approach.

The standardized approach specifies details separately for five categories of positions:

• fixed income securities and interest rate derivatives other than options, for which remaining maturity was a key driver;

• equity securities and equity derivatives other than options;

• foreign exchange;

• commodities; and

• all types of options.

These approaches were relatively simple for some categories, while for others there were many operational complexities (e.g., the separate treatment of specific risk and general market risk, where the latter is due to general movements in market prices and the former is driven by idiosyncratic changes in a specific position's value).

The internal models-based approach embodied a major change in philosophy by permitting banks to use internally developed risk measures as the inputs to formulas specified by regulators. To limit manipulation of the internal measures, monitoring was built in. In contrast, the standardized approach specified most of the details and was based on observable characteristics of positions (e.g., remaining maturity).

Under both approaches, capital charges were calculated separately for specific risk (SR) and general market risk (MR) for each of the five categories. These were summed and multiplied by 12.5 so that the usual multipliers on risk-weighted assets could also be applied to them.5

Total capital for trading assets = 0.08 × 12.5 × Σ_{j=1}^{5} (MR_j + SR_j)

To measure market risk, a bank using the internal models-based approach must calculate value-at-risk (VaR) for each asset category. A 10-day VaR at the 99th percentile was required, based on at least one year of daily data, usually using a scaled one-day VaR multiplied by √10. Correlations within a category of position were considered by the internal model, whereas adjustments for correlations across categories were allowed at the discretion of the national supervisor.

Thus, market risk was given by

MR = max(VaR_{t−1}, m × VaR_avg)

where VaR_avg was the average VaR over the past 60 days and m was a multiplier that was never less than 3 (and could be larger if national supervisors found deficiencies in the bank's models or other systems, or if monitoring implied other deficiencies). Given a multiplier of 3, the second term was usually larger than the 10-day VaR computed for the preceding business day (i.e., t − 1).

Capital for specific risk, which was required for fixed income, equity instruments, and derivatives, could be determined using either the standardized approach or the bank's internal models. In the latter case, the approach was similar to that for market risk, but the multiplier was 4 rather than 3 and capital for specific risk could not be less than half of capital calculated using the standardized approach.6

The 1996 Amendment created a new class of capital (i.e., Tier 3 capital), composed mainly of unsecured subordinated debt with an original maturity of at least two years, that could be used to meet part of the market risk capital requirement. However, only about 70 percent of the market risk capital requirements could be satisfied with Tier 3 capital.

The 1996 Amendment specified several qualitative criteria that banks using the internal models-based approach must meet (e.g., sound risk management, independent risk management units, limits, active involvement of the board, and so on).

It also required daily back testing. Each day, for each model, the bank was required to use its current model and procedures to calculate one-day 99% VaR for each of the most recent 250 days, and to compare the actual loss for the day to the VaR. Each day with actual loss larger than VaR was termed an exception. Five or fewer exceptions enabled the multiplier m to be 3, but larger numbers of exceptions could lead to larger multipliers at the discretion of the supervisor. With 10 or more exceptions, a multiplier of 4 was required.

5 12.5 is the inverse of 8%. The multiplier has the effect of turning a capital requirement into an RWA measure. This adjustment is based on the total capital requirement rather than the Tier 1 requirement.

19.2 THE BASEL ACCORD: BASEL II VARIANT

Some supervisors had become concerned by the mid-1990s that Basel I, while more risk-based than capital requirements based on equity-to-asset ratios, was not risk-based enough. The 100 percent risk weight, for example, incorporated exposures posing a wide range of risk, from very safe loans made to highly-rated corporations to very risky loans to commercial real estate development projects.

Moreover, banking crises in the Nordic countries had demonstrated that systemic problems could occur even in well-capitalized banking systems. Meanwhile, there had been several technical advances in market and credit risk measurement and management since 1987, signaling a potential for more precise risk weighting and vastly improved risk management at all levels of banking organizations.

Basel II was the reaction to such concerns. Discussions among supervisors about a revised accord began in the late 1990s and the "final" revision was published in 2004 (further revisions occurred frequently in the years that followed).

While retaining much of Basel I, Basel II contained four significant innovations:

1. Risk weight formulas for credit risk based on modern credit risk management concepts and banks' internal risk measures;

2. Required capital for operational risk, in addition to credit risk and market risk;

3. In addition to minimum capital requirements (Pillar 1), Basel II included specific requirements for supervision related to capital and risk management (Pillar 2) and required public disclosures (Pillar 3);

4. Repeated use of Quantitative Impact Studies (QIS) to fine-tune the design of the accord. In each QIS, banks contributed detailed data which was then analyzed by supervisors.

Although the first two innovations have received the most attention from the public, the three pillars represented a major development as well. Through the early 2000s, regulatory philosophy differed across nations, ranging from supervision-heavy approaches (in which rules played much less of a role than the judgment of field supervisors) to rules-heavy approaches (in which regulators presented detailed rules and field supervisors focused on evaluating compliance with the rules). Moreover, at the time of Basel II development, disclosures of bank condition and risk also
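The netting calculation worked through above (net current exposure per counterparty, NRR, and the 0.4/0.6 add-on formula that yields CEA = 40.7), as an added example that is not part of the original chapter. The position book is constructed to match the page's figures; the add-ons D_j are supplied directly as the page presents them, and the equity derivative's MTM of 0 at the second counterparty is our assumption, since the page states only that the second counterparty nets to zero against a positive exposure base of 10.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Position:
    counterparty: str
    mtm: float      # current market value V of the contract (negative = liability)
    add_on: float   # potential future exposure add-on D_j = notional x add-on factor


def net_current_exposure(positions: List[Position]) -> float:
    """Positive and negative market values are netted only within the same
    counterparty, and each counterparty's net exposure is floored at zero."""
    by_counterparty: Dict[str, float] = {}
    for p in positions:
        by_counterparty[p.counterparty] = by_counterparty.get(p.counterparty, 0.0) + p.mtm
    return sum(max(net, 0.0) for net in by_counterparty.values())


def gross_current_exposure(positions: List[Position]) -> float:
    """Sum of positive market values with no netting at all."""
    return sum(max(p.mtm, 0.0) for p in positions)


def net_replacement_ratio(positions: List[Position]) -> float:
    """NRR = net current exposure / gross positive current exposure."""
    gross = gross_current_exposure(positions)
    return net_current_exposure(positions) / gross if gross else 0.0


def credit_equivalent_amount(positions: List[Position]) -> float:
    """CEA = net current exposure + sum_j (0.4 * D_j + 0.6 * NRR * D_j),
    the netting formula applied in the page's example."""
    nrr = net_replacement_ratio(positions)
    add_ons = sum(0.4 * p.add_on + 0.6 * nrr * p.add_on for p in positions)
    return net_current_exposure(positions) + add_ons


# Constructed book ($ millions) matching the page's numbers: counterparty A holds
# an interest rate swap (MTM -5, D = 200 x 0.5% = 1) and an FX contract (MTM 10,
# D = 10); counterparty B holds an equity derivative (D = 10, MTM 0 assumed) and
# a wheat option (MTM -10, D = 30).
EXAMPLE_BOOK = [
    Position("A", -5.0, 1.0),
    Position("A", 10.0, 10.0),
    Position("B", 0.0, 10.0),
    Position("B", -10.0, 30.0),
]

if __name__ == "__main__":
    print(net_current_exposure(EXAMPLE_BOOK))    # 5.0
    print(net_replacement_ratio(EXAMPLE_BOOK))   # 0.5
    print(credit_equivalent_amount(EXAMPLE_BOOK))  # 40.7
```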
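The internal models-based market risk charge described above (exception counting over 250 days, the multiplier rule, MR = max(VaR_{t−1}, m × VaR_avg), and the 0.08 × 12.5 total), as an added example that is not part of the original chapter. The backtest series is constructed; where the page leaves the multiplier for 6 to 9 exceptions to the supervisor, the code requires an explicit supervisor value of at least 3.

```python
import math
from statistics import mean
from typing import List, Optional, Sequence, Tuple


def count_exceptions(losses: Sequence[float], one_day_var: Sequence[float]) -> int:
    """An exception is a day whose actual loss exceeds that day's 99% one-day VaR.
    Both series cover the most recent 250 days; positive numbers are losses."""
    if len(losses) != 250 or len(one_day_var) != 250:
        raise ValueError("the backtest covers exactly the most recent 250 days")
    return sum(1 for loss, var in zip(losses, one_day_var) if loss > var)


def multiplier_from_exceptions(n_exceptions: int, supervisor_choice: Optional[float] = None) -> float:
    """m = 3 for five or fewer exceptions, 4 for ten or more; in between the
    supervisor decides (supervisor_choice), and m is never below 3."""
    if n_exceptions <= 5:
        return 3.0
    if n_exceptions >= 10:
        return 4.0
    if supervisor_choice is None or supervisor_choice < 3:
        raise ValueError("6-9 exceptions: supervisor must set a multiplier of at least 3")
    return supervisor_choice


def ten_day_var(one_day_var: float) -> float:
    """Scaled 10-day VaR = one-day VaR x sqrt(10)."""
    return one_day_var * math.sqrt(10)


def market_risk_charge(var_10d_history: Sequence[float], m: float) -> float:
    """MR = max(VaR_{t-1}, m * average 10-day VaR over the past 60 days)."""
    if len(var_10d_history) < 60:
        raise ValueError("need at least 60 days of 10-day VaR")
    last_60 = var_10d_history[-60:]
    return max(var_10d_history[-1], m * mean(last_60))


def trading_book_capital(mr_by_category: Sequence[float], sr_by_category: Sequence[float]) -> float:
    """0.08 * 12.5 * sum_j (MR_j + SR_j); the 12.5 turns the charge into an RWA measure."""
    return 0.08 * 12.5 * sum(mr + sr for mr, sr in zip(mr_by_category, sr_by_category))


def constructed_backtest(n_exceptions: int) -> Tuple[List[float], List[float]]:
    """Constructed 250-day sample: VaR is 10 every day; losses are 5, except 12 on
    the first n_exceptions days."""
    var = [10.0] * 250
    losses = [12.0 if day < n_exceptions else 5.0 for day in range(250)]
    return losses, var


if __name__ == "__main__":
    losses, var = constructed_backtest(7)
    n = count_exceptions(losses, var)
    m = multiplier_from_exceptions(n, supervisor_choice=3.5)
    history = [ten_day_var(10.0)] * 59 + [ten_day_var(12.0)]   # constructed 60-day history
    print(n, m, round(market_risk_charge(history, m), 2))
```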
tional clarity (and pressure) was provided by the Basel Committee.

Capital for Credit Risk

As Basel II was developed, supporting data and analysis remained limited, and many supervisors were concerned that banks would manipulate internal risk measures to reduce required capital. Negotiators addressed such concerns by including three options for determination of minimum capital requirements for credit risk:

1. The standardized approach. Like Basel I, this included some increased sensitivity of risk weights to credit quality for borrowers with external ratings.7

2. The Foundation Internal Ratings-Based (IRB) approach. Here, risk weights were sensitive to internal measures of default probability, with the use of regulatory-specified loss given default parameters.

3. The Advanced IRB approach. Risk weights were sensitive to internal measures of default probability, loss given default,

7 The United States chose not to implement the Standardized Approach. Internationally active banks were required to use IRB approaches, while all other banks were required to use an updated version of the Basel I requirements.

less favorable than the sovereign's (and capped at 100%) or a risk weight based on the bank's own ratings (or one category more favorable where the obligation had no more than 3 months' original maturity, subject to a floor of 20%). Risk weights on bank obligations could be capped at 100 percent.

The Standardized Approach included two ways of adjusting for collateral. Under the "simple approach," which was similar to Basel I, the risk weight of a counterparty could be replaced by the risk weight of collateral for the portion of exposure covered by the collateral. A minimum risk weight on the collateral was set at 20 percent, unless the collateral was sovereign debt in the same currency as the exposure.

The alternative "comprehensive approach" required changes in exposure and collateral amounts to allow for possible changes in their value. The risk weight of the collateral was applied to the reduced amount of collateral, and the counterparty's risk weight was applied to the remaining exposure. Any netting was applied separately to exposures and collateral, and either Basel rules or (approved) internal models could be used to

The IRB Approach

The Gordy (2003) "asymptotic single risk factor" model of credit losses, now more commonly referred to as a one-factor
Table 19.3 Risk Weights Under the Standardized Approach

Obligation type   Risk weight (%)
Retail            75
Mortgage          35
Cash              0
Other             100
Gaussian copula model, was an expression of the thinking that led to the IRB Approach.8 The paper demonstrates that in large, well-diversified credit portfolios, a positive relationship exists between the probability of default of an obligor and that obligor's contribution to the capital needed to limit the probability of portfolio losses exceeding a percentile of the loss distribution.

Using the Basel Committee's choices of a one-year time horizon for credit losses and a desire that capital be enough to absorb losses up to the 99.9th percentile of the credit loss distribution, the formula is:

Capital = Σ_i [EAD_i × LGD_i × DR99.9_i] − EL

where

• Capital is expressed in dollars;

• EAD_i is the exposure at default for asset i (i.e., the amount expected to be owed by the counterparty on asset i at the time of default);

• LGD_i is the expected loss given default for asset i (i.e., the fraction of EAD_i that is expected to be lost);9

• DR99.9_i is the default rate at the 99.9th percentile for a large portfolio of assets of type i. Gordy's research provides a formula for DR99.9_i:

DR99.9_i = N( [N^{−1}(PD_i) + √ρ × N^{−1}(0.999)] / √(1 − ρ) )

MA = 1 + b(M − 2.5) / (1 − 1.5b)

Because the Basel Committee did not view loan loss reserves as Tier 1 capital, and yet loan loss reserves were thought to be approximately equal to expected losses, the Committee chose to make capital a function only of unexpected losses (i.e., net of expected losses). In cases where loan loss reserves are less than EL, a reduction in capital is made for the shortfall. See Figure 19.1 for a depiction of the capital for total stress losses, expected losses, and unexpected losses.

This setup allowed the Basel Committee to specify a loss percentile and an asset correlation ρ for each type of asset.10 Each individual asset's contribution to capital at any bank would then depend only on the bank's estimates of EAD, LGD and PD for that asset.

Basel II included two variants of the IRB approach:

• Foundation IRB, in which the bank would provide only the PD, with the accord specifying values of EAD and LGD for each class of asset; and

• Advanced IRB, in which the bank would provide all three values.

Earlier work had found that, at least in the United States, most large banks had internal rating systems that could be used to obtain a PD for each loan.11 Thus, supervisors expected that Foundation IRB would be feasible for most large banks. The limited available data on EAD and LGD made it likely that fewer banks would be able to use Advanced IRB.
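The IRB formulas above (DR99.9 from the one-factor model, capital net of expected loss, the printed maturity adjustment, and RWA = 12.5 × capital), as an added example that is not part of the original chapter. N and N^{−1} come from Python's statistics.NormalDist; the correlations ρ = 0.12 (residential mortgages) and ρ = 0.19 (wholesale) are our assumptions, chosen because they reproduce the DR values of 0.09 and 0.14 quoted in the retail example later on this page, since Table 19.4's values are not reproduced here.

```python
import math
from statistics import NormalDist

STD_NORMAL = NormalDist()   # .cdf is N(.), .inv_cdf is N^{-1}(.)

# Assumed asset correlations (not from the page; see lead-in).
RHO_RESIDENTIAL_MORTGAGE = 0.12
RHO_WHOLESALE = 0.19


def dr_999(pd: float, rho: float) -> float:
    """Gordy one-factor default rate at the 99.9th percentile:
    DR99.9 = N( (N^-1(PD) + sqrt(rho) * N^-1(0.999)) / sqrt(1 - rho) )."""
    if not 0.0 < pd < 1.0 or not 0.0 <= rho < 1.0:
        raise ValueError("PD must lie in (0, 1) and rho in [0, 1)")
    z = (STD_NORMAL.inv_cdf(pd) + math.sqrt(rho) * STD_NORMAL.inv_cdf(0.999)) / math.sqrt(1.0 - rho)
    return STD_NORMAL.cdf(z)


def maturity_adjustment(b: float, M: float) -> float:
    """MA = 1 + b(M - 2.5) / (1 - 1.5b), as printed on the page."""
    return 1.0 + b * (M - 2.5) / (1.0 - 1.5 * b)


def irb_capital(ead: float, lgd: float, pd: float, rho: float) -> float:
    """Capital = EAD * LGD * DR99.9 - EL, with EL = EAD * LGD * PD, so capital
    covers unexpected loss only (loan loss reserves are assumed to cover EL)."""
    return ead * lgd * (dr_999(pd, rho) - pd)


def irb_rwa(ead: float, lgd: float, pd: float, rho: float) -> float:
    """RWA = 12.5 * capital, the form used in the page's retail example."""
    return 12.5 * irb_capital(ead, lgd, pd, rho)


if __name__ == "__main__":
    # $100 million of residential mortgages, PD = 1%, LGD = 30% (page's retail example)
    print(round(dr_999(0.01, RHO_RESIDENTIAL_MORTGAGE), 3))               # 0.09
    print(round(irb_rwa(100, 0.30, 0.01, RHO_RESIDENTIAL_MORTGAGE), 1))   # 30.1
    print(round(dr_999(0.01, RHO_WHOLESALE), 3))                          # 0.138
```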
Table 19.4 DR Values for different combinations of PD and ρ

That is, correlations are lower for retail than for wholesale exposures.

Like the previous example, suppose a bank has $100 million of residential mortgages with a PD = 0.01 and an LGD of 30 percent. DR is 0.09 rather than 0.14, so RWA = 12.5 × 100 × 0.3 × (0.09 − 0.01) = $30 million. This is less than Basel I's $50 million for such a portfolio and the Basel II Standardized Approach's value of $35 million.

Credit Mitigants Other Than Collateral

A credit substitution approach is used to handle arrangements like guarantees and credit default swaps. Under this approach, the credit rating of the guarantor is substituted for that of the obligor in capital calculations, up to the amount covered by the mitigant.

However, this approach is not quite generous enough relative to the actual loss outcomes, given that a double default (both guarantor and borrower) is implied in the treatment. Basel II does, however, assume relatively low correlations of wholesale counterparty defaults, meaning that double defaults should be infrequent.

As an alternative, in 2005 the Basel Committee amended the accord to allow capital without the mitigant to be multiplied by 0.15 + 160 × PD_g, where PD_g is the one-year PD of the guarantor.

Capital for Operational Risk

The Basel Committee defined operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. In the wake of rogue trader losses at Barings Bank in the mid-1990s, the possibility of large losses from sources other than credit or market risk became more concrete. Basel II implemented capital requirements for operational risk, permitting three approaches:

1. Basic Indicator Approach: 15 percent of the bank's average annual gross income over the past three years, ignoring any years of negative gross income. This could be a material amount of capital, given that gross income is usually far larger than net income. However, this approach is relatively easy to implement and may be chosen by banks that do not expect to be constrained by capital requirements.

2. Standardized Approach: Like the basic indicator approach, but different multipliers are applied to gross income from different business lines.

models are used to calculate a one-year VaR-like measure of operational risk losses at the 99.9th percentile. Operational risk capital is this amount less expected operational losses. This approach allows recognition of risk mitigants such as insurance under some circumstances.

Example 19.4 Capital for the Basic Indicator and Standardized Approaches ($ billions)

The table above provides an example of a bank's gross income for each of the eight business lines specified in the Standardized Approach over a period of three years. It also shows the operational risk capital levels each year for each business line under the Standardized Approach, which are obtained by multiplying gross income times the business-line-specific multiplier.

Negative capital may offset positive capital within a year, but years for which total estimated capital is negative are ignored in computing the three-year average. Thus, under the Standardized Approach, operational risk capital in this example would be (8.73 + 9.69)/2 = $9.21 billion.13

13 The definition of "gross income" provided by the BCBS for the first quantitative impact study was: Net interest income (interest received minus interest paid) + net fees and commissions (fees and commissions received minus fees and commissions paid) + net trading income + gross other income. Income should be reflected gross of any provisions (e.g., for unpaid interest) and gross of any operational costs and losses. Income should exclude extraordinary or irregular items and also income derived from insurance.
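The Basic Indicator and Standardized Approach calculations described above (the 15 percent multiplier, per-business-line multipliers, negative lines offsetting positive ones within a year, and the rule that drops years with a negative total from the three-year average), as an added example that is not part of the original chapter. The gross-income table is constructed; the business-line multipliers are the Basel II beta factors, which this page describes but does not print.

```python
from typing import Dict, List

ALPHA = 0.15   # Basic Indicator Approach multiplier on gross income (page)

# Standardized Approach business-line multipliers (Basel II beta factors).
BETA = {
    "corporate_finance": 0.18,
    "trading_and_sales": 0.18,
    "retail_banking": 0.12,
    "commercial_banking": 0.15,
    "payment_and_settlement": 0.18,
    "agency_services": 0.15,
    "asset_management": 0.12,
    "retail_brokerage": 0.12,
}

YearTable = Dict[str, float]   # gross income by business line for one year


def _average_ignoring_negative_years(values: List[float]) -> float:
    """Three-year average that ignores years whose total is negative (or zero)."""
    kept = [v for v in values if v > 0]
    return sum(kept) / len(kept) if kept else 0.0


def total_gross_income(year: YearTable) -> float:
    return sum(year.values())


def basic_indicator_capital(years: List[YearTable]) -> float:
    """15% of average annual gross income, ignoring years of negative gross income."""
    return ALPHA * _average_ignoring_negative_years([total_gross_income(y) for y in years])


def yearly_standardized_charges(years: List[YearTable]) -> List[float]:
    """Per year: sum over lines of beta * gross income. A negative line offsets
    positive ones within the same year, so a year's total can be negative."""
    return [sum(BETA[line] * gi for line, gi in year.items()) for year in years]


def standardized_capital(years: List[YearTable]) -> float:
    """Three-year average of the yearly charges, dropping negative years."""
    return _average_ignoring_negative_years(yearly_standardized_charges(years))


# Constructed three-year table ($ billions): the middle year has a trading loss
# large enough to make both its gross income and its standardized charge negative.
CONSTRUCTED_YEARS = [
    {"retail_banking": 40.0, "trading_and_sales": 20.0},
    {"retail_banking": 50.0, "trading_and_sales": -60.0},
    {"retail_banking": 45.0, "trading_and_sales": 30.0},
]

if __name__ == "__main__":
    print(yearly_standardized_charges(CONSTRUCTED_YEARS))   # [8.4, -4.8, 10.8]
    print(round(standardized_capital(CONSTRUCTED_YEARS), 3))     # 9.6
    print(round(basic_indicator_capital(CONSTRUCTED_YEARS), 3))  # 10.125
```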
Under the Basic Indicator approach, total gross income for each year is multiplied by 15 percent (again ignoring years of negative total gross income), and so the capital requirement in this example would be 0.15 × (61 + 70)/2 = $9.83 billion.

Some Details of the AMA Approach

Banks using the AMA approach are expected to estimate a distribution of operational risk losses in seven categories that incorporates estimates of both the incidence of operational loss events and their severity.14

AMA methodologies vary widely across different banks, but two broad approaches are most popular:

• A parametric and Monte Carlo approach, in which data are used to parameterize the bank's choice of probability distribution for incidence (e.g., Poisson) and for severity (e.g., Weibull). These distributions are then used to produce large numbers of simulated loss observations from which the value at the 99.9th percentile can be read; and/or

• Generate a moderate number of detailed scenarios in which losses occur, and then measure operational losses in each scenario. Separate scenario analyses are often conducted for each category of operational losses. Scenario analysis has the advantage of generating informative narratives and being forward-looking. However, the number of data points generated is usually small and it is not obvious how to best convert such data into losses at the 99.9th percentile. As a result, many banks use a combination of scenario and parametric methods.

The BCBS requires the inclusion of both expected and unexpected losses, and that the overall program use internal data (at least five years of experience), external data, scenario analysis, and a consideration of the business environment and the bank's controls. Though each supporting element need not be included directly in calculations, the overall process must include all four. Moreover, a bank must make a convincing argument that its process can capture bad-tail events and, if it chooses to assume that losses across business lines and loss categories are anything but perfectly correlated, it must convincingly defend its correlation assumptions. A bank may offset at most 20 percent of the operational risk capital charge with insurance, and only insurance arrangements that meet stringent requirements are acceptable.

In recent years, required capital for operational risk at some banks was a material fraction of total required capital, in part because the internal loss data that was required to be used under the AMA included many large penalties for compliance failures, scandals, or misbehavior. As a result, the AMA approach has lost favor and is no longer permitted.

Solvency II

Minimum capital requirements also exist for insurance companies in many nations. Though international standards do not yet exist, sophisticated approaches have been implemented in the United States and the European Union.

In the mid-1990s, the U.S.-based National Association of Insurance Commissioners (NAIC) promulgated a capital standard that

14 The categories are: Clients, Products and Business Practices; Execu
anticipated some elem ents of Basel II. In addition to capital
tion, Delivery and Process M anagem ent; External Fraud; Internal Fraud;
Dam age to Physical A ssets; Em ployee Practices and W orkplace Safety; requirements covering the risks associated with liabilities, capital
Business Disruption and System Failures. is required for risky assets at levels that depend on ratings
314 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
assigned by the N AIC to each asset.15 Insurance regulation is at Also similar to Basel II, requirements may be satisfied by a com
the state level in the United States, but most states have im ple bination of Tier 1 capital (equity, retained earnings, and equiva
mented these requirem ents. lents), Tier 2 capital (liabilities subordinated to policyholders and
available for write-off in liquidations), and Tier 3 capital (subor
In Europe, regulation of insurance companies is done by the Euro
dinated to policyholders but not satisfying the other criteria for
pean Union's (EU) European Insurance and Occupational Pensions
Tier 2).
Authority (EIOPA). The first capital regulations at the EU level were
known colloquially as Solvency I, which has recently been replaced
by Solvency II. More than 10 years in the making, Solvency II
resembles Basel II in that many elements of its capital requirements
SUMMARY
are based on a one-year VaR concept (at the 99.5th percentile) and
This chapter has provided an overview of internationally agreed
it has three pillars (quantitative requirement, internal governance
capital requirem ents that were created before the Global Finan
and official supervision, and disclosure and transparency). Under
cial Crisis. The 1988 Basel Accord (Basel I) introduced risk-based
writing risk, credit and market risk, and operational risk are all
capital requirem ents, while the 1995 and 1996 am endments
considered. Underwriting risk is further subdivided into risks arising
introduced much more sophisticated treatm ents of netting and
from life insurance, property & casualty, and health insurance.
market risk than had been previously available.
Solvency II also has elem ents found in Basel III (see Chapter ##),
Basel II introduced additional approaches to capital for credit
such as required buffers of capital above the minimum amount.
risk that were much more risk-sensitive and more aligned with
If an insurance com pany breaches Solvency ll's minimum capital
modern credit risk m anagem ent analysis. It also introduced
requirem ent (M CR), supervisors may prevent the stressed firm
two new pillars in addition to quantitative capital requirem ents:
from writing new policies or put it into resolution (e.g ., a sale to
supervision and disclosure.
a stronger com pany, or liquidation). The required buffer above
the M CR is defined by the solvency capital requirem ent" (SCR)
less the M CR. If the SCR is breached, the insurance company
References
should present a plan for capital restoration, and the supervisor
might impose additional requirem ents. Bank for International Settlem ents, 2006, "Basel II: International
Solvency II includes both standardized and internal model-based Convergence of Capital M easurem ent and Capital Standards."
approaches to calculating the SCR. Internal models must satisfy
Bank for International Settlem ents, 1988, "International conver
three criteria. gence of capital m easurem ent and capital standards."
• First, the data and m ethodology must be sound.
Carey, Mark S., and William F. Treacy, 1998, C redit risk rating at
• Second, risk assessm ents must be calibrated to be in accor large U.S. banks, Federal Reserve Bulletin, November.
dance with target criteria set by the regulator.
Gordy, M. B., 2003, A risk-factor model foundation for ratings-
• Finally, the model must be used in actual business based capital ratios, Journal of Financial Intermediation 12,
decision-making. 199-232.
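Returning to the two operational-risk capital measures covered in this chapter, the Basic Indicator Approach and the parametric Monte Carlo variant of the AMA, the following is an added worked example (my own code, not from the GARP text). It drops negative-income years from the three-year average as the text describes, simulates one year of losses per Basel II event type as Poisson-distributed event counts with Weibull-distributed severities, reads the 99.9th percentile of the simulated annual aggregate loss, and shows the difference between assuming perfect correlation across event types (the default a bank gets if it cannot defend anything else) and assuming independence. The insurance offset is capped at 20 percent of the charge. All event-type parameters and income figures are constructed for illustration.

```python
"""Operational-risk capital two ways: the Basel II Basic Indicator Approach
and a parametric AMA loss-distribution model (Poisson frequency, Weibull
severity, Monte Carlo to the 99.9th percentile).

Added example, not from the GARP text. Event-type parameters and income
figures are constructed; Basic Indicator figures are in USD billions, AMA
figures in USD millions.
"""
import math
import random


def basic_indicator_capital(annual_gross_income, alpha=0.15):
    """Alpha times the average gross income of the last three years, with
    years of negative income dropped from both numerator and denominator
    (so [61, -4, 70] averages over two years, not three)."""
    positive = [g for g in annual_gross_income[-3:] if g > 0]
    if not positive:
        return 0.0
    return alpha * sum(positive) / len(positive)


def poisson(rng, lam):
    """Poisson draw via Knuth's multiplication method (adequate for the
    event rates used here; the threshold underflows for very large lam)."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_loss(rng, freq_lambda, sev_scale, sev_shape):
    """One simulated year for one event type: Poisson(lambda) events, each
    with Weibull(scale, shape) severity. Shape below 1 gives the heavy right
    tail typical of operational losses."""
    events = poisson(rng, freq_lambda)
    return sum(rng.weibullvariate(sev_scale, sev_shape) for _ in range(events))


def percentile(values, q):
    """Nearest-rank empirical percentile, q in [0, 1]."""
    ordered = sorted(values)
    rank = max(1, math.ceil(q * len(ordered)))
    return ordered[rank - 1]


def ama_capital(event_types, n_years=10000, seed=7, insurance_offset=0.0):
    """event_types maps a Basel II event type to (lambda, scale, shape).

    Returns the 99.9th percentile of annual aggregate loss under perfect
    correlation across event types (sum of per-type percentiles) and under
    independence (percentile of the summed simulated losses). Expected loss
    is inside the charge, as BCBS requires; the insurance offset is capped
    at 20 percent of the charge.
    """
    rng = random.Random(seed)
    per_type = {
        name: [simulate_annual_loss(rng, *params) for _ in range(n_years)]
        for name, params in event_types.items()
    }
    perfect_corr = sum(percentile(v, 0.999) for v in per_type.values())
    totals = [sum(year) for year in zip(*per_type.values())]
    independent = percentile(totals, 0.999)
    offset = min(insurance_offset, 0.20 * perfect_corr)
    return {
        "expected_loss": sum(totals) / n_years,
        "var_999_perfect_corr": perfect_corr,
        "var_999_independent": independent,
        "capital": perfect_corr - offset,
    }


# Constructed parameters for the seven Basel II event types:
# (events per year, Weibull scale in USD millions, Weibull shape).
SAMPLE_EVENT_TYPES = {
    "internal_fraud": (2, 3.0, 0.6),
    "external_fraud": (40, 0.2, 0.8),
    "employment_practices": (8, 0.4, 0.9),
    "clients_products_practices": (5, 5.0, 0.5),
    "damage_physical_assets": (1, 2.0, 0.7),
    "business_disruption": (6, 0.5, 0.8),
    "execution_delivery": (30, 0.3, 0.8),
}

if __name__ == "__main__":
    print("BIA capital (USD bn):", round(basic_indicator_capital([61, -4, 70]), 3))
    for key, value in ama_capital(SAMPLE_EVENT_TYPES, insurance_offset=50.0).items():
        print(f"{key:>24}: {value:10.2f}")
```

The gap between `var_999_perfect_corr` and `var_999_independent` is exactly the diversification benefit a supervisor will ask the bank to defend; the perfectly correlated figure is what the bank is left with if it cannot.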
• Describe and calculate the stressed VaR introduced in Basel 2.5, and calculate the market risk capital charge.
• Explain the process of calculating the incremental risk capital charge for positions held in a bank's trading book.
• Describe the comprehensive risk (CR) capital charge for portfolios of positions that are sensitive to correlations between default risks.
• Define in the context of Basel III and calculate where appropriate:
  • Tier 1 capital and its components
  • Tier 2 capital and its components
  • Required Tier 1 equity capital, total Tier 1 capital, and total capital
• Describe the motivations for and calculate the capital conservation buffer and the countercyclical buffer, including special rules for globally systemically important banks (G-SIBs).
• Describe and calculate ratios intended to improve the management of liquidity risk, including the required leverage ratio, the liquidity coverage ratio, and the net stable funding ratio.
• Describe the mechanics of contingent convertible bonds (CoCos) and explain the motivations for banks to issue them.
• Explain motivations for "gold plating" of regulations and provide examples of legislative and regulatory reforms that were introduced after the 2007-2009 financial crisis.
The financial crisis that began in the summer of 2007 revealed limitations and gaps in the existing solvency and liquidity regulations. It also revealed market practices and product designs that proved ill-suited to stressed environments. Global regulators reacted with more restrictive regulations and supervision and with more coordination across nations.

20.1 THE FINANCIAL STABILITY BOARD

The Financial Stability Forum, a body that undertook occasional studies, was reconstituted as the Financial Stability Board (FSB) in the wake of the financial crisis. The FSB is composed of representatives from finance ministries, central banks, prudential regulators, securities regulators, and others from dozens of nations.

Although organizations like the Basel Committee and IOSCO appeared to retain their independence and authority, as a practical matter the FSB became the body in which many changes in international standards were approved. Later, as the regulatory tsunami receded, the FSB began to focus on other matters.

20.2 BASEL 2.5

Market prices of financial assets fell sharply during 2007-2009. In addition, many assets not already illiquid became so, the soundness of securitizations was doubted, and many hedging strategies failed. It was clear that minimum capital charges under the market risk amendment were inadequate for the trading-book risks revealed during the crisis.

The Basel Committee responded with updated rules for capital for the trading book, making three major changes, described in turn below. These changes were implemented by the end of 2011.

Stressed VaR

Most banks computed capital under the market risk amendment using historical simulation (i.e., 1-day VaR was computed by drawing daily changes in value from recent history and then converted to 10-day VaR by multiplying by √10). During periods of low volatility, such a practice causes measured VaR to gradually decline because all or nearly all of the historical observations have small changes in value. When volatility rises again, as it did in 2007 for many assets, VaR from historical simulation was slow to follow because most historical observations were from a low-volatility period.

The Basel Committee introduced a requirement for use of stressed-VaR measures to counter such tendencies. Rather than drawing daily observations from the most recent historical period, a bank is required to identify the one-year (i.e., 250-day) period from the most recent seven years that was most stressful for its current portfolio. Because this will be the sub-period with the highest fraction of portfolio-weighted large declines in value, the resulting 1-day VaR will be relatively large and will not change much as time passes (unless a period of low volatility persists for 7 years).

Stressed VaR was combined with the traditional VaR measure in an expanded formula

MR2.5 = max(VaR_{t-1}, m_r × VaR_avg) + max(SVaR_{t-1}, m_s × SVaR_avg)

where VaR_{t-1} and VaR_avg are the traditional 10-day, 99 percent VaR as of the previous day and its average over the 60 most recent days, respectively. SVaR_{t-1} and SVaR_avg are calculated the same way but by drawing from the equivalent times during the most stressful period in the past seven years. The multipliers m_r and m_s must be at least 3, as under the 1996 Amendment.

Because the definition of the stress period is such that the most recent period cannot be more stressed than the stressed period, and the charges based on traditional and stressed VaR are summed, MR2.5 must be at least twice as large as MR calculated under the 1996 Amendment as long as the multipliers are equal.

Although the specific risk charge was intended to capture default risk (as well as other sources of idiosyncratic risk), banks had learned by the early 2000s that even with the specific risk charge, most banking-book exposures had smaller capital requirements in the trading book than in the banking book. Thus, many illiquid instruments posing default risk were placed in the trading book.
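Before turning to the incremental risk charge, here is the stressed-VaR computation above as an added worked example (my own code, not from the GARP text). It computes historical-simulation VaR from a window of daily P&L, searches the last seven years for the 250-day window with the highest VaR, and evaluates both the 1996-Amendment charge and MR2.5 so the "at least twice as large" property can be checked. The P&L series is constructed and stands in for a single position, so "most stressful for the current portfolio" reduces to "highest VaR over the window" and the stressed window is the same on every day of the 60-day averaging period.

```python
"""Basel 2.5 market-risk charge from a daily P&L history: historical-
simulation VaR, the most stressful 250-day window in the last seven years,
and

    MR2.5 = max(VaR_{t-1}, m_r * VaR_avg) + max(SVaR_{t-1}, m_s * SVaR_avg)

Added example, not from the GARP text; the P&L series is constructed.
"""
import math
import random

WINDOW = 250          # one trading year of daily P&L observations
LOOKBACK = 7 * WINDOW  # stress window is searched over the last seven years
AVERAGING = 60         # days over which VaR_avg / SVaR_avg are averaged


def hist_sim_var(daily_pnl, confidence=0.99, horizon=10):
    """Historical-simulation VaR: the loss exceeded by only (1 - confidence)
    of the observations, scaled to the capital horizon by sqrt(horizon).
    With 250 observations at 99 percent this is the third-worst day."""
    losses = sorted((-x for x in daily_pnl), reverse=True)
    rank = int((1 - confidence) * len(losses))
    return max(0.0, losses[rank]) * math.sqrt(horizon)


def window_var(pnl, end):
    """VaR of the WINDOW observations ending just before index `end`."""
    return hist_sim_var(pnl[end - WINDOW:end])


def stressed_window_end(pnl):
    """End index of the 250-day window within the last seven years that
    gives the highest VaR. The most recent window is a candidate, which is
    why SVaR can never be below the current VaR."""
    first_end = max(WINDOW, len(pnl) - LOOKBACK)
    return max(range(first_end, len(pnl) + 1), key=lambda end: window_var(pnl, end))


def mr25_charge(pnl, m_r=3.0, m_s=3.0):
    """Basel 2.5 charge plus, for comparison, the 1996-Amendment charge
    max(VaR_{t-1}, m_r * VaR_avg) that it extended."""
    today = len(pnl)
    var_t1 = window_var(pnl, today)
    var_avg = sum(window_var(pnl, today - d) for d in range(AVERAGING)) / AVERAGING
    # Single position: the stressed window is the same for every day of the
    # averaging period, so SVaR_avg equals SVaR_{t-1}.
    s_end = stressed_window_end(pnl)
    svar_t1 = svar_avg = window_var(pnl, s_end)
    mr_1996 = max(var_t1, m_r * var_avg)
    mr_25 = mr_1996 + max(svar_t1, m_s * svar_avg)
    return {"var_t1": var_t1, "var_avg": var_avg, "svar": svar_t1,
            "stressed_window_end": s_end, "mr_1996": mr_1996, "mr_25": mr_25}


def constructed_pnl(days=1800, seed=3):
    """Constructed daily P&L in USD millions: sigma 1 in calm regimes and
    sigma 4 during a stressed stretch on days 600-849."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 4.0 if 600 <= day < 850 else 1.0) for day in range(days)]


if __name__ == "__main__":
    for key, value in mr25_charge(constructed_pnl()).items():
        print(f"{key:>20}: {value:10.3f}" if isinstance(value, float) else f"{key:>20}: {value}")
```

Because the search covers every window ending in the last seven years, including the one used for VaR_{t-1} and the 60 used for VaR_avg, SVaR dominates each term and MR2.5 comes out at no less than twice the 1996 charge whenever m_r = m_s, which is the argument the text makes in words.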
Chapter 20 Solvency, Liquidity and Other Regulation After the Global Financial Crisis ■ 319

To remove this incentive, the Basel Committee proposed adding an incremental default risk charge (IDRC). Two variants were proposed:

• An internal model of default risk calibrated to the same 99.9th percentile at a one-year horizon as the Committee's IRB approach; or
• In the absence of such a model, either a "standardized" or a "current exposure" approach that had some similarity to Basel I capital charges for specific risk.

As a practical matter, capital in the trading book would be the greater of market risk capital and banking book capital.1

Late in the crisis, however, the Committee had realized that most losses in portfolio value associated with credit risk had been due to changes in ratings, credit spreads, or liquidity, not defaults. As a result, the scope of the proposal was increased to include changes in ratings, and the charge became the incremental risk charge (IRC). The same 99.9th percentile was used, but in addition to defaults, banks were required to estimate losses associated with rating downgrades. Portfolio credit quality is held approximately constant by an assumption that any position that is downgraded or that defaults is replaced by a position with the same pre-downgrade rating. A loss is recorded from sale of the downgraded or defaulted position. The period over which replacement could occur differs across positions according to their liquidity but is never less than three months.2

2 See BCBS, "Guidelines for Computing Capital for Incremental Risk in the Trading Book," July 2009.

Correlations and the Comprehensive Risk Measure

An assumption embedded in Basel II is that the correlation parameter in the Gordy (2003) model is constant across obligors and over time (though not across types of assets). This assumption is reasonable for portfolios of debt instruments for purposes of determining banking-book capital, but not for instruments in the correlation book (e.g., securitizations, re-securitizations and derivatives written on securitizations).

The Basel Committee addressed this issue by replacing the IRC and specific risk charge with a comprehensive risk (CR) charge for the correlation book. Under the new rules, banks may use a standardized approach (summarized in Table 20.1) that depends only on the rating of the instrument. (Note that the percentages are capital as a fraction of the exposure, not risk weights.)

Table 20.1 Comprehensive Risk Capital Charge Under the Standardized Approach

Rating               AAA, AA   A     BBB   BB    Below BB, unrated
Securitizations      1.6%      4%    8%    28%   100%
Re-securitizations   3.2%      8%    18%   52%   100%

Because re-securitizations (for which the underlying pool of assets consists of the tranched liabilities of securitization vehicles) are more vulnerable to changes in correlations, capital requirements are much higher for them. Meanwhile, tranches rated below BB are the most exposed to losses in the underlying pool (i.e., in effect they must be financed entirely with capital).

Banks may also use an internal model to estimate the CR charge if approved to do so by supervisors, though the model-based charge may not be less than a fraction of the charge under the standardized approach. Given the complexity of the underlying instruments and the rationale for using an internal model, which often includes the capture of hedges with more sophistication than the standardized approach, the internal models must be unusually complete, complicated and robust. Multiple default and rating change events; volatility in correlations and credit spreads; basis risk (e.g., the difference between CDS and underlying index values); the dynamics of hedges; and volatility in recovery rates must be modeled, ideally with simulations that revalue the whole portfolio for each iteration of a simulation.

• The official sector came to believe that distress at some banks posed greater threats to society than distress at other banks, and that those in the former category should be better able to manage distress. Categories of "systemically important" financial firms were created and embedded in a wide range of regulatory and supervisory practices.
• Risk-based capital ratios were thought to have been too susceptible to gaming. Leverage-ratio capital requirements were needed as a backstop, especially since market participants who focused only on tangible common equity tended to also focus only on leverage ratios.
• It was not enough for banks to remain solvent up to the point of maximum losses - they also had to be able to operate as a going concern thereafter, which meant they needed substantial capital after absorbing the losses. In many cases, governments provided capital, but such provision was unpopular. Buffers of capital above the minimum requirements were needed, as were means of recapitalizing failed banks.
• Entities that were thought to be solvent by regulators nevertheless suffered runs and, in some cases, failed. This was in part because their liquid reserves proved inadequate to cover withdrawn funding and in part because wholesale funding proved to be unstable. Thus, liquidity requirements were needed.
• Especially after the failure of Lehman, which did not honor its commitments as a counterparty in derivative contracts, it became clear that capital was needed to cover counterparty credit risk.
• In addition, a Large Exposures Framework was created in 2014 to set a common global standard to limit exposure concentrations to a single counterparty, particularly between systemically important institutions. Specifically, the limits are 25% of capital (and 15% between global systemically important banks). This framework assumes 100% probability of default and 100% loss given default (after netting and collateral adjustments), limits the use of models that failed in the crisis, and aggregates across wholesale credit, trading and other books. The LEF also addresses a limitation of the capital framework, which does not adjust capital requirements for significant concentrations under either the Standardized Approach or the Gordy Model used in IRB (which assumes exposures are granular, not concentrated).

Proposals to remedy the deficiencies were published in 2010 and 2011 and amended in later years.3

3 BCBS, "Basel III: A Global Regulatory Framework for More Resilient Banks and Banking Systems," June 2011; and BCBS, "Basel III: International Framework for Liquidity Risk Measurement, Standards and Monitoring," December 2010.

The Definition of Capital

Basel III eliminated Tier 3 Capital and divided Tier 1 Capital into Tier 1 Equity Capital (also known as Core Tier 1 Capital) and Additional Tier 1 Capital, restricting the former to high-quality capital.

Minimum capital requirements were also changed: Core Tier 1 must be at least 4.5 percent of risk-weighted assets, and Total Tier 1 (i.e., the sum of Core and Additional Tier 1) capital must be at least 6 percent of risk-weighted assets. The Total Capital requirement (Tier 1 plus Tier 2) was left unchanged at 8 percent.

The components of each category are:

• Tier 1 Equity Capital includes
  • common equity,
  • retained earnings, and
  • a limited amount of minority interest and unrealized gains and losses.
  Goodwill and other intangibles are deducted, as are deferred tax assets and any shortfall of reserves relative to IRB expected losses.
• Additional Tier 1 Capital includes:
  • Unsecured, unguaranteed, non-cumulative perpetual preferred equity instruments subordinated to depositors and subordinated debt, and callable only after five years or more.
  • Debt with appropriate triggers that cause conversion to equity or write-downs.
  • Approved minority interest not included in Core Tier 1.
• Tier 2 capital is designed to absorb losses after failure, protecting depositors and other creditors. It includes:
  • Subordinated debt. Specifically, unsecured, unguaranteed debt instruments subordinated to depositors and general creditors, with five years or more original maturity, and callable only after five years or more.
  • General loan loss reserves. These are reserves not allocated to absorb losses on specific positions. Reserves included in capital are capped at 1.25% of standardized approach RWAs, or 0.6% of IRB RWAs.

A number of other deductions are required, such as

• defined-benefit pension plan deficits,
• certain cross-holdings within a group, and
• mortgage servicing rights greater than 10 percent of common equity.

Overall, capital requirements were significantly increased relative to Basel 2 because minimum ratios were increased and allowable capital was constricted.
Leverage Ratio Capital Requirements

Prior to Basel 3, minimum capital ratios specified by the Basel Committee were expressed as a percentage of risk-weighted assets (RWA). However, during and after the crisis many observers felt that RWA had understated the risks borne by banking organizations and thus led them to be over-leveraged. Though known weaknesses in the calculation of RWA were addressed, the possibility of future mismeasurement remained. Moreover, during the crisis market participants had focused on simple ratios of equity to unweighted assets as they assessed the soundness of banking organizations, making risk-weighted ratio values peripheral to the debates of the time.

The Committee's reaction was to introduce a "simple" leverage ratio capital requirement as a supplement to the risk-based requirements: banking organizations must maintain a ratio of Tier 1 Capital to Leverage Exposure of 3 percent or more. Leverage Exposure includes both on-balance-sheet assets and fractions of off-balance-sheet assets (e.g., derivatives or potential future exposures). Though the IFRS and GAAP accounting standards differ somewhat in their handling of off-balance-sheet assets, the Committee's Leverage Exposure measure is specified in some detail to promote comparability across nations.

Systemically Important Financial Institutions

The FSB publishes lists of globally systemically important banks (G-SIBs) and (in cooperation with the IAIS) globally systemically important insurers (G-SIIs). Some nations also designate other banks as domestically systemically important (D-SIBs).

Collectively, these and other firms fall into the category of systemically important financial institutions (SIFIs). To determine whether an entity is a G-SIB, the FSB combines variables that proxy for size, interconnectedness, complexity, international activity and other matters.

An entity is systemically important if its failure or distress would cause substantial problems in the financial system or the real economy. For example, the aftermath of Lehman's failure demonstrated that it was systemically important because many financial markets were disrupted, and many counterparties suffered because Lehman failed to satisfy its obligations.

SIFIs are often presumed to be "too big to fail," but key goals of reforms include reducing the likelihood of failure while also making it possible for any entity to "fail" without disrupting the financial system or the real economy. Though shareholders likely would be wiped out in a failure and some creditors would suffer losses, the goal is for the entity to keep operating and be recapitalized without government assistance. As described ahead, systemically important firms are often subjected to more wide-ranging supervision and regulation.

Buffers

As of early 2019, the Basel specifications feature three requirements for capital above the minimum fractions of RWA:

1. A 2.5 percent capital conservation buffer (CCB) requirement.
2. An additional G-SIB requirement that depends on an organization's score when the Committee applies its method to identify G-SIBs. These additions are 1, 1.5, 2, 2.5 and 3.5 percent.4
3. A Countercyclical Capital Buffer (CCyB) that varies at the discretion of national supervisors and is between 0 and 2.5 percent.

The rationales for the buffers differ somewhat. In the case of the CCB, the rationale roughly follows that for the Prompt Corrective Action (PCA) system built into U.S. capital regulation beginning in 1991 (i.e., a bank with ratios that begin to approach the minimums should be subject to increasingly stringent supervisory intervention in order to induce a return to well-capitalized status). Though the only restrictions formally imposed by the Committee involve restrictions on dividend payments and bonuses, as well as a requirement for plans to restore capital ratios, supervisors may try to act more broadly as well.5

4 The 2018 list of G-SIBs contained 29 entities. Since the list of G-SIBs was first published in 2011, none have been in the 3.5 percent category, and since 2013 only HSBC and JP Morgan Chase have appeared in the 2.5 percent category.

5 Supervisors have a range of tools at their disposal and may be constrained from certain actions when a bank is still meeting its minimums. In stressed environments it may be difficult to achieve asset sales, capital raises, or mergers that provide a remedy to deal with a weak bank. A failure to meet a buffer is less severe than failing to meet a minimum requirement.

In the case of the G-SIB buffer, the rationale is similar to that for the CCB but also recognizes the very large costs to society of distress at G-SIBs (and the higher volatility of losses at some of them). Thus, larger buffers are specified to further reduce the chance of failure. A breach of the G-SIB buffer has consequences similar to a breach of the CCB.

The CCyB has two rationales. One is to provide an instrument for macroprudential restraint of overheating; the other is attentive to the cost of capital.

The overheating rationale posits that higher bank capital requirements tend to restrict credit supply by banks, and thus restrain overheating in the credit markets, thereby damping the amplitude of the credit cycle and perhaps reducing the frequency and severity of financial crises. A consequence of the overheating rationale is that computation of the CCyB requirement is complicated for banks with international operations. This is because the CCyB may differ across nations, and a bank with operations in several nations will have a consolidated CCyB requirement that is a weighted average of the requirements in each nation in which it operates.

The cost-of-capital rationale presumes that a bank's costs of increasing its capital ratio are smaller in good times than in bad times, which implies that increased financial stability can be obtained at lower cost by increasing the CCyB during good times and reducing it during bad times. Implicitly, this rationale focuses on capital market costs for the entity as a whole, without regard to conditions in different nations' credit markets.

As a practical matter, different supervisors have given different weights to the two rationales. The consequences of violating the CCyB are similar to those of violating the CCB. However, because national supervisors can reduce the CCyB at any time, such consequences can be mitigated by changing the requirement.

All of the aforementioned requirements apply only to risk-based capital ratios. In 2017, the Committee introduced a leverage ratio buffer for G-SIBs as well, equal to one-half of its risk-based G-SIB buffer (not including the CCB or CCyB).6 Earlier, the U.S. had implemented a 2 percentage point leverage buffer requirement for G-SIB consolidated organizations, and a 3 percentage point buffer for subsidiary banks, for an aggregate minimum of 5 and 6 percent, respectively. In 2018, the U.S. proposed to change its G-SIB leverage buffer to half of the sum of the CCB and G-SIB risk-based buffer requirements.

Key Changes - Standardized Approach

• Risk weights for banks have been adjusted, with one set of weights linked to external rating agencies, and another to credit risk assessments (i.e., Grade A, B or C) used when a country does not permit external ratings to be used for capital measures. The range is a 20% risk weight for AAA up to 150% for ratings below B-.
• Covered bonds (i.e., bonds issued by banks and secured by a portfolio of collateral) meeting specific criteria carry a risk weight of between 10% and 100%.
• Corporate bonds carry risk weights of 20%, 50%, 75%, 100% and 150% tied to ratings. In countries that do not allow ratings, a 65% risk weight applies to investment grade and 100% to non-investment grade. Favorable treatment is provided to loans to small and medium enterprises (SMEs).
• Specialized lending has several buckets (e.g., project finance or object finance) with detailed definitions and specific risk weights.
• Equities have a 400% risk weight (with exceptions) and sub-debt or other instruments have a 150% risk weight.
• New risk weights were set for real estate tied to loan value and type (e.g., retail versus commercial).
• New credit conversion factors were set for a range of off-balance-sheet exposures.
• A definition of default was added. It includes payments past due for 90 days, non-accrual assets, write-offs in anticipation of default, sale of an asset at a loss, distressed restructuring, bankruptcy, and inability to pay without recourse to collateral.
• Treatment of hedges and collateral was expanded into significant detail.
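To make the buffer and leverage arithmetic from the Buffers section concrete, here is an added worked example (my own code, not from the GARP text). It stacks the 2.5 percent CCB, the G-SIB bucket surcharge and a consolidated CCyB on top of the 4.5 percent Core Tier 1 minimum, checks the 6 and 8 percent Tier 1 and total minimums and the 3 percent leverage ratio, sets the G-SIB leverage buffer at half the risk-based G-SIB buffer, and reports how much of the combined buffer is in use. Two details are BCBS rules as I know them and are not stated in the text: the CCyB is weighted by the bank's RWA in each jurisdiction, and the dividend and bonus restriction is a four-quartile earnings-retention schedule. The bank's numbers are constructed.

```python
"""Basel III capital-adequacy check for one bank: minimum ratios, the
buffer stack (capital conservation buffer + G-SIB surcharge +
jurisdiction-weighted countercyclical buffer), the earnings-retention
restriction when the buffer is eaten into, and the leverage ratio with a
G-SIB leverage buffer of half the risk-based G-SIB buffer.

Added example, not from the GARP text. RWA weighting of the CCyB and the
four-quartile retention schedule are assumed from the BCBS standard; the
bank is constructed.
"""

MIN_CET1, MIN_TIER1, MIN_TOTAL = 0.045, 0.06, 0.08
CCB = 0.025
MIN_LEVERAGE = 0.03
GSIB_BUCKETS = (0.0, 0.01, 0.015, 0.02, 0.025, 0.035)   # bucket 0: not a G-SIB
# (upper bound of the buffer fraction filled, minimum share of earnings retained)
RETENTION_SCHEDULE = ((0.25, 1.00), (0.50, 0.80), (0.75, 0.60), (1.00, 0.40))


def weighted_ccyb(rwa_by_jurisdiction, ccyb_by_jurisdiction):
    """Consolidated CCyB: each national rate, clamped to 0-2.5 percent,
    weighted by the bank's RWA in that jurisdiction (assumed weighting)."""
    total_rwa = sum(rwa_by_jurisdiction.values())
    weighted = sum(
        rwa * min(max(ccyb_by_jurisdiction.get(j, 0.0), 0.0), 0.025)
        for j, rwa in rwa_by_jurisdiction.items()
    )
    return weighted / total_rwa


def min_earnings_retention(buffer_filled_fraction):
    """Dividend/bonus restriction: the thinner the remaining buffer, the
    larger the share of earnings that must be retained; none if the
    combined buffer is fully met."""
    if buffer_filled_fraction >= 1.0:
        return 0.0
    for upper, retention in RETENTION_SCHEDULE:
        if buffer_filled_fraction <= upper:
            return retention
    return 0.0


def capital_check(bank):
    """bank: cet1, at1, tier2, rwa, leverage_exposure (same currency),
    gsib_bucket (0-5), rwa_by_jurisdiction, ccyb_by_jurisdiction."""
    cet1, at1, tier2, rwa = bank["cet1"], bank["at1"], bank["tier2"], bank["rwa"]
    tier1 = cet1 + at1
    gsib = GSIB_BUCKETS[bank["gsib_bucket"]]
    ccyb = weighted_ccyb(bank["rwa_by_jurisdiction"], bank["ccyb_by_jurisdiction"])
    combined_buffer = CCB + gsib + ccyb
    ratios = {
        "cet1": cet1 / rwa,
        "tier1": tier1 / rwa,
        "total": (tier1 + tier2) / rwa,
        "leverage": tier1 / bank["leverage_exposure"],
    }
    minimums_met = (ratios["cet1"] >= MIN_CET1 and ratios["tier1"] >= MIN_TIER1
                    and ratios["total"] >= MIN_TOTAL and ratios["leverage"] >= MIN_LEVERAGE)
    # Buffers must be met with CET1 left over after all three risk-based
    # minimums: a shortfall of AT1 or Tier 2 is filled with CET1 first.
    cet1_for_minimums = max(MIN_CET1 * rwa, MIN_TIER1 * rwa - at1,
                            MIN_TOTAL * rwa - at1 - tier2)
    buffer_filled = max(0.0, cet1 - cet1_for_minimums) / (combined_buffer * rwa)
    leverage_required = MIN_LEVERAGE + 0.5 * gsib
    return {
        "ratios": ratios,
        "ccyb": ccyb,
        "combined_buffer": combined_buffer,
        "minimums_met": minimums_met,
        "buffer_filled_fraction": min(buffer_filled, 1.0),
        "min_earnings_retention": min_earnings_retention(buffer_filled),
        "leverage_required": leverage_required,
        "leverage_buffer_met": ratios["leverage"] >= leverage_required,
    }


SAMPLE_BANK = {   # constructed; amounts in USD billions
    "cet1": 75, "at1": 15, "tier2": 25, "rwa": 1000, "leverage_exposure": 2500,
    "gsib_bucket": 2,   # 1.5 percent surcharge
    "rwa_by_jurisdiction": {"US": 600, "UK": 300, "HK": 100},
    "ccyb_by_jurisdiction": {"US": 0.0, "UK": 0.01, "HK": 0.025},
}

if __name__ == "__main__":
    for key, value in capital_check(SAMPLE_BANK).items():
        print(f"{key:>24}: {value}")
```

The constructed bank clears every minimum yet sits inside its combined buffer (about two-thirds filled) and below its G-SIB leverage requirement of 3.75 percent, which is the situation the text describes as a buffer breach: no supervisory closure, but restricted distributions and a capital-restoration plan.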
c) the CVA framework for counterparty credit risk,
d) operational risk, and
e) the leverage ratio.

In addition, an output floor was introduced to ensure that capital calculations under the ratings-based and other modelled approaches are constrained to not less than 72.5% of the standardized approach.

• IRB is not permitted for large corporates or banks, where modeling is problematic given few historical defaults and a limited number of exposures in the data set.
• Banks must apply IRB to all assets in a given asset class and cannot cherry-pick some exposures to be covered under SA alone and IRB for others.
• Minimum UL risk weights apply for specialized lending. Collateral haircuts are applied for secured lending.
range of 0% to 15% minimum on secured exposures. Retail exposures have a 50% minimum LGD on credit cards, 30% on other unsecured exposures, and a similar 0% to 15% minimum LGD on secured loans.

Key Changes - CVA Risk

• Two approaches are available for calculating CVA risk: the standardized approach (SA-CVA) and the basic approach (BA-CVA).

ILM

The internal loss multiplier of the Basel III standardized measurement approach for operational risk, where LC is the loss component and BIC the business indicator component, is

ILM = ln(exp(1) - 1 + (LC/BIC)^0.8)

Liquidity Requirements

Solvent financial institutions can sometimes fail because their depositors and counterparties withdraw more rapidly than assets can be sold. Regardless of the causes of a run, authorities value having time to diagnose the problem and find a solution, ideally one not involving government guarantees.

During the crisis, perhaps the most notable example of a failure involving a run was that of Northern Rock. Heavily dependent on securitization markets to fund its mortgage business, the bank had trouble finding enough wholesale funding to finance

a substantial fraction of retail deposits was withdrawn and Northern Rock's wholesale funding fell. With most of its remaining assets illiquid, Northern Rock found itself in imminent danger of being unable to meet further requests for withdrawals. By the following Monday, the government announced that all deposits would be guaranteed for all U.K. banks.

Basel 3 addressed liquidity risk by specifying two requirements, the liquidity coverage ratio (LCR) and the net stable funding ratio (NSFR).

Net cash outflows are computed by applying assumptions about the tendency of different classes of liabilities to be withdrawn in stress situations, and the tendency of credit line holders to draw on them. For example, only 3 percent of insured retail deposits are assumed to be withdrawn, whereas that number is 100 percent for most non-operational wholesale deposits and 30 percent for undrawn capacity of lines of credit to nonfinancial wholesale customers. These examples only scratch the surface of a vast structure of asset/commitment categories and their associated percentages. As such, the definition of the LCR is simple but the implementation is complicated.

The NSFR uses a one-year period and is conceptually slightly different, in that it focuses not on what can be sold but rather what funding would remain after a stressful year. It is defined as the ratio of the available amount of stable funding to the required amount of stable funding.
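The two ratios as an added worked example (my own code, not from the GARP text) on a constructed balance sheet: the LCR divides the post-haircut stock of high-quality liquid assets by net 30-day cash outflows, and the NSFR divides available stable funding by required stable funding; both must be at least 100 percent. The three runoff rates quoted above (3 percent insured retail deposits, 100 percent non-operational wholesale deposits, 30 percent undrawn lines to nonfinancial wholesale customers) are used as given; every other factor is an assumed illustrative value, and the real standard has far more categories. The HQLA caps (Level 2 at most 40 percent of the stock, Level 2B at most 15 percent) and the cap of inflows at 75 percent of outflows are BCBS rules not mentioned in the text.

```python
"""Basel III liquidity ratios on a constructed balance sheet:

    LCR  = stock of HQLA / net cash outflows over 30 days      (>= 100%)
    NSFR = available stable funding / required stable funding (>= 100%)

Added example, not from the GARP text. Factors marked "assumed" are
illustrative values, not the full BCBS tables; the bank is constructed.
"""

HQLA_HAIRCUT = {"level1": 0.00, "level2a": 0.15, "level2b": 0.50}

OUTFLOW_RATE = {                        # 30-day runoff assumptions
    "retail_stable_insured": 0.03,      # quoted in the text
    "retail_less_stable": 0.10,         # assumed
    "wholesale_nonoperational": 1.00,   # quoted in the text
    "undrawn_lines_nonfinancial": 0.30, # quoted in the text
    "senior_debt_maturing_30d": 1.00,   # assumed
}
INFLOW_RATE = {"performing_loans_maturing_30d": 0.50}   # assumed

ASF_FACTOR = {                          # one-year funding stability, assumed
    "capital": 1.00, "long_term_debt": 1.00,
    "retail_stable_insured": 0.95, "retail_less_stable": 0.90,
    "wholesale_nonoperational": 0.50, "other_liabilities": 0.00,
}
RSF_FACTOR = {                          # one-year funding need per asset, assumed
    "level1": 0.05, "level2a": 0.15, "level2b": 0.50,
    "corporate_loans_under_1y": 0.50, "residential_mortgages": 0.65,
    "other_loans_over_1y": 0.85, "other_assets": 1.00,
    "undrawn_lines_nonfinancial": 0.05,
}


def hqla_stock(hqla):
    """Post-haircut HQLA with the Level 2 and Level 2B caps applied."""
    l1 = hqla.get("level1", 0.0)
    l2a = hqla.get("level2a", 0.0) * (1 - HQLA_HAIRCUT["level2a"])
    l2b = hqla.get("level2b", 0.0) * (1 - HQLA_HAIRCUT["level2b"])
    l2b = min(l2b, 15 / 85 * (l1 + l2a))   # Level 2B at most 15% of the stock
    l2 = min(l2a + l2b, 2 / 3 * l1)        # Level 2 at most 40% of the stock
    return l1 + l2


def net_cash_outflows(outflow_items, inflow_items):
    """Outflows less inflows, with inflows capped at 75% of outflows so a
    bank cannot rely entirely on money it expects to receive."""
    outflows = sum(amt * OUTFLOW_RATE[k] for k, amt in outflow_items.items())
    inflows = sum(amt * INFLOW_RATE[k] for k, amt in inflow_items.items())
    return outflows - min(inflows, 0.75 * outflows)


def lcr(hqla, outflow_items, inflow_items):
    return hqla_stock(hqla) / net_cash_outflows(outflow_items, inflow_items)


def nsfr(funding, assets):
    asf = sum(amt * ASF_FACTOR[k] for k, amt in funding.items())
    rsf = sum(amt * RSF_FACTOR[k] for k, amt in assets.items())
    return asf / rsf


BANK = {   # constructed; USD millions
    "hqla": {"level1": 300, "level2a": 100, "level2b": 40},
    "outflows": {"retail_stable_insured": 1000, "retail_less_stable": 400,
                 "wholesale_nonoperational": 150, "undrawn_lines_nonfinancial": 500},
    "inflows": {"performing_loans_maturing_30d": 100},
    "funding": {"capital": 150, "retail_stable_insured": 1000, "retail_less_stable": 400,
                "wholesale_nonoperational": 150, "long_term_debt": 200,
                "other_liabilities": 100},
    "assets": {"level1": 300, "level2a": 100, "level2b": 40,
               "corporate_loans_under_1y": 400, "residential_mortgages": 800,
               "other_loans_over_1y": 300, "other_assets": 60,
               "undrawn_lines_nonfinancial": 500},
}


def liquidity_report(bank):
    report = {"lcr": lcr(bank["hqla"], bank["outflows"], bank["inflows"]),
              "nsfr": nsfr(bank["funding"], bank["assets"])}
    report["compliant"] = report["lcr"] >= 1.0 and report["nsfr"] >= 1.0
    return report


if __name__ == "__main__":
    print(liquidity_report(BANK))
```

Unknown category names raise a `KeyError` rather than silently contributing zero, which is the failure mode to avoid when a balance-sheet feed adds a new product line: an outflow category with no runoff rate should stop the calculation, not flatter the ratio.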
The available amount of stable funding is calculated by multiplying the amount in several categories of funding by available stable funding (ASF) factors (which are similar to haircuts). However, these categories are different from those of the LCR. The required stable funding is similarly calculated by multiplying amounts in each category of asset by required stable funding (RSF) factors, where the factor is higher the more illiquid the asset (since it cannot be sold as easily when funding runs off).

The new liquidity requirements represent a major change in bank regulation and management. Prior to the crisis, the presumption was that regulators would instantly know whether a bank was solvent or not. If a bank was solvent, central banks could immediately provide enough emergency funding until market participants became comfortable with its solvency, whereas insolvent banks would be closed immediately.

One lesson of Northern Rock is that provision of funding by central banks can make funding stresses worse, not better, and doing so for one bank can destabilize a banking system. Thus, banks must be much better prepared to survive periods of funding stress with their own resources. This means that balance sheet composition is somewhat constrained, with a smaller proportion of illiquid assets and a larger proportion of illiquid liabilities.

Example of LCR and NSFR

A bank's liabilities consist of USD 500 of stable retail deposits with 9 months or less remaining maturity, USD 200 of 3-month wholesale certificates of deposit with one-third maturing each month, USD 200 of 10-year senior bonds with none maturing in the next year, and USD 100 of common equity. ASF factors for these categories of liability are 95%, 0%, 100%, and 100%, respectively.

The bank's assets consist of USD 100 of vault cash, USD 100 of the debt of its sovereign, USD 100 of corporate debt securities rated BBB in the trading account, and USD 700 of loans to businesses with more than one year of remaining maturity and risk weights of 50% or more. The RSF factors for these assets are 0%, 5%, 50%, and 85%, respectively. Thus

NSFR = (475 + 0 + 200 + 100) / (0 + 5 + 50 + 595) = 1.19

For the LCR, HQLA factors (1 − haircut) are 100%, 100%, 50%, 0%, presuming the supervisor allows inclusion of the corporate debt securities. Note that the corporate debt securities are Level 2 assets, which may not comprise more than 40% of HQLA after the haircut. This is satisfied since total HQLA is USD 250, of which USD 50 is the corporate debt securities.

Using a 5% runoff rate for the stable retail deposits, a 100% runoff rate for the one-third of wholesale CDs that mature in the next month, and a 0% runoff rate for senior bonds and equity, net 30-day cash outflows are 25 + 67 = 92, so

LCR = 250 / 92 = 2.72

Thus, the bank in this example would be in compliance with the LCR and NSFR. Note that a very large number of categories, factors and haircuts were not discussed in this example and the liquidity requirements are operationally complex.

Derivatives Counterparty Credit Risk

Banks calculate a credit valuation adjustment (CVA) for each derivatives counterparty, which is the difference in value between a risk-free portfolio of derivatives with that counterparty and the actual portfolio. CVA increases with the counterparty's credit spread and also changes with the market value of the portfolio. The component from changes in market values affects profit, while the component associated with counterparty credit spreads appears in market risk capital.

20.4 RESOLUTION PLANNING AND PREPARATION

Banks will fail in the future in spite of Basel I, II, III and later reforms. To limit the disruptions caused by such failures, the FSB agreed in 2014 that national resolution regimes for G-SIBs would have 12 key attributes and that each G-SIB should have sufficient total loss absorbing capacity (TLAC) to enable it to recapitalize itself.

Recapitalization might be accomplished by causing convertible bonds to become equity or by bail-in, in which certain wholesale debt liabilities are either written down or converted to equity. The terms of conversion are written into the indentures of convertible bonds and often require conversion when a bank appears to be solvent, whereas bail-ins are governed by national law and details are generally chosen by authorities after they have seized control of a bank.

CoCos

Traditionally, convertible bonds were issued by non-financial firms who wished to avoid the dilution of issuing equity before the firm's performance improved. Such bonds would, at the option of the holder, convert into equity when the firm's share price exceeded thresholds specified in the indenture.
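The LCR and NSFR arithmetic of the example above, worked through in code. This is an added illustration, not code from the textbook; the ASF, RSF, HQLA and runoff factors are the handful the example states, not the full Basel III category tables, and the Level 2 cap check (40% of total HQLA, applied here as Level 2 ≤ two-thirds of Level 1) is included so the failure mode the text mentions is actually exercised.

```python
"""Worked LCR/NSFR check for the balance sheet in the chapter's example.

Added illustration, not code from the textbook. Factor values (ASF, RSF, HQLA
haircuts, runoff rates) are the ones the example states; they are a tiny
subset of the real Basel III category tables.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Liability:
    name: str
    amount: float       # USD
    asf_factor: float   # available stable funding factor (NSFR)
    runoff: float       # share assumed withdrawn within 30 days (LCR)


@dataclass(frozen=True)
class Asset:
    name: str
    amount: float
    rsf_factor: float   # required stable funding factor (NSFR)
    hqla_factor: float  # 1 - haircut (LCR); 0 if the asset is not HQLA
    hqla_level: int     # 0 = not HQLA, 1 = Level 1, 2 = Level 2


# Constructed from the chapter's example balance sheet.
LIABILITIES = [
    Liability("stable retail deposits (<= 9 months)", 500, 0.95, 0.05),
    # one-third of the 3-month CDs mature next month and are assumed to run off fully
    Liability("3-month wholesale CDs", 200, 0.00, 1.0 / 3.0),
    Liability("10-year senior bonds", 200, 1.00, 0.0),
    Liability("common equity", 100, 1.00, 0.0),
]
ASSETS = [
    Asset("vault cash", 100, 0.00, 1.0, 1),
    Asset("sovereign debt", 100, 0.05, 1.0, 1),
    Asset("BBB corporate debt (trading account)", 100, 0.50, 0.5, 2),
    Asset("business loans > 1 year, RW >= 50%", 700, 0.85, 0.0, 0),
]

LEVEL2_CAP_SHARE = 0.40  # Level 2 assets may not exceed 40% of total HQLA after haircuts


def nsfr(liabilities=LIABILITIES, assets=ASSETS) -> float:
    """NSFR = available stable funding / required stable funding."""
    asf = sum(l.amount * l.asf_factor for l in liabilities)
    rsf = sum(a.amount * a.rsf_factor for a in assets)
    return asf / rsf


def hqla(assets=ASSETS) -> tuple[float, bool]:
    """Total HQLA after haircuts, and whether the Level 2 cap was binding.

    Level 2 <= 40% of total is the same as Level 2 <= (2/3) * Level 1,
    so any excess Level 2 is dropped before summing.
    """
    level1 = sum(a.amount * a.hqla_factor for a in assets if a.hqla_level == 1)
    level2 = sum(a.amount * a.hqla_factor for a in assets if a.hqla_level == 2)
    level2_max = level1 * LEVEL2_CAP_SHARE / (1 - LEVEL2_CAP_SHARE)
    capped = level2 > level2_max
    return level1 + min(level2, level2_max), capped


def net_outflows_30d(liabilities=LIABILITIES) -> float:
    """Net 30-day cash outflows: each liability times its assumed runoff rate."""
    return sum(l.amount * l.runoff for l in liabilities)


def lcr(liabilities=LIABILITIES, assets=ASSETS) -> float:
    """LCR = HQLA (after haircuts and the Level 2 cap) / net 30-day outflows."""
    total_hqla, _ = hqla(assets)
    return total_hqla / net_outflows_30d(liabilities)


if __name__ == "__main__":
    print(f"NSFR = {nsfr():.2f}")
    total, capped = hqla()
    print(f"HQLA = {total:.0f} (Level 2 cap binding: {capped})")
    print(f"net 30-day outflows = {net_outflows_30d():.2f}")
    # the chapter rounds the CD outflow to 67 (total 92) and reports LCR = 2.72
    print(f"LCR = {lcr():.2f}")
```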
324 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
For banks, contingent convertible bonds (CoCos) are the mirror image: they cause a bank's equity to increase when distress occurs, as reflected by triggers written into the indenture, and not at the option of the holder. With CoCos, equity increases either because the bond converts to equity or because its value is written down.

Triggers have varied somewhat across CoCos, but a common trigger is when the ratio of Core Tier 1 Capital to RWA falls below a threshold, or when a bank's primary regulator declares it to be nonviable. CoCos may be included in Additional Tier 1 Capital if the threshold is 5.125 percent or higher, and Tier 2 capital otherwise.

Economically, it is not obvious why the market would price CoCos to make the cost of capital for them less than the cost of equity. Because CoCos are debt instruments when issued, holders receive little or none of the high returns received by equity holders when a bank does well, but holders bear losses not so different from those of equity holders when a bank fails. Thus, they should be expensive for a bank to issue. But they do have an accounting advantage: because they do not appear in the equity account until converted, a bank can report a higher return on equity.

Living Wills

In many countries, G-SIBs (and sometimes D-SIBs) are required to prepare detailed resolution plans in which they specify how they would fund themselves when distressed, how they would recapitalize, how they would continue to operate as a going concern even if some subsidiaries failed, and many other related matters.

Though participating countries are not supposed to promulgate domestic laws and regulations that are less onerous for internationally active banks, they may enact requirements that are superequivalent (i.e., imposing a different but higher, or just a higher standard than Basel requires).

This approach sometimes acts as a safety valve in the Basel negotiations, allowing those who want stronger standards for everyone to at least have them domestically, and sometimes it reflects a nation's special circumstances. Switzerland's choices are in the latter category: as a small country with two huge G-SIBs, it found itself during the crisis in the uncomfortable situation of being unable to recapitalize its G-SIBs should that have been necessary. Thus, its capital requirements are more onerous than those of Basel 3, and in resolution planning it has required the G-SIBs to structure themselves so that domestic operations could continue even if international operations failed. The United Kingdom has taken a somewhat similar step, requiring that retail operations be ringfenced (i.e., separated from) wholesale operations.

Basel anticipates that in addition to minimum standards, each jurisdiction will supervise banks and take other actions to ensure they have adequate capital and liquidity, and strong risk management and governance. In the U.S., coordinated stress tests based upon supervisory designs and scenarios ensure that banks have capital and liquidity planning processes, risk management, and sufficient buffers to allow compliance with minimum capital and liquidity standards even in a stressed situation.

The Federal Reserve's Comprehensive Capital Analysis and Review (CCAR), which requires participation by G-SIBs and D-SIBs with material operations in the United States, includes a supervisory severe scenario that has been one of the more severe stress tests. For some banks, CCAR stress testing is
20.6 OTHER REFORMS

A vast array of legislation and regulations was implemented across the globe in the decade after 2007. These include:

• Capacity to conduct macroprudential policy was added through institutional reforms in some nations where legal authority was previously lacking. For example, in the United States, bank regulators' missions often restricted them to consider only the soundness of individual banks, not the financial system as a whole. The Financial Stability Oversight Council (FSOC) was created to take a more macroprudential view, though its legal authority was somewhat limited. In the United Kingdom, the Financial Policy Committee was created at the Bank of England, with some power to take macroprudential policy actions and to recommend others to Parliament.

• Pre-crisis compensation practices at large banks that made pay effectively independent of risk-taking were widely blamed for imprudent risk taking. The FSB promulgated principles for better compensation practices, and many nations responded with increased supervision and regulation. Some elected to take a more formulaic approach, in some cases restricting the level of pay, while other nations focused on supervision of the presence of risk-sensitive features in compensation arrangements.

• In the United States, the Volcker Rule (part of the Dodd Frank Act) restricts proprietary trading and investments in hedge funds and private equity at deposit-taking financial firms. The rationale is that banks should not be permitted to "speculate" while being funded by insured depositors. However, the Volcker Rule has proved difficult to enforce because of challenges in identifying the intent of a trade and in separating hedging activity from speculative activity. Nevertheless, most banks shut down their proprietary trading desks.

• In the United States and in the European Union, some over-the-counter derivatives (i.e., those that are relatively standard in form and terms) must be traded on swap execution facilities (SEFs), which are electronic platforms that promote price transparency. Derivatives traded between financial institutions must be cleared by central counterparties (CCPs).

• In the United States, an Office of Credit Ratings was created at the Securities and Exchange Commission to provide oversight of rating agencies, though its powers were somewhat limited. Prior to the crisis, rating agencies had been subject to relatively little regulatory oversight and they were widely blamed for underestimates of the credit risks posed by securitizations.

• In the United States, a Consumer Financial Protection Bureau (CFPB) was created to improve information flows to consumers of financial products and to curb abuses by financial firms of all kinds.

• In the United States, mortgage lenders were required to determine whether borrowers have the ability to repay the loans they take. The legal and financial liabilities associated with mistakes in such determinations have caused many banks to exit the mortgage market.

• In the United States, large banks were required to have board risk committees where at least one member has risk management experience at a large financial firm.

• In the United States and the European Union, issuers of securitizations were required to retain at least 5 percent of each tranche, in an attempt to better align the incentives of issuers and investors.
Learning Objectives

After completing this reading you should be able to:

• Explain the motivations for revising the Basel III framework and the goals and impacts of the December 2017 reforms to the Basel III framework.

• Summarize the December 2017 revisions to the Basel III framework in the following areas:
  - The standardized approach to credit risk
  - The internal ratings-based (IRB) approaches for credit risk
  - The CVA risk framework
  - The operational risk framework
  - The leverage ratio framework

• Describe the revised output floor introduced as part of the Basel III reforms and approaches to be used when calculating the output floor.
This note summarises the main features of the finalised Basel III reforms. The standards text, which provides the full details of the reforms, is published separately and is available on the BIS website at www.bis.org/bcbs/publ/d424.htm.

The Basel III framework is a central element of the Basel Committee's response to the global financial crisis. It addresses a number of shortcomings in the pre-crisis regulatory framework and provides a foundation for a resilient banking system that will help avoid the build-up of systemic vulnerabilities. The framework will allow the banking system to support the real economy through the economic cycle.

The initial phase of Basel III reforms focused on strengthening the following components of the regulatory framework:

• improving the quality of bank regulatory capital by placing a greater focus on going-concern loss-absorbing capital in the form of Common Equity Tier 1 (CET1) capital;

• increasing the level of capital requirements to ensure that banks are sufficiently resilient to withstand losses in times of stress;

• enhancing risk capture by revising areas of the risk-weighted capital framework that proved to be acutely miscalibrated, including the global standards for market risk, counterparty credit risk and securitisation;

• adding macroprudential elements to the regulatory framework, by: (i) introducing capital buffers that are built up in good times and can be drawn down in times of stress to limit procyclicality; (ii) establishing a large exposures regime that mitigates systemic risks arising from interlinkages across financial institutions and concentrated exposures; and (iii) putting in place a capital buffer to address the externalities created by systemically important banks;

• specifying a minimum leverage ratio requirement to constrain excess leverage in the banking system and complement the risk-weighted capital requirements; and

• introducing an international framework for mitigating excessive liquidity risk and maturity transformation, through the Liquidity Coverage Ratio and Net Stable Funding Ratio.

The Committee's now finalised Basel III reforms complement these improvements to the global regulatory framework. The revisions seek to restore credibility in the calculation of risk-weighted assets (RWAs) and improve the comparability of banks' capital ratios by:

• enhancing the robustness and risk sensitivity of the standardised approaches for credit risk, credit valuation adjustment (CVA) risk and operational risk;

• constraining the use of the internal model approaches, by placing limits on certain inputs used to calculate capital requirements under the internal ratings-based (IRB) approach for credit risk and by removing the use of the internal model approaches for CVA risk and for operational risk;

• introducing a leverage ratio buffer to further limit the leverage of global systemically important banks (G-SIBs); and

• replacing the existing Basel II output floor with a more robust risk-sensitive floor based on the Committee's revised Basel III standardised approaches.

STANDARDISED APPROACH FOR CREDIT RISK

Credit risk accounts for the bulk of most banks' risk-taking activities and hence their regulatory capital requirements. The standardised approach is used by the majority of banks around the world, including in non-Basel Committee jurisdictions.

The Committee's revisions to the standardised approach for credit risk enhance the regulatory framework by:

• improving its granularity and risk sensitivity. For example, the Basel II standardised approach assigns a flat risk weight to all residential mortgages. In the revised standardised approach mortgage risk weights depend on the loan-to-value (LTV) ratio of the mortgage;

• reducing mechanistic reliance on credit ratings, by requiring banks to conduct sufficient due diligence, and by developing a sufficiently granular non-ratings-based approach for jurisdictions that cannot or do not wish to rely on external credit ratings; and

• as a result, providing the foundation for a revised output floor to internally modelled capital requirements (to replace the existing Basel I floor) and related disclosure to enhance comparability across banks and restore a level playing field.

The revisions to the standardised approach for credit risk, relative to the existing standardised approach, are outlined in Table 21.1. In summary, the key revisions are as follows:

• A more granular approach has been developed for unrated exposures to banks and corporates, and for rated exposures in jurisdictions where the use of credit ratings is permitted.

• For exposures to banks, some of the risk weights for rated exposures have been recalibrated. In addition, the risk-weighted treatment for unrated exposures is more granular than the existing flat risk weight. A standalone treatment for covered bonds has also been introduced.

• For exposures to corporates, a more granular look-up table has been developed. A specific risk weight applies to exposures to small and medium-sized enterprises (SMEs).
In addition, the revised standardised approach includes a standalone treatment for exposures to project finance, object finance and commodities finance.

• For residential real estate exposures, more risk-sensitive approaches have been developed, whereby risk weights vary based on the LTV ratio of the mortgage (instead of the existing single risk weight) and in ways that better reflect differences in market structures.

• For retail exposures, a more granular treatment applies, which distinguishes between different types of retail exposures. For example, the regulatory retail portfolio distinguishes between revolving facilities (where credit is typically drawn upon) and transactors (where the facility is used to facilitate transactions rather than a source of credit).

• For commercial real estate exposures, approaches have been developed that are more risk-sensitive than the flat risk weight which generally applies.

• For subordinated debt and equity exposures, a more granular risk weight treatment applies (relative to the current flat risk weight).

• For off-balance sheet items, the credit conversion factors (CCFs), which are used to determine the amount of an exposure to be risk-weighted, have been made more risk-sensitive, including the introduction of positive CCFs for unconditionally cancellable commitments (UCCs).
Table 21.1 (fragment; only headings, band labels and footnotes survived extraction): Exposures to banks - risk weights where the ratings approach is not permitted and for unrated exposures (risk weight of issuing bank: 20%, 30%, 40%, 50%, 75%, 100%, 150%) (continued); exposures (excluding real estate) to project finance and to object and commodity finance; general RRE and general CRE risk weights by LTV band (below 50%, 50% to 60%, 60% to 70%, 70% to 80%, 80% to 90%, 90% to 100%, above 100%, criteria not met); whole loan approach bands for RRE (LTV < 60%, LTV > 60%, criteria not met) and for CRE (LTV < 60%, 60% < LTV < 80%, LTV > 80%, criteria not met) with the risk weights 70%, 90%, 110% and 150%; land acquisition, development and construction (ADC) exposures.

1 A risk weight of 30% may be applied if the exposure to the bank satisfies all of the criteria for Grade A classification and in addition the counterparty bank has (i) a CET1 ratio of 14% or above; and (ii) a Tier 1 leverage ratio of 5% or above.

2 Under the loan-splitting approach, a supervisory specified risk weight is applied to the portion of the exposure that is below 55% of the property value and the risk weight of the counterparty is applied to the remainder of the exposure. In cases where the criteria are not met, the risk weight of the counterparty is applied to the entire exposure.
To address these shortcomings, the Committee has made the following revisions to the IRB approaches: (i) removed the option to use the advanced IRB (A-IRB) approach for certain asset classes; (ii) adopted "input" floors (for metrics such as probabilities of default (PD) and loss-given-default (LGD)) to ensure a minimum level of conservativism in model parameters for asset classes where the IRB approaches remain available; and (iii) provided greater specification of parameter estimation practices to reduce RWA variability.

Removing the Use of the Advanced IRB Approach for Certain Asset Classes

The revised IRB framework removes the use of the A-IRB approach - which allows banks to estimate the PD, LGD, exposure at default (EAD) and maturity of an exposure - for asset classes that cannot be modelled in a robust and prudent manner. These include exposures to large and mid-sized corporates, and exposures to banks and other financial institutions. As a result, banks with supervisory approval will use the foundation IRB (F-IRB) approach, which removes the two important sources of RWA variability as it applies fixed values to the LGD and EAD parameters. In addition, all IRB approaches are being removed for exposures to equities, which are typically a small component of the credit risk of banks.

Table 21.2 outlines the revised scope of approaches available under Basel III for certain asset classes relative to the Basel II framework.

Table 21.2 (partial; only these rows survived extraction, and the column headings follow from the sentence above)
Portfolio | Basel II | Basel III (revised)
Banks and other financial institutions | A-IRB, F-IRB, SA | F-IRB, SA
Equities | Various IRB approaches | SA
Specialised lending (3) | A-IRB, F-IRB, slotting, SA | A-IRB, F-IRB, slotting, SA

3 With respect to specialised lending, banks would be permitted to continue using the advanced and foundation IRB approaches. The Committee will review the slotting approach for specialised lending in due course.
IRB input floors (the minimum parameter values referred to in footnote 4)
Asset class | Probability of Default (PD) | Loss-Given-Default (LGD), unsecured | Loss-Given-Default (LGD), secured | Exposure at Default (EAD)
Corporate | 5 bp | 25% | Varying by collateral type: 0% financial; 10% receivables; 10% commercial or residential real estate; 15% other physical | EAD subject to a floor that is the sum of (i) the on-balance sheet exposures; and (ii) 50% of the off-balance sheet exposure using the applicable Credit Conversion Factor (CCF) in the standardised approach (applies to every row)
Retail classes:
Mortgages | 5 bp | N/A | 5% | as above
QRRE transactors | 5 bp | 50% | N/A | as above
QRRE revolvers | 10 bp | 50% | N/A | as above
Other retail | 5 bp | 30% | Varying by collateral type: 0% financial; 10% receivables; 10% commercial or residential real estate; 15% other physical | as above
Additional Enhancements

The Committee agreed on various additional enhancements to the IRB approaches to further reduce unwarranted RWA variability, including providing greater specification of the practices that banks may use to estimate their model parameters. Adjustments were made to the supervisory specified parameters in the F-IRB approach, including: (i) for exposures secured by non-financial collateral, increasing the haircuts that apply to the collateral and reducing the LGD parameters; and (ii) for unsecured exposures, reducing the LGD parameter from 45% to 40% for exposures to non-financial corporates.

Given the enhancements to the IRB framework and the introduction of an aggregate output floor (discussed further below), the Committee has agreed to remove the 1.06 scaling factor that is currently applied to RWAs determined by the IRB approach to credit risk.

• enhance its risk sensitivity: the current CVA framework does not cover an important driver of CVA risk, namely the exposure component of CVA. This component is directly related to the price of the transactions that are within the scope of application of the CVA risk capital charge. As these prices are sensitive to variability in underlying market risk factors, the CVA also materially depends on those factors. The revised CVA framework takes into account the exposure component of CVA risk along with its associated hedges;

• strengthen its robustness: CVA is a complex risk, and is often more complex than the majority of the positions in

4 The LGD and EAD floors are only applicable in A-IRB approaches. The EAD floors are for those exposures where EAD modelling is still permitted. The LGD floors for secured exposures apply when the exposure is fully secured (ie the value of collateral after the application of haircuts exceeds the value of the exposure). The LGD floor for a partially secured exposure is calculated as a weighted average of the unsecured LGD floor for the unsecured portion and the secured LGD floor for the secured portion.
banks' trading books. Accordingly, the Committee is of the view that such a risk cannot be modelled by banks in a robust and prudent manner. The revised framework removes the use of an internally modelled approach, and consists of: (i) a standardised approach; and (ii) a basic approach. In addition, a bank with an aggregate notional amount of non-centrally cleared derivatives less than or equal to €100 billion may calculate their CVA capital charge as a simple multiplier of its counterparty credit risk charge.

Operational risk capital = BIC × ILM (5)

where:

• Business Indicator Component (BIC) = Σ_i (α_i × BI_i)

• BI (Business Indicator) is the sum of three components: the interest, leases and dividends component; the services component and the financial component

• α_i is a set of marginal coefficients that are multiplied by the BI based on three buckets (i = 1, 2, 3 denotes the bucket), as given below:

5 Specifically, ILM = ln[exp(1) − 1 + (LC/BIC)^0.8].
As an example, Table 21.4 shows the minimum capital conservation standards for the CET1 risk-weighted requirements and Tier 1 leverage ratio requirements of a G-SIB in the first bucket of the higher loss-absorbency requirements (ie where a 1% risk-weighted G-SIB capital buffer applies).

Refinements to the Leverage Ratio Exposure Measure

In addition to the introduction of the G-SIB buffer, the Committee has agreed to make various refinements to the

Table 21.4 Capital Conservation Ratios for a G-SIB Subject to a 1% Risk-Weighted Buffer and 0.5% Leverage Ratio Buffer
CET1 Risk-Weighted Ratio | Tier 1 Leverage Ratio | Minimum Capital Conservation Ratios (Expressed as a Percentage of Earnings)
4.5-5.375% | 3-3.125% | 100%
> 5.375-6.25% | > 3.125-3.25% | 80%
> 6.25-7.125% | > 3.25-3.375% | 60%
> 7.125-8% | > 3.375-3.50% | 40%
> 8.0% | > 3.50% | 0%

OUTPUT FLOOR

The Basel II framework introduced an output floor based on Basel I capital requirements. That floor was calibrated at 80% of the relevant Basel I capital requirements. Implementation of the Basel II floor has been inconsistent across countries, partly because of differing interpretations of the requirement and also because it is based on the Basel I standards, which many banks and jurisdictions no longer apply.

The Basel III reforms replace the existing Basel II floor with a floor based on the revised Basel III standardised approaches. Consistent with the original floor, the revised floor places a limit on the regulatory capital benefits that a bank using internal models can derive relative to the standardised approaches. In effect, the output floor provides a risk-based backstop that limits the extent to which banks can lower their capital requirements relative to the standardised approaches. This helps to maintain a level playing field between banks using internal models and those on the standardised approaches. It also supports the credibility of banks' risk-weighted calculations, and improves comparability via the related disclosures.

Under the revised output floor, banks' risk-weighted assets must be calculated as the higher of: (i) total risk-weighted assets calculated using the approaches that the bank has supervisory approval to use in accordance with the Basel capital framework (including both standardised and internal model-based
Table (fragment; only the title and column headings survived extraction): Implementation Dates of Basel III Post-Crisis Reforms and Transitional Arrangement for Phasing in the Aggregate Output Floor. Columns: Revision | Implementation Date.
approaches); and (ii) 72.5% of the total risk-weighted assets calculated using only the standardised approaches.

The standardised approaches to be used when calculating the output floor are as follows:

• Credit risk: the standardised approach for credit risk outlined above. When calculating the degree of credit risk mitigation, banks must use the carrying value when applying the simple approach or the comprehensive approach with standard supervisory haircuts. This also includes failed trades and non-delivery-versus-payment transactions as set out in Annex 3 of the Basel II framework (June 2006).

• Market risk: the standardised (or simplified standardised) approach of the revised market risk framework. The SEC-ERBA, the SEC-SA or a 1250% risk weight must also be used when determining the default risk charge component for securitisations held in the trading book.

• Operational risk: the standardised approach for operational risk.

Banks will also be required to disclose their risk-weighted assets based on the revised standardised approaches. Details about these disclosure requirements will be set forth in a forthcoming consultation paper.
Basel III: Finalising Post-Crisis Reforms

Learning Objectives

After completing this reading you should be able to:

• Explain the elements of the new standardized approach to measure operational risk capital, including the business indicator, internal loss multiplier, and loss component, and calculate the operational risk capital requirement for a bank using this approach.

• Describe general and specific criteria recommended by the Basel Committee for the identification, collection, and treatment of operational loss data.
Consistent with Part I (Scope of Application) of the Basel II The definitions for each of the com ponents of the Bl are
Fram ework, the standardised approach applies to internationally provided in the annex of this section.
active banks on a consolidated basis. Supervisors retain the dis
cretion to apply the standardised approach fram ework to non-
The Business Indicator Component
internationally active banks.
To calculate the BIC, the Bl is multiplied by the marginal
coefficients («j). The marginal coefficients increase with the
size of the Bl as shown in Table 22.1. For banks in the first
2 2 .2 T H E S T A N D A R D IS E D A P P R O A C H
bucket (ie with a Bl less than or equal to €1 bn) the BIC is
The standardised approach m ethodology is based on the fo l equal to Bl X 12%. The marginal increase in the BIC result
lowing com ponents: (i) the Business Indicator (Bl) which is a ing from a one unit increase in the Bl is 12% in bucket 1,
financial-statem ent-based proxy for operational risk; (ii) the 15% in bucket 2 and 18% in bucket 3. For exam ple, given
a Bl = € 3 5 b n , the BIC = (1 X 12%) + (3 0 -1 ) X 15% +
Business Indicator Com ponent (BIC), which is calculated by
multiplying the Bl by a set of regulatory determ ined marginal (3 5 -3 0 ) X 18% = € 5 .3 7 b n .
coefficients («[); and (iii) the Internal Loss M ultiplier (ILM), which
is a scaling factor that is based on a bank's average historical
The Internal Loss Multiplier
losses and the BIC.
A bank's internal operational risk loss experience affects the
calculation of operational risk capital through the Internal Loss
The Business Indicator M ultiplier (ILM). The ILM is defined as:
( / \0.8 ^
The Business Indicator (Bl) com prises three com ponents: the
LC
interest, leases and dividend com ponent (ILDC); the services ILM = Ln exp(l) - 1 +
V \ BIC / /
com ponent (SC), and the financial com ponent (FC).
The Bl is defined as: w here the Loss C o m p o nent (LC) is equal to 15 tim es average
annual operational risk losses incurred over the previous 10
Bl = ILD C + SC + F C years. The ILM is equal to one when the loss and business
indicator com ponents are equal. W hen the LC is greater
than the B IC , the ILM is g reater than one. Th at is, a bank
with losses that are high relative to its BIC is required to hold
higher capital due to the incorporation of internal losses into
1 Legal risk includes, but is not limited to, exposure to fines, penalties, the calculation m ethodology. C o n verse ly, w here the LC is
or punitive dam ages resulting from supervisory actions, as well as pri
vate settlem ents.
338 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Table 22.1 Bl R anges and M arginal C o efficien ts Minimum operational risk capital (O RC) is calculated by multiply
ing the BIC and the ILM :5
Bl Marginal
Bucket Bl Range (in €bn) Coefficients (cO ORC = BIC ■ILM
1 < 1 12%
The calculation of average losses in the Loss Component must be based on 10 years of high-quality annual loss data. As part of the transition to the standardised approach, banks that do not have 10 years of high-quality loss data may use a minimum of five years of data to calculate the Loss Component.4 Banks that do not have five years of high-quality loss data must calculate the capital requirement based solely on the BI Component. Supervisors may however require a bank to calculate capital requirements using fewer than five years of losses if the ILM is greater than 1 and supervisors believe the losses are representative of the bank's operational risk exposure.

The Standardised Approach Operational Risk Capital Requirement
The operational risk capital requirement is determined by the product of the BIC and the ILM. For banks in bucket 1 (ie with BI ≤ €1 billion), internal loss data does not affect the capital calculation. That is, the ILM is equal to 1, so that operational risk capital is equal to the BIC (= 12% · BI).

At national discretion, supervisors may allow the inclusion of internal loss data into the framework for banks in bucket 1, subject to meeting the loss data collection requirements. In addition, at national discretion, supervisors may set the value of ILM equal to 1 for all banks in their jurisdiction. In case this discretion is exercised, banks would still be subject to the full set of disclosure requirements.

4 This treatment is not expected to apply to banks that currently use the advanced measurement approaches for determining operational risk capital requirements.

the BI figures from the subsidiary.
Similar to bank holding companies, when BI figures for sub-consolidated or subsidiary banks reach bucket 2, these banks are required to use loss experience in the standardised approach calculations. A sub-consolidated bank or a subsidiary bank uses only the losses it has incurred in the standardised approach calculations (and does not include losses incurred by other parts of the bank holding company).

In case a subsidiary of a bank belonging to bucket 2 or higher does not meet the qualitative standards for the use of the Loss Component, this subsidiary must calculate the standardised approach capital requirements by applying 100% of the BI Component. In such cases supervisors may require the bank to apply an ILM which is greater than 1.

22.4 MINIMUM STANDARDS FOR THE USE OF LOSS DATA UNDER THE STANDARDISED APPROACH
Banks with a BI greater than €1bn are required to use loss data as a direct input into the operational risk capital calculations. The soundness of data collection and the quality and integrity of the data are crucial to generating capital outcomes aligned with the bank's operational loss exposure. National supervisors should review the quality of banks' loss data periodically. Banks which do not meet the loss data standards are required to hold capital that is at a minimum equal to 100% of the BIC. In such cases supervisors may require the bank to apply an ILM

5 Risk-weighted assets for operational risk are equal to 12.5 times ORC.
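As an added worked example (not code from the reading or from the Basel Committee), the following Python carries the BIC, ILM, ORC and operational risk RWA calculations above through in code. The bucket boundaries of €1bn and €30bn are taken from the reading's BI = €35bn example rather than from a table reproduced here, so they are an assumption of this code; the rule that fewer than five years of loss data means the capital is based on the BIC alone is the one stated above. Amounts are in € billions.

```python
"""Standardised approach operational risk capital (added worked example).

Assumption: bucket boundaries are inferred from the reading's own
BI = EUR 35bn example, i.e. bucket 1 is BI <= 1bn, bucket 2 is
1bn < BI <= 30bn and bucket 3 is BI > 30bn. Amounts in EUR billions.
"""
import math

# (upper bound of the bucket in EUR bn, marginal coefficient alpha_i)
BUCKETS = [(1.0, 0.12), (30.0, 0.15), (math.inf, 0.18)]


def business_indicator_component(bi: float) -> float:
    """BIC: each marginal coefficient applies only to the slice of BI in its bucket."""
    bic, lower = 0.0, 0.0
    for upper, alpha in BUCKETS:
        if bi <= lower:
            break
        bic += (min(bi, upper) - lower) * alpha
        lower = upper
    return bic


def loss_component(annual_losses: list) -> float:
    """LC = 15 x average annual operational risk losses over the observation window."""
    return 15.0 * sum(annual_losses) / len(annual_losses)


def internal_loss_multiplier(lc: float, bic: float) -> float:
    """ILM = ln(exp(1) - 1 + (LC/BIC)^0.8); equals 1 exactly when LC == BIC."""
    return math.log(math.e - 1.0 + (lc / bic) ** 0.8)


def operational_risk_capital(bi, annual_losses=None, ilm_fixed_to_one=False):
    """ORC = BIC x ILM, plus operational risk RWA = 12.5 x ORC.

    ILM is 1 for bucket-1 banks, where the supervisor has set ILM = 1 for the
    jurisdiction, and where fewer than five years of loss data exist (capital
    then rests on the BIC alone; a supervisor may still impose ILM > 1).
    """
    bic = business_indicator_component(bi)
    too_little_data = annual_losses is None or len(annual_losses) < 5
    if ilm_fixed_to_one or bi <= BUCKETS[0][0] or too_little_data:
        ilm = 1.0
    else:
        ilm = internal_loss_multiplier(loss_component(annual_losses), bic)
    orc = bic * ilm
    return {"bic": bic, "ilm": ilm, "orc": orc, "rwa": 12.5 * orc}


if __name__ == "__main__":
    # Reading's example: BI = EUR 35bn gives BIC = EUR 5.37bn.
    print(operational_risk_capital(35.0, annual_losses=[0.358] * 10))
    # Bucket-1 bank: ILM is 1 regardless of its loss history.
    print(operational_risk_capital(0.8, annual_losses=[0.5] * 10))
```

Feeding ten years of €0.358bn annual losses into the €35bn example gives LC = €5.37bn = BIC, so the ILM comes out at exactly 1 and ORC equals the BIC; raising the losses pushes ILM above 1, as the text describes.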
AND TREATMENT
The proper identification, collection and treatment of internal loss data are essential prerequisites to capital calculation under the standardised approach. The general criteria for the use of the LC are as follows:
a. Internally generated loss data calculations used for regulatory capital purposes must be based on a 10-year observation period. When the bank first moves to the standardised approach, a five-year observation period is acceptable on an exceptional basis when good-quality data are unavailable for more than five years.
b. Internal loss data are most relevant when clearly linked to a bank's current business activities, technological processes and risk management procedures. Therefore, a bank must have documented procedures and processes for the identification, collection and treatment of internal loss data. Such procedures and processes must be subject to validation before the use of the loss data within the operational risk capital requirement measurement methodology, and to regular independent reviews by internal and/or external audit functions.
c. For risk management purposes, and to assist in supervisory validation and/or review, a supervisor may request a bank to map its historical internal loss data into the relevant Level 1 supervisory categories as defined in Annex 9 of the Basel II Framework and to provide this data to supervisors. The bank must document criteria for allocating losses to the specified event types.
d. A bank's internal loss data must be comprehensive and capture all material activities and exposures from all appropriate subsystems and geographic locations. The minimum threshold for including a loss event in the data collection and calculation of average annual losses is set at €20,000. At national discretion, for the purpose of the calculation of average annual losses, supervisors may increase the threshold to €100,000 for banks in buckets 2 and 3 (ie where the BI is greater than €1bn).
e. Aside from information on gross loss amounts, the bank must collect information about the reference dates of operational risk events, including the date when the event happened or first began ("date of occurrence"), where available; the date
level of detail of any descriptive information should be commensurate with the size of the gross loss amount.
f. Operational loss events related to credit risk and that are accounted for in credit risk RWAs should not be included in the loss data set. Operational loss events that relate to credit risk, but are not accounted for in credit risk RWAs should be included in the loss data set.
g. Operational risk losses related to market risk are treated as operational risk for the purposes of calculating minimum regulatory capital under this framework and will therefore be subject to the standardised approach for operational risk.
h. Banks must have processes to independently review the comprehensiveness and accuracy of loss data.

22.6 SPECIFIC CRITERIA ON LOSS DATA IDENTIFICATION, COLLECTION AND TREATMENT

Building of the Standardised Approach Loss Data Set
Building an acceptable loss data set from the available internal data requires that the bank develop policies and procedures to address several features, including gross loss definition, reference date and grouped losses.

Gross Loss, Net Loss, and Recovery Definitions
Gross loss is a loss before recoveries of any type. Net loss is defined as the loss after taking into account the impact of recoveries. The recovery is an independent occurrence, related to the original loss event, separate in time, in which funds or inflows of economic benefits are received from a third party.7

6 Tax effects (eg reductions in corporate income tax liability due to operational losses) are not recoveries for purposes of the standardised approach for operational risk.
7 Examples of recoveries are payments received from insurers, repayments received from perpetrators of fraud, and recoveries of misdirected transfers.
Banks must be able to identify the gross loss amounts, non-insurance recoveries, and insurance recoveries for all operational loss events. Banks should use losses net of recoveries (including insurance recoveries) in the loss dataset. However, recoveries can be used to reduce losses only after the bank receives payment. Receivables do not count as recoveries. Verification of payments received to net losses must be provided to supervisors upon request.

The following items must be included in the gross loss computation of the loss data set:
a. Direct charges, including impairments and settlements, to the bank's P&L accounts and write-downs due to the operational risk event;
b. Costs incurred as a consequence of the event including external expenses with a direct link to the operational risk event (eg legal expenses directly related to the event and fees paid to advisors, attorneys or suppliers) and costs of repair or replacement, incurred to restore the position that was prevailing before the operational risk event;
c. Provisions or reserves accounted for in the P&L against the potential operational loss impact;

The following items should be excluded from the gross loss computation of the loss data set:
a. Costs of general maintenance contracts on property, plant or equipment;
b. Internal or external expenditures to enhance the business after the operational risk losses: upgrades, improvements, risk assessment initiatives and enhancements; and
c. Insurance premiums.

Banks must use the date of accounting for building the loss data set. The bank must use a date no later than the date of accounting for including losses related to legal events in the loss data set. For legal loss events, the date of accounting is the date when a legal reserve is established for the probable estimated loss in the P&L.

Losses caused by a common operational risk event or by related operational risk events over time, but posted to the accounts over several years, should be allocated to the corresponding years of the loss database, in line with their accounting treatment.
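The inclusion, exclusion, netting, threshold and dating rules above can be encoded as a small loss-data-set builder. This is an added example, not code from the reading or the Basel Committee: the events it processes are constructed, and applying the €20,000 threshold to the gross loss (rather than the net loss) is an assumption of the example.

```python
"""Building a standardised-approach loss data set (added worked example).

Rules encoded from the reading: gross loss = direct charges + directly
linked costs + P&L provisions; maintenance contracts, post-event
enhancements and insurance premiums are excluded; only recoveries actually
received reduce the loss (receivables do not); events below the EUR 20,000
threshold are dropped (assumption: threshold tested against gross loss);
losses are allocated to the year of the date of accounting; credit-risk
losses already in credit RWAs are excluded. Sample events are constructed.
"""
from collections import defaultdict
from datetime import date

THRESHOLD_EUR = 20_000

INCLUDED = {"direct_charge", "direct_cost", "provision"}
EXCLUDED = {"maintenance", "enhancement", "insurance_premium"}

# Constructed sample events (hypothetical, amounts in EUR).
SAMPLE_EVENTS = [
    {"id": "EV-1", "date_of_accounting": date(2016, 3, 10),
     "charges": [("direct_charge", 150_000), ("direct_cost", 20_000),
                 ("enhancement", 500_000)],          # enhancement is excluded
     "recoveries": [("insurer", 40_000, "received"),
                    ("fraudster", 30_000, "receivable")],  # receivable ignored
     "in_credit_rwa": False},
    {"id": "EV-2", "date_of_accounting": date(2017, 8, 1),
     "charges": [("provision", 1_200_000)], "recoveries": [],
     "in_credit_rwa": False},
    {"id": "EV-3", "date_of_accounting": date(2017, 9, 5),  # below threshold
     "charges": [("direct_charge", 15_000), ("maintenance", 80_000)],
     "recoveries": [], "in_credit_rwa": False},
    {"id": "EV-4", "date_of_accounting": date(2018, 1, 20),  # in credit RWAs
     "charges": [("direct_charge", 900_000)], "recoveries": [],
     "in_credit_rwa": True},
    {"id": "EV-5", "date_of_accounting": date(2016, 11, 2),  # dropped at EUR 100k
     "charges": [("direct_charge", 60_000)], "recoveries": [],
     "in_credit_rwa": False},
]


def gross_loss(event) -> int:
    """Sum only the charge categories the framework includes in gross loss."""
    return sum(amt for kind, amt in event["charges"] if kind in INCLUDED)


def received_recoveries(event) -> int:
    """Recoveries reduce the loss only once payment has actually been received."""
    return sum(amt for _, amt, status in event["recoveries"] if status == "received")


def build_loss_data_set(events, threshold=THRESHOLD_EUR) -> dict:
    """Return {event_id: net_loss} for the events that pass the inclusion rules."""
    data_set = {}
    for ev in events:
        if ev["in_credit_rwa"]:          # already capitalised under credit risk
            continue
        gross = gross_loss(ev)
        if gross < threshold:            # EUR 20,000 (or EUR 100,000 at national discretion)
            continue
        data_set[ev["id"]] = gross - received_recoveries(ev)
    return data_set


def losses_by_year(events, threshold=THRESHOLD_EUR) -> dict:
    """Allocate each net loss to the year of its date of accounting."""
    net = build_loss_data_set(events, threshold)
    by_year = defaultdict(int)
    for ev in events:
        if ev["id"] in net:
            by_year[ev["date_of_accounting"].year] += net[ev["id"]]
    return dict(by_year)


def average_annual_loss(events, window_years, threshold=THRESHOLD_EUR) -> float:
    """Average over the observation window; years with no losses count as zero."""
    by_year = losses_by_year(events, threshold)
    return sum(by_year.get(y, 0) for y in window_years) / len(window_years)


if __name__ == "__main__":
    print(build_loss_data_set(SAMPLE_EVENTS))
    print(average_annual_loss(SAMPLE_EVENTS, range(2008, 2018)))
```

Multiplying the returned average by 15 gives the Loss Component used in the ILM; running the same events with `threshold=100_000` shows how the national-discretion threshold for bucket 2 and 3 banks removes the smaller events from the average.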
22.9 INCLUSION OF LOSSES AND BI ITEMS RELATED TO MERGERS AND ACQUISITIONS

22.11 ANNEX: DEFINITION OF BUSINESS INDICATOR COMPONENTS
The following P&L items do not contribute to any of the items of the BI:

Business Indicator Definitions (BI component; P&L or balance sheet item; description; typical sub-items)

Interest, lease and dividend component
Interest income: interest income from all financial assets and other interest income (includes interest income from financial and operating leases and profits from leased assets). Typical sub-items:
• Interest income from loans and advances, assets available for sale, assets held to maturity, trading assets, financial leases and operational leases
• Interest income from hedge accounting derivatives
• Other interest income
• Profits from leased assets
Interest expenses: interest expenses from all financial liabilities and other interest expenses (includes interest expense from financial and operating leases, losses, depreciation and impairment of operating leased assets). Typical sub-items:
• Interest expenses from deposits, debt securities issued, financial leases, and operating leases
• Interest expenses from hedge accounting derivatives
• Other interest expenses
• Losses from leased assets
• Depreciation and impairment of operating leased assets
Interest earning assets (balance sheet item): total gross outstanding loans, advances, interest bearing securities (including government bonds), and lease assets measured at the end of each financial year
Dividend income: dividend income from investments in stocks and funds not consolidated in the bank's financial statements, including dividend income from non-consolidated subsidiaries, associates and joint ventures

Services component
Fee and commission income: income received from providing advice and services. Includes income received by the bank as an outsourcer of financial services. Typical sub-items, fee and commission income from:
• Securities (issuance, origination, reception, transmission, execution of orders on behalf of customers)
• Clearing and settlement; Asset management; Custody; Fiduciary transactions; Payment services; Structured finance; Servicing of securitisations; Loan commitments and guarantees given; and foreign transactions
Fee and commission expenses: expenses paid for receiving advice and services. Includes outsourcing fees paid by the bank for the supply of financial services, but not outsourcing fees paid for the supply of non-financial services (eg logistical, IT, human resources). Typical sub-items, fee and commission expenses from:
• Clearing and settlement; Custody; Servicing of securitisations; Loan commitments and guarantees received; and Foreign transactions
Other operating income: income from ordinary banking operations not included in other BI items but of similar nature (income from operating leases should be excluded). Typical sub-items:
• Rental income from investment properties
• Gains from non-current assets and disposal groups classified as held for sale not qualifying as discontinued operations (IFRS 5.37)
Other operating expenses: expenses and losses from ordinary banking operations not included in other BI items but of similar nature and from operational loss events (expenses from operating leases should be excluded). Typical sub-items:
• Losses from non-current assets and disposal groups classified as held for sale not qualifying as discontinued operations (IFRS 5.37)
• Losses incurred as a consequence of operational loss events (eg fines, penalties, settlements, replacement cost of damaged assets), which have not been provisioned/reserved for in previous years
• Expenses related to establishing provisions/reserves for operational loss events

Financial component
Net profit (loss) on the trading book:
• Net profit/loss on trading assets and trading liabilities (derivatives, debt securities, equity securities, loans and advances, short positions, other assets and liabilities)
• Net profit/loss from hedge accounting
• Net profit/loss from exchange differences
Net profit (loss) on the banking book:
• Net profit/loss on financial assets and liabilities measured at fair value through profit and loss
• Realised gains/losses on financial assets and liabilities not measured at fair value through profit and loss (loans and advances, assets available for sale, assets held to maturity, financial liabilities measured at amortised cost)
• Net profit/loss from hedge accounting
• Net profit/loss from exchange differences
Learning Objectives
After completing this reading you should be able to:
• Describe elements of an effective cyber-resilience framework and explain ways that an organization can become more cyber-resilient.
• Explain methods that can be used to assess the financial impact of a potential cyber attack and explain ways to increase a firm's financial resilience.

Excerpt is Chapter 8 from Solving Cyber Risk: Protecting Your Company and Society, by Andrew Coburn, Eireann Leverett, and Gordon Woo.

23.1 CHANGING APPROACHES TO RISK MANAGEMENT
$120 billion industry today. Projections expect the industry to continue to grow rapidly to reach hundreds of billions annually worldwide in a few years.
However, the type of expenditure for typical cyber security bud
Identify, Protect, Detect, Respond,
1. Identify. Develop an organizational understanding to manage cyber security risk to systems, people, assets, data, and capabilities.
2. Protect. Develop and implement appropriate safeguards to ensure delivery of critical services.
Key trends include increasing emphasis on incident response, shifting from intrusion prevention to intrusion tolerance, compartmentalization and 'credential silos' with protected end points, and risk management in the supply chain. We discuss each of these in this chapter.
This astonishing feat of resilience was accomplished through a highly effective man-machine partnership. First, the intrinsic aeronautic design of the F-15 meant that it acted like a rocket, with sufficient lift being provided by the large surface area of the stabilizers, fuselage, and what remained of the wings. Second, the enterprising pilot had the presence of mind to light the afterburner and accelerate his way out of a deep crisis.

There is much to learn from this example of surprisingly successful real-time crisis management. Technology should be designed to be robustly adaptive to threats both foreseen and unforeseen. The man-machine interface is crucial. Corporate staff have to be trained and prepared for both the expected and the unexpected. The aim of cyber resilience is to maintain a system's capability to deliver the intended outcome at all times, including times of crisis when regular delivery has failed. A wide range of measures, from backups to full disaster recovery, contribute to cyber resilience, and to maintaining business continuity under the most testing, unusual, and unexpected circumstances.

Rapid Adaptation to Changing Conditions
As defined by a Presidential Policy Directive, resilience is the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Cyber resilience analysts assess system deficiencies in disruption response, and develop means of rectifying these weaknesses through cyber security enhancements in prevention, detection, and reaction. Organizations need to be agile in crisis response. Organizations need to prepare, prevent, respond, and recover from any crisis that may emerge.

Cyber resilience requires a coherent strategy encompassing people, processes, and technology. The human dimension is especially important, because people can make imprudent security decisions and take risky actions. On the other hand, under crisis situations, people can rise in an extraordinary way to the challenge of adversity. They can make excellent decisions under intense pressure, coping well with the uncertainty over the trouble they find themselves in and the viability of their emergency response plan.

Corporate decision making starts with the board of directors, who have to drive forward the cyber resilience agenda and involve the whole organization, extending to the supply chain, partners, and customers. To balance risk with opportunity, a corporate risk-based strategy needs to be put in place that manages the vulnerabilities, threats, risks, and impacts. This strategy has to include preparation for and recovery from a cyber attack. At the same time, costs need to be kept under control, user convenience must be taken into account, and business requirements should be satisfied.

Cyber Risk Awareness in Staff
Microsoft provides considerations for a cyber resilience program.4 Amongst the recommendations is that every person with corporate network access, including full-time employees, consultants, and contractors, should be regularly trained to develop a cyber-resilient mindset. This should include not only adhering to IT security policies around identity-based access control, but also alerting IT to suspicious events and infections as soon as possible to help minimize time to remediation.

Training programs specifically geared towards developing a cyber-resilient mindset are particularly productive. Many corporate training programs exist to help staff to deal safely with social engineering scams. Even the most savvy of staff members may fall victim to one of these scams, which prey upon all manner of psychological, emotional, and cognitive weaknesses. Magicians exploit these weaknesses to fool people with their illusions. In the cognitive science literature, it is established that providing misinformation about past events can reduce memory accuracy and even create false memories. Phishing attacks and social engineering use a wide variety of con tricks, misdirection, and scams to try to get staff to reveal credentials, open toxic attachments, follow false links, and carry out other tasks. Spotting these tricks, questioning their veracity, and identifying the clues to their fakeness are skills that need to be learned and reinforced in staff behavior.

Business Continuity Planning and Staff Engagement
All staff members need a good understanding of business continuity issues. Those assigned specialist duties, such as planning testing and incident response, need extra specific training, as all emergency responders do. Middle and senior managers have their own responsibilities, and are required to understand and adopt integrated cyber resilience management best practice and compliance to standards. The key cyber resilience standards that should be adopted are:
• ISO 27001, the international standard describing best practice for an information security management system.
• ISO 22301, the international standard for business continuity.

Successful training can be achieved only with full staff engagement. If the training is perceived as dull, tedious, and boring, the results are likely to be disappointing. No matter how technically expert the training is, eliciting an enthusiastic human response requires addressing an extra dimension: psychology.

4 Johnson (2017).
THE CHALLENGE OF CYBER RESILIENCE: TRUMP HOTELS
Hotels are at high risk of data breach attacks, particularly major chains. Seven of the luxury hotels owned by presidential candidate Donald Trump were infected between May 2014 and June 2015 with malware that stole payment information. This data breach ended up exposing 70,000 credit card numbers and customer records, and was discovered only when multiple banks spotted hundreds of fraudulent transactions on customer accounts where the last legitimate transaction was at Trump Hotels.

Cardholders were unaware of the breach until a notice was posted on the Trump Hotels website four months after the hotel chain had learned of the major data exfiltration. This delay violated New York state laws stipulating timely consumer notifications regarding compromised data. Timeliness of security response is also a requirement of resilience. Trump Hotels duly enhanced security measures, including employee training, comprehensive risk assessments, and regularly scheduled testing of systems - but not before another data breach was discovered in March 2016.

Later that year, hackers broke into the Sabre SynXis Central Reservations System, which facilitates online hotel booking for some of the largest hotel chains. The intrusion remained undetected on the Sabre network for seven months, stealing data between August 2016 and March 2017. This was the third credit card data breach affecting Trump Hotels in three years.8

presence of accidents, errors, and disasters. In particular, resilience engineering is well suited to systems that are tightly coupled but intractable in the sense that they cannot be completely described or specified.

In general terms, resilience is the ability of an organization to recover to a stable state, allowing it to continue operations during and after a major mishap or in the presence of continuous significant stresses. Both of these contingencies are relevant for cyber resilience. The management challenge of building and leading a resilient organization increases in complexity as more products and services are online and open to cyber disruption by malevolent hackers.

President Trump gave a public commitment to keeping America safe in the cyber era.9 This commitment extended to resilience: building defensible government networks and improving the ability to provide uninterrupted and secure communications and services under all conditions. Although a strident critic of big government, as a victim of data breaches in his hotel chain, Trump may recognize that stronger cyber security regulations may be needed and may need to be better enforced.

23.4 ATTRIBUTES OF A CYBER-RESILIENT ORGANIZATION
because they have a business hospitality culture of openness. A
For example, even while withstanding or recovering from

Case studies of organizations that have suffered major data breaches often highlight missing attributes for a resilient organization. For example, security commentators referred negatively to the security culture at Equifax, which discovered a massive data breach on July 29, 2017, and announced it six weeks later on September 7. In his testimony to a US House of Representatives subcommittee on consumer protection, the Equifax CEO, Rick Smith, justified the delay in communicating the data breach on the grounds of avoiding further attacks and ensuring consumer protection measures could be put in place. A resilient organization would have had detailed contingency plans in place for a data breach, which would have expedited its crisis communication response.

The Equifax CEO also excused the communication delay with reference to Hurricane Irma, which took down two large call centers in September, soon after the breach announcement. This is a classic failure of resilience. Corporate preparedness for natural hazards should include plans to overcome breakdowns in infrastructure. Professional resilience engineers would not have been astonished that some of the 15 million Britons affected by the Equifax data breach were only notified eight months afterwards.

Six Positive Attributes for Resilience
For a consumer credit reporting agency, corporate resilience should have been a business priority. The many millions of10

10 Wreathall (2006).

4. Awareness of the true state of defenses, and their state of degradation. Also, insight into the quality of human performance, and the extent to which it is a problem.
5. Preparedness for problems, especially in human performance. The organization should actively anticipate problems and prepare for them.
6. Flexibility to adapt that maximizes ability to solve problems without loss of functionality. It requires that important security decisions may be made at lower organizational levels.

These six attributes are qualitative organizational attributes, which have a significant bearing on quantitative resilience metrics: the time and cost to restore operations, the time and cost to restore system configurations, the time and cost to restore functionality and performance, the degree to which the pre-disruption state is restored, the potential disruption circumvented, and successful adaptations within time and cost constraints.

Cyber Resilience Objectives
Because the cyber threat is so dynamic, many actions to improve resilience may be effective for only a short duration. However, common to all actions are various general cyber resilience objectives, which are summarized next.

• Adaptive Response
An adaptive response involves executing and monitoring the effectiveness of actions that best change the attack surface, maintain critical capabilities, and restore functional capabilities.
• Analytic Monitoring
Analytic monitoring involves gathering and analyzing data on an ongoing basis and in a coordinated way to identify potential vulnerabilities, adversary activities, and damage.
• Coordinated Defense
In any conflict situation, having multiple defenses is advantageous, but they have to be carefully coordinated so that they do not interfere negatively with each other, but rather have a maximum positive effect.
• Deception
Sun Tzu's dictum that 'All war is based on deception' applies to cyber warfare as well as older traditional forms of conflict. Deception is an essential weapon of cyber defense, especially against a powerful adversary, such as a state-sponsored threat actor.
• Privilege Restriction
Violation of privilege restriction has facilitated some major cyber attacks. To minimize the impact of criminal action, privileges should be carefully restricted.
• Random Changes
Static security, however strong, is progressively liable to be eroded over time. Frequent randomized security actions that make it more perplexing for an adversary to predict behavior increase the chance of adversary detection.
• Redundancy
The value of redundancy in enhancing system safety is evident from elementary reliability analysis. If the chance of failure of a key component is one in a thousand, then the chance of failure of two such components, assumed to have independent failure rates, is as low as one in a million.
• Segmentation
The attack surface of a system can be reduced if system components can be segmented based on criticality to restrict the damage from exploits. Segmentation often employs either physically distinct entities or virtualization of computing subnetworks to provide the desired separation.
• Substantiated Integrity
It is crucial that critical systems and backups have not been corrupted by an adversary. Their integrity needs to be substantiated and data checked that they are not invalid or out of range.

perpetrators are outside Western jurisdiction, and even if they are within the same jurisdiction as the victim, successful prosecution is difficult to achieve.

However, where a significant corporate cyber crime has been committed, some level of criminal investigation is required for legal reasons, as well as to comply with obligations to shareholders and other corporate stakeholders, and to enhance resilience. This involves computer forensics. As with any forensic investigation, diligence is needed when attending the scene of a crime, to ensure that significant evidence gathered is admissible. In particular, the following four principles must be upheld:11
1. No action taken by law enforcement agencies, persons employed within those agencies, or their agents should change data, which may be subsequently relied upon in court.
2. Where a person finds it necessary to access original data, that person must be competent to do so, and be able to give evidence explaining the relevance and the implications of his or her actions.
3. An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
4. The person in charge of the investigation has overall responsibility for ensuring adherence to the law and these principles.

Forensic investigators not only must comply with these principles; they also have to cope with insidious attempts to thwart computer forensic analysis. This may include encryption, the overwriting of data, and the modification of file metadata. And even where no such anti-forensic efforts have been made, a shrewd defense lawyer can query in court the quality of evidence of an intrusion - maybe the log file had been tampered with, or the origination of the internet protocol (IP) address was faked.12 Thinking through defense arguments is a valuable intellectual exercise in cyber resilience, because it raises technical issues that could lead to ideas for improving the cyber security environment. One argument might be over identifying when exactly a cyber security incident occurred. For example reconciling the timestamp for a connection to a Webserver might involve clients in London, a server in Tokyo and various time zones and
Forensic Investigation
The vast majority of internet crimes are left unreported. A tiny 11 A C P O (2012).
13 C R E S T (2013).
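An added example, not from the text, of how principle 3 (a preserved, independently re-checkable record of every process applied to the evidence) and the substantiated-integrity point can be put into practice: a hash-chained audit trail for a captured log file, where a tampered log or an altered trail entry fails verification. The evidence file name, log lines and examiner names are constructed sample data.

```python
"""Added example (not from the original text): hash-chained audit trail for
digital evidence. Each entry commits to the evidence hash and to the previous
entry, so an independent party can re-verify the whole chain later."""
import hashlib
import json

# Constructed evidence: a web-server access log as acquired at the scene.
EVIDENCE_NAME = "webserver-access.log"  # hypothetical file name
EVIDENCE_BYTES = (
    b'203.0.113.7 - - [14/Mar/2017:09:15:02 +0000] "GET /login HTTP/1.1" 200 512\n'
    b'203.0.113.7 - - [14/Mar/2017:09:15:09 +0000] "POST /login HTTP/1.1" 302 0\n'
    b'198.51.100.23 - - [14/Mar/2017:09:16:41 +0000] "GET /export HTTP/1.1" 200 91233\n'
)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _seal(entry: dict) -> dict:
    """Add the entry's own hash, computed over its canonical JSON form."""
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    return entry

def acquire(evidence: bytes, examiner: str, when: str) -> list:
    """Start a trail with the acquisition record (principle 1: the hash taken
    at acquisition is the reference every later step is compared against)."""
    entry = {
        "step": "acquire",
        "examiner": examiner,
        "time": when,
        "evidence_sha256": sha256_hex(evidence),
        "prev": "0" * 64,          # no predecessor for the first entry
    }
    return [_seal(entry)]

def record_step(trail: list, step: str, examiner: str, when: str, evidence: bytes) -> list:
    """Append a processing step (e.g. 'parse', 'filter'). The evidence hash is
    recorded again so that any change to the bytes shows up in the trail."""
    entry = {
        "step": step,
        "examiner": examiner,
        "time": when,
        "evidence_sha256": sha256_hex(evidence),
        "prev": trail[-1]["entry_hash"],  # chain link to the previous entry
    }
    return trail + [_seal(entry)]

def verify(trail: list, evidence: bytes) -> list:
    """Independent re-check (principle 3): recompute every entry hash and
    chain link, and compare the evidence with the acquisition record.
    Returns a list of problems; an empty list means the trail is consistent."""
    problems = []
    expected_prev = "0" * 64
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            problems.append(f"entry {i}: entry hash does not match its contents")
        if entry["prev"] != expected_prev:
            problems.append(f"entry {i}: chain link broken")
        if i > 0 and entry["evidence_sha256"] != trail[0]["evidence_sha256"]:
            problems.append(f"entry {i}: evidence hash differs from the acquisition record")
        expected_prev = entry["entry_hash"]
    if trail and sha256_hex(evidence) != trail[0]["evidence_sha256"]:
        problems.append("evidence bytes differ from the acquisition hash")
    return problems

if __name__ == "__main__":
    trail = acquire(EVIDENCE_BYTES, "examiner-1", "2017-03-14T10:00:00Z")
    trail = record_step(trail, "parse", "examiner-1", "2017-03-14T10:05:00Z", EVIDENCE_BYTES)
    print("intact:", verify(trail, EVIDENCE_BYTES))
    # The 'log file had been tampered with' argument: one address rewritten.
    tampered = EVIDENCE_BYTES.replace(b"198.51.100.23", b"192.0.2.99")
    print("tampered:", verify(trail, tampered))
```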
352 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
CASE STUDIES IN GERMAN STEEL RESILIENCE

In February 2016, Southeast Asian hackers exfiltrated technological intellectual property data from Thyssenkrupp, one of the world's largest steelmakers. Early detection and timely countermeasures limited the loss from this professional cyber espionage attack, which was discovered, continuously observed, and analyzed by Thyssenkrupp's computer emergency response team. This admirably resilient response to a cyber attack contrasts with what happened when a steel mill in an undisclosed location in Germany was targeted for a cyber attack in 2014. (Thyssenkrupp denied it was one of its steel mills.) The motive for this apparently senseless act of cyber vandalism remains unknown, but it does provide an instructive contrasting case study in cyber nonresilience.

The attackers used spear phishing emails to access the steel mill office IT network, compromise a multitude of systems, and spread over to the production network. Failures accumulated in individual control components, and a blast furnace could not be shut down in a regulated manner, which resulted in extensive damage. This cyber attack came as a shock not just to the steel mill security staff, but to the entire cyber security industry in Germany and beyond. Surprise is the enemy of resilience.

It would not have been feasible for an outside vandal to have physically gained access to the steel mill and sabotaged a blast furnace. Basic site security would have detected the unauthorized intrusion and prevented this kind of criminal damage. The cyber attack was not detected because it was an advanced persistent threat (APT), executed carefully in stages in a slow and stealthy way, keeping a low profile to make detection difficult.16 Apart from remaining undetected, the attack was neither contained nor controlled.

A more resilient cyber defense strategy would have had a network intrusion detection system (NIDS) deployed. This strategy should also have maintained a strict separation between business and production networks to contain the attack, preventing it from spreading from the entry point to the key industrial target.
Minimize Intrusion Dwell Time

A resilient strategy for coping with a cyber attack should minimize the intrusion dwell time, which is the time from initial system compromise to the time the malware ceases to be effective. Controlling dwell time means early detection with an appropriate, effective response. Just as with malignant cancer, the lateral spread of an intrusion should also be contained and controlled, so as to minimize the number and extent of compromised systems. Dwell times can be measured in months rather than days or weeks, because attackers are often ingeniously adaptive to new security systems, and may change their threat signatures from those detected by threat intelligence service providers. Spotting anomalous behavior is a crucial aspect of resilient cyber security.

A network behavior anomaly detection (NBAD) program tracks critical network characteristics in real time and generates an alarm if an anomaly or unusual trend is detected that might signal a threat. Examples of such characteristics include increased traffic volume, bandwidth, and protocol use. Such a program can also monitor the behavior of individual network subscribers.

For NBAD to be optimally effective, a baseline of normal network or user behavior must be established over a period of time. A large volume of network data can enable even a comparatively modest anomaly to be tracked and flagged. Inevitably, as in any anomaly detection system, there may be false positives, such as when an employee decides to back up the contents of a hard drive on a Saturday evening before going away on vacation the following morning. The flip side of anomaly detection, when dealing with an intelligent adversary striving to keep illicit activities hidden within the noise, is the possibility of false negatives. The international prize for smart detection avoidance might be awarded to the Soviets, who violated nuclear test ban treaties by automatically timing the detonation of nuclear test explosions to coincide with the occurrence of regional earthquakes. The seismic signal of a nuclear explosion (the observational basis for nuclear test forensics) would be hidden within the tail of the earthquake signal. This kind of subtle trickery to evade detection ended with the Cold War, but the ingenious cunning of the Russian chess mind in the age of state-sponsored cyber attacks should not be underestimated.

Anomaly Detection Algorithms

Anomaly detection algorithms use state-of-the-art artificial intelligence methods, incorporating sophisticated Bayesian techniques of statistical inference. These probabilistic tools for searching for discrepancies have been refined using ideas developed for Big Data analysis. Faster, cheaper, simpler - but less powerful - are signature-based detection methods. Rather like a police biometric database of fingerprints or DNA samples, these methods rely on a database of signatures carried by packets known to be sources of malicious activities. Signature-based methods check for automated procedures supplied by well-known hacker tools. These tend to have the same traffic

16 Bartman and Kraft (2016).
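An added example, not from the text, of the NBAD baseline idea described above: a per-(weekday, hour) baseline of one host's egress bytes is learned from constructed history, new observations are scored against it, and the two failure modes the text names are reproduced, the Saturday-evening disk backup that raises a false positive and a low-and-slow transfer that hides in the noise as a false negative. The traffic figures and thresholds are constructed assumptions.

```python
"""Added example (not from the original text): a minimal network behaviour
anomaly detector. It learns mean and spread of hourly egress bytes for each
(weekday, hour) slot from constructed history and flags large deviations."""
from collections import defaultdict
from statistics import mean, pstdev

MB = 1_000_000

def constructed_history(weeks: int = 4) -> list:
    """Deterministic stand-in for weeks of hourly samples: (weekday 0=Mon,
    hour, bytes). Office hours are busy, nights and weekends are quiet."""
    rows = []
    for w in range(weeks):
        for day in range(7):
            for hour in range(24):
                busy = day < 5 and 8 <= hour < 18
                base = 400 * MB if busy else 20 * MB
                # +/- 6 MB of constructed jitter so every slot has some spread
                jitter = (((w * 7 + day) * 24 + hour) % 13 - 6) * MB
                rows.append((day, hour, base + jitter))
    return rows

def build_baseline(history: list) -> dict:
    """Mean and population standard deviation of bytes per (weekday, hour)."""
    slots = defaultdict(list)
    for day, hour, nbytes in history:
        slots[(day, hour)].append(nbytes)
    return {slot: (mean(v), pstdev(v)) for slot, v in slots.items()}

def zscore(baseline: dict, day: int, hour: int, observed: float, floor: float = 5 * MB) -> float:
    """Deviation from the slot's baseline in standard deviations; `floor`
    stops a very quiet slot from turning tiny fluctuations into alerts."""
    mu, sigma = baseline[(day, hour)]
    return (observed - mu) / max(sigma, floor)

def classify(baseline: dict, day: int, hour: int, observed: float, threshold: float = 4.0) -> str:
    """'alert' when the observation is more than `threshold` deviations away."""
    return "alert" if abs(zscore(baseline, day, hour, observed)) > threshold else "normal"

if __name__ == "__main__":
    baseline = build_baseline(constructed_history())
    # Saturday 20:00: an employee backs up a whole disk before going on vacation.
    print("Saturday backup:", classify(baseline, 5, 20, 60_000 * MB))       # alert (false positive)
    # Tuesday 10:00: an intruder trickles 3 MB per hour out on top of office traffic.
    office_mean, _ = baseline[(1, 10)]
    print("Low-and-slow transfer:", classify(baseline, 1, 10, office_mean + 3 * MB))  # normal (false negative)
```

The second case is the one the text calls the flip side: a per-slot threshold alone cannot see a transfer that stays inside the slot's normal spread, which is why NBAD is paired with longer-horizon trend tracking.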
suring work on vulnerability assessment is not measuring risk reduction. For example, a vulnerability scanner might determine that a server is missing critical operating system patches by detecting an outdated version of the operating system during a network probe. This vulnerability might be remedied simply by a software update and a reboot. Assessing the corresponding cyber risk reduction is not so straightforward. This would involve explicitly devising an exploit to show that the missing patch would allow an attacker to gain access to the server. This might be a difficult task, not necessarily cost-effective for a work-averse hacker.

risk mitigation, instead of more empirical and scientific practices. Although pen testers know what to charge for their professional services, most pen testers cannot put a price on their success or failure. Pen testers can make recommendations on how to close security gaps, and how to prioritize the necessary tasks. But no two pen testers go about their assignment in the same way, and pen testing is usually done on a limited set of targets. Accordingly, pen testing is not strictly a risk management exercise.

To provide another perspective on security risk management, consider the pen testing analog of red-teaming in counterterrorism studies. Ever since 9/11, security consultancies with extensive military expertise have undertaken vulnerability assessments for specific locations and events that might be targeted for a terrorist attack. Red-teaming exercises are particularly valuable

17 George (2016).
in identifying gaps in security that would make a location or event a comparatively soft target relative to other alternative targets. By hardening any one potential target, e.g. deploying additional perimeter security guards and installing CCTV, the risk may be transferred to another soft target, in a process that terrorism risk analysts recognize as target substitution.18 This tactic should extend to cyber risk as well. Hackers (like terrorists) follow the path of least resistance in their targeting, and if an attractive designated target for a cyber attack has been hardened, others lacking the benefit of pen testing or red-teaming knowledge may become more likely to be attacked.

Financial Consequences of a Cyber Attack

A major cyber attack on a corporation can impact it in numerous adverse ways. Intellectual property and other confidential information may be stolen; important computer system files may be corrupted or encrypted; denial of service may bring systems down; physical damage to corporate facilities and property may be inflicted; psychological and bodily harm may be caused to staff and customers; reputational damage may be incurred; and liability lawsuits may be filed. Whatever the impact, business will be disrupted to an extent that depends on the resilience of the organization. We describe many of these consequences and illustrate some of these costs in the first two chapters: Chapter 1, 'Counting the Costs of Cyber Attacks', and Chapter 2, 'Preparing for Cyber Attacks'.

The bottom line for any commercial organization is the ultimate financial cost. Each of the adverse impacts results in a financial loss to the corporation. For publicly listed corporations, the stock price is a resilience measure. For those publicly listed corporations for which cyber security is paramount for customer confidence, the impact of a severe cyber attack on stock price can be devastating. As fallout from a massive identity theft data breach, the stock price of Equifax fell precipitously by about one-third in one week, before a new CEO was appointed in late September 2017 and started to turn the consumer credit reporting agency around. But with further revelations that the data breach was worse than previously thought, the stock price in mid-February 2018 was still lower by 20% than it had been before the breach disclosure.

Financial Risk Assessment

Companies have to make assessments of their risk and build resilience into their balance sheet to withstand the types of shock that might be foreseeable. In the United States, public companies are expected to file annual 10-K submissions to the Securities and Exchange Commission that identify the key risks to their business and to notify their shareholders and counterparties of those risks. The UK equivalent is the Long Term Viability Statement (LTVS) reporting to the Financial Reporting Council on liquidity. Cyber risk is one of the most commonly reported risks by companies, declared in their 10-K and LTVS filings.

A cyber attack can cause sufficient loss to damage a company's balance sheet, even for fairly sizeable organizations. Examples include companies having to issue profit warnings, suffer credit downgrades, make emergency loan provisions, and
likelihood of cyber attacks causing a loss sufficient to trigger each of these thresholds depends on the type of risk analysis we have described, defining the odds of experiencing a cyber loss of these levels of severity, combined with the financial structure of the organization, its liquidity, its access to capital reserves, and analysts' interpretation of the event in terms of how it might affect the future business model and position relative to its competitors.

Balance sheet resilience for the levels of financial shock that might be inflicted by a cyber event can be achieved by having all of the standard financial engineering processes to minimize earnings volatility, including having sufficient liquidity margins, reducing debt ratios, having access to emergency loan provisions, being able to cut costs to meet earnings targets, and having cyber insurance to provide a level of financial indemnity against the loss.

Reverse Stress Testing

For any specified cyber attack scenario designed as a financial stress test, the implications for a corporation can be evaluated, taking account of the myriad ways that it might affect business. For a particularly severe scenario, a corporation's credit rating might be downgraded. The implications of cyber attacks could start taking a higher priority in credit analysis. Moody's Investors Service views material cyber threats in a similar vein to other extraordinary event risks, such as those arising from natural disasters, with any subsequent credit impact depending on the duration and severity of the event.19 While Moody's does not explicitly incorporate cyber risk as a principal credit factor, its fundamental credit analysis incorporates numerous stress testing scenarios, and a cyber event could be the trigger for one

18 Woo (2011).
19 Moody's Investors Service (2015).
21 See References for list of publications by CCRS.
22 Harmer (2017).

Traditionally, the confidence levels have been estimated under the simplifying hypothesis that the underlying loss variability
can be represented by a bell-shaped normal distribution. This is very convenient for mathematical analysis, because the sum of any number of normal distributions is still normal. However, the normal approximation is invalid for open-ended risks like cyber risks, which recognize no bounds of geography and can increase in severity scale by orders of magnitude. A problem faced by cyber risk analysts is the brief observational period of historical data, which may not represent accurately the tail of the loss distribution, which could have a much fatter shape than any bell.

Re-Simulations of Historical Events

The historical record of cyber attacks is just a couple of decades long. By conducting stochastic simulations of past cyber attacks within this time window, cyber risk analysts can look beyond the near horizon of history and scan the far horizon, gaining insight into how large cyber losses might potentially have been. For example, suppose that a major bug (such as Heartbleed) had been discovered by a black hat rather than by a white hat; what might the cyber loss have been? Even though Heartbleed was found first in 2014 by the Google security team, the alarming potential for data exfiltration was demonstrated by Chinese hackers who, after the bug was disclosed, stole the personal data of about 4.5 million patients of hospital group Community Health Systems Inc. The hackers used stolen credentials to log into the network posing as employees. Once in, they hacked their way into a database and stole millions of records. If this bug had not been found by white hats and patched, many criminal hacking groups might have followed this basic modus operandi of using the Heartbleed bug to steal credentials, which would then be a gateway of opportunity to exfiltrate very large volumes of valuable data. With a complete medical record selling on the dark web for high prices, the economic loss from tens of millions of medical records alone might have been many billions of dollars.

The sensitivity of corporate vulnerability to cloud failure might also be assessed by revisiting the most severe historical cloud outages involving a cloud service provider, and contemplating some downward counterfactuals where the situation, which was bad already, turned for the worse because of poor resilience of the cloud service provider. In 2015, a notable bug, XSA-148, was found in the Xen hypervisor software by the cloud platform security team at the Chinese multinational Alibaba.23 This bug would have allowed malicious code to be written into a hypervisor's memory space. This vulnerability was probably the worst ever seen affecting Xen, which is a free software project. It is claimed that Xen has fewer critical bugs than other hypervisors, but this would be little consolation to an organization that suffered loss through a Xen bug.

Counterfactual Analysis

Counterfactual analysis can also quantify the benefit from past security enhancements, such as regular penetration testing, as well as from the introduction of resilience measures to mitigate the loss from cyber attacks. For example, measures to streamline the process of restoring backup systems in the event of a ransomware attack might be assessed retrospectively for the WannaCry attack of May 2017. Suppose that the kill switch had not been found early on by Marcus Hutchins, and that WannaCry had spread widely within the United States. How much worse might the corporate cyber loss have been if an improved backup restoration process had not been implemented? Due consideration of past near misses such as this would encourage improved future preparedness for, and resilience against, another ransomware attack.

This kind of counterfactual analysis would also help decide on the cost-effectiveness of additional cyber resilience measures. Suppose that an additional resilience technology had been introduced several years ago. How much would the cyber losses over this period have been reduced? A positive answer would then lead to a quantitative assessment of whether the substantial expenditure on this resilience enhancement is warranted by prescribed corporate limits on its cyber risk appetite. Resilient organizations are less prone to strategic surprise.

Building Back Better

In the depth of the financial crisis in November 2008, President-elect Obama's chief of staff, Rahm Emanuel, looked forward optimistically: 'You never let a serious crisis go to waste. And what I mean by that - it's an opportunity to do things you could not do before'.24 In earthquake engineering, there is an extended resilience concept that reconstruction after an earthquake should not merely aim to restore a building to its pre-earthquake state, which was evidently seismically vulnerable, but to make it more earthquake-resistant in the future. This is called building back better. The same concept applies to reconfiguring a computer system after a major cyber attack. Merely restoring previous functionality with its exposed security vulnerabilities is a poor short-term option; far superior is building in more robust, enhanced security from the outset. For example, if overall system failure can be traced back to a single item failure, which could have either a technological or human source, then
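An added example, not from the text, serving two of the passages above: the warning that a bell-shaped normal fit understates the tail of open-ended cyber losses, and the counterfactual question of how much a resilience measure introduced earlier would have cut losses over the period. Annual losses are re-simulated from a constructed frequency-severity model, the tail is read off both the normal fit and the empirical distribution, and the same simulated incidents are re-run with a hypothetical faster-restoration measure applied. All parameters, the loss model and the measure are constructed assumptions, not figures from the text.

```python
"""Added example (not from the original text): Monte Carlo re-simulation of
annual cyber losses with a fat-tailed severity, the normal-hypothesis tail
beside the empirical tail, and a counterfactual resilience measure."""
import math
import random
from statistics import NormalDist, mean, pstdev

def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss incidents in one year (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1

def simulate_events(years: int, lam: float, median: float, sigma: float, seed: int = 7) -> list:
    """One list of incident losses per simulated year. Severity is log-normal,
    so a single incident can be orders of magnitude above the median (constructed)."""
    rng = random.Random(seed)
    mu = math.log(median)
    return [[rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, lam))]
            for _ in range(years)]

def annual_totals(events: list, per_event=lambda loss: loss) -> list:
    """Aggregate each year's incidents, optionally transforming each loss."""
    return [sum(per_event(loss) for loss in year) for year in events]

def faster_restoration(loss: float, retained: float = 2_000_000.0, cut: float = 0.5) -> float:
    """Hypothetical counterfactual measure (e.g. streamlined backup
    restoration): the first `retained` of each incident is unchanged and
    `cut` of the excess, taken to be the downtime-driven part, is removed."""
    return loss if loss <= retained else retained + (loss - retained) * (1 - cut)

def empirical_quantile(values: list, p: float) -> float:
    s = sorted(values)
    return s[min(len(s) - 1, int(p * len(s)))]

def normal_quantile(values: list, p: float) -> float:
    """Tail estimate under the simplifying bell-shaped hypothesis."""
    return NormalDist(mean(values), pstdev(values)).inv_cdf(p)

def tail_comparison(years: int = 20_000, lam: float = 3.0, median: float = 1e6,
                    sigma: float = 1.5, p: float = 0.999) -> dict:
    """Annual loss at confidence level p: normal fit vs empirical, and the
    empirical figure had the resilience measure been in place all along."""
    events = simulate_events(years, lam, median, sigma)
    base = annual_totals(events)
    counterfactual = annual_totals(events, faster_restoration)
    return {
        "normal_fit": normal_quantile(base, p),
        "empirical": empirical_quantile(base, p),
        "empirical_with_measure": empirical_quantile(counterfactual, p),
        "mean_annual_reduction": mean(base) - mean(counterfactual),
    }

if __name__ == "__main__":
    result = tail_comparison()
    for name, value in result.items():
        print(f"{name:>24}: {value / 1e6:10.1f} million")
```

The gap between the normal-fit and empirical rows is the understatement the text warns about; the last two rows are the inputs to the cost-effectiveness question, to be set against the measure's cost and the corporate risk appetite limit.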
selves have suffered loss, but when others have had this misfortune. The Target breach was a wake-up call not just for the retailer's own management, but for management right across corporate America. A survey conducted of 20,000 IT practitioners in the United States by the Ponemon Institute found that respondents' security budgets increased by an average of 34% in the year following the Target breach, with most of those funds used for security information and event management (50%), endpoint security (48%), and intrusion detection and prevention (44%).25 Some 60% of respondents also said they made changes to their operations and compliance processes in response to recent well-publicized data breaches: 56% created an incident response team, 50% conducted training and awareness activities, 48% added new policies and procedures, 48% began using data security effectiveness metrics, 47% added specialized education for the IT security staff, and 41% added monitoring and enforcement activities.

From such substantial remedial security measures, organizations show they can be fast learners in cyberspace, and the cyber security market is seen to be highly adaptive, swift, and responsive to new commercial opportunity. Indeed, the digital revolution would not have happened so rapidly had it not been for the spirit of technical enterprise and ingenuity that digital pioneers have abundantly displayed in overcoming enormous challenges. Back in 1996, the Clinton-Gore vision of having the internet in every American school seemed blighted by

crucial for filling the looming cyber security skills gap. Demand for cyber security professionals is growing faster than the overall IT job market. Many more of the millennial cohort are needed to train and work as cyber security professionals. The increasing demand for young cyber security staff should serve a valuable societal purpose in providing gainful employment for hackers of rather modest IT skill and knowledge, who might struggle to get a well-paying job in a tight IT labor market.

Such average hackers might otherwise drift into a life of petty cyber crime, purchasing from better-skilled cyber criminals off-the-shelf exploit toolkits that they could use to make money illegally in cyberspace. With demand for talented cyber security professionals outstripping supply now and into the foreseeable future, a life of cyber crime makes little sense for a highly able cyber security professional, unless he or she has a penchant for illegal hacking, in which case legitimate and fulfilling government employment at the National Security Agency (NSA) or Government Communications Headquarters (GCHQ) beckons. Collectively, NSA and GCHQ may have the best offensive cyber attack capability, which in itself is an employment draw.

Aviation resilience in the skies ultimately depends on the skill, training, and experience of airline pilots. The safety of airlines varies quite significantly, even though their fleets of Boeing and Airbus aircraft may be quite similar. The cyber security of corporations also varies quite significantly, even though their Microsoft and Apple computer systems may also be quite similar. Cyberspace resilience ultimately depends on the skill, training, and experience of smart cyber security professionals who have

25 Ponemon Institute (2015).
the knowledge, capability, and motivation to defend their organization effectively against a continuous barrage of targeted and random cyber attacks, some of which are masterminded by elite state-sponsored hacking teams.

Improving the Cyber Profession

In any professional adversarial contest, the outcome depends heavily on the quality of the best players. Nobody appreciates this as much as the North Koreans, Chinese, and Russians, with their prestigious and highly competitive cyber academies. To match such training centers of cyber excellence, the UK National Cyber Security Centre has offered bursaries, specialist training, and paid work placements to a thousand young British students. This training initiative has had the support of major international defense contractors, as well as the City of London Police.

More ambitiously, with additional US expenditure on national security programs, the Pentagon could establish a US National Cyber Academy to defend the nation in cyberspace. This academy would be rather like the existing sea, land, and air academies at Annapolis, West Point, and Colorado Springs. The underlying rationale for this investment is the realization that winning in cyberspace is fundamentally a matter of cyber security skill and expertise.

Beyond the government, recruiting and retaining the best cyber security staff should be a priority of every cyber-resilient organization. In 2018, 70% of CISOs reckoned that lack of competent in-house staff was their top security threat. Other than being targeted by a cyber attack, the resilience of a corporation may be severely tested if one or more of its leading cyber security team were to leave. From the CISO downwards, robust backup plans need to be prepared for this contingency. Management consultants highlight the importance of both CISO succession planning and developing others to represent the CISO. The sooner that individuals are trained and prepared for this role, the more resilient a corporation will be.
• Define cyber-resilience and compare recent regulatory initiatives in the area of cyber-resilience.

• Describe current practices by banks and supervisors in the governance of a cyber risk management framework, including roles and responsibilities.

• Explain and assess current practices for the sharing of cybersecurity information between different types of institutions.

• Describe practices for the governance of risks of interconnected third-party service providers.

Excerpt is reprinted from Cyber-Resilience: Range of Practices, by the Basel Committee on Banking Supervision, December 2018.
24.1 INTRODUCTION

In March 2017, the G20 Finance Ministers and Central Bank Governors noted that "the malicious use of information and communication technologies (ICT) could disrupt financial services crucial to both national and international financial systems, undermine security and confidence, and endanger financial stability".1

Regulated institutions' use of technology includes greater levels of automation and integration with third-party service providers and customers.2 This results in an attack surface that is growing and is accessible from anywhere, and it incentivises cyber-adversaries to increase their capabilities. Increased use of third-party providers means that the perimeter of interest to financial sector regulators has gotten bigger, and greater use of cloud services means that the perimeter is also shared. Shared service models require regulated institutions to think differently about how they build and maintain their cyber-resilience in partnership with third parties.

Given the increase in the frequency, severity and sophistication of cyber-incidents in recent years, a number of legislative, regulatory and supervisory initiatives have been taken to increase cyber-resilience. At the international level, the G7 issued Fundamental Elements of Cyber-security for the financial sector,3 and the Committee on Payments and Market Infrastructures (CPMI) issued, jointly with the International Organization of Securities Commissions (IOSCO), guidance on cyber-resilience for financial market infrastructures (FMIs) in June 2016.4 In the European Union (EU), the European Commission's (EC) Fintech Action Plan invites the European Supervisory Authorities to consider issuing guidelines to achieve convergence on ICT risk.5

Against this backdrop, the Basel Committee on Banking Supervision (BCBS) recognised the merits of approaching operational resilience beyond the purview of operational risk management and minimum capital requirements, and established the Operational Resilience Working Group (ORG) with the intention of contributing to, inter alia, the international effort related to cyber-risk in close coordination with the other international bodies involved. The Committee therefore requested that the ORG provide this first assessment of observed cyber-resilience practices at authorities and firms.

The objective of this report is to identify, describe and compare the range of observed bank, regulatory and supervisory cyber-resilience practices across jurisdictions. In preparing this range of practices document, ORG members used the input provided by their organisation to an FSB survey in April 2017, which led to the publication of its stocktake of publicly released cyber-security regulations, guidance and supervisory practices at both the national and international level, issued in October 2017. According to the FSB cyber-security stocktake, banking is the only sector in financial services for which all FSB jurisdictions have issued at least a regulation, guidance or supervisory practices. In addition, the FSB found that member jurisdictions drew upon a small body of previously developed national or international guidance or standards of public authorities or private bodies in developing their cyber-security regulatory and supervisory schemes (mainly the 2016 CPMI-IOSCO guidance, the US National Institute of Standards and Technology (NIST) cyber security framework and the ISO 27000 series).6

Besides reviewing and completing their jurisdiction's responses to the FSB survey questions, ORG members shared their direct experiences and insights in order to provide a more concrete and specific understanding of the main trends, progress and gaps in the pursuit of cyber-resilience in the banking sector. Furthermore, additional insight was gained and findings were fine-tuned through outreach to a broad set of industry stakeholders including banks, utility and technology service providers, consultancies and associations involved in domestic and international cyber-security matters.

For the purpose of this report, the BCBS uses the FSB Lexicon definition of cyber-resilience,7 which defines it as the ability of an organisation to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing and rapidly recovering from cyber incidents. Although this paper focuses on

1 See G20, Communique: G20 Finance Ministers and Central Bank Governors Meeting, Baden-Baden, Germany, 17-18 March 2017, www.bundesfinanzministerium.de/Content/EN/Standardartikel/Topics/Featured/G20/g20-communique.pdf?_blob=publicationFile&v=3.
2 Many regulated institutions are adopting strategies that will see more data stored and/or processed outside the perimeters of the regulated institution while at the same time granting service providers (now growing to what is commonly a multitude of providers) access to their environments to perform business and technology processes.
3 See G7, Fundamental elements of cybersecurity for the financial sector, October 2016.
4 See CPMI-IOSCO, Guidance on cyber-resilience for financial market infrastructures, June 2016.
5 The European Securities and Markets Authority (ESMA), the European Banking Authority (EBA), and the European Insurance and Occupational Pensions Authority (EIOPA), collectively referred to as the "European Supervisory Authorities".
6 See NIST, Framework for improving critical infrastructure cybersecurity, 16 April 2018, www.nist.gov/cyberframework/framework, which consists of standards, guidelines and best practices to manage cyber-security-related risk.
7 See FSB, Cyber Lexicon, 12 June 2018, www.fsb.org/wp-content/uploads/P121118-1.pdf.
cyber-resilience, practices also relevant to the broader opera Standards on general risk topics such as business continuity
tional resilience context were considered. A distinction was also planning and outsourcing contribute to the m anagem ent of a
drawn between cyber-risk m anagem ent (which deals with vul wide range of risks and also have relevance to cyber-risk. Discus
nerabilities and threats) and IT risk m anagem ent, the scope of sion at the 2017 Information Technology Supervisors' Group
which is broader than the m atter at hand in this report. W here (ITSG) meeting highlighted that many countries are working on
appropriate, deeper dives on practices that reflect new updates to their outsourcing standards.9 The Australian Pruden
approaches or address w idely shared strategic concerns have tial Regulation Authority(APRA) is also considering whether the
been perform ed O RG m em bers in the form of nine specific term outsourcing remains relevant or whether service p ro vid er
case studies. risk m anagem ent might be more appropriate, recognising that
bank supply chains have becom e more com plex. Section 6 of
The rem ainder of this report is divided into the following
this report further discusses expectations and practices in rela
sections:
tion to third-party interconnections.
• Section 2 provides a high-level overview of current
Specific cyber-risk m anagem ent guidance has em erged in the
approaches taken by jurisdictions to issue cyber-resilience
context of information security. A few jurisdictions have issued
guidance standards.
specific cyber-risk m anagem ent or information security guidance,
• Section 3 assesses the range of practices regarding gover
including on the importance of effective cyber-security risk man
nance arrangem ents for cyber-resilience.
agem ent (Hong Kong SAR), on early detection of cyber intru
• Section 4 focuses on current approaches on cyber-risk man sions (Singapore), on the establishm ent of a cyber-security policy
agem ent, testing, and incident response and recovery. (Brazil) and on the common procedures and methodologies for
• Section 5 explores the various types of communications and the assessm ent of IC T risk (European Banking Authority (EBA)).
information-sharing.
In jurisdictions where no specific cyber-security regulations exist
• Section 6 analyses expectations and practices related to for the financial sector, supervisors encourage their regulated
interconnections with third-party services provides in the con entities to implement international standards and apply prescrip
text of cyber-resilience. tive guidance, and supervisory practices align with the top-down
initiatives of national cyber-agencies. Most jurisdictions implement
key concepts from international and industry standards such as
2 4 .2 C Y B E R -R E S IL IE N C E S T A N D A R D S NIST, ISO /IEC and C O B IT .10 Regulators also leverage supervisory
A N D G U ID E L IN E S practices from the US (Federal Financial Institution Examining
Council (FFIEC) IT Examination Handbook) and the UK (CBEST).
Most jurisdictions address cyber through the lens of IT and gen
Some jurisdictions are developing enforceable standards for
eral operational risk. Cyber-resilience expectations, which are
cyber-resilience in the financial sector. This is the them e of this
som etim es em bedded within high-level IT risk guidance, cover a
report's first case study (Box 24.1).
wide range of regulatory standards.8 The intent of IT risk guid
ance is to com m unicate jurisdictions' expectations and encour
age good practice. Guidance typically addresses governance, 24.3 C Y B E R -G O V E R N A N C E
risk m anagem ent, information security, IT recovery and m anage
ment of IT outsourcing arrangem ents. W hile guidance is pre The majority of the regulators have issued either principles-
sented as operational risk or IT risk guidance, it effectively based guidance or prescriptive regulations, with varying levels
provides coverage of cyber-risk m anagem ent as a subset of of maturity. In general, regulatory standards and supervisory
these practices. practices address enterprise IT risk m anagem ent but do not
include specific regulations or supervisory practices that cover
A key objective is to minimise the likelihood and impact of • information risk m anagem ent and information security
information security incidents on the confidentiality, integrity m anagem ent;
or availability of information assets, including information • user access m anagem ent;
assets managed by related parties or third parties. The board • IT project m anagem ent and application developm ent;
of an APRA-regulated entity is ultimately responsible for
• IT operations; and
ensuring that the entity maintains its information security.
The key requirem ents of this Prudential Standard are that an • outsourcing and other external procurem ent of IT services.
APRA-regulated entity must:
• clearly define the information security-related roles and
US A g e n c ie s' N otice o f P ro p o se d Rulemaking
responsibilities of the board, senior m anagem ent, govern fo r N e w Cyber-Security Regulations fo r Large
ing bodies and individuals; Financial Institutions
• maintain its information security capability com m ensu Another exam ple is the joint announcem ent from the US Fed
rate with the size and extent of threats to its information eral Reserve, the O fficer of the Com ptroller of the Currency
assets, and so that it enables the continued sound opera (O C C ) and the Federal Deposit Insurance Corporation (FD IQ ,
tion of the entity; which provided a notice of proposed rulemaking for new
• im plem ent controls to protect its inform ation assets cyber-security regulations for large financial institutions. The
com m ensurate with the criticality and sensitivity of intent is to address the type of serious cyber-incident that
those inform ation assets, and undertake system atic te st could im pact safety and soundness. As announced, require
ing and assurance regarding the effectiveness of those ments will relate to cyber-risk governance, risk m anagem ent,
controls; and internal dependency m anagem ent, external dependency
• notify A P R A of material information security incidents. m anagem ent, incident response, assurance m anagem ent of
third parties and audit.
The State of New York Departm ent of Financial Services has
Supervisory Requirem ents fo r IT in Financial
also released cyber-security regulations that require regulated
Institutions (BaFin Circular 10/2017, BAIT)
intuitions in New York to have a cyber-security programme
The Germ an Banking A ct requires financial institutions to designed to protect consumers' private data; a written policy
dem onstrate that its risk m anagem ent com prises, among or policies that are approved by the board or a senior officer;
other things, adequate technical and organisational resources a C hief Information Security O fficer to help protect data and
and adequate contingency planning, especially for IT systems; and controls and plans in place to help ensure the
systems. safety and soundness of the financial services industry.
cyber-risk m anagem ent of critical business functions, intercon Cyber-Security Strategy Is Expected But
nectedness or third-party risk m anagem ent. Against this back
Not Required
drop, supervisory expectations and practices were identified
and analysed in the following areas relevant to governance: Although most regulators do not require regulated entities to
develop a cyber-security strategy, all exp ect regulated institu
• Cyber-security strategy
tions to have a board-approved information security strategy,
• M anagem ent roles and responsibilities
policy and procedures under the broad remit of effective over
• Cyber-risk awareness culture sight of technology.
• Architecture and standards Many jurisdictions (eg Australia, Brazil and jurisdictions across
• Cyber-security workforce Europe) expect that cyber-risk should be covered by the
organisation-wide risk management framework and/or information security framework which is monitored and reviewed by senior executives.

Consistent with the previous observation regarding regulatory expectations, most supervisors review regulated entities' information security strategies, but very few require or evaluate those entities' standalone cyber-security strategies. Examiners typically review an institution's information security strategy, information security plans, and cyber-security implementation, including key cyber-security initiatives and timelines. They may also review its practices for communicating with relevant stakeholders.

A variety of approaches can also be observed within regions: while the FFIEC IT Examination Handbook in the US does not specifically address the development of a cyber-security strategy, Canada's self-assessment guidance attempts to determine whether a regulated financial institution has established a cyber-security strategy aligned with the institution's business strategy and implementation plan. Mexico does not have supervisory practices focused on cyber-security strategy but has issued regulations that direct banks to develop IT security strategies.

Jurisdictions enforce cyber-security strategy requirements using three types of non-mutually exclusive regulatory approaches:

1. The regulator/authority implements cyber-security strategy requirements, either sector-specific or across multiple industries, with which financial institutions have to comply. This is a common approach in emerging market economies with relative homogeneity in their banking systems.
2. The financial institutions establish their own cyber-security strategies in compliance with principles-based risk management practices. Regulators review these strategies as part of their assessment of an institution's overall risk management practices.11
3. A third approach, prevalent in Europe, involves examining whether financial entities have an IT strategy and the accompanying security provisions.

11 The Saudi Arabian Monetary Authority (SAMA) applied the first two of these approaches by compelling financial institutions to formulate their own cyber-security strategies while it developed supervisory practices for implementing cyber-security strategy.

Some jurisdictions have issued specific regulatory guidance and requirements addressing cyber-governance roles and responsibilities of the board of directors (BoD) and senior management. The majority of such guidance prioritises the roles and responsibilities of the BoD and senior management, while others have prioritised them even more in overseeing overall business technology risks. Other jurisdictions approach cyber-governance as a risk that regulated entities are expected to address within their existing risk management frameworks.

Almost all the jurisdictions emphasise the importance of management roles and responsibilities for cyber-governance and key controls. In the US, EU and Japan, high-level guidelines encourage global systemically important banks (G-SIBs) and domestic systemically important banks (D-SIBs) to implement well-defined, risk-sensitive management frameworks under initiatives taken by the BoD. In addition, the EBA implements granular and prescriptive requirements, ensuring consistent cyber-security regulation and supervision across the European banking sector. Similarly, emerging market economies implement more granular and prescriptive cyber-security requirements.

Variety of Supervisory Approaches Regarding the Second and Third Lines of Defence (3LD)

The majority of regulators have adopted the 3LD risk management model to assess cyber-security risk and controls. However, most regulators do not require the implementation of 3LD at regulated entities and do not prescribe precisely how responsibilities should be distributed across the lines, as the expectation is rather for banks themselves to clearly define responsibilities and leave no gaps between the lines. As a result, supervisory practices for assessing the degree of 3LD implementation vary widely, and there appears to be a greater supervisory focus on the first and second lines of defence than on the third line across jurisdictions, which could hamper the effectiveness of the 3LD checks and balances model. In particular, only a few jurisdictions have formulated specific expectations regarding the independent reporting line from the chief audit executive to the audit committee of the BoD.

Regulators in most jurisdictions have published guidance emphasising the importance of risk awareness and risk culture for staff and management at all levels, including BoDs and third-party employees. Regulatory requirements include increasing cyber-security awareness and cyber-related staffing at regulated entities. In some jurisdictions, regulators require cyber-security awareness training during each phase of the employment process, from recruitment to termination.

Regulated entities may be required to include non-disclosure clauses within staff agreements. To mitigate insider threats, some jurisdictions require new employees to complete a screening and background verification process, while existing employees undergo a mandatory reverification process at regular intervals. In some jurisdictions, regulators assess whether banks have robust processes and controls in place to ensure their employees, contractors and third-party vendors understand their responsibilities, are suitable for their roles and have the requisite skills to reduce the risk of theft, fraud or misuse of facilities.

The majority of the regulators encourage the development of a common risk culture sufficient to ensure effective cyber-risk management. In some jurisdictions, regulators assess each bank's cyber-risk appetite, considering such factors as the bank's business model, core business strategy and key technologies. Some jurisdictions view cyber-security as a critical business function, since a cyber-attack could lead to the insolvency of individual entities or even to widespread disruption of the entire sector.

Architecture and Standards

For most jurisdictions, general regulatory requirements for architecture and standards are not in place, or there is a lack of coverage. Only a small number of countries specifically highlight control considerations and substantial supervisory guidance for cyber-security architecture. For instance, the US FFIEC IT Examination Handbook specifies that when discussing network architecture, supervisors should confirm that the diagrams are current, securely stored and reflective of a defence-in-depth security architecture. In Saudi Arabia, practices covering cyber-security architecture are subject to a periodic self-assessment.

Cyber-Security Workforce

The skills and competencies of cyber-workforces, their regulatory frameworks and the range of practices differ markedly across jurisdictions. Some jurisdictions have IT-specific standards that address the responsibilities of the IT workforce and information security functions, with particular attention to cyber-security workforce training and competencies. Their range of supervisory practices covers the assessment of team divisions, staff expertise (background and security checks of cyber-security specialists), the staff training processes and the adequacy of funding and resources to implement the organisation's cyber-security framework. Most of the jurisdictions are in the early stages of implementing supervisory practices to monitor a bank's cyber-workforce skills and resources. Their regulatory schemes require regulated entities to manage risks but do not set specific requirements to address cyber-security workforce skills and resources.
BOX 24.3 CASE STUDY 3: FRAMEWORKS FOR PROFESSIONAL TRAINING IN CYBER-SECURITY AND CERTIFICATION PROGRAMMES

The Center for Financial Industry Information Systems (FISC), a public-private partnership, was founded in Japan in 1984 to promote the cyber-security initiatives of financial institutions. FISC facilitates the exchange of staff between financial sector supervisors, banks, and IT security vendors by partnering with the private sector and supervisors. FISC's efforts have resulted in the development of FISC Guidelines for cyber-security preparedness in Japan, as well as cyber-security education and training programmes for its bankers. Bank examiners at the FSA and BoJ reference FISC Guidelines to ensure a consistent and integrated supervisory approach. The same structure can be found in the Financial Security Institute (FSI) founded in Korea in 2015. This illustrates the effectiveness of cross-border public-private partnerships when the supervisors leverage the industry for cyber-security enhancement. At a minimum, FISC's efforts serve as a model for other jurisdictions transitioning from prescriptive to more risk-based and incentive-compatible regulatory models.

Bank of England (BoE): The BoE has established the CBEST accreditation for suppliers who offer threat intelligence and penetration testing services and who wish to be involved in the CBEST scheme. This is in addition to the accreditation for individuals offered by the Council for Registered Ethical Security Testers (CREST), ie the CREST Certified Threat Intelligence Manager (CCTIM) for providers of threat intelligence services, and the CREST Certified Simulated Attack Manager (CCSAM) and CREST Certified Simulated Attack Specialist (CCSAS) for providers of penetration testing services.

Monetary Authority of Singapore (MAS): MAS requires financial institutions to have in place a comprehensive technology risk and cyber-security training programme for the BoD. Such a programme may include periodic briefings conducted by in-house cyber-security professionals or external specialists. The goal is to help equip the BoD with the requisite knowledge to competently exercise its oversight function and appraise the adequacy and effectiveness of the financial institution's overall cyber-resilience programme.

Hong Kong Monetary Authority (HKMA): The HKMA's Professional Development Program (PDP) is one of the three elements of HKMA's Cybersecurity Fortification Initiative (CFI). It seeks to increase the supply of qualified cyber-security professionals in Hong Kong SAR. The HKMA has worked with the Hong Kong Institute of Bankers and the Hong Kong Applied Science and Technology Research Institute (ASTRI) to develop a localised certification scheme and training programme for cyber-security professionals.

The majority of regulators assess the cyber-security workforce of the institutions through on-site inspections, where they have the opportunity to talk with relevant specialists. Self-assessment questionnaires are becoming common practice. Training processes are particularly scrutinised. As staff competence is integral to cyber-security, authorities have been known to raise concerns about the capability or qualifications of an institution's head of IT or information security. Jurisdictions diverge in how they regulate the roles and responsibilities of the IT and information security staff. Some jurisdictions, including Argentina, Australia, the EU, Japan and Saudi Arabia, issue regulations specifically addressing IT staff's roles and responsibilities. Sometimes regulations are embedded in a jurisdiction's global governance framework, such as those issued in Switzerland. In regulations issued by Mexico, the US and Saudi Arabia, regulatory requirements addressing the roles and responsibilities of the IT and information security functions are encompassed by requirements for the BoD and senior management. In South Africa, such regulations are included in the national cyber-security strategy.

The range of practices and regulatory expectations for workforce competence is wide, and many jurisdictions have not formulated any. The FISC in Japan and FSI in South Korea are both examples where public authorities have set guidelines on appropriate cyber-security workforce management. In other jurisdictions, regulatory requirements for cyber-workforce management are limited to supervisory expectations, and there may be no assessment by supervisors of cyber-security skills and staff training at regulated entities. Only Hong Kong, Singapore and the UK have issued dedicated frameworks to certify cyber-workforce skills and competencies.

24.4 APPROACHES TO RISK MANAGEMENT, TESTING AND INCIDENT RESPONSE AND RECOVERY

This section sets out a range of observed practices on cyber-risk management, and incident response and recovery. It aims to identify practices in the supervision of banks' cyber-resilience which could inform future work. This section is divided into four sub-sections:

• Methods for supervising cyber-resilience
• Information security controls testing and independent assurance
• Response and recovery testing and exercising
• Cyber-security and resilience metrics.
of user access rights), while some members use existing international standards, applying them to other types of institution (eg South Africa applies the CPMI-IOSCO guidance on cyber-resilience for FMIs to banks).

Independent assurance also provides management and regulators with an evaluation of whether appropriate controls have been implemented effectively. Jurisdictions commonly also leverage the management information outputs of these activities, providing the regulator with another source of information for their own assessments.

Penetration Testing

Cyber-security controls are implemented through risk-based

Taxonomy of Cyber-Risk Controls

While putting cyber-risk controls in place is only one aspect of building cyber-resilience, many jurisdictions find review of controls a ready way to engage with regulated institutions. Some jurisdictions use taxonomies of controls to understand whether there are any gaps in the coverage of their supervisory approach. Currently the taxonomies are jurisdiction-specific and do not rely on harmonised concepts and definitions. If an authority is unable to assess a particular type of control, for example because it has no supervisory approach, assessment method or the required skillset to assess the control, then that is identified as a gap. An example taxonomy of cyber or information security controls is included in Annex A.

BOX 24.4

Participants included UK and US supervisory authorities, government departments and cyber-agencies. The exercise examined how the UK and US could enhance cyber-security cooperation by:

• enhancing processes and mechanisms for maintaining shared awareness of cyber-security threats between US and UK governments and the private sector;

• amount to a "cyber war game" or include live play;
• test the actions of law enforcement or the security and intelligence agencies;
• seek to involve the entire range of the UK and US finance sectors; or
• seek to test individual firms or financial systems, but instead rehearse communication and coordination links.

This is conducted through the discussion of regulated institutions' response and the root cause analysis, but no further standard practice could be observed.

Joint Public-Private Exercising

Distinct from testing, most supervisors and banks use exercises to train and practise how they would respond to an incident. Cross-border international exercises have made this more visible. Examples include the UK/US exercise Resilient Shield (Box 24.4) and the TITUS exercise in 2015,16 as well as the G7 exercise under planning in 2018.

In the UK, the Sector Exercising Group (SEG), which is a subgroup of the Cross Market Operational Resilience Group (CMORG), manages the sector's annual exercise regime, which incorporates cyber-specific scenarios.17 In Japan, the JFSA has conducted tabletop exercises to improve cyber-security, and in particular communication and coordination of response mechanisms. Over 100 regulated institutions including banks, credit unions, insurance companies and securities companies participated in the 2017 exercise, which covered two cyber-scenarios. A summary of results was then published to enable others to draw lessons from the exercise.

16 TITUS was a crisis communication exercise for euro area financial market infrastructures held in November 2015.
17 CMORG is a UK industry forum which is co-chaired by the Bank of England and UK Finance and attended by senior representatives from regulated institutions.

Cyber-Security and Resilience Metrics

Cyber-Security and Resilience Metrics Are Not Yet Mature

Some jurisdictions have methodologies to assess or benchmark regulated institutions' cyber-security and resilience. Those jurisdictions that have developed ways to assess cyber-security and resilience have focused on reported incidents, surveys, penetration tests and on-site inspections. None of these methodologies produce quantitative metrics or risk indicators comparable to those available for financial risks and resilience, eg standardised quantitative metrics where established data are available. Instead, indicators provide information on regulated institutions' approach to building and ensuring cyber-security and resilience more broadly. Supervisory authorities also rely on entities' own management information, although this differs across entities and is not yet mature.

Emerging Forward-Looking Indicators of Resilience

It is common for jurisdictions (and often regulated institutions themselves) to focus on backward-looking indicators of the performance of the technology function. These indicators are presented to Board members and executives as part of management information that regulators may review (examples can be found in Annex B).

Backward-looking indicators comment on past performance as an indicator of future performance, which is reasonable when institutions' operations and risk environment are relatively stable
over time and more or less independent from outside influences. However, cyber-risk frustrates this because adversaries are dynamic, themselves adapting to institutions' responses and protective measures, sometimes changing their tactics and strategies even in the space of a single cyber-incident. Distributed denial of service (DDoS) incidents are a good example, where the volume and scale of disruptive internet traffic generated has increased significantly in the last two years and adversaries adapt their techniques in response to an institution's defences. While backward-looking metrics continue to be important, jurisdictions are increasingly recognising the need for forward-looking indicators as direct and indirect metrics of resilience, indicating whether a regulated institution is likely to be more or less resilient in the event of a risk crystallising.

Regulated institutions are also seeking to improve metrics for resilience more broadly. Annex C contains cyber-centric metrics collated by a sample set of regulated institutions for decision-making bodies (boards and board sub-committees). It is notable that the data provided typically allow for trend information so that the reviewer can assess if the situation is getting better or worse. Some metrics track compliance with internal policies while others measure inherent risk. Patch ageing in particular is a widespread and comparable metric.

This list of cyber-metrics collated by regulated entities can be reviewed by regulators to gain insight into what may be collected across the regulated population to gain an enhanced set of cyber-metrics for measuring the state of cyber-resilience more

A number of jurisdictions (eg Australia, Canada, the ECB-SSM, Hong Kong, Singapore, the UK and the US) analyse survey responses to assess regulated institutions' capabilities and inform prioritisation of follow-up work. The outcomes of this work tend to be institution-specific findings and remediation or action plans which can be monitored over time, and/or thematic reports. As such, they provide indicators and trends if performed on a regular basis. Results from the Australian surveys are subsequently published to influence industry behaviour. In the UK, thematic findings are often shared with participating firms for the same purpose.

24.5 COMMUNICATION AND SHARING OF INFORMATION

Most Basel Committee jurisdictions have put in place cyber-security information-sharing mechanisms, be they mandatory or voluntary, to facilitate sharing of cyber-security information among banks, regulators and security agencies. These communications are established for multiple purposes, including helping relevant parties defend themselves against emerging cyber-threats.

This section sets out a range of observed cyber-security information-sharing practices among banks and regulators. For the purpose of this report, they are divided into five categories according to the parties involved in the sharing. Figure 24.1 illustrates the interlinkages of the five types of practices.

Figure 24.1 note: (1) the numbered circles next to the arrows indicate the "types" of information-sharing as described in section 5.1 and Figure 24.2.
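The patch-ageing metric mentioned under "Emerging Forward-Looking Indicators of Resilience" in section 24.4 above is easy to name but rarely shown. The following Python is an added illustration, not code from the report or from any regulator: it takes a constructed patch inventory (asset, criticality, vendor release date, date applied if any), reports the age distribution of patches still open at a snapshot date (an inherent-risk view), the share of open patches still inside an assumed internal remediation window (a policy-compliance view), the count of high-criticality patches outside that window, and compares two snapshots so a reviewer can tell whether the position is getting better or worse. The remediation windows, age buckets and sample records are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class PatchRecord:
    asset: str
    criticality: str          # "high", "medium" or "low"
    released: date            # date the vendor published the fix
    applied: Optional[date]   # date the fix was installed, None if still open


# Assumed internal remediation policy (days allowed per criticality); not from the report.
SLA_DAYS = {"high": 14, "medium": 30, "low": 90}

# Constructed sample inventory for the example; not real data.
SAMPLE_RECORDS = [
    PatchRecord("web-01", "high", date(2018, 3, 1), date(2018, 3, 10)),
    PatchRecord("db-01", "high", date(2018, 2, 15), None),
    PatchRecord("app-02", "medium", date(2018, 3, 20), date(2018, 5, 2)),
    PatchRecord("hr-03", "low", date(2018, 1, 10), date(2018, 4, 15)),
    PatchRecord("vpn-01", "high", date(2018, 6, 20), None),
    PatchRecord("mail-01", "medium", date(2018, 5, 25), None),
]
EARLIER = date(2018, 3, 31)
LATER = date(2018, 6, 30)


def patch_age(rec: PatchRecord, as_of: date) -> int:
    """Days the patch was outstanding as of the snapshot: release to application
    for patches closed by then, release to snapshot for patches still open."""
    closed_by_snapshot = rec.applied is not None and rec.applied <= as_of
    end = rec.applied if closed_by_snapshot else as_of
    return max((end - rec.released).days, 0)


def age_bucket(age: int) -> str:
    if age <= 30:
        return "0-30"
    if age <= 90:
        return "31-90"
    return ">90"


def snapshot(records, as_of: date) -> dict:
    """Patch-ageing metrics for the patches open on a given date.
    Patches released after the snapshot date did not exist yet and are excluded."""
    open_recs = [
        r for r in records
        if r.released <= as_of and (r.applied is None or r.applied > as_of)
    ]
    distribution = {"0-30": 0, "31-90": 0, ">90": 0}
    within_sla = 0
    high_out_of_sla = 0
    for r in open_recs:
        age = patch_age(r, as_of)
        distribution[age_bucket(age)] += 1
        if age <= SLA_DAYS[r.criticality]:
            within_sla += 1
        elif r.criticality == "high":
            high_out_of_sla += 1
    return {
        "open": len(open_recs),
        "distribution": distribution,
        "sla_compliance": within_sla / len(open_recs) if open_recs else 1.0,
        "high_out_of_sla": high_out_of_sla,
        "oldest_open_days": max((patch_age(r, as_of) for r in open_recs), default=0),
    }


def trend(records, earlier: date, later: date) -> dict:
    """Compare two snapshots: a rising in-window share with no growth in the >90-day
    tail counts as improving; a falling share or a growing tail counts as worsening."""
    a, b = snapshot(records, earlier), snapshot(records, later)
    sla_delta = round(b["sla_compliance"] - a["sla_compliance"], 3)
    tail_delta = b["distribution"][">90"] - a["distribution"][">90"]
    if sla_delta > 0 and tail_delta <= 0:
        direction = "improving"
    elif sla_delta < 0 or tail_delta > 0:
        direction = "worsening"
    else:
        direction = "flat"
    return {"sla_compliance_delta": sla_delta, "over_90_delta": tail_delta, "direction": direction}


if __name__ == "__main__":
    for label, day in (("Q1", EARLIER), ("Q2", LATER)):
        print(label, snapshot(SAMPLE_RECORDS, day))
    print(trend(SAMPLE_RECORDS, EARLIER, LATER))
```

Two details matter for comparability across reporting periods: a patch that has not yet been released at the snapshot date is excluded rather than counted at age zero, and a patch applied after the snapshot date is still reported as open for that snapshot, so restating an earlier quarter from today's inventory gives the same numbers the board saw at the time.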
sharing with security agencies are the most commonly observed. Sharing among regulators is the least observed type. This is partly due to the less systematic nature of information-sharing arrangements between regulators, where it can happen on an ad hoc basis at a bilateral level or within supervisory colleges, under specific circumstances. Figure 24.2 illustrates the adoption rate of different types of cyber-security information-sharing, both mandatory and voluntary, by the jurisdictions covered by this report.

Different kinds of cyber-security information are shared by banks and regulators, including cyber-threat information, information related to cyber-security incidents, regulatory and supervisory responses in case of cyber-security incidents and/or identification of cyber-threats, and best practices related to cyber-security risk management. Depending on the type of arrangement, the kind of information shared varies. For instance, information related to cyber-security incidents is more widely observed in sharing from banks to regulators and with security agencies, whereas cyber-threat information/intelligence is the most common kind of information shared among banks.

Various jurisdictions have put in place certain cyber-security information-sharing arrangements to facilitate more effective sharing of cyber-security information by banks and regulators. Full adoption of all types of information-sharing arrangements within a jurisdiction is still exceptional.

That said, it was also noted that for jurisdictions with observed practices of information-sharing among banks, there are fewer observed practices of information-sharing from regulators to banks. This is probably attributable to the lesser need for sharing by regulators to banks if an effective peer sharing mechanism among banks already exists. Similarly, jurisdictions with observed practices of information-sharing from banks to regulators display lower rates of sharing with security agencies, potentially due to the allocation of responsibilities for cyber-security information processing among regulators and security agencies within a jurisdiction.

For some of the jurisdictions, both mandatory and voluntary information-sharing arrangements are noted for the same type of information-sharing arrangement. This is because voluntary/mandatory sharing is sometimes applicable when different types of information are being shared, or when information is shared with different parties. For example, there is a mandatory requirement in Singapore for financial institutions to report relevant cyber-security incidents to MAS, while cyber-threat information exchange between MAS and the Cyber Security Agency (CSA) is voluntary.

Other types of information-sharing arrangements are observed, which include public announcement/disclosure of information about cyber-security incidents and cross-sector information-sharing with public and private institutions. In particular, the range of stakeholders involved in cyber-attacks typically includes non-bank critical infrastructure operators, third-party service providers and customers who could contribute to sharing information with security agencies for further distribution to other sectors, or be part of other setups such as joint-industry groups.18

The remainder of this section summarises common practices adopted by various jurisdictions, describes more specific practices adopted by individual jurisdictions and summarises key gaps observed.

18 This "other" type of information is shown in Figure 24.3. One example is the EBA guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation Process (SREP) (EBA/GL/2017/05) and recommendations on outsourcing to cloud service providers (EBA/REC/2017/03), which assumed good information-sharing of IT risks between banks and supervisors, although there was no specific requirement for banks to report security incidents to their supervisors.
372 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
[Figure: bar chart of the number of practices observed (0% to 60%) by type of cyber-security information shared: cyber-threat information/intelligence; cyber-security incidents; cyber-security regulatory responses; good practices; other. Legend: Type 1 - Sharing among banks; Type 2 - Sharing from bank to regulator; Type 3 - Sharing among regulators; Type 4 - Sharing from regulator to banks; Type 5 - Sharing with security agencies; Others.]
Sharing Among Banks

Banks share information (eg knowledge of a cyber-security threat) with peer banks through established channels, mainly to allow peer banks to take more timely action in response to similar threats. Although there is no common standard for automated information-sharing, regulators in most jurisdictions are not directly involved in bank-to-bank information-sharing but do play a role in facilitating the establishment of voluntary sharing mechanisms for cyber-vulnerability, threat and incident information, and in some cases indicators of compromise.

Some jurisdictions have established public sector platforms to accomplish information-sharing initiatives while others have encouraged private sector development of information-sharing organisations. Three jurisdictions (Brazil, Japan and Saudi Arabia) have mandated cyber-security information-sharing among banks through regulations or statutes.

Outside the information-sharing and analysis centre construct, some jurisdictions have established public/private forums or government-led centres for information-sharing. In some jurisdictions, local regulations on data protection are perceived to be an obstacle to cyber-security information-sharing among banks and may warrant a specific dialogue between banks and their local or regional regulators.

Sharing of information and collaboration among banks depend on the financial industry's culture and level of trust among participants. Experience shows that a two-level information-sharing structure, through which information is first shared at the interpersonal level with a closer group and then exchanged at the company level with a broader group of banks, helps build trust into the system.

Sharing from Banks to Regulators

The sharing of cyber-security information from a bank to its regulator(s)/supervisor(s) is generally limited to cyber-incidents based on regulatory reporting requirements. Such requirements are mainly established to (i) enable systemic risk monitoring of the financial industry by regulator(s); (ii) enhance regulatory requirements or issue recommendations by regulator(s) to adjust policies and strategies based on information collected; (iii) allow appropriate oversight of incident resolution by regulator(s); and (iv) facilitate further sharing of information with industry and regulators to develop a cyber-risk response framework.

Reporting requirements are established by different authorities for specific purposes depending on their mandate (eg supervisory and regulatory functions, consumer protection and further distribution of information to national cyber-security agencies for systemic operators). Incident reporting by banks to regulator(s) is a mandatory requirement in many jurisdictions, with different scopes of requirements and ranges of application. For jurisdictions that already enforced the requirement in the past, the reporting obligation has a broader operational incident scope, including cyber-incidents. The perimeter can include all supervised institutions but is more often limited to systemically important institutions. Nearly all institutions regulated in the EU are required to report cyber-security incidents to the competent authorities. The requirements stem from supervisory frameworks (such as the Single Supervisory Mechanism (SSM) cyber-incident reporting framework), EU directives (PSD2, NIS) and local law. Some requirements also include the obligation to submit a root cause analysis for the incident, or a full post-mortem or lessons learnt after the incident.

Different scopes and perimeters may depend on the type of authority (eg supervisors, regulators, national security) and their mandate (ie national cyber-security agencies, consumer protection, banking supervision, etc), the sector(s) involved (eg multisector or specific: banks, significant banks, systemic operators, payment) and the geographical range (eg national, multiregional). While many of the supervisors focus only on reporting and tracking incidents that have already taken place, some require proactive monitoring and tracking of potential cyber-threats, because concerns about reputational risk may lead to a delay in incident reporting by the regulated entity.

Based on these considerations, different reporting frameworks are also observed. These range from formal communications to informal communications (eg free-text updates via email or verbal updates over the phone).

Differences are noted in: (i) the taxonomy for reporting; (ii) the reporting time frame (immediately, after two hours, after four hours and after 72 hours are examples of practices observed); (iii) templates; and (iv) the threshold that triggers incident reporting. These differences highlight the fragmentation issue facing banks operating in multiple jurisdictions or supervised by different authorities, as these banks are likely to be obliged to fill in various templates with different taxonomies, reporting time frames and thresholds. This may increase their regulatory burden, consuming significant resources to ensure compliance. It may also be possible for an authority with multiple functions to receive multiple reports in distinct formats, multiple times, from the same bank.

All incident reporting processes have a single-direction flow, from a bank to an authority, although an informal flow back can be used for alerting firms in case of an incoming threat. By normalising the prompt exchange of information between banks and supervisors, reciprocal flow mechanisms can help remove the possible stigma associated with incident reporting by banks, thereby fostering effective and timely incident reporting.

Sharing Among Regulators

Regulators share information with fellow regulators, be they domestic or cross-border, as appropriate according to established mandatory or voluntary information-sharing arrangements. Cyber-security information shared among regulators may include regulatory actions, responses and measures. Considering the different types of cyber-security information-sharing, information-sharing among regulators is the least observed practice across jurisdictions, although it is expected that many informal and ad hoc communication channels exist, such as through supervisory colleges and memoranda of understanding. Cyber-fraud is becoming more sophisticated and
cross-jurisdictional, and sharing of cyber-security information among regulators could assist in maintaining awareness of the cyber-threat situation so that timely guidance can be provided to banks to protect financial systems against cyber-frauds.

BOX 24.6 CASE STUDY 6: BILATERAL CYBER-SECURITY INFORMATION-SHARING BETWEEN THE HONG KONG MONETARY AUTHORITY (HKMA) AND THE MONETARY AUTHORITY OF SINGAPORE (MAS)

Given the importance of facilitating more cross-border cyber-security information-sharing, the HKMA and MAS established a bilateral cyber-security information-sharing framework in the first quarter of 2018.

As part of the framework, the HKMA and MAS have agreed upon four important guiding principles and key design features of the governance arrangement, the scope of information-sharing, a traffic light protocol, standard taxonomy and dedicated communication channels.

• Voluntary: Given that some cyber-security information may be highly sensitive, the sharing of information under the framework should be voluntary, without creating any legal obligations for the participating authorities.

• Timely: The HKMA and MAS recognise that timely sharing of cyber-security information is of paramount importance to building an effective framework. The authorities have therefore agreed that information about cyber-security incidents should be shared as soon as possible to the extent permitted by law. If a cyber-security incident is assessed to have the potential to spread to other jurisdictions, the related information should be shared within 24 hours. Incomplete information about cyber-security incidents can be shared so long as a reasonable degree of validity has been ascertained.

• Effective: To ensure the efficacy of the framework, sharing of cyber-security information should not be limited to information related to those financial institutions with an operation in both jurisdictions (ie unlike a typical supervisory college or memorandum of understanding, "supervisory locus" is not required to be established). A taxonomy was also established with reference to the Structured Threat Information Expression (STIX) framework.

• Confidential: The confidentiality of any information shared between the authorities should be properly protected. The framework will focus on the sharing of general information such as the modus operandi of the attacks. The authorities also adopted a Traffic Light Protocol (TLP) for subsequent sharing of information.

The HKMA and MAS have been exchanging information regarding real-life cyber-threats and cyber-security-related regulatory responses and measures since April 2018.

Sharing from Regulators to Banks

Information-sharing from regulators to banks occurs through established channels, based on the information the regulator receives both from banks and from other sources. Various jurisdictions (eg Australia, China, Korea, Saudi Arabia, Singapore, Turkey and the US) have established clear guidance in the form of standards and practices to enable cyber-security information-sharing by regulators to banks. In these jurisdictions, information flows from the bank to the regulator, and the regulator assesses the risk to the financial industry and shares the information with the industry, as appropriate, based on the risk assessment. In cases where the information is sensitive (eg contains customer-specific or bank-specific information), the regulator anonymises or summarises it to allow sharing.

Regulators with a regulator-to-bank sharing mechanism more readily share publicly available information such as cyber-security risk management best practices. They use informal channels such as industry sharing platforms (eg participation in industry forums), meetings and informal communications to disseminate the information to the banks.

In cases where non-public information is obtained by regulators, the information is shared with selected parties via informal meetings or other informal communication vehicles, so as to preserve the anonymity and confidentiality of the institution(s)/bank(s) impacted by a cyber-attack, and to maintain banks' confidence and trust in the regulators generally.

Mandatory requirements for regulators to share information with banks have only been established in a few jurisdictions (eg China). A few other jurisdictions have put in place practices for voluntary sharing (eg Singapore, the UK). However, many jurisdictions have not put in place any standard practices for regulators in the sharing of information with banks, nor established any process or time frame to enable timely, risk-based information-sharing. Classification of information could ensure that the appropriate audience receives the appropriate information, and help to build trust between regulators and banks.

Sharing with Security Agencies

This section examines sharing of information by banks or regulators with the security agencies operating in their respective jurisdictions.
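The two flows described in the preceding subsections, a bank reporting one incident to several authorities that each apply their own threshold and time frame, and a regulator anonymising and classifying what it passes back to banks, as an added worked example in Python. This is not code from the report or from any of the authorities it names; the authority names and deadlines, the severity scale, the anonymisation patterns and the four-colour TLP (RED/AMBER/GREEN/WHITE, the version in use when the report was written) are all assumptions made for the illustration.

```python
"""Added example, not code from the BCBS report or the HKMA/MAS framework.

It models, for one constructed incident:
(i)  bank -> regulators: each authority has its own reporting threshold and
     time frame, so one incident yields several obligations with different
     deadlines (the "fragmentation" the text describes);
(ii) regulator -> banks: the regulator anonymises bank- and customer-specific
     details and marks the record with a Traffic Light Protocol (TLP) colour
     that gates which audience may receive it.
Assumptions (not on the page): the AUTHORITIES table, the severity scale,
the regexes used for anonymisation and the four-colour TLP.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import re

# Constructed reporting rules; the page cites "immediately, after two hours,
# after four hours and after 72 hours" as observed time frames.
AUTHORITIES = {
    "AUTH-A": {"deadline": timedelta(hours=2), "min_severity": 2, "scope": "all"},
    "AUTH-B": {"deadline": timedelta(hours=4), "min_severity": 3, "scope": "systemic"},
    "AUTH-C": {"deadline": timedelta(hours=72), "min_severity": 1, "scope": "all"},
}


@dataclass
class Incident:
    bank: str
    detected_at: datetime
    severity: int                # 1 (low) .. 4 (critical); the bank's own scale
    systemic: bool               # is the bank a systemically important institution?
    summary: str                 # free text that may carry customer/bank specifics
    indicators: list = field(default_factory=list)


def reporting_obligations(inc):
    """Return {authority: due_time} for every authority whose threshold is met."""
    due = {}
    for name, rule in AUTHORITIES.items():
        if rule["scope"] == "systemic" and not inc.systemic:
            continue
        if inc.severity < rule["min_severity"]:
            continue
        due[name] = inc.detected_at + rule["deadline"]
    return due


def overdue(inc, now):
    """Authorities whose deadline has already passed at time `now`."""
    return sorted(a for a, t in reporting_obligations(inc).items() if now > t)


# Regulator side. The anonymisation is deliberately simple: the page only says
# the regulator "anonymises or summarises" sensitive content before sharing.
_ACCOUNT = re.compile(r"\b\d{8,16}\b")          # account-number-like digit runs
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")  # e-mail addresses


def anonymise(inc):
    text = inc.summary.replace(inc.bank, "[a supervised bank]")
    text = _ACCOUNT.sub("[account]", text)
    text = _EMAIL.sub("[email]", text)
    return {"summary": text, "severity": inc.severity,
            "indicators": list(inc.indicators)}   # indicators are what peers need


# TLP colours from most to least restrictive, and the minimum colour each
# audience may receive: named recipients get everything, the public only WHITE.
TLP_ORDER = ["RED", "AMBER", "GREEN", "WHITE"]
AUDIENCE_MIN = {"named": 0, "organisation": 1, "community": 2, "public": 3}


def may_receive(tlp, audience):
    return TLP_ORDER.index(tlp) >= AUDIENCE_MIN[audience]


def distribute(inc, tlp, audience):
    """Anonymised record for `audience`, or None if the TLP colour forbids it."""
    if not may_receive(tlp, audience):
        return None
    record = anonymise(inc)
    record["tlp"] = tlp
    return record


# Constructed sample (documentation IP range, reserved .test domain).
SAMPLE = Incident(
    bank="Example Bank plc",
    detected_at=datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc),
    severity=3,
    systemic=True,
    summary="Example Bank plc: credential phishing of client 12345678901, "
            "lure sent from ops@phish-example.test via 203.0.113.7",
    indicators=["203.0.113.7", "phish-example.test"],
)
NOW = datetime(2018, 6, 1, 12, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    for auth, due in reporting_obligations(SAMPLE).items():
        print(auth, "due", due.isoformat())
    print("overdue at", NOW.isoformat(), overdue(SAMPLE, NOW))
    print(distribute(SAMPLE, "AMBER", "community"))   # None: AMBER is too restrictive
    print(distribute(SAMPLE, "GREEN", "community")["summary"])
```

Running it shows the same incident generating three obligations due at three different times, one already missed at 12:30, and a GREEN-marked record that keeps the indicators of compromise while stripping the bank name, account number and address; an AMBER marking withholds it from the broad community altogether.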
Given that cyber-security incidents encountered by banks or regulators could potentially be experienced by entities in other sectors, effective communication of relevant cyber-security incidents with security agencies could facilitate broader awareness of cyber-threats in a timely manner, and enhance defensive measures against adversaries.

For jurisdictions with operations of a Computer Emergency Readiness Team (CERT) or similar security agencies, these agencies may act as focal points for cyber-security incident notification. Banks or regulators share cyber-security information with these agencies for broader circulation of information and collaboration with other sectors within the country (eg public sector, civilian sector, computer community).

Jurisdictions have generally set out standards and practices for critical infrastructure entities and regulators to share cyber-security information with national security agencies. While most jurisdictions adopt a voluntary approach, a few jurisdictions mandate formal sharing requirements. Some jurisdictions (eg Luxembourg, the US) have established sharing platforms to facilitate multilateral sharing of cyber-security incident or cyber-threat information. In the US, an online portal is available for cyber-security information to be submitted to the National Cyber-security and Communications Integration Center and the US CERT. In Luxembourg, the Computer Incident Response Center (CIRCL) has established a Malware Information-sharing Platform (MISP) to gather, review, report and respond to computer security threats and incidents. The MISP allows organisations to share information about malware and their indicators. The aim of this trusted platform is to help improve the countermeasures used against targeted attacks and set up preventive actions and detection.

For jurisdictions with mandatory requirements for cyber-security incident information-sharing with national security agencies (Canada, France, Singapore and Spain), the sharing arrangements are bilateral in general. Instead of requiring banks or regulators to share all cyber-security incidents, these jurisdictions require cyber-security incidents affecting key operators of critical infrastructure to be reported.19

Some jurisdictions have established procedures for relevant information to be exchanged voluntarily and bring together relevant parties for coordination of responses to incidents. In the UK, the Authorities Response Framework can be invoked by financial authorities to bring together the Financial Conduct Authority (FCA), the Bank of England, the Treasury, the National Crime Agency and the National Cyber-security Centre to coordinate their response to a cyber-security incident. Meetings and formal communications can be triggered as appropriate.

19 As required by the NIS Directive, identification of OES should have been completed by October 2018.
24.6 INTERCONNECTIONS WITH THIRD PARTIES

All jurisdictions recognise the challenge of gaining assurance of an entity's cyber-resilience, a challenge both for regulators with regard to financial institutions, and for financial institutions with regard to their third-party service providers. Extensive use of third-party services increases the challenge for jurisdictions and regulated institutions themselves to have full sight of the controls in place and the level of risk. For the purpose of identifying the range of practices in relation to cyber-resilience, "third parties" is understood in a broad sense, including: (i) all forms of outsourcing (including cloud computing services); (ii) standardised and non-standardised services and products that are typically not considered outsourcing (power supply, telecommunication lines, commercial hardware and software, etc); and (iii) interconnected counterparties such as other institutions (financial or not) and FMIs (eg payment and settlement systems, trading platforms, central securities depositories and central counterparties).

Cyber-resilience practices in relation to third parties are analysed across the following areas:
• Governance of third-party interconnections
• Business continuity and availability
• Information confidentiality and integrity
• Specific expectations and practices regarding visibility of third-party interconnections
• Auditing and testing
• Resources and skills

Governance of Third-Party Connections

Widespread Expectations and Practices

Regulations across different jurisdictions require that institutions develop a management- and/or board-approved outsourcing (or organisational) framework that defines the applicable roles and responsibilities, the outsourceable activities and concrete conditions for outsourcing, the specific risks that need to be analysed (either prior to selection of a provider or when substantially amending/renewing an agreement) and recurrent obligations (such as monitoring procedures or regular risk assessments).

Regulators typically also require that institutions implement a contractual framework, defining generic rights, obligations, roles and responsibilities of the institution and the service provider, specifying the responsibility for reviewing, approving and signing contracts (eg involvement of a cyber-security function), with specifications on the result (ie an official, written and detailed contract) and the applicability of the framework (typically also for intragroup outsourcing).

The regulatory expectations on risk assessments and contracts tend to specify in a rather comprehensive way which risks (and mitigating measures) to cover, albeit mostly in general terms. Next to a description of the nature of the service, the expected results of the outsourcing, and the roles and responsibilities of the service provider and the financial institution, risk assessments and contracts are expected to include analysis and clauses on strategic risk, compliance risk, security risk (typical areas of attention are security monitoring, patch management, authentication solutions, authorisation management and data loss/breach procedures), business continuity risk, vendor lock-in risk (the general ability of an institution to withdraw from the service provider and to absorb the outsourced activity or transfer it to another service provider), counterparty risk (the visibility into the service provider's organisation), country risk, contractual risk, access risk (meaning that financial institutions and/or supervisors cannot audit the third-party connection due to inadequate contractual agreements) and concentration risk.20

Along with the outsourcing and contractual frameworks, regulators typically expect that information, cyber-security and/or continuity frameworks address some crucial aspects of third-party arrangements to ensure the availability of critical systems and the security of sensitive data that are accessible to, or held by, third-party service providers. These aspects include the identification and prioritisation of interconnections, as well as the classification of and response to incidents with third parties according to service agreements, and the communication of these policies to relevant external parties.

As regards supervisory practices, the following activities appear to be widespread:
• Intrusive on-site inspections with respect to cyber-risk in relation to outsourcing. During such inspections, the outsourcing framework, the applicable processes and the completeness and adequacy of specific risk assessments and contracts will typically be reviewed.

20 "Concentration risk" in this context does not refer to the potential systemic risk to the industry as a whole, but rather to the potential lack of control of an individual firm over one single provider as multiple activities are outsourced to the same service provider. These different aspects of concentration risk are explained in Joint Forum, Outsourcing in financial services, February 2005; and Committee of European Banking Supervisors, Guidelines on outsourcing, December 2006.
BOX 24.9 CASE STUDY 9: CLOUD SERVICE PROVIDERS' REGULATORY CLOUD SUMMITS

Some cloud service providers organise regulatory cloud summits that provide examples of how a supervisory college model could work in practice when applied to a global technology provider.

These summits are organised with regulators and supervisors with the objective of:
(i) holding cloud-focused discussions on the threats related to cloud, the international regulatory landscape and the cloud service provider's stance in this regard; and
(ii) providing the regulators with an opportunity to learn about products, processes and practices and to discuss approaches to supervise and gain assurance that financial institutions using these cloud services operate in a safe and sound manner.21

The main part of the summits is usually organised into sessions provided by the staff of the service provider. Typically, one session consists of a panel discussion of regulators (chosen by the cloud service provider) that starts a dialogue with the cloud service provider's staff, after which the discussion is opened to all regulators. Discussions are typically not recorded, but the cloud service provider's staff takes notes.

Regulatory summits could also be organised by regulators or an independent body to allow examiners to understand the products and compliance controls so as to usefully complete their expertise and become more effective in doing on-site examinations.

or prior authorisation of material (cloud) outsourcing activities. To this end, jurisdictions have created questionnaires/templates (sometimes specifically for IT outsourcing or cloud computing). Although these are not harmonised in their coverage and metrics across jurisdictions, they facilitate the creation and documentation of risk assessments locally.

By focusing on the products and services themselves, new expectations for secure development and procurement also contribute to making regulations and practices future-proof. In particular, specific requirements (eg regarding "internet of things" systems in Japan) are in place for systems to be designed, developed and operated under the principle of security by design, considering that many individual devices, applications and systems will be interconnected in the future, providing new opportunities and possibly introducing new vulnerabilities.

Observed Supervisory Practices

Overall, although jurisdictions' mandates to supervise third-party service providers vary, supervisors have been using traditional supervisory tools in order to ensure that the common expectations described above are met. Thematic exercises based on self-assessment questionnaires to assess the cyber-security and IT outsourcing risk of banks are a typical example. Third-party providers can also be reviewed during on-site reviews and inspections, either on the basis of formal requirements or authority (as is done in Hong Kong, Singapore and the US) or based on cooperation from service providers. For example, Australia engages with systemically important third-party service providers which host critical systems for regulated institutions. Periodic engagements are voluntary and focus on service providers' systemic role as opposed to their relationship with individual institutions. This allows for a more open discussion of relevant strategy, governance, customer engagement, controls and capabilities (including those pertaining to cyber). It can also provide useful insight into the maturity (or lack thereof) of regulated institutions' oversight practices, informing further supervisory activities. They can also be used as a mechanism to influence the provider regarding regulatory expectations and best practice.

In the same vein, supervisors can work directly with cloud suppliers on formal or informal grounds, to include the right to audit in contracts for the financial industry (as in the Netherlands) or to take part in regulatory summits organised by major cloud providers (including for discussions of assurance frameworks; see Box 24.9).

Against the above findings, a "supervisory college" model to supervise and share information about large, internationally active service providers (particularly cloud providers) could also be a way to address the blind spots resulting from mandate limitations and regulatory fragmentation.
explicitly requiring encryption solutions for confidential data to be under the banks' control, to regulating the transfers of data abroad and requiring explicit client consent for data handling by third parties.

Specific Expectations and Practices with Regard to the Visibility of Third-Party Connections

In many jurisdictions the supervisory authority requests to be informed about the material outsourcing agreements made by supervised institutions and imposes some conditions on them, including about preserving a minimum level of visibility on the outsourced functions by the supervised entity.

Beyond the prior notification and authorisation processes, supervised institutions are commonly expected to maintain an inventory of outsourced functions and to receive regular reports from service providers, mainly about measurements of service level agreements and the appropriate performance of controls. Some jurisdictions also require sub-outsourcing activities to be visible to the supervised entities so that the associated risks can also be managed.

Inventorying expectations can be set in relation to IT assets in some jurisdictions, such as the identification of both hardware and software elements together with the function they are [...]

Other frameworks, such as the US FFIEC IT Examination Handbook and the CPMI-IOSCO guidance, focus on the connections and information flows of financial institutions with external parties.

The current practices inspired by the various expectations set at national supervisory level and by international guidance play a complementary role. While supervisory authorities' expectations define activities that can fit into classical cyber-security frameworks (identify, protect, detect, respond and recover), standard-setting bodies have an organisational, process-oriented approach: for instance, ISO IEC 27036-2 addresses configuration management, information management processes and the outsourcing relation termination processes, and ISACA COBIT 5 elaborates on the implementation of an information security management system. On the other hand, both ISO and the US NIST framework recommend the identification, documentation and categorisation of suppliers to address information security issues, while ISACA COBIT 4.1 and 5 recommend identifying suppliers and associated contracts and categorising them into type, significance and criticality in order to establish a process for their evaluation.

Analysis of supervisory expectations for the visibility of third-party connections shows that the scope, format and content of supervisory authorities' information requests about material outsourcing vary greatly across jurisdictions.

Auditing and Testing

Supervisory expectations regarding the audit of third parties (internal and/or external) are aligned in two areas. First, the majority of the requirements state the necessity for the supervised organisations to guarantee the "rights to inspect and audit" their service providers. Some jurisdictions require that this right be cascaded to the significant subcontractors, while other jurisdictions (France, Switzerland and Singapore) have granted this right directly to supervisory authorities.

Second, for several jurisdictions the audit opinion on the outsourcing arrangements may be formed based on the report of the service provider's external auditor. Others accept pooled audits, organised by multiple financial institutions,26 or audits performed by the internal audit department of a service provider, under the condition that the audit department complies with certain regulatory conditions. Some jurisdictions specify [...] recognised standards or be performed by auditors with adequate skills and knowledge.

Current regulations focus on traditional outsourcing and, in some cases, cloud computing providers. The scope of the requirements for "rights to inspect and audit" critical third parties is nonetheless still focused on the strict banking sector. Shared and independent audit reporting on the critical interconnections with third parties could therefore improve the effectiveness and efficiency of the audit approach.

As regards testing of the security requirements for outsourcing and cloud computing providers, although institutions are generally required to monitor their providers' compliance, most regulations are not aligned in terms of how compliance should be verified or tested. One possible method is the application of supervisor-led or bank-led (intelligence-based) red teaming exercises focused on interconnections. In the EU, the scope of the TIBER-EU test appears to include the institution's critical functions that are outsourced to third-party service providers.
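The inventory, categorisation and audit-right expectations discussed above, as an added illustration in Python (not code from the report or from any regulator): a small checker over a constructed third-party register that tiers each arrangement by criticality, flags the contractual and visibility gaps the section lists, and reports providers to which several activities are outsourced (concentration risk in the sense of footnote 20). The provider names, the attributes recorded per arrangement and the tiering rule are assumptions.

```python
"""Added example, not code from the BCBS report or any supervisory authority.

Checks a constructed register of third-party arrangements for:
(a) a criticality tier per arrangement (assumed rule, see criticality());
(b) gaps of the kinds the section names: no right to inspect and audit,
    audit right not cascaded to significant subcontractors, confidential
    data not encrypted under the bank's control, data transferred abroad
    without explicit client consent, no regular SLA/control reporting;
(c) providers that receive several outsourced activities (concentration).
Provider names, attributes and thresholds are assumptions for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Arrangement:
    provider: str
    service: str
    kind: str                           # outsourcing | cloud | infrastructure | counterparty
    supports_critical_function: bool
    holds_confidential_data: bool
    data_abroad: bool = False
    client_consent: bool = False
    key_under_bank_control: bool = False   # confidential data encrypted with bank-held keys
    right_to_audit: bool = False
    audit_cascaded: bool = False           # audit right flows down to subcontractors
    subcontractors: list = field(default_factory=list)
    sla_reporting: bool = False


def criticality(a):
    """Assumed tiering: critical function, or confidential data in the cloud -> critical."""
    if a.supports_critical_function or (a.holds_confidential_data and a.kind == "cloud"):
        return "critical"
    if a.holds_confidential_data:
        return "significant"
    return "standard"


def findings(a):
    tier = criticality(a)
    out = []
    if tier != "standard" and not a.right_to_audit:
        out.append("no right to inspect and audit")
    if tier == "critical" and a.subcontractors and not a.audit_cascaded:
        out.append("audit right not cascaded to: " + ", ".join(a.subcontractors))
    if a.holds_confidential_data and not a.key_under_bank_control:
        out.append("confidential data not encrypted under the bank's control")
    if a.data_abroad and not a.client_consent:
        out.append("data transferred abroad without explicit client consent")
    if tier == "critical" and not a.sla_reporting:
        out.append("no regular SLA/control reports from the provider")
    return out


def review(register):
    """Inventory view keyed by service: provider, tier and the gaps found."""
    return {a.service: {"provider": a.provider, "tier": criticality(a),
                        "findings": findings(a)} for a in register}


def concentration(register):
    """Providers to which more than one activity is outsourced."""
    counts = {}
    for a in register:
        counts[a.provider] = counts.get(a.provider, 0) + 1
    return sorted(p for p, n in counts.items() if n > 1)


# Constructed register with fictitious providers.
REGISTER = [
    Arrangement("CloudCo", "core payments hosting", "cloud",
                supports_critical_function=True, holds_confidential_data=True,
                data_abroad=True, client_consent=False, key_under_bank_control=False,
                right_to_audit=True, audit_cascaded=False,
                subcontractors=["DC-Ops Ltd"], sla_reporting=True),
    Arrangement("CloudCo", "HR payroll SaaS", "cloud",
                supports_critical_function=False, holds_confidential_data=True,
                key_under_bank_control=True, right_to_audit=True),
    Arrangement("TelcoNet", "leased lines", "infrastructure",
                supports_critical_function=True, holds_confidential_data=False,
                right_to_audit=True, sla_reporting=True),
    Arrangement("PrintCo", "statement printing", "outsourcing",
                supports_critical_function=False, holds_confidential_data=False),
]

if __name__ == "__main__":
    for service, r in review(REGISTER).items():
        print(f"{service} ({r['provider']}, {r['tier']}): {r['findings'] or 'no gaps'}")
    print("concentration:", concentration(REGISTER))
```

The tiering rule is the part most worth adapting: the section notes that supervisors' visibility and audit expectations attach to material or critical arrangements, so whatever determines "critical" in a real register drives which findings are raised.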
Building the UK Financial Sector's Operational Resilience

Learning Objectives

After completing this reading you should be able to:

• Describe operational resilience and describe threats and challenges to the operational resilience of a financial institution.
• Explain recommended principles, including tools and metrics, for maintaining strong operational resilience at financial institutions.
• Describe potential consequences of business disruptions, including potential systemic risk impacts.
• Define impact tolerance; explain best practices and potential benefits for establishing the impact tolerance for a firm or a business process.

Excerpt is reprinted from Building the UK Financial Sector's Operational Resilience, July 2018, by permission of the Bank of England and the Financial Conduct Authority. This article is a reproduction of a discussion paper, seeking views from stakeholders, and does not represent current Bank of England, Prudential Regulation Authority or Financial Conduct Authority policy.
25.1 INTRODUCTION

1. This discussion paper (DP) is issued jointly by the Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA), and the Bank of England (the Bank) in its capacity of supervising financial market infrastructures (FMIs), (collectively 'the supervisory authorities'). The purpose of this DP is to share the supervisory authorities' thinking regarding operational resilience and obtain feedback. Feedback is welcomed from all parts of the financial sector, as well as from consumers, market participants and other stakeholders, including other regulatory organisations.

2. UK banks, building societies, credit unions, insurers, overseas UK deposit takers with PRA regulated activity permissions, PRA regulated investment firms, FCA authorised and recognised entities1 (collectively 'firms'), and the FMIs supervised by the Bank of England (recognised payment systems, specified service providers, central securities depositories and central counterparties) may be particularly interested in responding, as any future policy may be directly applicable to them.

3. Feedback is encouraged on how firms and FMIs currently address the issues and risks discussed in this paper. The supervisory authorities would welcome responses to the questions asked throughout the DP and listed in Section 8.

4. Operational disruptions to the products and services that firms and FMIs provide have the potential to cause harm to consumers and market participants, threaten the viability of firms and FMIs, and cause instability in the financial system. This DP focuses on how the provision of these products and services can be maintained. Operational resilience refers to the ability of firms, FMIs and the sector as a whole to prevent, respond to, recover and learn from operational disruptions.

5. From the perspective of firms and FMIs, there are numerous challenges to making sure their businesses are resilient to operational disruption. These challenges have become more complex and intense in recent years, during a period of technological change and in an increasingly hostile cyber environment. Additional challenges occur where firms operate internationally or outsource a significant level of activities to third parties. Some of these challenges are illustrated in Figure 25.1.

6. The operational resilience of firms and FMIs is a priority for the supervisory authorities and is viewed as no less important than financial resilience. A lack of resilience represents a threat to the supervisory authorities' specific objectives as well as their shared goal of maintaining financial stability (see Box 25.1).

7. The Bank and the supervisory authorities have interlinked objectives, which include promoting financial stability. The supervisory authorities consider that improvements in operational resilience would be facilitated by complementary regulatory standards and supervisory approaches.

8. Figure 25.2 illustrates the objectives which are most likely to be affected by operational resilience issues. It also illustrates that the consumer protection objective is likely to be affected more often, and by more firms, than the market integrity, the safety and soundness, and financial stability objectives.

9. Interconnectedness occurs both within the UK and internationally. The supervisory authorities are engaged in international fora supporting the development of operational resilience principles and standards. Common standards would help ensure that operational resilience is not adversely affected by the location of firms' and FMIs' infrastructure, and will assist regulatory co-operation in the supervision of international firms.

may help new entrants establish themselves in a market.

Important Concepts in the Supervisory Authorities' Approach to Operational Resilience

11. This DP discusses a number of important concepts which are relevant to all firms and FMIs:

• The supervisory authorities consider that the continuity of business services is an essential component of operational resilience. Accordingly, firms and FMIs should focus on that outcome when approaching operational resilience. Avoiding disruption to a particular system supporting a business service is a contributing factor to operational resilience. But ultimately it is the business service that needs to be resilient— and needs to continue to be provided. The supervisory authorities envisage that boards and senior management should assume that individual systems and processes that support business services will be disrupted, and increase the focus on back-up plans, responses and recovery options.

1 Entities authorised, registered or recognised under the Financial Services and Markets Act 2000 (FSMA) (eg investment or consumer credit firms or recognised investment exchanges) and authorised and/or registered under other regimes (eg, Payment Services Regulations 2017 (PSRs 2017), and Electronic Money Regulations 2011 (EMRs 2011)).
[Figure 25.1 (challenges to operational resilience): technical innovation, changing behaviours, keeping pace, challenging environment, system complexity, crypto assets]
• Setting impact tolerances which quantify the amount of disruption that could be tolerated in the event of an incident may be an efficient way for boards and senior management to set their own standards for operational resilience, prioritise and take investment decisions. An example would be a maximum acceptable outage time for a business service. Firms and FMIs would test their ability to stay within their impact tolerances in severe but plausible scenarios in order to identify vulnerabilities and take mitigating action. The supervisory authorities may expect some firms and FMIs to consider any FPC impact tolerance when setting their own impact tolerances.4

• How firms and FMIs manage their response to operational disruption is critical to maintaining confidence in the business services they provide. The speed and effectiveness of communications with those affected, including customers, is an important part of their overall response and could help to manage the expectations of those affected and maintain or restore confidence in the firm's business services.
• Operational resilience is already a responsibility of firms and FMIs, and an outcome supported by the existing regulatory framework. The supervisory authorities are considering the extent to which they might supplement existing policies to improve the resilience of the system as a whole, and to increase the focus on this area within individual firms and FMIs. They are reviewing existing policies, including those on risk management, outsourcing, controls and communication and business continuity plans, to ensure that these continue to be effective, in light of market and technological developments.

• The supervisory authorities are also reviewing their approach to the assessment of operational resilience matters, which may include an increased focus on firms' and FMIs' non-financial resources. Gaining assurance that appropriate impact tolerances are set, monitored and tested is likely to be a key component of future supervisory approaches.5

Discussion Paper Structure

12. Section 2 explains why the supervisory authorities consider that managing operational resilience is most effectively addressed by focusing on business services, rather than on systems and processes. The section also explains that firms and FMIs are more likely to be operationally resilient if they design and manage their operations on the assumption that disruptions will occur to their underlying systems and processes.

13. Section 3 explains that financial stability rests on the operational resilience of individual firms, FMIs and the system as a whole. The FPC is establishing its tolerance for the length of any period of disruption to the delivery of vital services the financial system provides to the economy in the context of cyber (an 'FPC impact tolerance'), as set out in its June 2018 Financial Stability Report (FSR).6 The supervisory authorities consider that their approach to operational resilience described in this DP is consistent with the FPC's approach, and supports its agenda.

14. Section 4 suggests that the boards and senior management of firms and FMIs could set their own tolerances for operational disruption, on the assumption that some (or all) supporting systems and processes will fail. In setting impact tolerances, the supervisory authorities suggest that a firm's or FMI's board or senior management might prioritise those business services which, if disrupted, have the potential to: threaten the firm's or FMI's ongoing viability; cause harm to consumers and market participants; or undermine financial stability. The section also highlights relevant existing regulatory standards related to operational resilience that firms and FMIs are already expected to meet.

5 This DP has been written in the context of the current UK and EU regulatory framework. The supervisory authorities will keep the discussed approach under review to assess whether any changes would be required due to changes in the UK regulatory framework, including those arising once any new arrangements with the European Union take effect.

6 Financial Stability Report, June 2018: https://www.bankofengland.co.uk/financial-stability-report/2018/june-2018.
15. Section 5 expands the idea that firms and FMIs would develop impact tolerances for important business services. These would provide clear metrics indicating when an operational disruption would represent a threat to a firm's or FMI's viability, to consumers and market participants or to financial stability. The section discusses what impact tolerances are and their purpose. To help inform the development of the approach, the supervisory authorities are particularly interested in metrics firms and FMIs currently use.

16. Section 6 explains how supervisors could gain assurance that firms and FMIs ensure the continuity of their most important business services, and that boards and senior management are sufficiently engaged. The supervisory authorities are reviewing their existing approaches in light of the proposed focus on business services, and are considering the role of scenario test

17. Section 7 summarises the key concepts set out in the DP.

18. Section 8 is a complete list of the questions in the DP.

19. This DP is part of the supervisory authorities' wider engagement on this topic. Further dialogue on the financial sector's operational resilience will occur through discussions with firms, FMIs and other industry participants and through international engagement.

20. A glossary of terms is provided in Annex 1.

25.2 OPERATIONAL RESILIENCE OF BUSINESS SERVICES

This section explains why the supervisory authorities consider that managing operational resilience is most effectively addressed by focusing on business services, rather than on systems and processes. The section also explains that firms and FMIs are more likely to be operationally resilient if they design and manage their operations on the assumption that disruptions will occur to their underlying systems and processes.

Focusing on Business Services

1. Operationally resilient business services provided by firms and FMIs directly support resilient economic functions,7 enabling people to buy goods, borrow money and markets to transact. Resilient business services therefore support financial stability.

2. The UK financial system is resilient if its economic functions can continue to operate during potentially disruptive incidents at a firm, FMI or across groups of firms. Resilience of the financial system depends on both individual firms and FMIs and the interconnections between them.

3. Continuity of business services is also critical to the viability of individual firms and FMIs, and disruptions can cause harm to consumers and market participants.

4. The supervisory authorities believe that if firms' and FMIs' boards and senior management focus on the operational resilience of their most important business services, this would assist the supervisory authorities in furthering their

5. Priorities between firms and FMIs and the supervisory authorities may not always be aligned. It is possible that the supervisory authorities may believe that a disruption to a business service would harm their objectives, while a firm or FMI might consider the disruption to be a manageable risk.

Prioritising by Business Services

6. A business services approach is an effective way to prioritise improvements to systems and processes. Firms and FMIs may currently prioritise the upgrading of their IT systems by: age; those most prone to failure; anticipated cost of financial failure; or cost of upgrade against available budget. Such considerations may be inconsistent with an outcome focused on continuity of business services. Looking at the systems and processes on the basis of the business services they support may bring more transparency to and improve the quality of decision making, thereby improving resilience. The supervisory authorities are keen to understand which approaches to operational resilience firms and FMIs have found most useful.

7. A focus on business services could help drive specific and measurable activities, including investment, that increase operational resilience. Firms and FMIs could set target metrics for the continuity of important business services. Firms' and FMIs' ability to meet their target metrics could then be tested, enabling them to take action as necessary.

8. While this DP focuses on the delivery of business services, operational disruption can also impact firms' and FMIs' ability to meet other regulatory or contractual obligations. For example, firms are expected to ensure the confidentiality of data, or may be required to provide timely and accurate financial reports. Firms and FMIs also need an appropriate degree of resilience in these and other areas.

7 A list of economic functions, defined for resolution purposes, was set out in PRA Supervisory Statement 19/13. This list is reproduced in Annex 2 of this DP to aid discussion.
supervisory authorities consider that firms and FMIs would pay attention to all of these aspects.

10. It is particularly important to plan on the basis that operational disruptions will occur. This is because it is not possible to prevent every risk materialising, and dependencies are often only identified once something has gone wrong. The assumption that operational disruptions will arise could be used to inform strategy, planning and resourcing.

11. The supervisory authorities believe that an operationally resilient firm or FMI would have in place:

• a clear understanding of their most important business service or services;
• a comprehensive understanding and mapping of the systems and processes that support these business services, including those over which the firm or FMI may not have direct control. This would include an understanding of the resilience of outsourced providers or entities within the same group but in another jurisdiction;
• knowledge of how the failure of an individual system or process could impact the provision of the business service;

tant business services, which provide timely information for customers, other market participants and the supervisory authorities.

12. Firms' and FMIs' implementation of these elements would be proportionate to their nature, scale and complexity, as discussed in 'What this might mean for firms and FMIs in practice' in Section 4.

13. Figure 25.3 illustrates the variety of systems and processes that would need to be considered. This may be contrasted with an incomplete view of resilience obtained by taking a narrow focus on particular systems or processes considered in isolation. In this example, mortgages are the important business service, and there are a number of steps necessary from origination through to customer service. Only by looking at all of these stages— and where appropriate, at how elements of this service get delivered by other parties— can a clear picture be developed of how best to support the resilience of the business service.

14. It would be neither possible nor an efficient use of resources to attempt to make every component of an organisation completely resilient to operational disruption. The supervisory

[Figure 25.3: financial institutions and third parties, each with their business processes, people and information]
authorities recognise that firms and FMIs need to prioritise and want this prioritisation to be well-considered and agreed at the appropriate level. Under the approach outlined in this DP, firms' and FMIs' prioritisation would be informed by an effective understanding of their most important business services and underlying systems and processes.

Question

A) What are readers' views on the proposed focus on continuity of business services? Would a service rather than systems-based approach represent a significant change for firms and FMIs compared with existing practice? What other approaches could be considered?

25.3 OPERATIONAL RESILIENCE OF FIRMS AND FMIS

This section suggests that the boards and senior management of firms and FMIs would set impact tolerances for the operational disruption of business services, on the assumption that some or all supporting systems and processes will fail. In setting impact tolerances, the supervisory authorities suggest that a firm's or FMI's board or senior management might prioritise those business services which, if disrupted, have the potential to: threaten the firm's or FMI's ongoing viability; cause harm to consumers and market participants; or undermine financial stability. The section also highlights relevant existing regulatory standards related to operational resilience that firms and FMIs are already expected to meet.

1. In view of the potentially severe consequences of poor operational resilience, the supervisory authorities believe operational resilience is a key issue on which boards and senior management should focus. A firm's or FMI's resilience is the result of its activities and choices, and will depend on its governance, culture, corporate structure, controls and regulatory framework.

2. To be effective, boards and senior management must agree clear standards that they expect the executive of a firm or FMI to meet. Section 2 suggests that the supervisory authorities consider that they might best do this by focusing on business services. The supervisory authorities consider that boards and senior management could go further by setting impact tolerances for disruption to the most important business services.

3. An impact tolerance describes a firm's or FMI's tolerance for disruption to a particular business service, under the assumption that disruption to the systems and processes supporting that service will occur. Impact tolerance is expressed by reference to specific outcomes and metrics. Such metrics could include the maximum tolerable duration or volume of disruption, a measure of data integrity or the number of customers affected.

4. Having impact tolerances may help ensure that boards and senior management consider what the firm or FMI would do when a disruptive event occurs, rather than only trying to minimise the probability of disruption. This might include how to handle the situation to minimise the consequences of disruption as well as ensuring that the relevant business services continue to be delivered within tolerance.

5. While an assumption that disruption will occur enables greater clarity around the outcome being sought, firms and FMIs may also need to think about the instances in which it would, or would not, be acceptable to meet a tolerance. This DP describes such instances as scenarios.

6. The supervisory authorities may also consider setting their own impact tolerances for firms or FMIs to meet within the context of severe, but plausible, scenarios.

7. In arriving at an impact tolerance, boards or senior management would consider the commercial interests of the firm or FMI and the objectives, rules, principles, expectations and guidance of the relevant supervisory authorities. This section therefore discusses:

• factors relating to the supervisory authorities' objectives that are likely to be key components in determining appropriate impact tolerances: when the viability of the firm or FMI is threatened; the impact on consumers and market participants; and the impact on financial stability;
• existing rules, principles, expectations and guidance relating to operational resilience that firms and FMIs are already required to meet; and
• what this might mean for different types of firms and FMIs in practice.

8. For the purposes of this DP, the supervisory authorities envisage that how impact tolerances are derived and justified might be set out by firms and FMIs in a single document: an impact tolerance statement.

9. Firms and FMIs could use their impact tolerances in running their businesses: to take decisions on investments, risk management, business continuity planning and corporate structure. Section 5 discusses how impact tolerances might be set and considered alongside existing risk appetite statements. The supervisory authorities are aware that some firms and FMIs may already be taking this approach, for example CPMI-IOSCO principles for financial market

8 A joint publication of the Committee on Payments Systems and Market Infrastructures (CPMI) and the Technical Committee of the International Organization of Securities Commissions (IOSCO): www.bis.org/cpmi/publ/d101a.pdf.

9 Principle 17.

10 The FCA is the prudential supervisor for approximately 46,000 firms; for 18,000 firms, a regime of minimum standards beyond both the principle of business of financial prudence and the threshold condition of appropriate resources exists.

11 Box 25.1 sets out the supervisory authorities' specific objectives.

12 Internal Capital Adequacy Assessment Part of the PRA Rulebook: www.prarulebook.co.uk/rulebook/Content/Part/211179/05-07-2018.

13 Risk Control Part of the PRA Rulebook: www.prarulebook.co.uk/rulebook/Content/Part/214146/05-07-2018.

14 For example, BCBS Principles for the Sound Management of Operational Risk (BCBS 2011), PRA rulebook, Solvency II firms, Conditions Governing Business 3. Risk Management.

15 FCA, Our Mission, April 2017: www.fca.org.uk/publication/corporate/our-mission-2017.pdf.
BOX 25.2: EXAMPLES OF HARM

Harm arising from operational resilience failures is illustrated in the following examples. Some relate to the continuity of business services, while others relate to the integrity of data.

Supply of New Business Services:

• A retail bank's mortgage application system fails to present all relevant questions for customers or brokers to answer, with the result that underwriting decisions start to be based on incomplete disclosure. Harm materialises in several ways: some mortgage applications are rejected and, once the error is detected, all the affected customers experience delays while the additional information is obtained from them.

Some customers are unable to access cash when they need it because their balances are incorrect.

• A system error at a consumer credit firm leads to inaccurate (higher) debt repayment demands and consequential effect on the customers' credit files.

Availability of a Vital Link in a Value Chain:

• A custody bank is unable to confirm ownership of assets in a timely way, which delays asset valuations, and sales cannot be completed on the intended value dates.

• A disruptive event at a specialist trading venue prevents trading of derivatives for a number of hours.
repayments, checking balances, or accessing deposits and savings; and
• supply of new business services, for example renewing a general insurance contract, obtaining life insurance, receiving a mortgage advance or personal loan, or making a money transfer.

17. Harm to market participants is concerned with the risks that operational disruptions pose to the smooth operating of financial markets and the potential threat to market confidence that can result from a substantial disruption. Harm to market participants and market integrity may arise from, for example, the failure of a shared facility or market infrastructure on which the functioning of a market depends, uncontrolled access to and misuse of market sensitive data, the inability to access market data to price trades, or the inability to complete post sale activity.

18. The supervisory authorities invite discussion about how firms and FMIs could be more active in assessing harm caused by the disruption to business services. Identifying harm caused by the disruption to business services could inform the setting of impact tolerances explained in Section 5.

resilience of others, including the Bank (see Box 25.3). The resilience of the financial system as a whole depends on the resilience of individual participants and the interconnections that exist between them.

20. Changing business models and increased outsourcing has increased the dependence of participants on others, including, in some cases, a limited number of technology providers, giving rise to concentration risk. This illustrates how, while technological innovation creates opportunities, including increasing efficiency and enabling better risk management, changing technologies are also creating new risks. Cyber threats have increased and have a greater propensity to be transmitted between participants.

21. Supporting financial stability is reflected in each of the supervisory authorities' objectives and their respective approaches to supervision. The supervisory authorities do not seek to ensure that no firm or FMI fails, but they do seek to ensure that, in the event of failure, it is orderly and avoids significant disruption to the UK economy.

22. Firms and FMIs should consider the impact of disruption within their own businesses on consumers and market participants which rely upon them, and take this into account when considering their approach to operational resilience.

Existing Regulatory Requirements and Expectations for Firms and FMIs

23. The supervisory authorities consider that setting impact tolerances could play an important part in increasing the operational resilience of firms and FMIs. These would support existing regulatory expectations and obligations. The supervisory authorities are reviewing the existing regulatory framework in the light of the overall approach set out in this DP, and with regard to existing international, European Union and domestic requirements and regulatory frameworks.

24. Each supervisory authority is responsible for a spectrum of firms or FMIs and each has its own rules, principles, expectations, or guidance. Nevertheless, common regulatory themes apply across regulated entities including individual and collective accountability for matters that support operational resilience. This is generally achieved by rules, principles, expectations, or guidance on: management and governance; risk management; internal controls for systems and processes; contingency planning; and oversight of outsourcing arrangements.

16 See Box 2 of the 'Bank of England's supervision of financial market infrastructures-annual report' for further explanation: www.bankofengland.co.uk/news/2018/february/supervision-of-financial-market-infrastructures-annual-report-2018.

25. Some of the existing rules and standards are summarised below. Those listed here cover key policy areas only and may not necessarily be applicable to all firms and FMI. Box 25.4 provides an example of how some existing regimes interact to support operational resilience.

Existing Regulatory Requirements Relating to the Viability of Firms and FMIs

Management and Governance

26. An effective board is critical to ensuring a sound and well-run business. The supervisory authorities set expectations of the boards and senior management of regulated firms and FMIs to run their businesses prudently and in support of their objectives, including the continuing stability of the financial system.

27. Boards should ensure there is sufficient challenge to the executive and that they have access to people within the business with appropriate technical skills. They should
B O X 25.4: IN T E R A C T IO N O F R E G IM E S
The regulatory fram ework already features many require resilience in its focus on the continuity of services, but is nar
ments that help build the operational resilience of firms and rower as it focuses specifically on stress and resolution, and
FM Is. A brief explanation of how the supervisory authori events that might occur in those circum stances. O C IR policy
ties see the relationship between operational resilience and policies on operational continuity in resolution and capital requirements for operational risk is set out below.

Operational Resilience, Operational Continuity in Resolution and Operational Risk

This DP on operational resilience is focused on the continuity of business services and economic functions. The approach set out in this DP includes an assumption that disruptions to systems and processes will occur and focuses on firms' and FMIs' responses to these disruptions. Time-to-recover is often a key metric. Operational resilience is an outcome which emerges from a wide array of practices and disciplines undertaken by firms and FMIs.

Some of the UK's largest banks and building societies are subject to the PRA's operational continuity in resolution (OCIR) policy.17 OCIR policy aims to ensure the continuity of critical functions, from an operational perspective, through severe stress and resolution. It is similar to operational resilience and includes requirements to have resolution-proof contracts with third parties and for firms to be able to map critical services supporting critical functions.

Operational risk refers to the risk associated with inadequate or failed processes, people or systems or from external events including legal risk. It includes consideration of both the severity of impact and the likelihood of loss occurring, in the broader context of the requirement on firms to manage their businesses prudently, or for those firms to whom the Capital Requirements Regulation (CRR) applies, requiring capital to be held against operational risks. In the latter case, the policy aim is to minimise the impact and likelihood of such losses. Loss can include financial loss and loss of availability or confidence. Regulation relating to operational risk has tended to focus on minimising the probability of risk events occurring and ensuring firms can absorb financial losses when they do occur. Good operational risk management and the holding of capital against potential operational losses will help build operational resilience, but the ability to withstand financial loss is not sufficient in itself to ensure continuity of business services.
also ensure the recruitment and training of suitable people for relevant executive roles, drawing on additional skills where relevant.

28. The PRA's Senior Managers and Certification Regime (SM&CR) requires relevant firms to have a Senior Management Function (SMF) responsible for the internal operations and technology of a firm, SMF24.18 This includes operational resilience, cybersecurity and operational continuity. The PRA and FCA have consulted on the creation of an equivalent SMF as part of the extension of the SM&CR to insurers, to be effective on 10 December 2018,19 and FCA solo-regulated firms (FCA CP17/40). In respect of FCA solo-regulated firms, this SMF would apply in 'enhanced firms', which are generally those that are larger and more complex.

29. Similarly for FMIs, the PFMI20,21 recommend that FMI boards should explicitly define the roles and responsibilities for addressing operational risk and the FMI's operational risk-management framework.

Risk Management

30. Risk management should cover all types of risk, including operational, and firms and FMIs are expected to identify, monitor and manage the risks they are or might be exposed to.

31. FMIs in particular are encouraged to consider threats such as natural disasters, terrorism, pandemics and cyber attacks. FMIs are also expected to assess the evolving nature of the operational risks they face on an ongoing basis so they can analyse potential vulnerabilities and implement appropriate defence mechanisms.

17 PRA Policy Statement 21/16 'Ensuring operational continuity in resolution', July 2016: www.bankofengland.co.uk/prudential-regulation/publication/2014/ensuring-operational-continuity-in-resolution.
33. The supervisory authorities' existing rules, principles, expectations and guidance already require firms and FMIs to manage their affairs in a responsible manner, which includes having adequate control systems in place. Effective internal controls should ensure firms' and FMIs' core businesses are managed appropriately, and that risks are dealt with.

Outsourcing and Critical Service Providers

36. Boards' and senior managements' oversight also needs to cover any activities outsourced to third-party providers, for example cloud service providers. While outsourcing can enable firms and FMIs to manage risks more effectively and at a reduced cost, it can also give rise to new risks for which they remain responsible.

37. Boards' and senior managements' oversight also needs to include identification and understanding of the firm's or FMI's reliance on critical service providers. These are third party services critical to the continuous and adequate functioning of the firm's or FMI's operations, for example information technology, telecommunications and messaging services.

38. Indeed, existing rules require dual-regulated firms to avoid reducing the level of control or introducing additional risk through outsourced arrangements. Similarly, FMIs are expected to deal with outsourcing in a prudent way and ensure that outsourced and critical service providers meet the same requirements as internally provided services.

40. Existing requirements include obligations on firms and FMIs to put in place risk management systems and business contingency or continuity arrangements. The supervisory authorities invite discussion about whether the way that firms approach existing requirements is compatible with identifying and preventing harm caused by disruption to business services.

42. The supervisory authorities recognise that harm may also arise from the loss of, or unauthorised access to, personal, financial and other sensitive data relating to consumers and market participants. The obligations on firms under, for example, the General Data Protection Regulation (GDPR)22 will be relevant to operational resilience.

Existing Regulatory Requirements Relating to Financial Stability

43. FMIs are typically unique in the services they provide to other market participants and are an integral part of almost all financial transactions. The financial system has a significant dependency upon them. Given their role and the obligations this creates, FMIs have an important role to play in promoting financial stability.

22 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation): https://publications.europa.eu/en/publication-detail/-/publication/3e485e15-11bd-11e6-ba9a-01aa75ed71a1/language-en.
394 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
BOX 25.5: MANAGING RISKS IN THE END-TO-END PROCESSING OF PAYMENTS

A payments network connects a number of participants: the end users that want to make or receive payments; the banks that hold the end-users' accounts and initiate the payment process following their customers' instruction; and the payments system operator (FMI) that connects the banks to enable the payments to be processed, transferred and settled.

The resilience and robustness of the network depends on both the processes and systems of each participant and the nature of the connection between each participant. Threats to the network could be introduced by any participant and communicated to others via the network's connections.

If participants have concerns about the resilience of the payments network, their own resilience or the resilience of other participants, each of them may implement additional controls before releasing payments or may limit or halt processing payment instructions. When confidence in the integrity of the entire system has been lost, such individual precautionary controls could, in aggregate: create significant gridlock in processing payments; reduce overall liquidity in the financial markets; and potentially cause a build-up of unsettled positions and bilateral credit exposures among financial institutions. In extreme circumstances these actions could ultimately impede economic activity and disrupt financial stability. The existence or fear of fraud and weaknesses in security arrangements could also be reasons for concern by participants.

Individual firms and FMIs are responsible for their own robustness and security. However, it is important that participants work together to deliver the resilience of the end-to-end processing of payments within the network. This is a good example of how an FMI can work together with its participants and other stakeholders to mitigate risks to financial stability.
44. The Bank expects FMIs to comply with the PFMI.23 The PFMI were designed to enhance the safety and efficiency of FMIs, but more broadly, to limit systemic risk and foster transparency and financial stability. In this regard they include a principle that an FMI's governance arrangements should support financial stability.

45. Specifically to manage systemic risk, an FMI should review the risks that it bears from others as a result of interdependencies, and develop appropriate risk management tools. To this end, FMIs impose and monitor standards and disciplines at their members to improve the robustness and resilience of the service provided. These typically include satisfying the FMI that adequate security and resiliency arrangements are in place, including technical requirements (eg around messaging) to access the FMI's infrastructure. FMIs should then have procedures to ensure their members continue to meet the standards for membership.

46. FMIs should also work with their members to enhance standards and minimise the adverse effects of disruption when it occurs. The standards need to be complementary to any regulatory standards, but it is also the case that these standards might need to be more rigorous or be more granular to enable the FMI to meet fully its obligations to its members and regulators. Box 25.5 provides an example of how an FMI could work together with its participants and other stakeholders to mitigate risk to financial stability.

23 The PFMI are formally applied to Central Counterparties and Central Securities Depositories through the European regulatory regimes (EMIR and CSDR). There is, however, no equivalent legislative framework applying the PFMI to payment systems.

What This Might Mean for Firms and FMIs in Practice

47. The supervisory authorities consider the ideas in this DP to be applicable to all types of firms and FMIs. The application of these ideas will, however, differ depending upon the nature and complexity of the relevant firm or FMI, including its size, activities and level of interconnectedness (and hence its impact on others and the financial system). Generally, all firms and FMIs would be considering two aspects in determining whether significant change is required by any future policy:
• Have they identified their business services in a way that permits the firm or FMI to link their activities to their business objectives and the objectives of the supervisory authorities?
• Have they appropriately prioritised between business services to ensure the most important ones are resilient to operational disruption?

48. Figure 25.4 illustrates the steps firms and FMIs could go through if policy were to be developed along the lines set out in this DP.

Large Firms and FMIs

49. Large firms are likely to have many business services, while FMIs typically have a single business service which is likely to be significant to financial stability. There are numerous ways disruptions to business services could impact the supervisory authorities' objectives.

50. Such firms and FMIs could be expected to consider their impact tolerances for their most important business services. In doing so, the supervisory authorities could also expect them to
Figure 25.4 Improving operational resilience. [Figure: a sequence of steps for firms and FMIs. Recoverable step text: "... how the failure of an individual system or process could impact the business service"; "Assess, using scenarios and by learning from experience, that resilience meets the firm's tolerance"; "Invest in ability to respond and recover from disruptions through having appropriate systems, oversight and training"; "... timely information to internal stakeholders, supervisory authorities, customers, counterparties and other market participants".] Firms and FMIs could consider the following issues. To be effective, the process would need to be repeated routinely, with lessons learned incorporated into each iteration.
take into account the work of the FPC, consider their contribution to economic functions, and use any FPC impact tolerances to inform their own impact tolerances. They could test themselves regularly against their own severe but plausible operational scenarios. They could also ensure that they have co-ordinated communications plans for internal functions, the supervisory authorities, consumers and other market participants should tolerances be breached. As set out in the June 2018 FSR, some firms and FMIs may also be the subject of stress testing developed by the Bank and the PRA, with input from the FPC.

51. The supervisory authorities could review the work these firms and FMIs undertake in relation to operational resilience on a regular basis, and provide feedback as appropriate. If the supervisory authorities identify concerns, they could take further targeted action, with specific assessments of certain areas and, if necessary, request remedial action.

52. In many instances, the ideas discussed in this DP are a natural extension of what large firms and FMIs and the supervisory authorities already do.

Small or Mid-Sized Firms

53. Smaller firms are likely to only have a few business services, not all of which will be important to the firms' viability, have the potential to cause harm to consumers, or impact on financial stability. Nevertheless, some business services may be pivotal to the firm or even to the wider economy. There is likely to be a wide range of different business services across the sector.

54. A small bank or building society might identify operating customer savings accounts and the provision of mortgages as its most important business services. Identifying these two services, and assuming disruptions to them will occur, could support a smaller firm's own risk management and the setting of appropriate impact tolerances.

55. Such firms could undertake some limited testing of their operational resilience, based on their own scenarios. A pre-designed scenario provided by the supervisory authorities may also be of use. Testing could be designed to reveal, for example, what impact an incident would have on a firm's customers for a specific business service and other connected business services, as well as how the continuity planning arrangements seek to mitigate or prevent harm to consumers.

56. Firms could then address any deficiencies identified. This could include: ensuring joined up communications between all relevant functions within the firm (such as the business area that owns the data, customer services, operations, technology, and any third party providers); providing customers with information and advice; and prioritising assistance to customers exposed to the greatest harm.

57. The supervisory authorities could review the work such firms undertake on a periodic basis. But it is less likely such firms would be required to undertake further supervisory authority led review work, unless the supervisory authorities have particular cause for concern.

Very Small Firms

58. The smallest firms, such as financial advisors with few employees, are likely to only have few — perhaps only one — important business services. Such firms are also likely to have limited resources to increase their operational resilience.
59. Nevertheless, the supervisory authorities consider the proposed framework could still be relevant and beneficial. They envisage such a firm could:
• identify 'financial advice' as its important business service;
• identify how long it could operate as a business without providing that service;
• consider the systems and processes it relies on — for instance access to financial products and communication to clients; and
• consider how these processes could be duplicated in the event of some type of disruption, the length of time it might take to set up alternative arrangements, and whether prior planning would be useful.

60. Such firms are likely to have limited supervisory engagement in this area. Nevertheless, thinking about the issue of operational resilience and what alternative arrangements could be made may still be beneficial.

Questions

B) How do boards and senior management currently prioritise their work on operational resilience?

C) What changes are firms and FMIs planning to make to strengthen operational resilience over the next few years? How involved are board members in the planning, implementation and embedding of any changes? What are the likely benefits and costs involved?

25.4 CLEAR OUTCOMES FOR

1. As discussed in Section 2, the supervisory authorities consider that there is a benefit in boards and senior management having a clear understanding of the level of resilience required for their most important business services. To achieve this, they would need to be able to identify the relative importance of business services and be able to articulate the clear outcomes required.

2. The supervisory authorities envisage that the relative importance of business services can be derived by boards and senior management considering a firm's or FMI's business interests alongside the supervisory authorities' objectives. A business service that, if disrupted, represents a threat to a firm's or FMI's viability is clearly important — likewise, a business service that, if disrupted, could cause consumer harm, or impact financial stability.

3. The supervisory authorities are considering whether firms and FMIs should be required to set metrics that describe an intolerable level of disruption to their most important business services, in a severe but plausible stress scenario — impact tolerances. As discussed in Section 4, it is important to note that the impact tolerance would apply to the provision of the business service as opposed to the systems and processes that support it.

4. The supervisory authorities envisage that firms and FMIs would determine their own impact tolerances. A firm or FMI would need to be able to explain how the particular impact tolerance has been arrived at for an important business service, how it relates to the supervisory authorities' objectives, and in which scenarios a breach of impact tolerances could be acceptable. These are likely to be limited to the most severe, but plausible, scenarios.

5. Scenarios are important because they introduce proportionality. They indicate how severe a disruption the firm or FMI anticipates being able to withstand, while remaining within its impact tolerance. This is illustrated in Figure 25.5 in Case 1, where Scenario 4 is so severe that it would be disproportionate for a firm or FMI to stay within their impact tolerance. Case 2 shows where a firm or FMI might need to improve the systems and processes supporting the business service, as less severe scenarios would breach their impact tolerance.

7. As an example of an impact tolerance in practice, the Bank sets a time and volume-based impact tolerance as operator of CHAPS.24 The Bank states that all payments (volume) should be

24 See also the PFMI. Principle 17 (Operational risk) indicates that an FMI should aim to resume operations within two hours following a disruptive event and complete settlement by the end of the day, even in extreme circumstances.
Figure 25.5 Combining impact tolerances and scenario testing to establish a proportionate level of operational resilience. [Figure: two panels (Case 1 and Case 2), each plotting Scenario 1 to Scenario 4 on the vertical axis against Time on the horizontal axis, with a 2 Day outage marked and Low at the origin. Key: scenario recovered within tolerance; scenario not recovered within tolerance.]
settled by the end of the operating day (time) in all, even the most extreme, circumstances. The supervisory authorities envisage that firms and FMIs may need to establish time-based impact tolerances for services such as transferring funds between accounts, the processing of mortgages, and the ability to perform collateral management.

26 In line with the Basel Committee on Banking Supervision's Principles for the Sound Management of Operational Risk (Principle 4, www.bis.org/publ/bcbs195.pdf), the Basel Committee and International Organization of Securities Commissions' joint Principles for Financial Market Infrastructures (Principle 2, www.bis.org/cpmi/publ/d101a.pdf), and EIOPA Guidelines on System of Governance (Guideline 19 (Operational Risk Management Policy): https://eiopa.europa.eu/Publications/Guidelines/Final_EN_SoG_Clean.pdf). For PRA-regulated firms, see PRA Supervisory Statement 5/16 'Corporate governance: Board responsibilities', May 2016, www.bankofengland.co.uk/prudential-regulation/publication/2016/corporate-governance-board-responsibilities-ss.

the most important business services, the supervisory authorities seek to provide a focus for some of the existing work many firms and FMIs will already be doing. For instance, firms and FMIs would still set board-agreed risk appetites, but the supervisory authorities consider these could be better informed by detailed impact tolerance statements focused on the most important business services. Similarly, there is still likely to be a need for setting

Potential Benefits of Setting Impact Tolerances

10. The supervisory authorities consider that setting impact tolerances for the most important business services could:
a. support firms and FMIs in prioritising investment and resource allocation;
b. provide a clear scope when firms and FMIs want to test their own resilience; and
c. provide a focus for supervisory engagement.

11. By setting and articulating a clear impact tolerance at the business service level, it is possible to define alternative processing procedures that can be deployed in case of disruption to systems and processes in order to remain within impact tolerance. An additional benefit is that it is possible for firms to also consider substitute options more broadly. For example, payments could be routed via other payment schemes in order to remain within impact tolerance, although this may not be economically feasible or straightforward at present for many firms.

12. An impact tolerance approach could also address other factors. For instance, firms and FMIs may need to maintain policies for prioritising the provision of a certain level of service in the event of a disruption. This will depend on the type and severity of the operational disruption, and the particular impact the disruption would have. For example, if a bank sets an impact tolerance of delivering a percentage of total payment transactions during a disruption, it would also need a protocol for prioritising payments. Banks could process payments in order of arrival, or prioritise time-critical payments such as house purchases or payments to vulnerable people.

25.5 SUPERVISORY ASSESSMENT OF OPERATIONAL RESILIENCE

This section explains how supervisors could gain assurance that firms and FMIs ensure the continuity of their most important business services, and that boards and senior management are sufficiently engaged. The supervisory authorities are reviewing their existing approaches in light of the proposed focus on business services, and are considering the role of scenario testing in this context.

1. The supervisory authorities anticipate that a focus on the operational resilience of firms' and FMIs' most important business services will offer the opportunity to review and consolidate existing supervisory tools and assessment practices.

2. A future supervisory approach could cover four broad areas, taking into account the specificities of the relevant regulatory regimes for firms and FMIs:
• sector-wide work, including any potential stress testing developed by the Bank and the PRA with input from the FPC;
• supervisory assessment of how firms and FMIs set and use impact tolerances;
• analysis of systems and processes that support business services; and
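The prioritisation protocol that paragraph 12 above says a bank would need can be made concrete. The following is an added example, not part of the discussion paper and not a description of any bank's or CHAPS's actual arrangements: it models a bank whose impact tolerance is "at least a given percentage of payment instructions processed during the disruption", and compares the two release orders the paragraph mentions, arrival order against time-critical payments first, at the same reduced capacity. The priority classes, payment records and capacity figures are constructed for illustration.

```python
"""Degraded-mode payment prioritisation under a volume-based impact tolerance.

Added illustration, not taken from the discussion paper: the priority classes,
payment records and capacity figures below are constructed assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class Priority(IntEnum):
    """Release order during a disruption; lower value is released first."""
    TIME_CRITICAL = 0     # e.g. completion payment on a house purchase
    VULNERABLE_PAYEE = 1  # e.g. payment to a customer identified as vulnerable
    STANDARD = 2


@dataclass(frozen=True)
class Payment:
    ref: str
    arrival_seq: int   # order in which the instruction was received
    amount_gbp: int
    priority: Priority


def schedule_fifo(queue, capacity):
    """Release strictly in arrival order; returns (released, deferred)."""
    ordered = sorted(queue, key=lambda p: p.arrival_seq)
    return ordered[:capacity], ordered[capacity:]


def schedule_prioritised(queue, capacity):
    """Release by priority class first, then by arrival order within a class."""
    ordered = sorted(queue, key=lambda p: (p.priority, p.arrival_seq))
    return ordered[:capacity], ordered[capacity:]


def within_tolerance(released, queue, tolerance_pct):
    """Volume-based impact tolerance: share of instructions processed (%)."""
    if not queue:
        return True
    return 100.0 * len(released) / len(queue) >= tolerance_pct


def deferred_critical(deferred):
    """References of time-critical payments left unprocessed by the schedule."""
    return [p.ref for p in deferred if p.priority is Priority.TIME_CRITICAL]


# Constructed sample queue: six instructions received during a reduced-capacity window.
SAMPLE_QUEUE = [
    Payment("P1", 1, 250, Priority.STANDARD),
    Payment("P2", 2, 180_000, Priority.TIME_CRITICAL),
    Payment("P3", 3, 90, Priority.STANDARD),
    Payment("P4", 4, 400, Priority.VULNERABLE_PAYEE),
    Payment("P5", 5, 320_000, Priority.TIME_CRITICAL),
    Payment("P6", 6, 60, Priority.STANDARD),
]


def compare_protocols(queue=SAMPLE_QUEUE, capacity=3, tolerance_pct=50):
    """Run both protocols at the same capacity and summarise the difference."""
    summary = {}
    for name, scheduler in (("fifo", schedule_fifo), ("prioritised", schedule_prioritised)):
        released, deferred = scheduler(queue, capacity)
        summary[name] = {
            "released": [p.ref for p in released],
            "within_tolerance": within_tolerance(released, queue, tolerance_pct),
            "deferred_time_critical": deferred_critical(deferred),
        }
    return summary


if __name__ == "__main__":
    for name, result in compare_protocols().items():
        print(f"{name:12s} released={result['released']} "
              f"tolerance_met={result['within_tolerance']} "
              f"deferred_critical={result['deferred_time_critical']}")
```

With capacity for three of the six instructions, both orderings meet a 50% volume tolerance, but only the prioritised order releases both time-critical payments; arrival order leaves one house-purchase payment deferred, which is exactly the consumer harm a volume-only metric does not capture. The scheduler returns the deferred time-critical references so they can be escalated rather than silently queued.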
G) What are readers' views on producing an impact tolerance statement as described? What relevant operational resilience risk management documentation do firms and FMIs already produce, and how does this differ from impact tolerance statements?

6. In addition, the supervisory authorities already help to coordinate the sector exercising programme sponsored by the Cross Market Operational Resilience Group (CMORG), which is chaired by the Bank and industry. These voluntary exercises rehearse collective response mechanisms, including testing
Supervisory Tools

17. Regular supervisory engagement and review of firms' and FMIs' own risk management is already complemented by a range of specific tools which the supervisory authorities currently apply on a proportionate basis. Such review work typically targets specific risks and can be undertaken in a variety of ways including questionnaires, simulations, skilled persons' or experts' reports and wider thematic reviews. Firms' recovery and resolution plans and OCIR arrangements, where applicable, can also be useful sources of information for the supervisory authorities.

18. The supervisory authorities could make an increased use of questionnaires to assess operational resilience in future, potentially drawing on existing frameworks which support assessment of firms' and FMIs' capabilities. Existing frameworks include the CPMI-IOSCO guidelines, the G7 Fundamental Elements of Cybersecurity, the National Institute of Standards & Technology (NIST) Cybersecurity Framework, and the National Cyber Security Centre (NCSC) Cyber Assessment Framework.

19. A capabilities assessment questionnaire could be derived from the existing NIST principles, which set out that companies should: identify potential vulnerabilities and sources of risk, seek to protect themselves from threats, detect incidents, respond to, and recover from disruptions.

Questions

H) What operational resilience tests or scenarios do firms and FMIs already consider and undertake for their own risk management purposes? What factors do firms and FMIs take into account when devising operational resilience tests or scenarios?

I) How do boards and senior management currently gain assurance over the operational resilience of their firm or FMI?

J) What are readers' views on the proposed developments to the supervisory authorities' approach to operational resilience?

CONCLUSION

1. This DP aims to promote an open and constructive dialogue with stakeholders, and share the supervisory authorities' current thinking on how the operational resilience of the financial services sector could be enhanced.

2. The supervisory authorities are exploring a business services approach because it could be of value to organisations of all sizes as they manage their resilience in a dynamic environment. A focus on business services could help increase the transparency of firms' and FMIs' resilience work. It could drive better decision-making, as it would enable prioritisation of resilience work and the associated investment. It would provide a basis for firms and FMIs to set impact tolerances, set with reference to the supervisory authorities' objectives. The supervisory authorities themselves might also see the need to set impact tolerances for some business services.

3. The concept of impact tolerance is core to the supervisory authorities' thinking and may challenge firms and FMIs to think differently. It encourages them to assume operational disruptions will occur. This means that attention can be directed towards minimising the impact of disruption on important business services. Impact tolerance focuses firms, FMIs and the supervisory authorities on the potential vulnerabilities in business and operating models. The work they do to increase the resilience of these need not be tied to specific threats; rather, an important business service should be made resilient to a wide variety of threats.

4. Firms' and FMIs' processes, practices and culture need to work effectively to achieve the increased level of operational resilience that they and the supervisory authorities seek. This DP suggests an approach for potential supervisory expectations and assessment:
• Preparation: firms and FMIs identify and focus on the continuity of their most important business services as a means of prioritising their own analysis, work and investment in operational resilience. They set impact tolerances for their important business services and are able to demonstrate substitutability or the capability to adapt processes during disruption.
• Recovery: firms and FMIs assume disruptions will occur, and develop the means by which they can adapt their business processes and practices in the event of shocks in order to preserve continuity of service.
• Communications: firms and FMIs have strategies for communicating with their internal and external stakeholders, including the supervisory authorities and consumers. This should include how to handle the situation to minimise the consequences of disruption.
• Governance: firms' and FMIs' boards and senior management are crucial in setting the business and operational strategies and overseeing their execution in order to ensure operational resilience.

firms, FMIs, consumers, industry bodies, auditors, specialist third-party providers, professional advisors and other regulators are welcomed.

2. The supervisory authorities will use these responses to inform current supervisory activity and future policy-making. The supervisory authorities will share relevant information with the FPC to inform its approach to building cyber resilience in the UK financial system. They may publish extracts or summaries of views from respondents.27

assurance over the operational resilience of their firm or FMI?

K) What are readers' views on the proposed developments to the supervisory authorities' approach to operational resilience?

ANNEX 1: GLOSSARY OF TERMS
Clearing House Automated Payment System (CHAPS)
CHAPS is a sterling same-day system used to settle high-value wholesale payments as well as time-critical, lower-value payments like buying or paying a deposit on a property.

Cloud Services
Cloud services are remote access services and infrastructure.

sion of a business service.

Economic Functions
The broad set of services the financial sector provides to the UK economy, and hence an aggregation of business services that one, or more, firms or FMIs provide. For example, the economic function of retail mortgages and secured lending would comprise a number of individual business services. If sufficiently significant in terms of both size and function, these economic functions can become critical to the UK economy.

Impact Tolerance Statement
For the purposes of this DP, the supervisory authorities envisage that how impact tolerances are derived and justified might be set out in a single document called an impact tolerance statement.

Integrity
In the context of this DP, integrity describes data being accurate and complete.

the ability of firms, FMIs and the system as a whole to prevent, adapt and respond to, recover and learn from, operational disruption. In this DP, the supervisory authorities focus on the continued delivery of business services or economic functions.

Operational Risk
Operational risk refers to the risk of loss from inadequate or failed processes, people or systems or from external events. Threats to firms' and FMIs' operations take a wide variety of forms.
Striving for Operational Resilience
The Questions Boards and Senior Management Should Ask

Learning Objectives

After completing this reading you should be able to:
• Compare operational resilience to traditional business continuity and disaster recovery approaches.
• Describe elements of an effective operational resilience framework and its potential benefits.

Excerpt is reprinted from Striving for Operational Resilience: The Questions Boards and Senior Management Should Ask, by Rico Brandenburg, Tom Ivell, Evan Sekeris, Matthew Gruber and Paul Lewis, by permission of Oliver Wyman.
EXECUTIVE SUMMARY

Operational resilience has become a key agenda item for boards and senior management. Increasing complexity in processes and IT, dependence on third parties, interconnectedness and data sharing, and the sophistication of malicious actors have made disruptions more likely and their impact more severe. High-profile examples of business and operational disruptions abound, covering all segments of the financial services industry.

Resilience is fundamentally different from traditional business continuity (BC) and disaster recovery (DR). These disciplines have historically been heavily focused on physical events, were designed and tested in organizational silos, and are, by most organizations, primarily viewed as a compliance exercise. Operational resilience, instead, focuses on adaptability to emerging threats, on the dependencies and requirements for providing critical business services end-to-end (crossing organizational silos), and on the broader economic as well as firm-specific impact of adverse operational events. It requires a mindset shift in the organization away from resilience as a compliance exercise to resilience as a key organizational capability that is everyone's responsibility to maintain and continuously improve.

Financial regulators have started to stipulate expectations around management of resilience, resilience reporting, and effective oversight. In response, many firms are embarking, or will need to embark, on transformational programs to strengthen their resilience to disruption, incidents, and attacks across all operational resilience domains: technology, data, third parties, facilities, operations, and people. In addition, boards and senior management need to provide effective challenge of their organization's resilience ambitions, its program, and the critical risks that remain to its day-to-day operations.

Achieving operational resilience is inherently challenging given the increasing complexity of processes, technology infrastructure, and organizational silos. However, the business benefits go beyond pure risk and compliance, often forming an inherent part of a firm's value proposition.

This paper explores the key questions that boards and senior management should ask about their organization's level of operational resilience.

Continuity of service has always been a priority for financial firms. After all, disruptions can impact revenue, client experience, and franchise value.

Operational resilience is the ability of an organization to continue to provide business services in the face of adverse operational events by anticipating, preventing, recovering from, and adapting to such events.

BC and DR have historically emphasized physical events (e.g., natural disaster, active shooter), are limited by organizational boundaries, and are, by most organizations, primarily viewed as a "check the box" exercise rather than true risk management.

However, several trends in financial services have sharply increased the need for more mature operational resilience practices. Exhibit 26.1 below explores the most important trends, which we expect to continue to elevate the topic to discussions at the top table.

Exhibit 26.1 Drivers and their impact on exposure to disruption

SCALE AND PACE OF INNOVATION
Driver: Competition and customer demand are driving the need for more disruptive innovations and faster innovation cycles.
Impact on exposure to disruption: Increasing complexity of processes and infrastructure required for product and service delivery, and risk of imbalance between time to market and security/resilience.

CONTINUED DIGITIZATION
Driver: Availability of new technology, customer expectations, and desires for efficiency are driving increasing levels of automation and faster adoption of digital delivery capabilities.
Impact on exposure to disruption: Traditional (manual) fallback methods are no longer viable, and it is more challenging to identify the "weakest link" among connected digital systems.

RELIANCE ON LEGACY INFRASTRUCTURE
Driver: Incumbent institutions rely on older technology infrastructure that is less flexible, requires specialized knowledge to maintain, and is difficult to integrate with new technologies and processes.
Impact on exposure to disruption: Challenging to embed risk and resilience requirements in technology, which increases the exposure to disruptive events.

EXTENSION OF THE SUPPLY CHAIN
Driver: Institutions are increasingly adopting outsourcing as a business strategy, expanding their reliance on third parties (and their third parties' third parties).
Impact on exposure to disruption: More difficult to gain a comprehensive view of the firm's third-party dependencies and exposure, as well as to assess the risk and resilience posture of all relevant third parties.

INTERCONNECTEDNESS AND SHARING
Driver: Financial institutions are sharing more information and services more broadly (partly through deliberate government policy).
Impact on exposure to disruption: More likely to be affected by vulnerabilities and disruptions in another part of the ecosystem.

CONTINUED RISE IN SOPHISTICATION OF MALICIOUS ACTORS
Driver: Cyber attackers are innovating rapidly to identify new means of attack and ways of exploiting firms' vulnerabilities.
Impact on exposure to disruption: More challenging to prevent, detect, respond to, and recover from cyber attacks.

These drivers have manifested themselves in high-profile business and operational disruptions across the financial services industry, both through internally driven operational failures and externally driven malicious acts. These disruptions illustrate some of the shortcomings of traditional BC and DR approaches:
• Firms have more dependencies for service delivery than ever before, but traditional approaches focus on assets in silos and ignore potentially critical components of end-to-end service delivery.
• In a rapidly changing environment, traditional "check the box" and reactive approaches focused solely on recovery make firms much slower to adapt.
• By focusing on a standard set of disruption scenarios, traditional approaches provide a false sense of comfort that institutions are prepared for all scenarios.

Additionally, financial firms recognize the need for greater operational excellence (efficiency and effectiveness). Organizations that manage to effectively address the combined need for operational resilience and excellence will be able to unlock significant benefits across the organization (e.g., reduction of operational losses and of operational cost and complexity, the ability to support faster innovation cycles, and effective investment in operational capabilities).

26.2 BEND, BUT DON'T BREAK: OPERATIONAL RESILIENCE APPROACH

Even for many advanced institutions, adopting an operational resilience approach will imply significant changes from traditional (more compliance-focused) BC and DR. Whereas these traditional approaches focus solely on recovery, operational resilience has a broader scope and needs to be integrated into the risk-mitigation fabric of the organization.

Resilient organizations focus on anticipation, prevention and adaptation, rather than on recovery actions once the "horse has bolted." In addition, resilient organizations have creative ways to provide critical business services in the event of a disruption, beyond simply getting the technology up and running again (e.g., using branches to service customers at scale when digital channels are down).

Exhibit 26.2 shows the key characteristics of an operational resilience approach compared to most organizations' starting point, traditional BC and DR.

Exhibit 26.2 (excerpt) Operational resilience approach compared to traditional BC and DR

Operational resilience approach:
• Clearly defined accountability of board and senior management
• Resilience incorporated into risk appetite statements and metrics across operational risk types
• Comprehensive and actionable reporting to drive continuous improvement

Traditional BC and DR:
• Role of board and senior management limited to post-event response
• Resilience not an explicit consideration in risk appetite statements and metrics
• "Compliance-type" update on exercises

Financial services regulators have begun to take note and are beginning to focus on promoting operational resilience, versus traditional BC and DR. The principles outlined in Exhibit 26.2 are reflected in an increasing body of regulatory consultation and guidance papers.

With the lessons from the financial crisis still fresh, regulators have overlaid a "systemic" lens, prompting firms to explicitly consider and measure how disruptions would impact the broader market. At the same time, they are emphasizing that resilience is applicable to all institutions, even if the objectives for each institution might differ. For example, a financial market infrastructure's (FMI's) resilience objectives will likely focus on avoiding systemic disruptions, while smaller institutions' objectives will likely focus on maintaining shareholder value.

Global institutions will need to pay particularly close attention to regulatory developments, as regulators in different jurisdictions have not yet aligned on their expectations for firms.

RECENT RESILIENCE-RELATED REGULATORY PUBLICATIONS

July 2018
Bank of England/Prudential Regulation Authority/Financial Conduct Authority discussion paper, "Building the UK financial sector's operational resilience"

December 2018
European Central Bank guidance, "Cyber resilience oversight expectations for financial market infrastructures"
European Banking Authority consultation paper, "Guidelines on ICT and security risk management"

March 2019
Monetary Authority of Singapore consultation papers, "Proposed Revisions to Guidelines on Business Continuity Management" and "Technology Risk Management Guidelines"
26.3 HAS THE ORGANIZATION GOT IT?: IMPORTANT QUESTIONS TO ASK ABOUT OPERATIONAL RESILIENCE

Achieving operational resilience is inherently challenging:
• It requires organizations to understand how all domains (technology, data, third parties, facilities, operations, and people) impact critical service delivery, and to build a consistent set of resilience capabilities and controls across these domains.
• It depends on cross-functional, specialized expertise to evaluate and measure the resilience of the organization in light of the specific risks it faces.
• It relies on extensive coordination, collaboration, and preparation to ensure that the organization appropriately considers resilience in all activities and is ready when the worst happens.

Given the complexity of the topic, it is difficult for boards and senior management to assess the current level of operational resilience and determine whether the organization is making

Questions to ask (excerpt):
□ What KRIs and KPIs provide us with a comprehensive view of our maturity and uplift program?
□ What are our critical business services and why?
□ What are the most important resilience risks for the organization?

senior management, and getting resilience right for one critical service before expanding the program.

Exhibit 26.4 lays out an approach to establishing an effective operational resilience program that allows the organization to enhance its capabilities without being overwhelmed by the scale

Organizations that manage to establish effective operational resilience programs will be able to realize the benefits of better resilience as well as related business benefits:
• Reduce and optimize their risk exposure, with improved visibility into their risks, better monitoring, a more proactive approach to controls, and the ability to deliver services even when things go wrong.
• Better focus the organization and drive investment towards the most important areas, based on a prioritization of their critical business services.
• Be able to support the innovation agenda of the business and enable faster innovation cycles without compromising on risk management, by ensuring the organization is adaptable

Exhibit 26.4 (excerpt)
ESTABLISH THE FOUNDATION
• Assign accountability and develop an operating model for resilience
• Conduct a resilience maturity assessment to establish a baseline of the organization's capabilities
A rbib, M. A . (Ed.) (1995), The Handbook of Brain Theory and Neural Basel Com m ittee on Banking Supervision (2000a), Range of Practice in
N etworks, The MIT Press. Banks' Internal Ratings System s, Discussion paper, Basel, Sw itzerland.
Adelson, M., and G oldberg, M. (2009), On the Use of M odels by Basel Com m ittee on Banking Supervision (2000b), C redit Ratings and
Standard & Poor's Ratings Services, w w w .standardandpoors.com Com plem entary Sources of C redit Q uality Information, Working
(accessed February 2010). Papers 3, Basel, Sw itzerland.
Akhavein, J ., Fram e, W. S., and W hite, L. J . (2001), The Diffusion of Basel Com m ittee on Banking Supervision (2004 and 2006), International
Financial Innovations: An Exam ination of the Adoption of Small Busi Convergence of Capital M easurem ent and Capital Standards. A
ness C redit Scoring by Large Banking O rganization, The W harton Revised Fram ew ork, Basel, Switzerland.
Financial Institution Center, Philadelphia, USA. Basel Com m ittee on Banking Supervision (2005a), Studies on Validation
A lbareto, G ., Benvenuti, M ., M oretti, S. e ta /. (2008), L'organizzazione of Internal Rating System s, W orking Papers 14, Basel, Switzerland.
dell'attivita creditizia e I'utilizzo di tecniche di scoring nel sistema Basel Com m ittee on Banking Supervision (2005b), Validation of Low-
bancario italiano: risultati di un'indagine cam pionaria, Banca d'ltalia, default Portfolios in the Basel IT Fram ew ork, N ew sletter 6, Basel,
Q uestioni e Econom ia e Finanza, 12. Sw itzerland.
Altm an, E. I. (1968), Financial Ratios, Discrim inant Analysis and Predic Basel Com m ittee on Banking Supervision (2006), The IRB Use Test:
tion of Corporate Bankruptcy, Journ al o f Finance, 23 (4). Background and Im plem entation, N ew sletter 9, Basel, Sw itzerland.
Altm an, E. I. (1989), Measuring Corporate Bond M ortality and Perfor Basel Com m ittee on Banking Supervision (2008), Range of Practices and
m ance, Jo u rn a l o f Finance, X L IV (4). Issues in Econom ic Capital M odeling, Consultative Docum ent, Basel,
Altm an, E. I., and Saunders, A . (1998), C red it risk m easurem ent: D evel Switzerland.
opm ents over the last 20 years, Jo u rn a l o f Banking and Finance, 21. Basel Com m ittee on Banking Supervision (2009), Strengthening the
Altm an, E ., Haldem an, R., and Narayanan P. (1977), Zeta Analysis: a New Resilience of the Banking Sector, Consultative Docum ent, Basel,
Model to Identify Bankruptcy Risk of Corporation, Jo u rn a l o f Banking Sw itzerland.
and Finance, 1. Basilevsky, A . T. (1994), Statistical Factor Analysis and Related M ethods:
Altm an, E. I., Resti, A ., and Sironi A . (2005), Recovery Risk, Riskbooks. Theory and A pplications, John W iley & Sons Ltd.
Bank of Italy (2002), Annual Report 2001, Rome. Beaver, W. (1966), Financial Ratios as Predictor of Failure, Jo u rn a l o f
Bank of Italy (2006), New Regulations for the Prudential Supervision of A cco u n tin g Research, 4.
Banks, Circular 263, w w w .bancaditalia.it (accessed February 2010). Berger, A . N., and Udell, L. F. (2001), Small Business Credit Availability and
Baron, D ., and Besanko, D. (2001), Strategy, Organization and Incen Relationship Lending: the Importance of Bank Organizational Structure,
tives: Global Corporate Banking at Citibank, Industrial and C o rpo ra te US Federal Reserve System Working Papers, W ashington, D C , USA.
Change, 10 (1). Berger, A . N ., and Udell, L. F. (2006), A more com plete conceptual
Basel Com m ittee on Banking Supervision (1999a), C red it Risk M odelling: fram ew ork for SM E Finance, Jo u rn a l o f Banking, 30.
Current Practices and A pplications, Basel, Switzerland. Berger, A . N ., Fram e, W. S., and Miller, N. H. (2002), C red it Scoring and
Basel Com m ittee on Banking Supervision (1999b), Principles for the the Availability, Price and Risk of Small Business C red it, US Federal
M anagem ent of C red it Risk, Basel, Switzerland. Reserve System W orking Papers, W ashington, D C , USA.
Berger A . N ., Klapper, L. F., and Udell, G . F. (2001), The A bility of Banks De Servigny, A ., Varetto, F., Salinas, E. et al. (2004), C red it Risk Tracker
to Lend to Inform ationally O paque Small Businesses, US Federal Italy, Technical Docum entation, w w w .standardandpoors.com
Reserve System Working Papers, W ashington, D C, USA. (accessed February 2010).
Berger, A . N ., Miller, N. H., and Petersen, M. A . (2002), Does Function DeYoung, R., Hunter, W. C ., and Udell, G . F. (2003), The Past Present and
Follow Organizational Form ? Evidence from the Lending Practices of Probable Future for Com m unity Banks, W orking Paper 14, Federal
Large and Small Banks, US National Bureau of Econom ic Research Reserve Bank of Chicago, USA.
W orking Papers, 8752, C am bridge, M A, USA. Diam ond, D. (1984), Financial Interm ediation and D elegated M onitoring,
Blochwitz, S., and Eigerm ann, J . (2000). Unternehm ensbeurteilung The R eview o f E co n o m ic Stu dies, 51 (3).
durch Diskrim inanzanalyse mit qualitativen M erkm alen, Zeitschrift fur Draghi, M. (2008), A System with More Rules, More C ap ital, Less Debt
betriebsw irtschaftliche Forschung. and More Transparency, Sixth Com m ittee of the Italian Senate, Fact
Bohn, J . R. (2006), Structural M odeling in Practice, W hite Paper, finding Inquiry into the International Financial Crisis and Its Effects
Moody's KMV. on the Italian Econom y, Rom e, http://w w w .bancaditalia.it (accessed
Boot, A . W. (2000), Relationship Banking: W hat Do We Know? Jo u rn a l o f February 2010).
Financial Interm ediation, 9. Draghi, M. (2009), A ddress by the G overnor of the Bank of Italy, Annual
Boot, A . W ., and Thakor, A . V. (2000), Can Relationship Banking Survive M eeting of the Italian Banking Association, 8 Ju ly 2009, Rome, http://
Com petition? The Jo u rn a l o f Finance, 55. w w w .bancaditalia.it (accessed February 2010).
Brunetti, G ., Coda, Y., and Favotto, F. (1984), Analisi, previsioni, simu- Dwyer, D. W ., Kocagil, A . E ., and Stein, R. M. (2004), Moody's KM V
lazioni econom ico-finanziarie d'im presa, Etas Libri. R iskcalc™ v3.1 M odel, Technical Docum ent, http://www.m oodyskm v
Brunner, A ., Krahnen, J . P., and W eber, M. (2000), Information .com /research/files/w p/RiskCalc_v3_1 _M o d e l.p d f (accessed February
Production in C red it Relationships: on the Role of Internal Ratings in 2010 ) .
Com m ercial Banking, W orking Paper 10, C en ter for Financial Studies Ely, D. P , and Robinson, K. J . (2001), Consolidation, Technology and
of University of Frankfurt, Germ any. the Changing Structure of Banks' Small Business Lending, Fed era l
Burroni, M., Q uagliariello, M ., Sabatini, E ., and Tola, V. (2009), Dynamic R eserve Bank o f Dallas E co n o m ic and Financial Review , First Quarter.
Provisioning: Rationale, Functioning, and Prudential Treatm ent, Engelm ann, B., and Rauhmeier, R. (Eds.) (2006), The Basel II Risk Param
Q uestioni di Econom ia e Finanza, 57, Bank of Italy. eters, Springer.
Buzzell, R. D. (2004), The PIMS Program of Strategy Research: A Retro Fisher, R. A . (1936), The Use of Multiple M easurem ents in Taxonom ic
spective A ppraisal, Jo u rn a l o f Business Research, 57 (5). Problem s, Annals o f Eu g en ics, 7.
Buzzell, R. D ., and G ale, B. T. (1987), The PIMS principles, The Free Finger, C . (2009a), IRC Com m ents, RiskM etrics G roup, Research Monthly
Press. (February).
Cangem i, B., De Servigny, A ., and Friedm an, C . (2003), C red it Risk Finger, C . (2009b), VAR is from Mars, Capital is from Venus, Risk-M etrics
Tracker for Private Firm s, Technical Docum ent, Standard & Poor's. G roup, Research Monthly (April).
Com m ittee of European Banking Supervisors (2005), G uidelines on the Fram e, W. S., Srinivasan, A ., and W oosley, L. (2001), The Effect of C red it
Im plem entation, Validation and Assessm ent of A dvanced M easure Scoring on Small Business Lending, Jo u rn a l o f M o n ey C re d it and
ment (AM A) and Internal Ratings Based (IRB) A pproaches. Banking, 33.
Christodoulakis, G ., and Satchell, S. (2008), The Analytics of Risk G anguin, B ., and Bilardello, J . (2005), Fundam entals of Corporate C redit
Validation, Elsevier. Analysis, M cGraw-Hill.
De Laurentis, G . (1993), II rischio di credito, Egea. G iri, N. C . (2004), M ultivariate Statistical Analysis: Revised and
De Laurentis, G . (2001), Rating interni e credit risk m anagem ent, Expanded, C R C Press.
Bancaria Editrice. G rassini, L. (2007), Corso di Statistica A ziend ale, Appunti sull'analisi
De Laurentis, G . (Ed.) (2005), Strategy and Organization of Corporate statistica dei bilanci, http://w w w .ds.unifi.it/grassini/laura/Pistoia1/
Banking, Springer. in d exEA P T2007_08.h tm (accessed February 2010).
De Laurentis, G ., and G ab b i, G . (2010), The Model Risk in C redit Golder, P. A ., and Yeomans, K. A . (1982), The Guttm an-Kaiser Criterion as
Risk M anagem ent Processes, in Model Risk Evaluation Handbook a Predictor of the Num ber of Common Factors, The Statistician, 31 (3).
(eds. G . N. G regoriu, C . Hoppe, and C . S. W ehn), M cGraw-Hill. G upton, G . M ., Finger, C . C ., and Bhatia, M. (1997), C redit M etrics, Tech
De Laurentis, G ., and G andolfi, G . (Eds.) (2008), II gestore im prese, nical Docum ent, W orking Paper, J P Morgan, http://w w w .riskm etrics
Bancaria Editrice. .com /publications/techdocs/cm tdow .htm l (accessed February 2010).
De Laurentis, G ., Saita, F., and Sironi, A . (Eds.) (2004), Rating interni e IASB (2009), Basis for Conclusions on Exposure Draft, Financial Instru
controllo del rischio di credito, Bancaria Editrice. m ents: Am ortized C ost and Im pairm ent, 6 N ovem ber 2009.
De Lerm a, M .; G ab b i, G ., and M atthias, M. (2007), C A R T Analysis of Ito, K. (1951), On Stochastic Differential Equations, American Mathematical
Q ualitative Variables to Improve C red it Rating Processes, http://www Society, 4.
.g reta.it/cred it/cred it2006/po ster/7_G ab bi_M atthias_D eLerm a.pd f Jackso n , P., and Perraudin, W. (1999), Regulatory Im plications of C redit
(accessed February 2010). Risk M odelling, C red it Risk M odelling and the Regulatory Im plica
De Servigny, A ., and Renault, O . (2004), M easuring and Managing tions Conference (June 1999), Bank of England and Financial Services
C red it Risk, M cGraw-Hill. Authority, London.
414 ■ Bibliography
Landau, S., and Everitt, B. (2004), A handbook of statistical analyses Sharpe, W. (1964), Capital A sset Prices: a Theory of M arket Equilibrium
using SPSS-PASW , C R C Press. under Conditions of Risk, Jo u rn a l o f Finance, 19.
Loehlin, J . C . (2003), Latent Variable M odels— An Introduction to Factor, Sobehart, J . R., Keenan, S. C ., and Stein, R. M. (2000), Validation
Path, and Structural Equation Analysis, Lawrence Erlbaum A ssociates. M ethodologies for Default Risk M odels, A lg o Research Q uarterly, 4
Lopez, J ., and Saidenberg, M. (2000), Evaluating credit risk models, (1/2) (M arch/June).
Journ al o f Banking and Finance, 24. Standard & Poor's (1998), Corporate Ratings Criteria, http://w w w
Lyn, T. (2009), Consum er C redit M odels— Pricing, Profit and Portfolios, .standardandpoors.com .
O xford Scholarship O nline. Standard & Poor's (2008), Corporate Ratings Criteria, http://w w w
Maino, R., and M asera, R. (2003), Medium Sized Firm and Local .standardandpoors.com .
Productive System s in a Basel 2 Perspective, in Industrial Districts Standard & Poor's (2009), D efault, Transition, and Recovery: 2008
and Firm s: The Challenge of G lobalization, M odena University, Italy, Annual Global Corporate Default Study and Rating Transitions.
Proceedings, http://w w w .econom ia.unim ore.it/convegni_sem inari/ Standard & Poor's (2009a), Annual Global Corporate Default Study and
C G _sep t03/p ap ers.htm l (accessed February 2010). Rating Transitions, http://w w w .standardandpoors.com .
Maino, R., and M asera, R. (2005), Im presa, finanza, m ercato. La gestione Standard & Poor's (2009b), Global Structured Finance Default and
integrata del rischio, E G E A . Transition Study 1978-2008: C red it Q uality of Global Structured
M asera, R. (2001) II Rischio e le Banche, Edizioni II Sole 24 O re, Milano. Securities Fell Sharply in 2008 Am id Capital M arket Turmoil, http://
M asera, R. (2005), Rischio, Banche, Im prese, i nuovi standard di Basilea, w w w .standardandpoors.com .
Edizioni II Sole 24 O re. Standard & Poor's (2009c), G uide to C red it Rating Essentials, 21 August
M asera, R., and Mazzoni, G . (2006), Una nota sulle attivita di Risk e 2009, http://w w w .standardandpoors.com .
Capital M anagem ent di un interm ediario bancario, Ente Luigi Einaudi, Steeb, W. H. (2008), The Nonlinear W orkbook: Chaos, Fractals, Neural
Q uaderni, 62. N etw orks, G enetic Algorithm s, G ene Expression Program m ing,
M erton, R., (1974), On the Pricing of Corporate D ebt: the Risk Structure Support Vector M achine, W avelets, Hidden M arkov M odels, Fuzzy
of Interest Rates, Journ al o f Finance, 29. Logic with C++, Java and Sym bolic C++ Program s: 4th edition, World
Modigliani, F., and Miller, M. H. (1958), The Cost of Capital, Corporation Scientific Publishing.
Finance and the Theory of Investment, Am erican Econom ic Review, 48. Stevens, J . (2002), A pplied M ultivariate Statistics for the Social Sciences,
Moody's Investor Services (2000), Benchm arking Q uantitative Default Lawrence Erlbaum A ssociates.
Risk M odels: a Validation M ethodology (March). Tan; P.-N., Steinbach, M., and Kumar, V. (2006), Introduction to Data
Moody's Investor Service (2007), Bank Loan Recoveries and the Role Mining, Addison-W esley.
That Covenants Play: W hat Really M atters? Special Com m ent (July). Tarashev, N. A . (2005), An Em pirical Evaluation of Structural C redit
Moody's Investor Service (2008), Corporate Default and Recovery Rates Risk M odels, Working Papers No. 179, BIS M onetary and Econom ic
1920-2007 (February). D epartm ent, Basel, Switzerland.
Nixon, R. (2006), Study Predicts Foreclosure for 1 in 5 Subprim e Loans, Thompson, M., and Krull, S. (2009), In the S&P 1500 Investment-Grade
N Y Tim es (20 D ecem ber 2006). Stocks Offer Higher Returns over the Long Term, Standard and Poor's
O eN B and FM A (2004), Rating M odels and Validation, O esterreichische Market Credit and Risk Strategies (June), http://www.standardandpoors
Nationalbank and Austrian Financial M arket Authority. .com.
Petersen, M. A ., and Rajan, R. G . (1994), The Benefits of Lending Rela Thurstone, L. L. (1947), Multiple Factor Analysis, University of Chicago
tionships: Evidence from Small Business Data, Journ al o f Finance, 49. Press, Chicago.
Petersen, M. A ., and Rajan, R. G . (2002), Does Distance Still M atter? The Treacy, W. F., and C arey, M. S. (1998), C red it Risk Rating at Large U.S.
Information Revolution in Small Business Lending, Jo u rn a l o f Finance, Banks, US Fed era l R eserve Bulletin (N ovem ber).
57 (6). Treacy, W. F., and C arey, M. S. (2000), C red it Risk Rating System s at
Pluto, K., and Tasche, D. (2004), Estimating Probabilities of Default on Large U .S. Banks, Jo u rn a l o f Banking and Finance, 24.
Low Default Portfolios, Deutsche Bundesbank Publication (Decem ber). Tukey, J . W. (1977), Exploratory Data Analysis, Addison-W esley.
Porter, M. (1980), Com petitive Strategy, Free Press. Udell, G . F. (1989), Loan Q uality Com m ercial Loan Review and Loan
Porter, M. (1985), Com petitive A dvantage: Creating and Sustaining O fficer Contracting, Journ al o f Banking and Finance, 13.
Superior Perform ance, Free Press. Vasicek, O . A . (1984), C redit Valuation, W hite Paper, Moody's KMV
Rajan, R. G . (1992), Insiders and O utsiders: the Choice Betw een Rela (March).
tionship and Arm s Length D ebt, Jo u rn a l o f Finance, 47. W ehrspohn, U. (2004), Optim al Sim ultaneous Validation Tests of Default
Resti, A ., and Sironi, A . (2007), Risk M anagem ent and Shareholders' Probabilities D ependencies and C redit Risk M odels, http://ssrn.com /
Value in Banking, John W iley & Sons Ltd. abstract=591961 (accessed February 2010).
Saita, F. (2007), Value at risk and bank capital m anagem ent, Elsevier. W ilcox, J . W. (1971), A G am bler's Ruin Prediction of Business Failure
Schwizer, P. (2005), Organizational Structures, in Strategy and O rganiza Using Accounting Data, Sloan M an ag em en t Review , 12 (3).
tion of Corporate Banking (Ed. G . De Laurentis), Springer.
Bibliography ■ 415
INDEX
418 ■ Index
business cycle, 191 assessing capital adequacy im pact, 261-263
business disruption and system failures (BD SF), 119-120 BH C scenario design, 245-246
business environm ent and internal control environm ent factors (B EIC Fs), capital policy, 243-245
123-126 estim ation m ethodologies for losses, revenues, and expenses,
key risk indicators (KRIs), 125 246-261
risk control self-assessm ent (RCSA), 124-125 foundational risk m anagem ent, 238-239
business im pact assessm ent (BIA), 380 governance, 241-243
business im pacts, of data quality, 152-153 internal controls, 239-241
business im pact view, 157 Capital Plan Rule, 236, 237, 242, 245
business indicator (Bl), 333, 338, 339 capital policy, 243-245
business indicator com ponent (BIC), 323, 333, 338, 342-343 contingency plan, 244-245
business-level use, of econom ic capital, 199-200 goals and targets, 244
business line m anagem ent, 134 w eak, 244
business perform ance capital requirem ents, 96
enterprise risk m anagem ent (ERM ), 30-31 Capital Requirem ents Regulation (CRR), 393
business planning process, 49-52 captive finance, 178
business process m appings, 8 capture the flag, 348
business process view, 157 cash flow m appings, 176
business resiliency, 5, 12 cash flows, 22, 176
business resum ption, service provider contracts and, 286 catastrophe bonds, 31
business risk, 209 catastrophe exposure, 154
business services, 402 C D S indexes, 176
availability and integrity of existing, 391 C D X .N A .IG , 176
building resilient, 388-389 Central Bank of Ireland, 267
focusing on, 387 central banks, 304
prioritising by, 387 central clearing, 294-296
supply of new, 391 central counterparty (C C P), 294, 299
system s and processes, 404 and bankruptcy, 300-301
business unit (BU), 4 1 ,4 6 , 47, 49 defined, 294
in O T C m arkets, 295
central risk function, 133-134
C challenger m odels, 240
calibration, quantitative validation, 168 change-control processes, 203
Cam pa, J . M ., 231 charge-off m odels, 250, 252
Canabarro, E ., 273 chief information officer (C IO ), 366
capital chief information security officers (CISO ), 366
for credit risk, 310-312 chief risk officer (C RO ), 14, 16, 31-32, 366
definition of, 320 China Banking Regulatory Com m ission (C B R C ), 96
for m arket risk, 308-309 chi-square test, 168
for operational risk, 313 Chrysler, 178
Tier 1 and Tier 2, 305 Citigroup, 89
capital adequacy assessm ent, 196-197, 202, 261-263 classification tests, for validation, 167
capital adequacy process (CA P), 236 Clearing House Autom ated Paym ent System (C H A PS), 385,
principles of, 237 392, 403
capital asset pricing model (CA PM ), 184 clearing houses, 295
Capital Assistance Program (C A P), 267 C learPo rt, 295, 301
capital budgeting, 192, 201 clients, products and business practices (CPBP) risk, 118-119
decision rule, 188-189 C L O , 177
risk-adjusted return on capital (R A R O C ), 185-186 closeout horizon, 226
capital conservation buffer (C C B ), 321-323 cloud service providers (CSPs), 378
capital m anagem ent regulatory cloud sum m its, 378
decisions, 183 cloud services, 403
process, 192 C M B S, 180
Capital M anagem ent Policy, 69 C M B X , 180
capital planning, 236-237 C M E G roup, 295
Index ■ 419
Cochrane, J. H., 232
Coherent Stress Testing (Rebonato), 271
Cole, Eric Dr., 352
collection threshold, 121-122
Collins and Aikman, 178
commercial banking, 59
commercial real estate (CRE), 330
Commission de Surveillance du Secteur Financier (CSSF), 378
committee composition, 8
Committee of European Banking Supervisors (CEBS), 267, 268, 378
Committee on Global Financial Stability (CGFS), 231, 270
Committee on Market Best Practices (CMBP), 38
Committee on Payments and Market Infrastructures (CPMI), 362
Committee on Payments Systems and Market Infrastructures (CPMI), 390
committee operation, 8
committee structure, 8
Common Equity Tier 1 (CET1) capital, 328
common risk currency, 209
Commonwealth Bank of Australia (CBA) Group, 39, 71-75
communications plans, FMIs, 394
comparative advantage in risk-bearing, 15
comparative analysis, 9
compensation, service provider contracts and, 284
completeness
   of databases, 122
   of data quality, 154
   of rating systems, 163
complex metric, 156
compliance risk, 239
   data quality, 152, 154
compliance risks, 282
comprehensive approach, 310
Comprehensive Capital Analysis and Review (CCAR), 93, 236, 237, 325
comprehensive risk measure, 319
comprehensive validation
   evaluation of, 143-144
   ongoing monitoring, 144-145
   outcomes analysis, 145-146
computer emergency readiness team (CERT), 376
Computer Incident Response Center (CIRCL), 376
computer security incident response teams (CSIRTs), 376
concentration risk, 282, 377
   identification, 226
conduct, defined, 78
confidence-based impacts, data quality, 152
confidence level
   risk-adjusted return on capital (RAROC), 188
   risk aggregation and, 210
   risk measures and, 207
confidentiality
   of information for third-party interactions, 381-382
   service provider contracts and, 284-285
conservatism, 248
consistency
   data quality, 154-155
   rating systems, 164
Consumer Financial Protection Bureau (CFPB), 96, 326
consumer loans, 229
contagion approach, 219
context bias, 128
contingency considerations, of service providers, 287
contingency plan
   capital, 244-245
   service provider contracts and, 286
contingent convertible bonds (CoCos), 324-325
continuity management, 12
contraction risk, 229
control and mitigation
   risk management environment, 5, 10-11
Control Objectives for Information and Related Technologies (COBIT), 363
convertible bonds, 176
Cooke ratios, 305
coordinated defense, in cyber resilience, 351
copulas, 195, 211, 212, 220
The Core Principles for Effective Banking Supervision (Basel Committee), 2
Core Principles Methodology (Basel Committee), 2
core risk level, 187
core risks, 14, 187
corporate culture, 106-108
corporate exposures, 312
corporate finance, 129
corporate governance, enterprise risk management (ERM), 33
corporate operational risk function (CORF), 3-4
corporate risk manager, 14
corporate treasury, 14
correspondent banking, 291-292
costs, service provider contracts and, 284
Council for Registered Ethical Security Testers (CREST), 352, 367
countercyclical capital buffer (CCyB), 321, 322
counterparties
   credit risk engines, 226
   defaults of, 257
   high risk, 226
   margined vs. non-margined, 225
counterparty credit exposure, 223
   measurement, 224
   range of practices, 225-227
counterparty credit risk, 273
   market risk and, 255-256
counterparty credit risk (CCR), 196, 197
   ancillary processes and, 226
   challenges, 223-225
   model validation, 227
   operational-risk-related challenges, 224-225
country risks, 282
CPMI-IOSCO guidance, 369, 378, 380
credit conversion factors, 307
credit equivalent amount, 307, 308
credit loan loss-estimation approaches, 250
CreditMetrics, 187, 219, 271
credit portfolio management, 199
credit portfolio models, supervisory concerns relating to, 221-222
credit risk, 23
   assessment, 153
   capital for, 310-312
   copulas and, 220
   counterparty, 196, 197, 223-227
   data quality, 153-154
   dependency modelling, 195, 197, 218-222
   interest rate risk and, 232-233
   internal ratings-based (IRB) approach for, 331-332
   and market risk, 224
   price of, 231
   retail and wholesale, 249
   risk aggregation, 209
   standardised approach for, 328-331
CreditRisk+, 219, 220, 271
credit substitution approach, 313
credit support annex (CSA), 225, 296
credit valuation adjustment (CVA), 256, 273, 323, 324, 332-333
CREST Certified Simulated Attack Manager (CCSAM), 367
CREST Certified Simulated Attack Specialist (CCSAS), 367
CREST Certified Threat Intelligence Manager (CCTIM), 367
Critical Infrastructure Notification System (CINS), 374
critical service providers, 394
cross-industry
   high dependence on specialized skills, 85-86
   ineffective leadership and management skills, 86
   lack of diversity, 85
   misaligned incentives, 86
   presence of dominant companies, 85
Cross Market Operational Resilience Group (CMORG), 370, 399
Crouhy, Michel, 188
crowded trades, 225
C-suite, 99, 100
culture
   dashboards, 107
   defined, 78
   of distribution, 108
   of production, 108
cure period, 225
currency, data and, 155
current exposure, 223
current exposure method, 306
customer and product profitability analysis, 200
customer complaints, service provider contracts and, 286
customer due diligence (CDD), 291
customer segmentation, 199, 200
cyber-fraud, 374
cyber-resilience
   adaptation to changing conditions, 347
   business continuity planning and staff engagement, 347-348
   challenge of, 349
   communication and sharing of information, 371-376
   defined, 362
   gamification, 348
   incident response planning, 351-352
   and independent assurance, 368-369
   information security controls testing, 368-369
   interconnections with third parties, 377-382
   negative attributes, 350
   nudging behavior, 348
   objectives, 350-351
   organization, attributes of, 349-351
   positive attributes, 350
   real-time crisis management, 346-347
   response and recovery testing and exercising, 369-370
   risk awareness in staff, 347
   risk management framework, 346
   safety management, 348-349
   security solutions, 352-355
   standards, 347
   standards and guidelines, 363, 364
   supervising methods, 368
   threat detection, 352-353
   training programs, 347
cyber-risk controls, taxonomy of, 369
cyber-security, 346
   architecture and standards, 366
   information-sharing practices, interlinkage of, 371
   management roles and responsibilities, 365
   and resilience metrics, 370-371
   risk awareness culture, 365-366
   strategy, 364-365
   threat analysis, 346
   workforce, 366-367
Cyber Security Agency (CSA), 372
Cybersecurity Fortification Initiative (CFI), HKMA's, 367
Cyber Security Summit, 348
cyber threats, 391
cyber war game, 370

D
Dai, Q., 228
damage to physical assets (DPA), 121
Dang, T. V., 278
Das, S. R., 221
databases
   completeness of, 122
   external, 126
data collection, 165
data, for loss estimation, 249
data governance (DG), 152
data quality, 253-254
   accuracy, 154
   business impacts of poor, 152-153
   checks, 216
   completeness, 154
   compliance risk, 152, 154
   confidence-based impacts, 152
   consistency, 154-155
   control, 155-156
   credit risk, 153-154
   currency, 155
   development risk, 154
   dimensions, 154
   employee fraud and abuse, 153
   financial impacts, 152
   information flaws, 153
   inspection, 155-156
   insurance exposure, 154
   issues view, 156-157
   mapping business policies to data rules, 155
   other dimensions of, 155
   oversight, 155-156
   productivity impacts, 152
   reasonableness, 155
   and revenue assurance, 153
   risk impacts, 152
   satisfaction impacts, 152
   scorecard, 156
   underbilling, 153
   uniqueness, 155
   validating rating models, 164-166
dataset, 162-165
deadweight costs, 14
debt-to-equity ratio, 183
deception, in cyber resilience, 351
decision-making, 141
   authority, 16
   economic capital to, 25-26
   financial aspects of, 138
   process, 42
decomposition, of risk measure, 208
default
   events of, 296
   service provider contracts and, 285
default mode model, 220
default probabilities, 163
default risk charge, 335
Delphi Corp., 178
Delphi technique, 128
delta risk, 298
De Nederlandsche Bank (DNB), 95
Department of Defense Guidelines on Data Quality, 153
dependency modelling
   in credit risk, 195, 197, 218-222
   shortcomings of, 221-222
   use of, 222
derivatives bonds, 31
Derman, E., 228
Deutsche Bank, 32
development risk, 154
differences of opinion, 96
digital service providers (DSP), 376
Dimakos, X. K., 213
direct market access, 132
directors, role of, 112
disaster recovery (DR), 406
disclosure
   economic capital and, 203
   role of, 5, 12
   stress testing, 268, 275-277
discriminatory power, 166, 167
discussion paper (DP), 384
   integrity, 403
   structure, 386-387
dispute resolution, service provider contracts and, 285
distorted risk measures, 206, 207
distributed denial of service (DDOS), 371
diversifiable risk, 14
diversification
   assumptions, 204
   effect, 189-190
   inter-risk, 210-211
documentation
   for capital planning, 241
   risk management, 149
documenting decisions, BHCs with, 243
Dodd-Frank Act, 236, 275
domestically systemically important (D-SIBs), 321, 325
due diligence, service providers and, 283-284, 291
Duffie, D., 221, 296
dynamic simulation model, 229

E
earnings at risk (EaR), 228, 230
economic capital, 182, 183. See also risk capital
   adequacy assessment, 196-197, 202
   business-level use, 199-200
   challenges in, 198
   change-control processes, 203
   counterparty credit risk, 196, 197, 223-227
   to decision-making, 25-26
   defined, 194, 198, 213
   dependency modelling, credit risk, 195, 197, 218-222
   governance and, 194, 199-205
   for interest rate risk, 196, 198, 227-233
   internal model validation, 214-218
   recommendations, 196-198
   risk aggregation, 195, 197, 208-214
   risk identification, 197
   risk measures, 194-195, 197, 205-208
   senior management involvement, 202
   supervisory concerns relating to, 203-205
   transparency and meaningfulness, 205
   unit involved, 203
   uses, 194, 199-205
   validation, 195, 197
economic functions, 403
economic value added (EVA), 34, 185
economic value of equity (EVE), 228, 230
economic value vs. accounting performance, 21-22
employee engagement, 107
employee fraud and abuse, 153
employment practices and workplace safety (EPWS), 120-121
end-to-end processing of payments, 395
Enron, 219
enterprise risk, 68
enterprise risk management (ERM)
   benefits of, 29-31
   business performance, 30-31
   chief risk officer, 31-32
   components of, 32-35
   corporate governance, 33
   and corporate level risk committee, 21
   data and technology resources, 35
   definitions, 28-29
   determining, 16-20
   implementing, 20-26
   leadership, 21
   line management, 33-34
   micro benefits of, 15-16
   organizational effectiveness, 29
   portfolio management, 34
   risk analytics, 34
   risk reporting, 29-30
   shareholder value, 14-16
   stakeholder management, 35
enterprise-wide levels, 41
enterprise-wide use, economic capital and, 200-202
entities, 282
Equifax, 350
equity capital, 24
equity tranche, 178
Ernst & Young, 154
escrow agreements, 285
estimation methodologies
   general expectations, 246-249
   loss-estimation, 249-257
   PPNR projection, 257-261
European Banking Authority (EBA), 91, 267, 269, 274, 362, 363
European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU), 369
European Insurance and Occupational Pensions Authority (EIOPA), 314
European Securities and Markets Authority (ESMA), 362
European Supervisory Authorities, 362
events of default, 296
exception VAR, 309
excess equity, 17
exchange-traded market, 294, 300
execution, delivery, and process management (EDPM), 117-118
Exercise Resilient Shield, UK/US, 370
existing regulatory requirements
   relating to financial stability, 394-395
   relating to harm, 394
   relating to viability of firms and FMIs, 392-394
expected losses (EL), 34, 188, 250, 311, 312
expected operational losses, 123
expected revenues, 185
expected shortfall (ES), risk measures and, 206, 207
exposure at default (EAD)
   loss estimation and, 250
   value, 223
extension risk, 230
external auditors, 2, 3
external communication, 202
external databases, 126
external data collection and analysis, 8
external dependencies, 12
external frauds, 120
external loss data, 8
external resources, risk management, 148-149
extreme value theory (EVT)
   defined, 228
   drawbacks, 228

F
factor-based capital allocation approach, 16
factor loading, 232
failure resolution mechanisms, 296
Fannie Mae, 266
FASB Statements, 260
fat tails, 22, 24
Federal Deposit Insurance Corporation (FDIC), 364
Federal Financial Institution Examining Council (FFIEC), 282, 285, 363
Federal Insurance Office's (FIO), 130
Federal Reserve Bank, 236, 237
Federal Reserve Bank of New York, 96
Federal Reserve's Capital Plan Rule, 236
feeder models, 240
Feldman, Matthew, 32
Fender, I., 270
Financial Action Task Force's (FATF), 290
financial condition, of service providers, 286-287
Financial Conduct Authority (FCA), 91, 384
Financial Consumer Agency of Canada (FCAC), 96
financial crisis
   2000-2007, 131
   2007-2009, 187
financial distress, 17, 18, 24
financial impacts, data quality, 152
Financial Industry Information Systems (FISC), 367
Financial Industry Regulatory Authority (FINRA), 96
financial institutions, 183
   contract provisions and considerations, 284-286
   defined, 282
   failed, 304
   operations and internal controls, 284
   performance and condition, 283-284
financial market infrastructures (FMIs), 362, 384, 389-397, 403
   business continuity, 394
   communications plans, 394
   and contingency planning, 394
   existing regulatory requirements, 392-395
   and expectations for firms and, 392-395
   impact tolerances, 403
   internal controls, 394
   large firms and, 395-396
   management and governance, 392-393
   outsourcing and critical service providers, 394
   in practice, 395-397
   risk management, 393
   small or mid-sized firms, 396
   very small firms, 396-397
Financial Policy Committee, 326
financial regulators, 406
financial sector professionals, 378
Financial Security Institute (FSI), 367
Financial Services and Markets Act 2000 (FSMA), 384, 385
Financial Services Information-sharing and Analysis Center (FS-ISAC), 374
financial stability
   existing regulatory requirements relating to, 394-395
   impact on, 391-392
Financial Stability Board (FSB), 97, 108, 318
Financial Stability Oversight Council (FSOC), 326
Financial Stability Report (FSR), 385
Financial Stability Strategy, 385
financial terrorism, 290. See also money laundering and financial terrorism (ML/FT) risk management
FinTech Knowledge Hub, 368
FinTech Lab, 368
Fiori, R., 232
fire sale, 187
firms
   business continuity, 394
   communications plans, 394
   and contingency planning, 394
   debt, 19
   internal controls, 394
   management and governance, 392-393
   outsourcing and critical service providers, 394
   risk management, 393
Fisher's r2, 167
Fitch rating, 182
fixed diversification, 211
Fixed Income, Currencies and Commodities Market Standards Board, 97, 104
fixed-rate mortgages, 229
Flannery, M. J., 266
flight to quality, 262, 272
floating-rate bond, 230
Foglia, A., 270
Ford, 178
Ford Motor Credit Co. (FMCC), 178
foreign-based service providers, 286, 287
foreign-exchange (FX) risks, 28
forensic investigation, 351
foundational risk management, 238-239
foundation IRB (F-IRB) approach, 331
frailty approach, 221
A Framework for Internal Control Systems in Banking Organisations (Basel Committee), 2
frauds
   cyber-fraud, 374
   employee fraud and abuse, 153
   external, 120
   internal, 120
Freddie Mac, 266
Friedman, Paul, 174
full modelling/simulation, 211, 212
full-revaluation methods, 257
fully diversified capital, 190
funding liquidity, 278
futures contracts, 295
futures exchange clearing, 295

G
Gambacorta, L., 231
gamification, 348
gaming, 128
gap risk, 225
GARCH (General Autoregressive Conditional Heteroscedasticity), 232
Gaussian copula, 220, 221
Gaussian copula model, one-factor, 310
General Data Protection Regulation (GDPR), 403
General Motors (GM), 178
General Motors Acceptance Co. (GMAC), 178
German Banking Act, 364
German steel resilience, 353
Gibson, M. S., 270
Global Banking Education Standards Board, 97
global systemically important banks (G-SIBs), 321, 325, 333-334
global systemically important insurers (G-SII), 321
Goldstein, I., 277
Gonzales-Minguez, J. M., 231
good risk, 110
Google, 133
Gordy, M. B., 310, 311
Gordy model, 319, 320
Gorton, G., 278
governance
   board of directors, 5-7
   capital planning and, 241-243
   cyber, 363-367
   economic capital and, 194, 199-205
   of ERM, 26
   operational, 4-5
   risk management, 146-149
   risk organization and, 134-135
   senior accountability and, 89-91
   senior management, 5, 7-8
Gramm-Leach-Bliley Act of 1999, 153
granular credit-risk rating system, 251
gross income, 313, 314
gross loss, 340-341
group-level use, economic capital and, 200-202
Group Risk Appetite Statement (RAS), 72-73
Group Risk Management, 61
IBM OpVantage, 126
ICE Clear, 295
IFRI and CRO Forum (2007) survey, 201, 203, 205, 207, 212
implementing ERM
   aggregating risks, 22-23
   economic capital to make decisions, 25-26
   economic value vs. accounting performance, 21-22
   governance of, 26
   inventory risks, 20-21
   measuring risks, 24
   regulatory vs. economic capital, 24-25
incentive compensation review, 286
incident response planning, in cyber resilience
   forensic investigation, 351
   initial breach diagnosis, 352
income simulation models, 230
incremental default risk charge (IDRC), 319
incremental risk charge (IRC), 318-319
indemnification, service provider contracts and, 285
inexpert opinion, 128
information flaws, 153
information security controls, 368-369
information security management, 368
information-sharing
   from banks to regulators, 373-374
   cross-border cybersecurity, 375
   frameworks across jurisdictions, 371-372
   percentage of jurisdictions, 372
   from regulators to banks, 375
   with security agencies, 375-376
internal controls
   for capital planning, 239-241
   service providers and, 287
internal data collection, 253-254
internal dependencies, 12
internal frauds, 120
internal loss data, 121, 340
   collection and analysis, 8
Internal Loss Multiplier (ILM), 324, 333, 338-339
internal models approach, 225
internal operational risk culture, 4
internal ratings-based (IRB), 160
   approach, 274, 310-311
   for asset classes, 331
   bank, corporate, and sovereign exposures, 312
   for credit risk, 331-332
   retail exposures, 312-313
internal rating systems, 162
internal reporting, 201
International Accounting Standards Board, 123
International Association of Credit Portfolio Managers (IACPM), 218, 220-222
International Association of Insurance Supervisors (IAIS), 304
International Financial Reporting Standard 9 (IFRS 9), 95
International Monetary Fund, 109
International Organization of Securities Commissions (IOSCO), 300, 304, 362, 390
International Organization of Standardization (ISO 31000), 29
International Swaps and Derivatives Association (ISDA), 218, 220-222, 296, 307
inter-risk diversification, 210-211
inventory risks, 20-21
investor, 91
ISDA master agreement, 296
ISO 22301, 347
ISO 27001, 347
issuer defaults, 257

J
Japanese Financial Services Agency (JFSA), 369
Joint Policy Statement on Interest Rate Risk, 271
joint public-private exercising, 370
Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing, 290
Jorion, P., 273

K
Karolyi, G. A., 107
Kaspersky Lab, 348
KMV, 187
Koyluoglu, H. U., 271
Kupiec, P. H., 270
Kuritzkes, A., 266

L
Large Exposures Framework, 320
leadership, 47, 49, 100
   capabilities, 84
legal exposures, 255
legal risks, 282, 338
Lehman, 266
lending technology, 165
Leung, Mona, 32
leverage ratio
   Basel III framework, 333-334
   capital requirements, 321
license, service provider contracts and, 285
limits on liability, service provider contracts and, 285
line management, enterprise risk management (ERM), 33-34
line of business (LOB) management, 46
liquidity, 299-300
liquidity coverage ratio (LCR), 323-324, 328
living wills, 324-325
loan-to-value (LTV) ratio, 329
logistic regression, 163
London Interbank Offered Rate (LIBOR), 295
long tail distribution, 22
look-back option, 187
Lopez, J., 312
loss data identification
   general criteria, 340
   specific criteria, 340-341
loss data set, 340
loss-distribution approach (LDA), 254-255
losses
   exclusion of, 341
   inclusion of, 342
loss-estimation methodology
   available-for-sale (AFS), 252-253
   charge-off models, 252
   correlation with macroeconomic factors, 254
   counterparty and issuer defaults, 257
   credit loan approaches, 250
   data and segmentation, 249
   expected loss approaches, 250
   held-to-maturity (HTM), 252-253
   historical averages, 255
   internal data collection and data quality, 253-254
   legal exposures, 255
   loss-distribution approach (LDA), 254-255
   market risk and counterparty credit risk, 255-256
   operational-loss-estimation approaches, 254
   operational risk, 253
   overview, 249
   P/L estimates, 257
   rating transition models, 251
   regression models, 254
   retail and wholesale credit risk, 249
   revaluation, 257
   risk mitigants, 257
   roll-rate models, 251-252
   scalar adjustments, 252
   scenario analysis, 255
   stress scenarios, 256
   translating scenarios to risk factor shocks, 256-257
   vintage loss models, 252
loss given default (LGD), 223, 273
   credit-risk-related challenges to, 224
   loss estimation and, 250
Luxembourg regulator, 378

M
machine learning, 93
Macquarie University Risk Culture Scale, 110
macroeconomic factors
   correlation with operational-risk, 254
   scenario analysis based on, 232
macro-prudential stress testing, 266, 268, 269
Madoff, Bernie, 131
Malware Information-sharing Platform (MISP), 376
management actions, economic capital and, 204
management incentives, 200
management information systems (MIS), 238, 241
management oversight, 216
managing information risk
   business impact view, 157
   business process view, 157
   data quality issues view, 156-157
   managing scorecard views, 157
Manheim index, 273
mappings
   business policies to data rules, 155
   business process, 8
   cash flow, 176
   risk measures, quality of, 176
margin, 294
marginal capital, 190
marginal economic capital requirement, 184
margin calls, 300
margined counterparty, 225
Mark, C., 311
market data, 175, 176
market participant identifier (MPID), 132
market participants, 390
market risk, 23, 174
   capital for, 308-309
   counterparty credit risk and, 255-256
   counterparty EAD estimation challenges and, 223-224
   credit risk and, 224
   defined, 209
   risk aggregation, 209
Market Risk Amendment, 168, 307, 309
market variables, 15, 52, 53, 160
marking-to-model, 175
mark-to-market
   mode, 220, 221
   value, 178
matrix reporting, 134
maturity adjustment factor, 312
McKinsey & Co., 32
measuring risks, 24
mezzanine tranche, 178
migration matrices, for validation, 167
minimum capital requirement (MCR), 315
Minimum Requirements for Risk Management (MaRisk), 364
Mizuho Securities, 133
model errors, 174-175
modeling
   balance sheet, 275
   independent review of, 240
   losses, 273-274
   revenues, 274-275
model quality, 139
model replication, 216
model risk management, 139-140
model validation
   elements of comprehensive validation, 143-146
   and other third-party products, 146
   vendor validation, 146
modified loss-distribution approach, 254-255
Monetary Authority of Singapore (MAS), 96, 367, 372, 375
money laundering and financial terrorism (ML/FT) risk management
   application of standard practices, 290
   correspondent banking, 291-292
   customer due diligence and acceptance, 291
   governance, 290
   international scope, 292
   risk assessment, 291
   specific activities, 290
   transaction and monitoring, 291
   wire transfers, 292
Monte Carlo Simulation, 196, 226
Monte Carlo VaR, 176
Moody's, 17, 174, 182
Moody's/KMV (MKMV), 219
Morgan, D. P., 278
Morgan, J. P., 321
mortgage-backed securities (MBSs), 229
mortgages, 229
mortgage servicing right (MSR) assets, 260
Mosser, P. C., 270
   business services, 387-389
      focusing on, 387
      prioritising by, 387
   capabilities, 402
   retail banking, 129-130
   retail brokerage, 132-133
   risk organization and governance, 133-135
   scenario analysis, 127-129
   setting collection threshold and possible impacts, 121-122
   time period for resolution, 123
   trading and sales, 129
Option Adjusted Spread (OAS), 232
options, scenario analysis based on, 232
Organisation of Economic Co-operation and Development (OECD), 306
organizational culture, 106
organizational design, 133
organizational effectiveness, enterprise risk management (ERM), 29
organized trading facilities (OTFs), 297
original equipment manufacturers (OEMs), 178
original exposure method, 306-307
other-than-temporary impairment (OTTI), 252, 253
outsourcing, 11, 394
   risk management, 281-288
oversight process, service providers and, 286-287
over-the-counter (OTC) market
   bilateral clearing, 294, 296
   CCPs and bankruptcy, 300-301
   central clearing, 294-296
   clearing in, 294-296
   convergence of, 300
   defined, 294
   events of default, 296
   impact of changes, 299-300
   initial margin, 298-299
   netting, 296
   post-crisis regulatory changes, 297-299
   role of CCP in, 295
   uncleared trades, 297
over/under confidence bias, 128
ownership, service provider contracts and, 285

P
parameter review group, 191
penetration test, 369
performance standards, service provider contracts and, 284
phishing attacks, 347
Piazzesi, M., 232
Pillar 2, 309, 310
Pillar 3, 309, 310
plan-do-check-act (PDCA) cycle, 366
P/L estimates, 257
point-in-time (PIT), 188
portfolio management, enterprise risk management (ERM), 34
position data, 175
post-crisis regulatory changes, 297-299
post-SCAP, 268
potential exposure, 223
PPNR projection methodologies, 257
   net interest income, 259-260
   non-interest expense, 261
   non-interest income, 260-261
   observed practices, 258-259
   robust projections, 258
preferred risk, 56
prepayment risk options, 229
pre-SCAP, 268
presentation bias, 127
Presidential Policy Directive, 347
PricewaterhouseCoopers, 153
PricewaterhouseCoopers Survey, 202
pricing transactions, 184
principal components decomposition, 232
principles for financial market infrastructure (PFMI), 389-390
privilege restriction, in cyber resilience, 351
probability of default (PD), 18, 188, 223
   credit-risk-related challenges to, 224
   loss estimation and, 250
process verification, 144
Professional Development Program (PDP), HKMA's, 367
profitability analysis, 200
profit and loss attribution, 217
Prompt Corrective Action (PCA), 321
Prudential Regulation Authority (PRA), 368, 384
Prudential Standard CPS 234, 364
putable bonds, 230

Q
qualitative processes, for validation, 215-216
qualitative review, 215
quantitative approach, 138
Quantitative Impact Studies (QIS), 309
quantitative processes
   for validation, 216-217

R
ratings stability, 167
rating systems, 160
   acceptance, 163-164
   completeness, 163
   consistency, 164
   design, 162-164
   objectivity, 163
   supervisory validation of, 160
rating transition models, 251
real economy, 403
Real-Time Gross Settlement (RTGS) Service, 385, 392, 403
Rebonato, R., 271, 273
recovery, 340-341
recovery time objectives (RTO)
   operational resilience, 397
redundancy, in cyber resilience, 351
regression models, 254
regulation, 103
regulators share information, 374-375
regulatory capital vs. economic, 24-25
regulatory cloud summits, 378
regulatory-type approach, 222
rehypothecation, 300
relative risk measurement, 204
reputational risks, 239, 282
required stable funding (RSF), 323
Research Task Force of the Basel Committee, 210
residential mortgage-backed securities (RMBS), 176, 180, 253
resilience, 347, 406. See also cyber-resilience; operational resilience
   backward-looking indicators, 370-371
resilience engineering
   hotel keycard failure, 349
   safety management, 348-349
resilience metrics, cyber-security and, 370-371
resilient organizations, 407
resilient software, 352
retail banking, 129-130, 231
retail exposures, 312-313
return on assets (ROA), 260
return on capital (ROC), 184
return on capital at risk (ROCAR), 201
return-on-risk, 67
return on risk-adjusted assets (RORAA), 184
return on risk-adjusted capital (RORAC), 201
return trade off, 56
revaluation methodology, 257
revenue assurance, 153
revised IRB framework, 331
right to audit, service provider contracts and, 284
risk-adjusted performance measurement (RAPM), 182, 184-185
risk-adjusted return on capital (RAROC), 30
   for capital budgeting, 185-186
   and capital budgeting decision rule, 188-189
   confidence level, 188
   default probabilities, 188
   economic capital and, 199-200
   horizon, 186-188
   hurdle rate, 188-189
   for performance measurement, 186-190
   point-in-time (PIT) vs. through-the-cycle (TTC), 188
   in practice, 190-192
   with qualitative factors, 191-192
   vs. shareholder value added (SVA), 201
risk-adjusted return on risk-adjusted assets (RAROA), 201
risk aggregation, 43, 54-55
   economic capital and, 195, 197
   framework, 208-209
   methodology, 209-210
   range of practices, 210-211
   supervisory concerns relating to, 213-214
risk analytics, 34
risk appetite framework (RAF)
   capturing different risk types, 47-48
   case studies, 59-75
   for firms, 55-59
   implementation, 41-43
   practices, 43-55
   principal, 39-41
   role of stress testing, 52-55
risk appetites, 5, 14, 33, 38, 68-72, 166, 403
   benefits of, 41, 48-49
   into businesses, 45-47
   and capital planning, 51
   dynamic tool, 48-49
   evolution of, 74-75
   and liquidity planning, 51
   operational resilience, 397
   and performance management, 51
   and risk culture, 44-45
   and strategic planning, 51
Risk Appetite Statement (RAS), 62
risk assessment, 8. See also risk self assessment (RSA)
risk aversion, 7
risk awareness culture, cyber, 365-366
risk-based capital allocation, 16
risk-based pricing, 199-200
risk budget, 63, 65, 66
risk capacity, defined, 60
risk capital, 182
   active portfolio management for entry/exit decisions, 183
   diversification and, 189-190
   emerging uses of, 182-184
   and incentive compensation, 183
   measurement, 182
   performance measurement, 183
   pricing transactions, 184
   risk-adjusted return on capital, 184-192
risk control self-assessment (RCSA), 8, 124-125
risk culture (RC), 40, 73
   change and challenge, 110-113
   culture dashboards, 107
   culture survey, 107
   customer perceptions and outcomes, 107
   drivers and effects, 109-110
   measuring culture and cultural progress, 107
   reduce misconduct risk, 112
   and risk appetite, 44-45
   scope and definition, 108-109
   validation, 107
risk departments, 133-134
risk diversification effect, 183
risk factor model, 310
risk factor shocks, 256-257
risk identification
   for bank holding companies (BHCs), 238-239
   economic capital and, 197
risk management, 20
   board of directors, 147
   documentation, 149
   external resources, 148-149
   financial market infrastructures (FMIs), 393
   governance, 146-149
   internal audit, 148
   macro benefits of, 14-15
   model development and implementation, 140-141
   model inventory, 149
   model use, 141-142
   model validation, 142-146
   overview of, 138-140
   policies and procedures, 147
   programs for service providers, 282-288
   purpose and scope, 138
   recommendations for, 58-59
   roles and responsibilities, 147-148
   senior management, 147
Risk Management and Modelling Group (RMMG) (Basel Committee), 198
risk management environment, 8-11
   business resiliency and continuity, 5, 12
   control and mitigation, 5, 10-11
   identification and assessment, 5, 8-9
   monitoring and reporting, 5, 9-10
   operational risk management, 5
risk manager, 175
risk measures, 19, 24
   bank holding companies and, 238
   calculation of, 207-208
   desirable characteristics, 205-206
   economic capital and, 194-195, 197
   supervisory concerns relating to, 208
   types of, 206, 207
risk measures, quality of
   Credit Correlation (2005), 176-179
   mapping issues, 176
   model risk, 174-180
   subprime default models, 180
   valuation risk, 174-175
   variability of VaR estimates, 175-176
risk metric, 210
RiskMetrics, 270, 271
risk mitigants, 257
risk organization
   firmwide policy, 134
   governance, 134-135
   risk departments, 133-134
risk posture, 50-52, 62-66
risk reporting, 29-30
risk-return trade-off, 15-16
risks
   comprehensive capture of, 204
   covariance matrix of, 213
   grouping of, 209
   and performance indicators, 9
risk self assessment (RSA), 8
risk settings, 63, 65, 66
risk setting statements (RSSs), 67
risk tolerance, 5
risk types, 187
risk-weighted assets (RWAs), 258, 261-262, 273, 275, 305, 306, 321
roll-rate models, 251-252
   advantages, 251
Rosenberg, J. V., 213
Royal Bank of Canada, 39, 59-62
Rudebusch, G. D., 232
Rutter Associates LLC, 199

S
Sabre SynXis Central Reservations System, 349
safety management, 348-349
Sapra, H., 277
Sarbanes-Oxley Act, 33, 152, 287
Saunders, A., 273
SBC Warburg, 119
scalar adjustments, 252
scenario analysis, 9, 127-129
   for bank holding companies (BHCs), 255
   based on GARCH models, 232
   based on historical distributions, 232
   based on macroeconomic factors, 232
   based on options, 232
   based on principal component decomposition of yield curve, 232
   linking credit and interest rate risk, 232-233
scenario design, bank holding companies (BHCs), 245-246
scenarios, 127
Schuermann, T., 213
scorecard views, 157
Scotiabank, 39, 68-71
Scott, H., 266
Sector Exercising Group (SEG), 370
Securities and Exchange Commission (SEC), 96, 326
Securities and Futures Authority, 119
Securities and Futures Commission's (SFC's), 96
securitizations, 176
security master data, 175
segmentation
   in cyber resilience, 351
   for loss estimation, 249
self-regulation, 107
senior accountability
   applicability, 90
   board-level conduct management reporting, 89-90
   board responsibilities and involvement, 89
   data quality and availability, 89-90
   and governance, 89-91
   modeling behavior, 90
   relevance and effectiveness, 90
   role of asset owners, 90
   third-party fund managers, 90
   usefulness, 90
Senior Insurance Managers Regime (SIMR), 403-404
senior management, 161
   capital planning and, 242-243
   commitment, 191
   in cyber-security, 365
   economic capital and, 197, 202
   governance, 5, 7-8
   recommendations for, 57-58
   responsibilities regarding service providers, 282
   risk management, 147
Senior Management Function (SMF), 393
Senior Managers and Certification Regime (SM&CR), 393, 403-404
Senior Supervisors Group (SSG), 38
service-level agreements (SLAs), 156
service providers
   board of directors and senior management responsibilities, 282
   business continuity of, 287
   business model, 283
   contingency plan of, 286
   defined, 282
   due diligence and selection, 283-284
   financial condition of, 286-287
   foreign-based, 286, 287
   multinationals valued, 304
   oversight and monitoring of, 286-287
   risk management programs, 282-288
   risks from use of, 282
shareholder value added (SVA) vs. RAROC, 201
Sharpe ratio, 185
Sheffield Elicitation Framework (SHELF), 128, 129
simple approach, 310
simple summation, 211, 212
single-factor models, 228
Single Supervisory Mechanism (SSM), 374
Singleton, K. J., 228
software development life cycle (SDLC), 352
solvency capital requirement (SCR), 315
Solvency II, 314-315
sovereign exposures, 312
specific risk (SR), 308
   capital for, 309
spectral risk measures, 206, 207
sponsored access arrangements, 132
spread duration, 231
square root of time rule, 187
stakeholder management, 35
stand-alone capital, 190
standard deviation, 206, 207
Standard Initial Margin Model (SIMM), 298-299
standardised approach
   application of, 339
   Basel II, 310-311
   Basel III, finalising post-crisis reforms, 322
   capital for, 313
   for credit risk, 328-331
   loss data set, 340
   operational risk capital requirement, 339
   use of loss data under, 339-340
standardised credit risk assessment approach (SCRA), 329
Standard & Poor's, 182
static simulation model, 229
statutory capital, 22
Steering Committee on Implementation (SCI), 38
stranded capital, 24
strategic planning, 201
strategic risks, 239
   capital, 185
stressed VaR, 318
stress metrics, 41
stress testing, 41-43, 168-171
   balance sheet and income statement dynamics, 275
   for bank holding companies (BHCs), 239
   and Basel rules, 325
   Bayesian approach, 271
   counterparty credit risk exposure and, 226
   designing the scenarios, 271-272
   disclosure, 267, 268, 275-278
   in interest rate modelling, 231-232
   in literature, 270-271
   losses and revenues, 272-275
   macroprudential, 269
   role of, 52-55, 204
   scenario-based, 239
   validation and, 217
subcontracting, service provider contracts and, 286
supervision, 103
supervisors, 93
   role of, 2-3
supervisory assessment
   analysis of systems, 400
   gaining assurance, 400
   people and processes that support business services, 400
   sector-wide work, 399-400
   supervisory tools, 401
   tolerances, 400
supervisory authorities, 404
   factors relating to, 390-392
   objectives, 385
Supervisory Capital Assessment Program (SCAP), 236, 266-269
supervisory college model, 378
supervisory validation, 160
suspicious activity report (SAR), 287
SwapClear, 295, 301
swap execution facilities (SEFs), 297, 326
system development risks, 153
system downtime, 125
systemically important financial institutions (SIFIs), 321
systemic issues, 103
system implementation, 215
system integration, 144
system slow time, 125
trade control, lack of skills in, 116
trading book vs. banking book, 233
transition matrix, 18
transparency, 197, 205
Treacy, W. F., 311
treasury bond, 295
Trump Hotels, 349
Turnbull, Malcolm, 82

U
UAW, 178
UBS, 32
UK Financial Conduct Authority, 97
UK Senior Managers and Certification Regime (SMCR), 97
unauthorised access, to market sensitive data, 391
uncleared trades, 297
underbilling, revenue assurance and, 153
value chain, availability of vital link, 391
variance-covariance matrix, 195, 211-213
variation margin, 294, 300
vega risk, 298
vendor validation, 146
verification, 3
vetting, 164
vintage loss models, 252
Visteon, 178
vital services, 404
volatility, levels of, 19
Volcker Rule, 326

W
Wachovia, 266
Washington Mutual, 266
Weibull distribution, 314
Wells Fargo, 96
wholesale credit risk, 249
wholesale funding, 320
Wilks' Λ, 167
Williams, John, 96
wire transfers, 292
workforces, cyber, 366-367
Working Group on Risk Appetite (WGRA), 39
wrong-way risk, 224, 226
Wyman, Oliver, 100

Z
zero tolerance, 40
Zhu, H., 222, 296