
OPERATIONAL RISKS IN FINANCIAL SERVICES

AN OLD CHALLENGE IN A NEW ENVIRONMENT

HANS-ULRICH DOERIG, VICE CHAIRMAN

CREDIT SUISSE GROUP
JANUARY 2001 PARTLY ADJUSTED APRIL 2003

ADVICE TO THE READER

Aware that the reader of this presentation is always under time pressure, I propose the following advice:

1. The "really" hurried reader gains an overview from (17 pages):
   - Table of Contents
   - Chapter 1 - Introduction
   - Chapter 2 - Summary and Outlook: 12 Conclusions

2. The "less" hurried reader gains an enlarged overview from (56 pages):
   - Table of Contents
   - Chapter 1 - Introduction
   - Chapter 2 - Summary and Outlook: 12 Conclusions
   - 12 Principles / 12 Issues / 12 Checks / etc. (which are highlighted in yellow throughout the paper)

3. The reader wishing a complete overview should read (135 pages):
   - the document in its entirety

CSG

Operational Risks in Financial Services

PREAMBLE

In view of the increasing industry discussion on Operational Risks and the BIS intention to charge banks with an additional regulatory capital requirement, I held the original presentation at the Institut International d'Etudes Bancaires in October 2000. This Institute is a forum of 50 European top management members. Since then, I have adjusted some texts and added a few pages, where appropriate.

ACKNOWLEDGEMENT

This presentation would not have been ready in time without the constructive and critical contributions by my CSG Risk Management staff. My thanks to them.

While I structured and wrote the presentation myself, Dr. Harry Stordel deserves a special mention of thanks - he concentrated on research for some chapters and some of his ideas have been included. My thanks also to Mrs. Annette M. Rouiller who handled the presentation appearance, a rather nerve-wracking task in a hectic environment.


Table of Contents

1. Introduction and Overview (p. 4)
1.1 The 100 Risks in Financial Services (p. 4)
1.2 Coping with Risk Complexity (p. 5)
1.3 Operational Risk in Risk Management (p. 7)
1.4 The 12 Golden Organisational Principles in Risk Management (p. 8)
2. Summary and Outlook: 12 Conclusions (p. 11)
3. Operational Risks: Framework for Definitions and Dimensions (p. 19)
3.1 Operational Risk Definitions (p. 19)
3.2 Five major OpRisk-Categories and their Sub-Categories (p. 20)
3.3 Overlaps between Risk Classes (p. 22)
3.4 Operational Risk ≠ Total Risk - Credit Risk - Market Risk (p. 23)
3.5 The Dimensions of OpRisk Management (p. 24)
3.6 The four Stages of OpRisk Management (p. 25)
4. Major OpRisk-Mishaps in Financial Services: 12 Lessons learned (p. 26)
4.1 Introduction (p. 26)
4.2 Overview of 8 selected Mishaps since 1991 (p. 26)
4.3 The 1977 Credit Suisse Chiasso Case (p. 29)
4.4 OpRisk Scandals in Financial Services: 12 Lessons (p. 30)
5. Organisations with a 5000 Year OpRisk Experience: 12 Lessons (p. 33)
5.1 Introduction (p. 33)
5.2 Principles of the Military (p. 33)
5.3 Military OpRisk Experience: 12 Lessons (p. 40)
6. Managing Operational Risks: The 12 S's as a High Level Requirement (p. 43)
6.1 Risk Management Framework (p. 43)
6.2 Strategy and Structure (p. 44)
6.2.1 Corporate Governance (p. 44)
6.2.2 Segregation of Duties (p. 46)
6.2.3 Management Structure for OpRisk (p. 47)
6.2.4 Audit driven OpRisk Management (p. 48)
6.3 System and Systems (p. 49)
6.3.1 Framework of OpRisk Management (p. 49)
6.3.2 OpRisk Control Process: 12 General Rules to Watch (p. 49)
6.3.3 Top-down versus Bottom-up OpRisk Management (p. 52)
6.3.4 Risk Processes: Quantitative and Qualitative Approaches (p. 53)
6.3.5 Personal Attention by Senior Management (p. 53)
6.3.6 Compensation-System (p. 54)
6.3.7 Modern IT-systems lead to New Processes (p. 54)
6.4 Safety and Speed (p. 56)
6.5 Staff and Skills (p. 59)
6.6 Style and Shared Values (p. 62)
6.7 Stakeholders and Symbol (p. 66)
6.8 Synchronisation (p. 68)
7. Managing Operational Risks: Practical Instruments and Tools (p. 69)
7.1 Introduction (p. 69)
7.2 Control and Risk Self-Assessment (p. 69)
7.3 Impact & Frequency Scorecard (p. 71)
7.4 Risk Indicators and Escalation Triggers (p. 72)
7.5 Risk and Process Mapping (p. 73)
7.6 OpRisk Dashboard (p. 74)
7.7 Loss Event Database (p. 74)
7.8 Applications and Limitations of Tools (p. 75)
8. Operational Risk Transfer: Insurance and Finance (p. 76)
8.1 Insurance as Part of Risk Management (p. 76)
8.2 Availability of Insurance (p. 77)
8.3 Strategy and Structure for Insurance Coverage (p. 78)
8.4 Funded Captives (p. 79)
8.5 Alternative Risk Transfer (p. 79)
8.6 Risk Transfer: 12 Guiding Principles (p. 80)
9. The Data Challenge (p. 83)
9.1 Risk Data Methodology: 12 Issues (p. 83)
9.2 Using Data: 12 Issues (p. 86)
10. Quantification of Operational Risks (p. 90)
10.1 Introduction (p. 90)
10.2 What is Quantified in OpRisk? (p. 91)
10.3 Purpose of OpRisk Quantification (p. 95)
10.4 How to Quantify/Model OpRisk (p. 96)
10.4.1 Factor-derived / Indicator based Models (p. 98)
10.4.2 Statistical / Actuarial / Simulation-based Models (p. 99)
10.4.3 Loss-Scenario / Qualitative Assessment Models (p. 100)
10.4.4.1 Bankers' Trust Approach: Combining Methods (p. 101)
10.4.4.2 Credit Suisse Group's Approach: Scenario Based (p. 101)
10.5 Capital Allocation (p. 102)
10.6 OpRisk Quantification: 12 Conclusions (p. 102)
11. Concerns of Supervisors (p. 104)
11.1 The Three Pillar Approach by the BIS (p. 104)
11.2 The OpRisk Regulatory Solution: 12 Points from a Banker's Point of View (p. 106)
12. Selected Areas of Future Concern (p. 114)
12.1 Business Continuity Planning (p. 114)
12.2 Customer Complaints (p. 115)
12.3 IT Migration (p. 116)
12.4 IT Security (p. 117)
12.5 Outsourcing (p. 119)
12.6 Money Laundering (p. 120)
12.7 Fraud (p. 122)
12.8 Settlement (p. 125)
12.9 Communication (p. 127)
12.10 Transformation Management (p. 129)
List of Abbreviations (p. 132)
Bibliography (p. 134)

1. Introduction and Overview

Risk management has always been an explicit or implicit fundamental management process in financial services. Today, however, there is more pressure to avoid things going wrong while continuing to improve corporate performance in the new environment. Quality of leadership and governance is increasingly an issue of risk management. New governance requirements are quite explicit about this responsibility.

1.1 The 100 Risks in Financial Services

Risk is uncertainty about a future outcome. The daily life of a human being is full of risks. Life without uncertainty is like a movie or a joke of which you already know the outcome. Risk is part of corporate life. It is the essence of financial institutions' activities. Risk is to be managed, not feared. The greatest risk is not taking one, as the chances for rewards move towards zero. While not avoidable, risk is manageable - as a matter of fact most banks live reasonably well by incurring risks, especially "intelligent risks". Good risk management is not only a defensive mechanism, but also an offensive weapon. It helps to maintain stability and continuity and supports revenue and earnings growth. Good risk management is a decisive competitive advantage. Risk management is an obligation to stakeholders. Comprehensive, diligent and intelligent risk taking is an "attitude" towards stakeholders.

Financial services - dealing with so many daily actions and reactions by human beings - are exposed to a variety of risks. Chart 1.1 indicates such variety. Risk is highly multifaceted, complex and often interlinked; all the 100 risks have at least an "operational touch". A recognised risk is less "risky" than the unidentified risk. There is a need for credible and relevant methodologies to identify, define, assess, reduce, transfer, avoid and manage risk. Comprehensive, institution-wide strategy and tactics towards risk can no longer be achieved by applying common sense only - albeit common sense remains crucial. Despite all the progress in the quantification of risks, imperfections have to be acknowledged. Quantified risk is seductive, but can be misleading or provide a "false sense of security". Risk management will remain a blend of art and science, especially for "operational risks". Risk management is a daily struggle against uncertainty and a daily learning process: Risk management is not a program, but a process which senior management and the Board of Directors are increasingly called upon to ensure.

Chart 1.1: 100 Risks in Financial Services (© H.-U. Doerig, 1998)

Interest, Regulatory, Strategy, Systemic, Credit Spread, Business Volume, Team Departures, Insider, Innovation, Collateral, Settlement, Systems, Revenues, Custody, Risk Culture, Public Relations, War, Large Exposures, Catastrophe, Infrastructure Shutdown, Credit Netting, Cost, FX, Style, Volatility, Market, Litigation, Management Structure, Rogue Trading, Liquidity, Proportionality, Character, Risk Appetite, Priority Setting, Counterparty, Operations, Pricing, Reputation, Brand, Low Probability / High Impact Losses, AL Management, Intrusion, Globalisation, New Business, Cross Border, Balance Sheet Structure, Know-How, Competition, Transparence, Legislation, Refinancing, Complexity, Capital Allocation, Legal, Segmentation, Communication, Court Decisions, IT, Product, Capital Access, Timing, Commodity, Partnerships-Alliances, Bridge Finance, Social Unrest, Financial Models, Centralisation-Decentralisation, Concentration, Know Your Client, MIS, Critical Size, Hackers, Risk Control, Staff / Team, Change Management, Channels / Internet, Risk Capacity, Motivation, Compliance, Cadence of Change, Syndication, Emerging Markets, Supervisory, Risk Ratings, Event Risks, Project, Future Commitments, Flexibility, Political, Insurance, Outsourcing, Take-Over, Data Integrity, Theft / Crimes / Fraud, Deal Breakup, Value Proposition, Initiatives Overload, Control Environment, Control Procedures, Documentation.

1.2 Coping with Risk Complexity

Naturally, such variety is confusing and not helpful for coping with risks. An intelligent "packaging" of risks is needed. Such a packaging often involves setting a priority focus. This focus might differ from one bank to the other - there are over 30'000 banks and an estimated 20'000 insurance companies world-wide. Credit Suisse Group - presented in Chart 1.2 as one example of many - differentiates among 7 priority risk categories. Market, credit, insurance underwriting and commission and fee income risks have become quantifiable in a more credible fashion. Strategy and reputation risks are tackled on a systematic and qualitative basis. Chart 1.2 also indicates the scope and challenge of any integrated firm-wide risk management. Thereby, any organisation has to build on what I call the 12 S's - albeit different for any specific situation as to priority, timing, intensity and scope. The 12 S's serve as a systematic base for general management, focused on OpRisk management. The 12 S's will appear in the following chapters again and again.

Chart 1.2: Building an Organisation for the Management of 8 Major Risks (© H.-U. Doerig, 2000)

- Major factors shaping the risk disposition of an individual and an organisation: Values, Behaviour, Regulation & Policies, Markets & Economy, Society & Politics, Innovation & Technology, Expectations, Facts, Experience, Clients, Competition, Perception.
- Action and reaction by management and staff: Knowledge, building on the organisation's 12 S (Strategy, Structure, System/s, Safety, Speed, Skills, Shared values, Stakeholders, Symbol, Synchronisation, Simplicity, Sustainability); ensuring a risk culture with modern methods / limits, proactive risk management, a constructive control attitude, continuous training and discipline as to corrective actions.
- Scope and challenge of an integrated firm-wide risk management: effective risk management provides focus on and control over 8 major risks: Strategy Risk, Reputation / Brand Risk, Market Risk, Credit Risk, Insurance Underwriting Risk, Business Risk, Operational Risk, Liquidity Risk.

Chart 1.3 is a simplified attempt to visibly present my personal thinking as to the years to come for financial services. The convergence of all sorts will lead to the focused universal banking concept for some. Many will specialise - successfully so - in retail banking, private banking, wholesale banking or even concentrate on logistics as insourcer for outsourcers. Almost all will have similar challenges as to OpRisk. Some of these challenges may only apply, e.g., to retail or wholesale banking. An attempt is made here to find some of the more relevant common denominators.

Chart 1.3: Focused Universal Banking: Year 2000 onwards (© H.-U. Doerig, 2000)

- 4 Core Activities: Retail, Private, Wholesale (national = global) and Logistics.
- 9 Product or Activity Groups: Retail Banking (individual and small/medium sized companies, mortgages); Allfinanz, Bancassurance, Personal Financial Services; Private Banking; Asset Management for Institutions, Funds; Trading (Securities, FX, Commodities, Derivatives); Brokerage; Investment Banking (Prim. Mkt., M&A, Financial Engineering); Wholesale Banking (Loans, Structured Financing, Syndication, Securitisation); Logistics for 3rd Parties: Insourcer for Outsourcers (Back-/Mid office, Finance, Risk Management; comprehensive risk management for risks of all sorts incl. insurance).
- 5 Prime Value Generators for the Product or Activity Groups: 1 = Operational Excellency: Standardisation, Segmentation; 2 = Client Orientation: IT-Contacts plus physical Client Contact; 3 = Excellency re Product, "Market Touch"; 4 = Capital Strengths, Rating & Standing; 5 = Critical Size and/or Market Share. The chart assigns the relevant value generators, by number, to each product or activity group.

1.3 Operational Risk in Risk Management

The management of market and credit risks has made great progress as to its methodologies and quantification approaches, given the vast and reasonably reliable data and statistics. This does not mean that misjudgements as to the future are rarer, but the approach is more empirically founded. Operational risks - not new, but in a new environment - have received tremendously increased attention very recently. Activism abounds. The confusion as to OpRisk and its management is quite impressive in the industry: Definitions not settled, data hazy, frameworks different, models complex and/or not (yet) credible, academics impractical, consultants looking for new assignments lack a track record, quants hungry for fresh challenges. Supervisors - in spite of all - are eager to get additional capital charges. What an imbroglio to start with?!

Operational risk management is - simply put - good management and close to quality management. You can name anything out of "banking life"; it almost certainly has an operational risk touch. As management in financial services is dealing with people for people - in a continuous process and ever changing environment - there cannot be an easy answer or a simple model. While dealing with "operational risks" more closely, I realised the breadth and complexity of such a task. This should make every manager humble, also in the judgement on competitors. OpRisk losses, i.e. mistakes and failures, happen daily in every financial services organisation: some negligible, some more serious, very rarely they can be very grave.

The general environment for financial services will continue to change dramatically. It will call for significant and continuous adjustments in the way enterprises do business and adapt their operations. As a result, OpRisk will primarily be driven by:
- New products
- Product sophistication
- New distribution channels
- New markets
- New technology
- Complexity (IT-interdependencies, data structures)
- E-Commerce
- Processing speed
- Business volume
- New legislation
- Role of non-government organisations
- Globalisation
- Shareholder and other stakeholder pressure
- Regulatory pressure
- Mergers and Acquisitions
- Reorganisations
- Staff turnover
- Cultural diversity of staff and clients
- Faster ageing of know-how
- Rating Agencies
- Insurance Companies
- Capital Markets

With dramatically increased competition - also from non-banks - a successful OpRisk management is crucial for survival. In the future, the market will be less forgiving of any colossal lapse. Reputation is increasingly also built on OpRisk management skills. These are some of the reasons why OpRisk gets such attention at present. Let me stress, however: OpRisk and OpRisk management are not only about risks and threats. Both are chances and opportunities as well. New approaches can solve many old problems. They also force a priority setting, given the interdependencies of internal projects and external pressures. A financial services organisation must be a learning organisation and increasingly also a "knowledge-organisation".

Chapter 3 deals with the definition of OpRisk. Having observed the financial scene for some years, I have included in chapters 4 and 5 the experience of 9 mishaps in the financial world and the very concrete experience of the oldest organisation with operational risks: the military. Chapter 6 deals with the more high level management issues, while chapter 7 presents some OpRisk instruments and tools. OpRisk transfer is discussed in chapter 8. OpRisk data and quantification follow in chapters 9 and 10. Concerns and issues of regulators and supervisors are presented in chapter 11, while areas of future concern for OpRisk management are in the final chapter 12.

It would be quite presumptuous to try for a complete paper on "good OpRisk management" or "good management": This paper contains suggestions based on personal opinion and observations, including the ones from Credit Suisse Group (CSG). I am fully aware that every organisation is always in different stages of quality performance and process sophistication. I also know that there are many "paths to Rome". There is often not "only one solution" in management.

1.4 The 12 Golden Organisational Principles in Risk Management

Ahead of the OpRisk discussion, my following 12 Golden Rules in Risk Management should be a guide throughout the presentation. They are the result of observations and adjustments over the years and apply to OpRisk aspects as well. The reader will also realise that I seem to have a "preoccupation" with the number 12. Over centuries, the number 12 has played the symbolic role of completeness - which is somewhat ambitious for an active banker. More important, my observations tell me that "12 messages" are just about digestible to keep one's attention span. Some of the following 12 conclusions or issues sound banal, but probably are the more vital elements when it comes to implementation.

Table 1.1: The 12 Key Principles in Risk Management

Our principles have not changed, but as a "learning organization" in a dynamic environment we are continuously adjusting the contents with new priorities or refinements based on experience. Thereby no organization ever achieves an ideal or perfect positioning in every respect. The issue is not the intellectual level of the 12 principles but rather their diligent implementation, which is challenging in a diverse, global and changing world.

Executing the Fundamentals

1. Risk is uncertainty about future results.
- Do not fear but respect risks.
- Risk taking = risk management.
- "Informed and intelligent" risk-taking.
- Know what you do not know.
- Never forget "extreme event" risks. Deal with the consequences of the unexpected cases.
- Watch liquidity/flexibility aspects in turbulent times.
- Credibly quantified and relevant risks represent an opportunity.
- Ensure the balance of gains versus losses, including attention to proportionality, concentration and diversification -> active portfolio management.

2. Risk management is a tenacious process, not a program.
- Prevention ahead of correction.
- Focus on long-term initiatives versus short-term ones.
- Ongoing questioning of strategy.
- "Best practice" as goal. However, "best practice" must be applied intelligently - no "fads".
- Prioritise disciplined processes and structures, simplicity, safety, speed.
- Capital allocation based on Economic Risk Capital.
- Watch harm by association.

3. Clear structure, allocation of responsibility and accountability and discipline are basic preconditions.
- Clear and communicated responsibility and accountability.
- "Ownership" of issues and risks, embedded in aggregated processes, rather than controlling the numbers.
- No conflicts of interest, i.e. front office versus support areas - but "constructive tension" where appropriate.
- Transparency as to policies, directives, structure, systems, etc.
- Adequate compliance environment: Responsibility lies not only with immediate heads -> leadership function of each management level.
- Know the rules of the game: courage for unpleasant measures with a "culture of consequences". Rigorous measures in case of non-compliance/breaches.
- It takes a lot of discipline, training and time to get everyone worldwide on an adequate control/compliance level.
- Risk and compliance awareness ideally with everyone. Emphasize furthering the risk culture.
- Care about substance, not only legalistic form: "smell test" with "overall view".
- Thoughtful self-challenge - especially rigorous audit reports - can provide a formidable basis to avoid/limit operational risks.

4. Completeness, integrity and relevance of data/systems/information as a basis.
- No diagnosis without information.
- What is measured, observed and recognized gets attention.
- Data characteristics are ideally: complete, consistent, objective, transparent, standardized, auditable, interpretable, replicable, comparable across the institution, and above all relevant and credible as to facts and perceptions. If not credible, cynicism abounds.

Retaining the Perspective

5. The 6 S's for the systematic mental discipline of an organization: the logical sequence.
- Strategy -> structure -> system -> systems -> safety -> speed.

6. Management of risks for the own organization comes ahead of risk management for supervisors/regulators.

7. Risk management is part art, part science.
- Common sense for reality checks.
- Risk management is often the art of drawing sufficient conclusions from insufficient premises.
- Combine overall judgement by experienced people with specialist knowledge, intuition and inspiration for risk and market direction.
- Facts, perceptions, expectations - all are important.
- Markets might promise but never guarantee anything.
- To be right too soon is also wrong: timing is the issue.
- Not all risks are relevant and/or quantifiable, as there is no reliable base material: also here, use the 20/80 approach.
- Watch internal and external exuberances and paralysis.
- Theoretical rigidity may not prevail over practical relevance and credibility.

8. Limitation of models.
- A model is always a strong reduction/approximation of a more complex reality.
- Models are as good as the underlying assumptions: "garbage in" - "garbage out" effect.
- Models are always only part of an overall risk management approach and must include common sense.
- New external parameters and continuous restructurings can make models questionable.
- "Reductio ad absurdum" may lead to a "model figure" but is irrelevant in the overall context.
- Comparisons of absolute model figures with those of third parties are questionable: The prime internal value added of a good model - including the stress test - is its trend over time.
- Data is ubiquitous and abounds: Timely sorting and packaging in the proper context creates relevant information and value added.

9. Complex organizations, restructurings and projects can add risks. Counterbalancing is a management task.
- The more complex a risk type is, the more specialized, concentrated and controlled its management must be.
- Complexity is the enemy of speed and responsiveness: try hard for simplicity, especially for models.
- Faster race - higher bar: antennae out to receive and implement internal and external input.
- Specialists can "walk out" easily in good times.

Focus on the Human Aspect

10. The human element is THE critical factor of success.
- Successful risk management is primarily the result of the capacity, aptitude and attitude of the people involved: people shape the culture.
- Good mix of professional, open-minded and honest people with formal training, professional and life experience.
- Professionalism includes: inquisitiveness, integrity and character.
- Honesty includes intellectual honesty: Cover-ups are lethal for reputation and brand equity.
- Lead by example - practice what you preach.
- Mistakes or misjudgements are unavoidable: The ways of correcting mistakes are part of the culture.

11. A financial institution is a "knowledge and learning organization".
- People with authority especially must be educators: source, share, synthesize and save knowledge.
- Self-management and leadership with regard to a culture of open communication based on "experience" and know-how are increasingly challenging: Ban knowledge-hoarders and turn knowledge-givers into heroes as part of the evaluation/incentive process.
- Continuous learning and training is part of the evaluation/incentive process.
- Learn from mistakes and determine causality.
- Knowledge alone is not enough: it is the rigorous implementation which leads to results.

12. A responsible control/compliance/risk culture is as important as the most sophisticated quantification.
- Risk culture on the whole is the final responsibility of the top management.
- Those values count which are enforced.

© H.-U. Doerig, 2003

2. Summary and Outlook: 12 Conclusions

1. OpRisk management is nothing new per se. Risk management and OpRisk management in banking have been around since the inception of banking. Over the last 10 years, risk management, especially for market and credit risks, has reached the impact stage. OpRisk management today is gaining prominence, but the stage of full quantitative impact has not been reached. Its quantitative foundation - with credible, relevant and meaningful total figures - cannot be expected in the near future. Perhaps it never will be! From obscurity OpRisks moved to respectability. From respectability they have at least reached prominence. What is new and will become a more prevalent development:
- Generally increased risk awareness, including OpRisk
- More rational, more analytical attempts to identify, define, categorise, measure, quantify and partly transfer losses and risks
- Closer attention by regulators
- Attention by and responsibility of senior management and Board of Directors
- OpRisk seen in a broader context
- A fast changing environment in which OpRisk management takes place: boundaries increasingly blur, more non-banks enter the turf, consolidation and convergence in the industry continue, dis-intermediation and global capital markets grow faster

2. OpRisk is not "other risks": The term "other risks" stems from the obsolete notion of OpRisk as all non-market and non-credit risks. Many institutions have moved away from this negative definition to a positive definition. Market and credit risks are revenue driven; OpRisks are not. OpRisks are usually not willingly incurred; also for reputation reasons, OpRisks are avoided. OpRisks are primarily institutional, "internal", "bank made", incredibly multifaceted, interdependent, context dependent, often judgemental, often not clearly discernible vis-à-vis e.g. market and credit risks, and not diversifiable. OpRisks cannot be laid off in liquid trading markets: OpRisks are only eliminated if a bank ceases to be. Often they are insignificant in an overall context. OpRisk management is often close or parallel to quality management and, therefore, contributes to client satisfaction, reputation and shareholder value. These are some of the reasons why the definition, measurement and modelling of OpRisk are so difficult to come by.

Having recognised the above, a suggested OpRisk definition could be: "Operational risk is the risk of adverse impact to business as a consequence of conducting it in an improper or inadequate manner and may result from external factors." This definition needs categorisation: Organisation, Policy / Process, Technology, Human (management and staff), External.

3. The OpRisk management of the future has to be seen in the wider context of globalisation and Internet-related technologies. The 2 major future drivers - globalisation and Internet-related technologies - will challenge the banks to take on additional and partly new OpRisk: avoidance of a "double click imbroglio". Globalisation - with its many advantages for the stakeholders of a modern firm - usually adds complexity and diversity of cultures. A common culture and a common risk culture will be one of THE challenges for a globally oriented organisation. The increasing globality of financial services increases the demands on governance, compliance, control, security, privacy protection etc. Ubiquitous computing and Internet-related technologies (IRT) make every business a data-based business in a new e-economy. IRT changes everything. IRT is no longer just a strategy supporter, but a strategy enabler: it enables transactions and services any time, instantaneously, with no barriers, at decreasing prices. Old World and New World are moving towards One World. While computing solves many OpRisk problems, it also creates new ones in IT. Such a "technical environment" represents a major new challenge for management and especially for OpRisk management. Managing a modern company means managing on behalf of all core stakeholders, including environmental and social responsibility. Creating value for clients, staff and business partners is a precondition for creating shareholder value. Sustained and sound profitability is also the best contribution to avoiding systemic risks and protecting savers.

4. Good OpRisk management - in combination with quality management - is a decisive base for enhancing the reputation of a bank: OpRisk deficiencies appear in every bank, almost daily. In a major crisis, the responsibilities for the disaster and the OpRisk management capability to deal with the aftermath become more visible. However, shareholders and other stakeholders will be much less forgiving of a major OpRisk mishap in the future. In a crisis situation, the impact on market capitalisation and reputation can be significant during the first few months. Thereafter, consistent and effective communication as well as honesty show a fundamental financial value.

5. The control and compliance environment is increasingly checked by supervisors, who more and more ask for individual responsibility. Good OpRisk management prevents crises. The only alternative to good OpRisk management is crisis management. With good OpRisk management an organisation manages its risks. In a crisis, the crisis itself often manages the organisation.

6. OpRisk has been controlled, at least in some fashion, for years. A more analytical OpRisk management approach is emerging: The attention it receives is a multiple of what it was only 5 years ago. It is now becoming more formalised and increasingly measured or at least consciously observed. All the more important is good management, along the diligent, daily management of the 12 S's of an organisation: strategy, structure, system/s, staff, skills, style, shared values, safety, speed, stakeholders, symbol, synchronisation, as discussed in chapter 6. Thereby, clear structures and processes with a defined allocation of responsibilities are preconditions for a successful OpRisk management.

7. Banks face continued dilemmas which have OpRisk ramifications:
- The most venerable versus the most vulnerable
- E-commerce hype versus hubris
- Dot-com culture with rapid responses and change versus structured, disciplined, systematic, sometimes slow structure / system and legacy systems
- Innovation, "entrepreneurship" and "intrapreneurship" versus structure and processes
- Consistency and predictability versus change and innovation
- Long term orientation versus short term performance pressure
- Security versus speed
- Scale and standardisation versus scope and differentiation
- "Roots" versus "strong wings" of management and staff in global organisations
- Local conditions versus global pressures: "glocalism"
- Maximising activities where the outcome is controlled and minimising exposures for which there is little or no control over the outcome
- Operating and capital allocation efficiency versus compliance, control and capital requirements of supervision
- Shareholder pressure versus other stakeholders' expectations
The winners will be those who understand the forces of change best, implement accordingly and "synchronise" their efforts optimally in turbulent times.

8. OpRisk management is a continuous learning process: OpRisk management is not a program, it is a continuous, diligent process throughout an organisation. Remember the pains in building market and credit risk models over the years, with an incomparably better database. They became core and standard management tools. Based on this lesson: Think first, organise second and act third in the right and not the wrong direction.

9. The financial services industry as a whole - notwithstanding the major differences among banks - has made considerable progress over the last 2-3 years in OpRisk areas, such as: definition, concept, structure, procedures, reporting, systems and staff, tools and models, risk transfer solutions and potential risk quantification, aspects of strategy and planning, capital allocation and risk transfer. There will be a convergence of a common definition, except for some subcategories which might not be relevant in the overall context, but it will take years. There is still a long way to go to reach an effective, complete, credible and implementable OpRisk analytical framework. However, the momentum is building each year with improved data on hand.

10. Existing OpRisk measurements and tools are usually not expressed in financial terms, excepting loss databases. There is no credible and satisfying overall model applicable to "OpRisk at large" available for the quantification at present. I doubt whether there can be one "catch-all" OpRisk model with a credible outcome: "more sizzle than steak"? Many statistics - as shown in chapters 7 and 9 - can be misleading, inconsistent, irritating and confusing. In addition, it is management which is responsible for the reasonableness and credibility of models, not academics, quants, or supervisors. OpRisk measurement and internal loss information should - also in the interest of rational data collection - be guided by the following characteristics: Relevant in the overall context, objective, consistent, interpretable, teachable, auditable and above all, credible by facts and perception, minimally standardised to be used across institutions. Financial institutions and regulators / supervisors should be aware of the cost / benefit relationship of setting in place the quantification of OpRisk involving data gathering, tools, models. The credibility of OpRisk measurement is enhanced if there is quantitative evidence of cost of collecting data versus benefits of measurement. The experience of setting up such systems for the quantification of market risks indicates the cost and inertia involved for changing the system and systems for a relatively little disputed analytical approach.

We should not overlook that an analytically sophisticated, credible and accepted approach to risk management is only one important attribute of a strong risk management effort. Important, however, remains the relevance and credibility of such attempts. A simple number can be so intriguing, but do not ever forget the "garbage in - garbage out" effects. A "false sense of security" could lead to wrong priority setting and counterproductive outcomes. Also, there always has to be ample room for common sense. "As people are walking all the time in the same spot, a path appears." (Lu Xun)

11. Risk management is always and consciously an integrated part of good business management. Sound OpRisk management is, therefore, becoming a core competency of risk management and of general management, synonymous with good customer service, which supports reputation and share price. Risk management becomes TQM and, especially if more ex-ante and not exclusively ex-post oriented, a sophisticated risk management framework with more analytical and predictive contents. Loss events are opportunities to improve structure, system and systems, controls. The focus on quantification attempts is increasing. On the one hand, there are more traditional concerns about "high frequency, low impact" losses with concerted efforts like quality management, straight-through-processing, with corresponding risk transfers. On the other hand, there is a pronounced concern for "low frequency, high impact" losses. For more, see chapter 10. Developments to be expected:
- Greater involvement and "buy-in" by senior management and Board of Directors.
- A greater general awareness and institutionalisation of risk management, including OpRisk.
- Greater visibility of the risk management function and its place within the organisation.
- A more conscious analytical and multi-disciplined integration of credit, market and OpRisk control functions: internal and external audit, product control, finance, legal and compliance, insurance, operations.
- A better focused business approach: a move from a "defensive" posture of OpRisk management to an "offensive" positioning.
- Strategic planning is linked with risk management and OpRisk.
- Credible and relevant internal database systems become more commonly defined, standardised, structured, systematic, comprehensive and consistent as part of a modern risk management framework.
- Data sharing agreements in neutralised form get created, excepting very confidential data on legal disputes.
- Tools become more integrated and are also used by line or front functions.
- Internal and external audit play a crucial role.

- Internal economic risk capital models include OpRisk in view of more internal rational capital allocation targets.
- Risk transfer becomes part of an integrated OpRisk management, as presented in chapter 11: More risk transfer to third parties which are able to analyse, diversify and bear OpRisk of banks: insurance for external risks and for integrated risk products as well as for standardised capital market transactions. Extreme internal and external risks (e.g. rogue trading, hackers, IT security) become increasingly insurable. Some insurance companies increasingly "detect" the huge potential in this market. Reliable and punctual insurance protection will have to be recognised by supervisors.
- More outsourcing of non-core activities and partnerships with banks and non-banks, especially Internet-related. All this entails new aspects of OpRisk which need close attention.
- Regulators and supervisors, especially with the planned BIS Pillar 1 - 3 approach, take on a greater interest and a rather pronounced responsibility in the OpRisk arena. Banking supervision is firmly risk-based. New regulatory and supervisory standards and entities converge; cooperation and information sharing between supervisors gets closer. Global rules? More intervention? More judgements on management? More influence on the strategy of a bank? The level playing field remains - unfortunately - an unresolved issue, as shown in chapter 8, which is just not fair.

Regulators and supervisors should hopefully be positively impressed by the ongoing conscious OpRisk management efforts in the industry. Various regulators and supervisors seem to prefer a simple "box-ticking OpRisk capital charge", which is difficult to evaluate credibly or ignores the relevant issues like "good management". Understanding and managing OpRisk is more important than putting a regulatory value on it. Close to 100% of the benefit of OpRisk management is derived from the fact of doing so. There are many different ways other than "capital" to judge an organisation. Risk creates value; profits come from taking risks. For such profitability and growth, good OpRisk management is core. Regulators and supervisors who do not take this truism into account - well-meaning in the name of creditors' and investors' protection and avoidance of systemic risks - end up in making the financial system more unstable. The BIS should be encouraged to add a Pillar 4 to the suggested and discussed Pillars 1 - 3: sustained sound and diversified profitability as THE precondition and THE contribution to protect creditors and to avoid systemic risks. This would have fostered the credibility of regulators.

According to supervisors, OpRisk should be supported by a Pillar 1 capital requirement for each bank and additional Pillar 2 capital for "special OpRisk situations". With Pillar 2, the supervisors take on an additional risk management layer for the respective bank. However, there are continued arguments about the justification for Pillar 1 OpRisk capital requirements. Regulators and supervisors finally have to come to grips with the following issues:
- Really threatening OpRisk issues for banks have been very rare in the past; they were not of systemic nature. The 9 major mishaps of financial institutions as discussed in chapter 4 were all issues of management, not of regulatory capital. Civilian and military studies - presented in chapter 5 - reveal: Insufficient management and processes were responsible for 80% of the mishaps. There are better "checks and controls by supervisors": industry knowledge, management know-how and judgement capabilities, which have nothing to do with regulatory capital. That is the challenge for supervisors.
- Convergence is observed in almost all financial activities. Why not convergence of the very same activities' regulatory environment? Non-banks are exposed to the same OpRisk as banks. Both represent similar "systemic risks". What are the measures of the regulators to avoid such potential systemic risks of non-banks? Why care about systemic risks by banks while ignoring those by non-banks?
- Why should banks be charged with a special OpRisk regulatory charge? Why should banks become less competitive?

12. OpRisk management is good management of the 12 S's of an organisation as described under chapter 6: Senior management is called upon to act. OpRisk management is only very partly rocket science and partly social science, as the targeted objects and issues change continuously and the past does not repeat itself in the same context. Good OpRisk management relies on proper corporate culture with a diligent risk culture and a positive acceptance of control. Discipline is the discipline for good OpRisk management. Good OpRisk management may never get a Nobel Prize, but is still core for successful survival.

Good OpRisk management within a proper risk culture includes:
- Proper structure and governance
- Risk management visibility
- Control, compliance
- Forward-looking internal audit and corresponding follow-ups
- Proper tools and analytical measurement of OpRisk
- Attempts for credible and relevant quantification
- Proper skills and style
- Continuous adjustments of safety measures, especially related to Internet activities
- and above all: A shared values attitude as to "acceptability of risks"
When an organisation reaches and maintains such a challenging level, it achieves the most important steps towards a successful OpRisk management. Every employee should ideally be a risk or control manager in his/her daily activity: A general pure awareness of risks is already a major step towards successful OpRisk management. Not surprisingly, the critical OpRisk management success factor is management and staff: experienced people with integrity, credibility, visibility and acceptance within the organisation. It is human beings in an organisation serving human beings with their actions and reactions. OpRisk is not so much about capital and models, it is about management: diligent, arduous and daily OpRisk management supports the stability and continuity of a firm. The issue, therefore, is not capital. This strong statement - I hope it is strong enough - is evidenced by the experience of the major mishaps in the past financial history and by the experience of the military with the longest OpRisk exposure of human history. Finally, good OpRisk management improves quality and reduces cost by cutting risks. As a consequence, good OpRisk management amounts to a competitive advantage and is reflected in the shareholder value. "Tout ce qui mérite d'être fait, mérite d'être bien fait." (Inconnu)

3. Operational Risks: Framework for Definitions and Dimensions

3.1 Operational Risk Definitions

Before managing anything, it is important to know what it is to be managed. Therefore, a definition of OpRisk is needed. This definition has to be understood, accepted and identical across an organisation. Theoretically, there are as many definitions as there are financial institutions. A common practical definition of OpRisk does not exist in the literature nor in the industry, as shown in Chart 3.1. The survey of BBA (1999)1 provides a good overview of the different views on OpRisk definitions. To summarise its results:
- A consensus about the nature of OpRisk is emerging as regards OpRisk being the risk of losses resulting from inadequate or failed processes, people, and systems or from external events
- Definitions of OpRisk in each specific firm are different
The widespread confusion prevailing in the financial industry about OpRisk is somewhat fading, progressively opening the way for more convergence of its generic features. This, however, does not mean that a unique, positive, industry wide definition of OpRisk will emerge.

Chart 3.1: OpRisk Definition Types in the Financial Industry (pie chart of surveyed institutions; categories: single, positive definition; multiple definitions; exclusive (TR-MR-CR) definition; no formal definition; shares shown: 49%, 31%, 15%, 5%; the exclusive definition accounts for 15%, see footnote 2). Source: BBA (1999).

1 See British Bankers' Association, ISDA, RMA, PricewaterhouseCoopers (1999), Operational Risk, the next frontier, Philadelphia, 1999, pp. 29-38. This reference will be quoted BBA (1999) in the following.

The following sample of the major OpRisk definitions by the industry and regulators shows that, while there is a broad agreement on the general concept of OpRisk, diversity in some detailed aspects will continue to prevail:
- "OpRisk is the risk of everything other than credit and market risk"2
- "OpRisk is the risk associated with the Operations department" (narrowest definition)
- "OpRisk is the risk that deficiencies in information systems or internal controls will result in unexpected loss. The risk is associated with human error, systems failure and inadequate procedures or controls" (BIS)3
- "OpRisk is the risk of direct or indirect losses resulting from inadequate or failed processes, people, and system or from external events" (BBA/ISDA/RMA)4
With OpRisk, the devil lies in the details. Each institution has its own, individual and unique operational setting. Thus, to be able to manage OpRisk might require tailoring its definition and its sub-categories to the firm's specific setting.

3.2 Five major OpRisk-Categories and their Sub-Categories

The following OpRisk-definition is used by Credit Suisse Group:
"Operational risk is the risk of adverse impact to business as a consequence of conducting it in an improper or inadequate manner and may result from external factors. OpRisk may tangibly manifest itself in the likes of business disruption, control failures, errors, misdeeds or external events, and can be captured in five major OpRisk categories: Organisation, Policy/Process, Technology, Human, External"
The 5 suggested categories are major and they present a valid base for solving problems for management. The crucial issue is the intellectual framework and discipline for present and future problem-solving approaches under new paradigms:
1. Organisation: risks arising from such issues as change management, project management, corporate culture and communication, responsibilities, allocation and business continuity planning.
2. Policy and Process: risks arising from weaknesses in processes such as settlement and payment, non-compliance with internal policies or external regulation or failures in products or client dealings.

2 This is the definition of 15% of the 55 institutions surveyed in BBA (1999).
3 BIS, Basel Committee on Banking Supervision, Risk Management Group (2000), Other Risks (OR) Discussion Paper, BS/00/27, April 2000, p. 29. Quoted as BIS (2000).
4 BBA (1999), p. 29.

3. Technology: risks arising from defective hard- or software, failures in other technology such as networks or telecommunications, as well as breaches in IT security.
4. Human: risks arising from failure of employees, employer, conflict of interest or from other internal fraudulent behaviour.
5. External: risks arising from fraud or litigation by parties external to the firm, as well as lack of physical security for the institution and its representatives.

Not surprisingly, the 5 major OpRisk categories need further refining. After all, complexity requires breaking down and simplification. Subcategories have to be created which allow the adding of new OpRisk aspects and the subtracting of obsolete ones. They allow one to be more specific on firm relevant risk drivers which require focus and responsibility assignment. It is important that this sub-categorisation relies on a root analysis, i.e. causation of OpRisk loss events. By linking causation to relevant business activities, it is intended to use this structure as a tool with which to act upon OpRisk, thereby providing management with an OpRisk framework. The structure also lends itself to possible quantification by drawing upon data sources relevant for modelling as well as for qualitative reporting. These 20 sub-categories cannot be considered as complete. As methodologies and techniques advance at CSG, so will these sub-categories be refined or deleted. Important is the intellectual, organisational and continuous discipline in categorising the risks and in doing something reasonable about them:

Table 3.1 OpRisk Sub-Categories
Organisation: 1. Governance / Structure; 2. Culture; 3. Communication; 4. Project Management; 5. Outsourcing; 6. Business continuity; 7. Security
Policy / Process: 8. Policy and process; 9. Compliance; 10. Product; 11. Client
Technology: 12. Communications; 13. Hard- and Software; 14. IT Security
Human: 15. Employee; 16. Employer; 17. Conflict of interest
External: 18. Physical; 19. Litigation; 20. Fraud

While it is impossible to describe all aspects of each of the 20 sub-categories in this paper, important here is to focus on the structure, the framework-basis, and their relevance to the daily management of any financial services firm: Identify the format and follow it with discipline. To do this, the pragmatic management angle should be taken. Intellectual honesty should prevail in identifying the most appropriate technique, particularly for risks that only allow an approximate quantification. The reliance on using available but misleading data should be carefully evaluated. Models should never prevent managers from using their common sense.

3.3 Overlaps between Risk Classes

Chart 3.2 is an attempt to map the risks faced by a firm providing banking and insurance services. These risks are partly overlapping or interdependent. The main challenge for risk management is to separate them in an intelligent way. This exercise is complex and time consuming. It requires a "positive definition" of each risk class. An essential component of the exercise is to identify the best way of managing a risk class in a uniform and coherent manner, whether quantitatively or qualitatively based. The ability to use a common, uniform management technique based on the peculiar features of a risk class provides the rule for drawing the line to other risks. This separation exercise forms core risk classes for the daily management and quantification where possible and credible. The activity focus of the firm is at the basis for determining the priority risk classes and developing or refining appropriate management tools and techniques.

Chart 3.2: Overlaps between Risk Classes
- Reputation Risk = Risk of losses by not meeting stakeholders' expectations
- Strategy Risk = Risk of losses from not choosing "to do the right thing"
- Credit Risk = Risk of losses from borrowers not meeting their obligations
- Market Risk = Risk of losses from value changes of financial instruments
- Business Risk = Risk of losses from business volume changes
- Insurance Underwriting Risk = Risk of losses from unexpected insurance claims volume
- Operational Risk = Risk of losses from not "doing things right"
Source: Credit Suisse Group / GRM, 2000.

3.4 Operational Risk ≠ Total Risk - Credit Risk - Market Risk

Defining OpRisk in an exclusionary way - i.e. "total risk - credit risk - market risk" - prevents from identifying a structured way of managing it. Some supervisors define Total Risk = Market Risk + Credit Risk + Other Risk. "Other Risks" include primarily risks as to strategy, reputation, liquidity, interest rate, commission and fee income, legal, etc. Ideally for some supervisors, models would produce a regulatory capital for all "Other Risks", which is certainly not yet feasible in a credible fashion. Regulatory capital is not the solution for every risk. Risks as to strategy, reputation, liquidity, interest rate and commission and fee income have each to be, and can be, handled in a different fashion.

Strategy is doing the right thing at the right time. Strategy risk deals with the existing base of a bank and its options. It is not so much the strategy, but implementation, which in turn is OpRisk. The legal environment and its changes are part of strategy risk. The best measure is relative share performance.

Reputation is the outcome of the mix of doing the right thing and doing things right over an extended period. Reputation is a reflection of facts, perceptions and expectations and a key factor for the share price, rating and attracting and keeping good staff. Reputation risk is the aggregation of the outcome of all risks plus other internal and external factors. The relative assessment comes from the market, i.e. the relative stock performance.

Interest rate and liquidity risks are for my taste part of market risks. Models are available for determining "outliers", i.e. those who are significantly above average for interest rate risks. These risks are not covered here.

Commission and Fee Income risk (C&F) is above all determined by outside forces: market moves, margin pressures, operations, revenue growth, number of clients growth. C&F risks are primarily revenue related and can be stress-tested with simple what-if analysis which can be easily compared across banks: What if business volume decreases by e.g. 20%? What are the effects on total revenues, commission and fee income, NIAT, dividends? What is the organisation's flexibility to adjust to a downturn over years? For Economic Risk Capital, an earnings-at-risk model based on a what-if analysis serves the purpose.

Legal risks - like litigation, documentation issues - are part of OpRisk. Credit and market risks originate from outside the bank. In contrast, OpRisk originates primarily from within the specific organisation, except risks in the category "external".

3.5 The Dimensions of OpRisk Management

Sustained, attractive returns increasingly depend on excellent risk management, including OpRisk management. OpRisk of a bank is not new: it is as old as banks are. To understand the risks has always been a fundamental, if only implicit, management process. What is new is:
- The increased explicit awareness and consciousness of managers and senior management for OpRisk issues
- The explicit and analytical approach
- The better awareness to gear an organisation's risk profile towards those risks for which it has a comparative advantage in managing
- The pressure to allocate capital more consciously
Risk management can add value and represent a valid business case in two dimensions:
1. Control: Independent risk assessment, limits, escalation, corrections, progress reporting, supervisory requirements, etc.
2. Shareholder value creation: efficiency, correct risk evaluation and pricing, product enhancements, improved reputation, rational economic capital allocation, reduction of regulatory capital, duplicate control avoidance, competitive strategic advantage, etc.
The dimension "1. Control" basically covers the following: avoiding accidents, complying with rules and regulations, business continuity planning, catching non-compliance and illegal actions, complying with usual management needs. The dimension "2. Shareholder value creation" adds a further stage which treats OpRisk more like a real business. OpRisk management also gets close to quality management, efficiency management and the concept of opportunity cost. Naturally, the line between control and shareholder value creation is difficult to draw. OpRisk management, therefore, can move from one extreme to another one: Crisis management → business continuity planning → compliance → shareholder and other stakeholder value enhancement. The spectrum moves from the Bottom to the Board Room. Important is the direction to be chosen. There are neither ready-made solutions, nor quick-fixes. Confusion is ubiquitous, activism is widely-spread - and consultants enjoy heydays.

Any major OpRisk management project has the following five preconditions for success:
- Strong management support
- Credibility overall
- Small realistic steps: all at once is impossible
- A better organisation afterwards
- Respect the constraints: compliance also with supervisors' requirements
Such a project may not be just "another project". "Alles soll so einfach wie möglich gemacht werden. Aber ja nicht einfacher." (A. Einstein) Everything should be made as simple as possible. But not simpler.

3.6 The four Stages of OpRisk Management

Implementing OpRisk management implies the progression through the following four stages5 in Chart 3.3:

Chart 3.3: Stages of Operational Risk Management Development
Stage 1: Identification
• Data collection
• Prioritisation of risks
• Significant business unit involvement
• Limited technology usage
• Significant use of manpower
Stage 2: Metrics & Tracking
• Finding quantifiable means to track risks
• Creation of reporting mechanism
• Significant business unit involvement
• Investment in automated data gathering & workflow technologies
• Significant use of manpower
Stage 3: Measurement
• Development and continuous refinement of modelling approach
• Creation of OpRisk data
• Majority of effort borne by OpRisk Group
• Significant technology development effort
• Limited use of manpower
Stage 4: Integrated Management
• Integration of OpRisk exposure data into management process
• Significant senior management involvement
• Management of OpRisk exposures (e.g. insurance)
• Investment in processes, limited technology or manpower required
Source: Meridien Research, 2000

Meridien Research approximates the lead time for Stage 1 to Stage 4 with a minimum of 2-3 years, depending on the complexity and the size of an organisation. The research indicates that most of the Top 500 financial institutions worldwide are still in stage 1 and 2. A handful has attained Stages 3 and 4. However, internal acceptance and credibility of the tools and figures produced are not without doubts.

5 Meridien Research Inc. (2000), "Time for a New Look at Operational Risk", New York, Feb. 2000 - to be checked with Meridien

4. Major OpRisk-Mishaps in Financial Services: 12 Lessons learned

4.1 Introduction

Mistakes create opportunities. Exploiting such opportunities requires a willingness and capacity to learn. In fact, most individuals and institutions tend to avoid "twisting the knife in the wound", viewing mistakes as shameful and preferring to address new challenges rather than to resolve old ones. To tackle OpRisk, we must overcome this cultural barrier and refrain from turning the page of a mishap before having read and re-read it attentively! Analysis of past internal or external mistakes is key to at least partially avoiding them in the future. The aim of this chapter is to do such a revisiting in order to derive lessons from past collapses commonly associated with an OpRisk event. This should help us to devise priorities and areas of focus for a successful OpRisk management.

Existing OpRisk literature devoted to the investigation of lessons learned from past losses focuses on a few highly publicised events.6 This is primarily due to a widespread cultural barrier leading firms and individuals to disclosing only a minimum of information concerning financial mishaps. Articles and books discuss selected cases in more detail.

4.2 Overview of 8 selected Mishaps since 1991

The reviewed mishaps in Chart 4.1 were selected based on CSG's definition of OpRisk: "... adverse impacts to business as a consequence of conducting it in an improper or inadequate manner ...". This selection encompasses cases where market risk or credit risk were sometimes also at play. However, the incurring of both these risks was exclusively a consequence of an uncontrolled OpRisk. Operational mishaps are primarily triggered by significant breaks through existing floors and controls set by market or credit limits. This allocation rule to OpRisk versus market or credit risk leads to an overestimation of the level of OpRisk. Therefore, my approach in using the losses of a mishap is probably exaggerating the level of "pure OpRisk".

6 Based on Operational Risk.com research team material, e.g. Gapper, J., Denton, N. (1997), All that Glitters - The Fall of Barings, Penguin Books, 1997; Norris, F.: "Orange County Crisis Jolts Bond Market", The New York Times, Dec. 8, 1994; "Sumitomo losses show up poor links", Computing, Jun 20, 1997.

Chart 4.1: Features of 8 selected operational risk mishaps since 1991 (part 1 of 2)

Mishap: BCCI 1991
- Approx. total loss amount (in USD bn): 10
- Loss in % of capital and loss to creditors: about 100% of equity; 70% loss to creditors
- Speed of irregularity maturating to mishap: Slow
- Irregularity description: Wide range of illegal activities including i.e. money laundering, fictitious deposits, fraudulent loans
- Perpetrator: Top management
- Crisis trigger: Regulatory audit report on massive fraud
- Failures along the 5 major OpRisk-categories (CSG):
  Organisation: Governance, structure, secrecy model, culture of trust only
  Policy / Process: Regulatory and legal compliance
  Technology: ---
  Human: Fraud by owner
  External: BoE action timing

Mishap: Metallgesellschaft 1993
- Approx. total loss amount (in USD bn): 1.4
- Loss in % of capital: 44%
- Speed of irregularity maturating to mishap: Fast
- Irregularity description: Dissimulation of excessive hedging exposure
- Perpetrator: CEO, CFO and staff of subsidiary
- Crisis trigger: Unfavourable market turn
- Failures along the 5 major OpRisk-categories (CSG):
  Organisation: Governance, culture, allocation of responsibilities, communication breakdown
  Policy / Process: Policy incoherence, inadequate documentation
  Technology: ---
  Human: Inadequate skills / understanding of instruments
  External: ---

Mishap: Sumitomo Corp. 1996
- Approx. total loss amount (in USD bn): 2.6
- Loss in % of capital: 45%
- Speed of irregularity maturating to mishap: Slow
- Irregularity description: Unauthorised commodity trades (double of firm's annual trading) over 10 years
- Perpetrator: Branch office staff
- Crisis trigger: Mistaken sending of document to finance office
- Failures along the 5 major OpRisk-categories (CSG):
  Organisation: Governance, segregation of duties, allocation of responsibilities, information and communication flow weakness
  Policy / Process: Lax internal controls & audit, inadequate management reporting systems
  Technology: Missing electronic trade reporting links
  Human: Fraud by staff member
  External: ---

Mishap: LTCM 1998
- Approx. total loss amount (in USD bn): 4.6
- Loss in % of capital: about 100%
- Speed of irregularity maturating to mishap: Fast
- Irregularity description: Overexposure to leverage, liquidity and volatility risk with derivative instruments
- Perpetrator: Top management strategists
- Crisis trigger: Persistent unfavourable market
- Failures along the 5 major OpRisk-categories (CSG):
  Organisation: Culture of blind model belief, insufficient model adjustment and stress testing
  Policy / Process: Change of market importance/size, sovereign
  Technology: ---
  Human: Practical skills as to assessment of changed parameters
  External: ---

Source: Credit Suisse Group / GRM compilations (2000)

Chart 4.1 (continued): Features of 8 selected major operational risk mishaps

| Feature | Orange County 1994 | Barings 1995 | NatWest Markets 1997 | Daiwa 1995 |
|---|---|---|---|---|
| Approx. total loss amount (in USD bn) | 1.6 | 1.3 | 0.1 | 1.1 |
| Loss in % of capital | 100% | 100% | negligible | 24% |
| Speed of irregularity maturating to mishap | Medium, 3 years | Medium, 3 years | Medium, 3 years | Slow, 11 years |
| Irregularity description | Trading in securities not legally approved | Unauthorised and concealed trading in options and futures, forgery of back office documentation, non-disclosure of massive potential losses | Unauthorised transfers between options books, deliberate option mispricing | Unauthorised trading, loss concealment, losses concealed by management from regulators |
| Perpetrator | Orange County treasurer | Trader, subsidiary in Singapore | Trader, possible management involvement | US branch office trader(s) |
| Crisis trigger | Warning to county executives by treasurer's staff | Margin call | External audit investigation | Confession letter sent by trader to bank president |

Failures along the 5 major OpRisk-categories (CSG), as listed in the chart across the four cases:
• Organisation: Governance, management, information coordination and distribution; Governance, management, regulatory compliance, non-segregation of duties; Governance, management, culture (superstar), lack of control culture diversity; Governance, management, regulatory compliance, information flow failure
• Policy / Process: Inadequate policy (poor market risk management); Breach of policy, agency risk; Breach of policy, information flow failure; Breach of policy, regulatory compliance failure, agency risk
• Technology: Software dependency (blind acceptance of system-generated valuations); --- for the remaining cases
• Human: Employee failure (faulty trading strategy); Employee failure (lack of character), employer misjudgement; Employee deficiency (poor trading skills), employer misjudgement; Employee failure (fraud)
• External: ---

Source: Credit Suisse Group / GRM compilations (2000)

4.3 The 1977 Credit Suisse Chiasso Case

The old Credit Suisse Chiasso branch scandal of 1977 is a good example of Murphy's law in terms of a fraud induced OpRisk.7 The reason for allocating the Chiasso scandal to an OpRisk event is that it occurred exclusively as a consequence of having conducted business in an improper and inadequate manner. Structural, procedural and control failures, errors and misdeeds were essential in building the Chiasso losses.

What happened? In the early 1960s, the Chiasso branch manager set up an offshore trustee company (Texon), officially managed and controlled by an outside third party legal office, a vehicle allowing parallel accounting. Texon provided the Chiasso branch manager with a medium to "externalise" branch losses and a vehicle to circumvent CS controls on loans and investments. The fraud began with placing customers' saving deposits in high yield instruments against CS letters of guarantee for Texon. Over time, the fraud extended to transferring non-performing branch loans for their full value to Texon and converting the guarantees into participations. These practices were to continue until March 1977.

During this period and until the end of 1976, head office ignored several internal signals which hinted at irregularities. Management never wondered how the Chiasso branch could show a sustained impressive profitability track record, while other branches had to digest bad loans. Neither did it bother to inquire how Chiasso could provide loans which other branches - based on headquarter imposed restrictions - had to turn down. Nor did it provide for a channel through which branch staff could escalate their concerns on possible irregularities to head office.

External signals raised to senior management were investigated on a minimalistic basis. Several competitors' complaints in 1968, 1969 and then again in 1976 about the practices of the Chiasso branch were dismissed or superficially investigated, despite documented evidence. Only the concerns of tax authorities on withholding tax evasion triggered an internal investigation in 1969. Several initiatives were launched to investigate the links and exposure of the branch to Texon. The latter remained restricted to ensuring the compliance of guarantees with regulations. Fact finding mostly took place on a verbal basis and was satisfied by vague explanations. The implementation of corrective measures was never verified. Internal audit was not requested to act. Information about the identified irregularities remained limited to four individuals at the headquarters until late 1976. In summary, headquarters followed a policy of "why bother as long as profits flowed".

In December 1976, the breakdown of Weisscredit Bank - which failed due to similar practices as those practised by the Chiasso branch - finally triggered concerns about the situation in Chiasso. In March 1977, a hasty and insufficiently prepared press statement about the fraud was issued. It contained neither precise information about the risk amount nor any assurances of a contingency plan. The wildest speculations broke loose and triggered a major crisis.

7 For a detailed discussion of the Chiasso case, see Jung, J. (2000), From the "Schweizerische Kreditanstalt" to Credit Suisse Group, NZZ Verlag, Zurich (2000), pp. 245-289.

Chart 4.2 summarises the major ingredients of what ended in an approximate CHF 2 bn loss. The depicted OpRisk level is only illustrative.8 It is used to reflect the progressive build up of fraud exposure at risk and the cumulating of the various OpRisk components, which could have been expected to trigger corrective operational action when conducting business in an adequate manner. It is not intended to imply that there is a specific critical risk level which triggers the crisis outburst.

Chart 4.2: What went wrong in Chiasso?
(Risk level, indicative, plotted over time from Mar 61 to Mar 77; stacked components: Fraud, Internal control failures, Documented internal signals, Management review failures, Internal communication failures, External warnings, Communication mismanagement)
• Fraud: Time bomb Texon, high yield high risk investments circumventing headquarters' controls
• Control: No search for causes, irregularities investigations focus on settling immediate complaints
• Internal signals: Ignored. Ability of branch to provide loans rejected by headquarters, impressive sustained profitability track record, indication of possible accounting irregularities
• Management: Not caring about repeated warnings, happy with superficial explanations
• Internal communication: None. Investigation of problems exclusively on a bilateral base, not sharing information, reporting generally only verbal
• External warnings: Ignored. Tax investigation, competitors' complaints, trust ahead of follow up checks
• Communication: Hastily, vague, uninformed, crisis magnifying
• Crisis outburst: 25.4.1977, media boom on the affair
Source: Credit Suisse Group / GRM, 2000

8 Peaks were allocated for a documented event. The fraud and the documented internal signals (accounting reports, quarterly management meetings with Chiasso branch managers) components were assumed to grow in a linear fashion over time and supplemented with "outbursts" at times when references to possible irregularities surfaced.

4.4 OpRisk Scandals in Financial Services: 12 Lessons

The total of 9 relevant cases of the past presented lead to the following 12 lessons for everybody:

1. Lack of good governance at large and lack and/or breach of policies and processes are the common issues for all 9 cases. The 12 S's of each organisation failed at work: Strategy, structure, system/s, safety, speed, skills, style, just to name the most important here.

2. It is not only "Banks" which incur OpRisk, non-banks can equally present a potential systemic risk.

3. A framework based on the OpRisk categorisation elements of chapter 3 constitutes a useful basis for identifying major OpRisk drivers. If used as a checklist, it provides the basis for a disciplined and systematic review of the aspects commonly at the root of OpRisk. The framework allows focusing management's attention on major weak spots requiring particular and regular attention.

4. Relative size of an operational mishap tends to be correlated with the level of the perpetrator. In fact - with the exception of the Barings and the not discussed Kidder Peabody cases - operational crises tend to be:
• Major when the perpetrator stems from management or owners
• Absorbable when the perpetrator stems from more junior positions

5. The speed of irregularity detection generally depends on the complexity of the financial instruments involved:
• Short for more complex trading instruments - see transparent market developments
• Longer for standard financial instruments - see documentation for loans with long tenors

6. Operational irregularities tend to happen more often in branches or remote subsidiaries than at head-office. Unavailability of direct and reliable information is a problem. Trust is recommended, but must be complemented by diligent supervision and accepted controls, audits, MIS and generally higher "risk awareness". This often requires a personal follow-up, no hesitation in being more demanding on details, as well as a sharing of the personal assessment of the situation with colleagues.

7. Human inadequacies are - not surprisingly - relevant in all cases, whether character or skill. The big "C" for character in banking is as alive as ever.

8. Significantly higher returns than average over time deserve more attention. Are the people involved really that much smarter? Therefore, additional checks are needed such as:
• Track record of irregularities (e.g. tax irregularities)
• Track record of generating competitors' complaints
• Sustained profits and absence of bad loans compared with others
• Feedback to inquiries
• Site visits
• Intuition, "gut feeling": Management is seldom an "IQ" issue only

9. Senior management and Boards have to take their supervisory function seriously and invest time in it.

10. External risks did not play a major role in any of the most severe cases of the past with the exception of the BCCI case. However, the past is not an indicator for the future: Potential external hazards need appropriate attention.

11. Internal and external communication and expectation management is crucial; both are part of OpRisk management once the mishap is recognised. It requires a crisis task force devoted to finding out all the facts and devising a clear contingency plan of measures to be taken to sort out the problem. Based on this, a professional communication strategy has to be defined ensuring explanatory, fact based press releases. Co-ordination with authorities and experts from the public relations / communication department is essential.

12. "Lessons are not given. They are taken." (C. Pavese) An organisation must be a learning organisation. If you do not learn from internal and/or external mistakes, you just make another mistake. Otherwise, a financial services organisation cannot be a knowledge company - which is what it should be. Common sense and "gut feeling" which come from experience also are important.

The prime issues for most of the 9 mishaps were lack of good OpRisk management: improper structure, system, systems, shared values. All 9 cases had a very different context, i.e. were unique in their constellation. The bank cases were all cases for Pillar 2 and 3. The 9 cases represent no good arguments for OpRisk regulatory capital solving the problem.

Some interesting questions can be raised:
• Did the models of LTCM work - with the smartest quant brains available worldwide?
• Would any of the present and potentially upcoming quantification approaches for OpRisk (including Value at Risk, Extreme Value Theory, Chaos Theory etc.) have been of relevant use at the time of occurrence?
• Would such theoretical quantification ex-ante have avoided the mishaps?
• Would any of today's quant-approaches have calculated a large enough capital requirement to avoid a total collapse of BCCI or Barings?
• And, if so, would these two organisations with such huge additional capital requirements have been competitive before the collapse?

In my opinion, all five questions are to be answered with a "no", which does not imply at all that I am against credible and relevant quantification of OpRisk or at least credible attempts to try and observe a few "provisional results" over some years, as presented in chapter 10. Models, quantification and other tools are neither able nor meant to predict the "when" of a crisis outburst, as discussed in chapter 11. They are only one of various elements for our judgements and decisions in addition to the more relevant aspects of the management of the 12 S's as discussed in chapter 6.

5. Organisations with a 5000 Year OpRisk Experience: 12 Lessons

5.1 Introduction

Experience is often key to success. OpRisk is not constrained to banking activities but involved in all activities and organisations of human beings. Long before analytical OpRisk management came into fashion in the financial industry, it was already a core concern for several sectors of life. Since it exists, the military as a managed human and technical organisation has been devising ways to manage operational risks. For decades, the manufacturing industry has been devising solutions for controlling their OpRisk.9 The oil and chemical industry, the pharmaceutical industry and the nuclear power generation industry, given their higher exposure to risk events, have focused on the operational risk management aspect for years. The OpRisk management methods developed by these sectors of activity are the result of many years of trial and error, of fine-tuning and of perfectioning, directly or indirectly relevant for financial services. Not to learn from this experience in financial services - also with technological challenges - would be arrogant and represent another OpRisk opportunity loss.

The aim of this chapter is to review a selected set of the methods of OpRisk management. Very briefly, methods for managing OpRisk, which have been developed by the US military with its recent experience, are reviewed. This should help to devise or confirm the key elements and rules that should feature in the financial sector's approach to OpRisk management. This leads again to 12 lessons.

5.2 Principles of the Military

In the military, the purpose of OpRisk management is to enhance hazard identification in the operational environment in order to eliminate risks or reduce them to an acceptable level.10 The US military has developed simple tools to help its leaders make sound decisions in a logical manner in order to manage identified risks. Armies over the years have as an organisation developed certain principles which have been adjusted again and again. The general structure of these tools is common to all units. However, their detailing and implementation is very unit specific. The OpRisk management process used by the US military can generally be broken down into six steps, as shown in Chart 5.1.

9 The manufacturing industry primarily views operational risk from the opportunity perspective. Most methods of operational risk management are therefore running under the heading "business process reengineering".
10 See Capt. Bieberdorf W.J., "Operational Risk Management", MCO 3500.27, Naval Safety Centre, Norfolk, Va., April 1997.

Chart 5.1: USAF Operational Risk Management Six Step Process
1. Identify the Risk: Operational analysis; List hazards; List hazard causes; In-depth hazard identification
2. Assess the Risk: Assess hazard exposure; Assess hazard severity; Identify mishap probability; Assess complete risk
3. Analyse Risk Control Measures: Identify risk control options; Evaluate control effects; Prioritize risk controls
4. Make Control Decisions: Select risk controls; Risk decision
5. Risk Control Implementation: Clarify implementation; Establish accountability; Provide support
6. Supervise and Review: Supervise; Review
Source: Credit Suisse Group / GRM, adapted from Mjr. Crowell M., USAF, 2000

1. Identify the Risk

The first step is to identify the hazards or risks. It is crucial to obtain a complete list of the hazards to which an operation is exposed. The 5-M model - man, machine, media, management, mission - provides the basic framework for analysing operational systems and determining the relationship between composite elements that work together to perform the mission. The focus of the 5-M model is to identify in detail what could cause a mishap, or an operational risk. There is a significant overlap between the elements of the 5-M model as they interrelate directly. However, the most crucial elements are leadership and management, because they define how this interaction takes place. Military and civilian safety studies cite management processes to amount to 80% of reported mishaps.

Based on its experience, the army places extreme importance on detailing the various elements of the 5-M model. Therefore, it has developed a detailing covering all risk origins for each of the elements of the 5-M model. Table 5.1 summarises what the army uses as a checklist for the identification of hazards. However, "mission" is not discussed here as it is always specific to the task and cannot be presented in general terms. We have added two columns, which by analogies try to tailor this checklist to the needs in the financial industry. The specific risk drivers which would have to be integrated in a checklist are highly dependent upon the activities. Therefore, the latter are only illustrative. Table 5.1 shows that interesting similarities can exist between the military and the financial sector in terms of OpRisk drivers. The main conclusion, however, is that the devil lies in the details.

Table 5.1: The 5-M Model Check List for a Comprehensive Risk Identification

| Element | USAF category: check-list of USAF risk drivers | Financial industry category equivalent: possible financial industry risk drivers |
|---|---|---|
| Medium: Environment (external, largely environmental forces) | Climatic: visibility, precipitation, wind, ice, humidity, etc. Operational. Hygienic: ventilation, air quality, corrosives, etc. Vehicular. Terrain: paved, dirt, hilly, vegetation, man-made obstructions | Market: market features, competitors' behaviour (part of strategy risk), clients' needs in terms of frequency and speed of transactions. Infrastructure: offices, security, confidentiality, etc. Communication / distribution channels: features of customer interfaces and IT |
| Man: Area of greatest variation and thus of risks | Selection: right person, adaptive skills, training, etc. Performance: habit pattern, stress, peer pressure, time, limitations, etc. Personal factors: education, values, discipline, job satisfaction, etc. | Selection: hiring profile, skills-job profile matching, motivation survey, etc. Performance: training, incentives, job satisfaction, etc. Personal factors: personality, values, culture, discipline, etc. |
| Machine: Used as intended, limitations, interface with man | Design. Maintenance. Logistics: supply, upkeep, repair, parts. Tech data: clear, adequate, useable, available | Design: IT architecture, engineering and user-friendly, tool complexity, island solutions, dependencies. Maintenance & Migration. Service providers. Work tool user manuals: clear, adequate, useable, available |
| Management: Directing the process by defining | Standards: DOC statements, various criteria, training requirements, etc. Procedures: checklists, manuals, etc. Controls: crew rest, speed limits, restrictions, lawful orders, etc. | Standards: Code of Conduct, governance principles & training, compliance manuals, policy, etc. Procedures: checklists, risk limits and flags, escalation, communication, MIS, audit, insight, etc. Controls: restrictions, reliance, etc. |

Source: USAF and Credit Suisse Group / GRM (2000)

How does one go about identifying the OpRisk? The army provides a useful systematic and simple approach for going through each element of the 5-M checklist:
• First, analyse the operations
• Second, list the possible hazards
• Third, list hazard causes
• Fourth, proceed to an in-depth hazard identification

The operational analysis basically is breaking down the operation into "bite size" pieces. In the end, the operational analysis boils down to making the key factors of an operation or issue more transparent.11 In the financial industry this procedure is often employed in the elaboration of business plans or for project management. Tools used to perform this task include change analysis, brain storming and "what-if" analysis. For this purpose, the USAF proceeds to listing the causes for each of the identified hazards. The focus is to link the hazard to one or several elements in the 5-M model. For each case, it is attempted to identify the first link (root cause) in the chain of events leading to an OpRisk occurrence, in order to be able to identify a possible management action.

2. Assess the Risk

With the hazards identified, some method is required to assess and prioritise the list of hazards. Once the list of hazards is established, risk is defined as "the probability and severity of loss linked to the hazard". The aim is to put the limited resources against the risk faced. Table 5.2 gives an overview of the approach used to determine the risk level for each identified hazard.

11 The USAF employs flow charts as tools to analyse its operations and break them down into separate components. The financial industry also uses workflow and organisational charts for this purpose.

Table 5.2: USAF Risk Levels

| Event severity \ Hazard mishap probability | Frequent (occurs often in a career) | Likely (occurs several times in a career) | Occasional (occurs sometimes in a career) | Seldom (possible to occur in a career) | Unlikely (occurs very rarely in a career) |
|---|---|---|---|---|---|
| Catastrophic (death, system loss, etc.) | Extremely high risk | Extremely high risk | High risk | High risk | Medium risk |
| Critical (partial disability, major system damage, etc.) | Extremely high risk | High risk | High risk | Medium risk | Low risk |
| Moderate (minor injury, minor system damage, etc.) | High risk | Medium risk | Medium risk | Low risk | Low risk |
| Negligible (minor treatment, minor system impairment, etc.) | Medium risk | Low risk | Low risk | Low risk | Low risk |

Source: USAF, compiled by Credit Suisse Group / GRM, 2000

How does one go about assessing the OpRisk level? The army provides a useful systematic and simple approach for going through each element of the 5-M checklist:
• First, assess the hazard exposure
• Second, assess the hazard severity
• Third, assess the mishap event probability
• Fourth, complete the risk assessment

3. Analyse Risk Control Measures

After having completed the risk assessment, the USAF analyses control measures. For each hazard exceeding an acceptable level of risk, the USAF:
• Identifies risk control measures
• Determines risk control effects
• Prioritises the list of available risk control measures

The identification of risk control measures involves searching for as many risk control options as possible by referring to the list of causes. Risk control options include avoidance, reduction, spreading and transference. Tools used to perform this task are brainstorming, mission accident analysis and "what-if" analysis. In the financial sector, the analysis of past OpRisk events could offer interesting avenues in identifying relevant risk control measures.
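As an added example (not part of the original presentation), the Table 5.2 matrix applied to a constructed hazard register: each hazard is rated, the register is ordered highest risk first, and the hazards above an acceptable level are handed to step 3. The hazard names, their 5-M assignments and their ratings are constructed for illustration and are not from the page.

```python
from dataclasses import dataclass

# Table 5.2, USAF risk levels: rows are event severity, columns are mishap
# probability from Frequent (left) to Unlikely (right).
SEVERITIES = ("Catastrophic", "Critical", "Moderate", "Negligible")
PROBABILITIES = ("Frequent", "Likely", "Occasional", "Seldom", "Unlikely")
RISK_MATRIX = {
    "Catastrophic": ("Extremely high", "Extremely high", "High", "High", "Medium"),
    "Critical":     ("Extremely high", "High", "High", "Medium", "Low"),
    "Moderate":     ("High", "Medium", "Medium", "Low", "Low"),
    "Negligible":   ("Medium", "Low", "Low", "Low", "Low"),
}
RISK_RANK = {"Extremely high": 4, "High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Hazard:
    name: str
    element: str      # 5-M element the hazard is linked to (Man, Machine, Media, Management)
    severity: str     # one of SEVERITIES
    probability: str  # one of PROBABILITIES


def risk_level(severity: str, probability: str) -> str:
    """Look up the risk level for one severity/probability pair (Table 5.2)."""
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity: {severity!r}")
    if probability not in PROBABILITIES:
        raise ValueError(f"unknown probability: {probability!r}")
    return RISK_MATRIX[severity][PROBABILITIES.index(probability)]


def assess(hazards):
    """Step 2: rate every hazard and return (hazard, level) pairs, highest risk first.

    Ties are broken by severity, then by probability, so of two equally rated
    hazards the more damaging one comes first.
    """
    rated = [(h, risk_level(h.severity, h.probability)) for h in hazards]
    rated.sort(key=lambda pair: (-RISK_RANK[pair[1]],
                                 SEVERITIES.index(pair[0].severity),
                                 PROBABILITIES.index(pair[0].probability)))
    return rated


def needs_controls(hazards, acceptable: str = "Medium"):
    """Entry point to step 3: hazards whose level exceeds the acceptable level."""
    limit = RISK_RANK[acceptable]
    return [h for h, level in assess(hazards) if RISK_RANK[level] > limit]


def summary_by_element(hazards):
    """Highest risk level per 5-M element, to point at the weakest element."""
    worst = {}
    for h, level in assess(hazards):
        if h.element not in worst or RISK_RANK[level] > RISK_RANK[worst[h.element]]:
            worst[h.element] = level
    return worst


# Constructed sample register, phrased with the financial-industry drivers of Table 5.1.
SAMPLE_HAZARDS = [
    Hazard("Trade reporting links missing between front and back office",
           "Machine", "Critical", "Occasional"),
    Hazard("Single trader controls both dealing and settlement",
           "Management", "Catastrophic", "Seldom"),
    Hazard("Sustained above-average branch profits left unquestioned",
           "Management", "Critical", "Likely"),
    Hazard("Work tool user manual out of date after migration",
           "Machine", "Negligible", "Frequent"),
    Hazard("Key staff turnover without hand-over of limits knowledge",
           "Man", "Moderate", "Likely"),
]

if __name__ == "__main__":
    for hazard, level in assess(SAMPLE_HAZARDS):
        print(f"{level:15} {hazard.element:11} {hazard.name}")
    print("Above acceptable (Medium):", [h.name for h in needs_controls(SAMPLE_HAZARDS)])
    print("Worst per element:", summary_by_element(SAMPLE_HAZARDS))
```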

The determination of risk control effects evaluates the effectiveness of each control measure. It involves the use of tools such as computer modelling, scenarios and next accident assessments. In the financial sector similar tools are used, but not often in the context of OpRisk. The prioritisation of risk controls prepares the choice of measures to be taken. Tools used in this context are mishap risk index matrices, opportunity assessment and a cost versus benefit analysis. Best controls are generally consistent with mission objectives and the optimum use of available resources. In the financial sector these tools are also available, but could benefit from enhancing mechanisms and standards for systematic learning from mishaps.

4. Make Control Decisions

After having prioritised risk control measures, the person in the USAF who is accountable for accepting the risk has to make the risk control decisions. For each hazard, the accountable person selects those risk control measures that will reduce the risk to an acceptable level, considering the cumulative risk of all identified hazards, the long term consequences of the decision and the law of diminishing returns of resources allocated to risk control (see Chart 5.3). The benefits of the operation are set against the level of risk of the operation. Tools assisting in making this choice are databases of implementation decisions recorded in a standardised format. In the financial industry an important requirement for such a procedure would be a clear responsibility allocation for each OpRisk category.

Chart 5.3: The Law of Diminishing Returns
(Risk level, high to low, against resources allocated to risk reduction; curves: allocated resources, accident reductions. Look for the "happy medium" where the cost of the control measure balances the severity of risk.)
Source: Credit Suisse Group / GRM, adapted from US Air Combat Command, 2000

5. Risk Control Implementation

Once the operations are launched it is essential to ensure the implementation of the selected risk control measures. In the USAF, this involves:
• Making the implementation clear
• Establishing accountability
• Providing support

Clarifying implementation entails making sure that control measures are understood. For this purpose, a roadmap for implementation as well as a description of the attempted end state are provided. Tools used for this task are examples, pictures, charts, job aids, etc. In the financial industry, policies, directives and manuals are often used as well as training material. These could be complemented by simple summaries of lessons learned from practical OpRisk cases.

Accountability is an important element of OpRisk management. It requires sign off and proper documentation of all relevant risk taking decisions. This requires getting command approval prior to implementing a control measure. In the financial industry, this would possibly require making OpRisk an issue for the BoD and mandating the CRO or COO with the day to day management of OpRisk. Possibly computer aided standardised decision making forms could provide an avenue for enhancing accountability. Quick response times, however, should not serve as an excuse to neglect documentation. In the financial industry, this aspect is critical given the relatively rapid turnover of staff.

To be successful, command must support the control measures put in place. In any case, management should be aware of the common obstacles to the implementation of controls as summarised in Chart 5.4.

Chart 5.4: The Pitfalls of selected Control Measures
• Inappropriate control for the hazard
• Operators do not use them
• Leaders do not use them
• Cost too much
• Impede the mission - limit opportunity
• Get lost in the priority system
• Misunderstood
Source: Credit Suisse Group / GRM, adapted from US Air Combat Command, 2000

6. Supervise and Review

Once the operation is running it requires to be supervised. This entails the monitoring of the operation to ensure that:
• Controls are effective and remain in place
• Changes in the operation which require further risk management are identified
• Actions are taken to correct ineffective risk controls and reinitiate the risk management steps in response to new hazards

Tools assisting in performing supervision include inspection, observation and feedback programs. The operations must also be periodically reviewed. The review process must be systematic. Once assets are expended to control risks, a cost benefit analysis must be accomplished to see whether risk and cost are in balance. In the financial industry management reviews, audits and controlling investigations are increasingly tailored to OpRisk management aspects.

5.3 Military OpRisk Experience: 12 Lessons

I have reduced the military experience to 12 lessons.

1. "OpRisk management is a process, not a program! It requires incorporating risk in decision making at all levels, before, during and after the operation."12

2. "OpRisk management is:13
• Logic-based common sense approach to decision making
• Not a radical new way of doing things
• "Mission oriented"
• Integrates the 5-M factors"

3. Always use the proper methodology: The 5-M concept:
• Management (standards, procedures, values, goals)
• Man
• Machine
• Media (environment)
• Mission or mishap

4. Apply the 6 steps process (Air Combat Command):
• Identify risk
• Assess risk
• Analyse risk
• Make control decisions
• Implement risk control
• Supervise and review
Risk categories are categorised as to their severity and probability.

12 US Navy (1997).
13 US Navy, 27th Fighter Wing (no date).

Intensity of risk management is different with time available:
• Hasty = time critical: on the run consideration of the 6 steps above
• Deliberate: complete 6 steps application + add time and techniques
• In-depth: complete 6 steps application + add time, techniques and energy

5. Civilian and military studies reveal:
• Insufficient management processes are responsible for 80% of mishaps
• Personnel is the dominant factor in mishaps
Therefore, management should ensure that everyone when performing his or her tasks takes into account some risk management considerations. Ideally, it has to be led.

6. Successful risk management requires an enterprise culture which makes everyone a risk manager. Such a culture ensures pro-active risk management, as shown in Chart 5.5. Experience of the military on the quality of involvement strongly supports this approach. "Safety is built on integrity, trust and leadership, created and sustained by effective communication" = enterprise culture.14

Chart 5.5: Everyone's Involvement is highly desired! A Judgement on different Levels of Involvement
Involvement level, quality from best to worst:
• Personal ownership
• Team member
• Input provider
• Coordinator
• Comment and feedback provider
• Robot: object of inspection or enforcement
Source: Credit Suisse Group / GRM, adapted from US Navy 27th Fighter Wing, 2000

14 US Navy (1997).

7. To establish a personal ownership as a risk culture, five levels of OpRisk management training can be conceived:14
• Indoctrination: Making everyone aware of OpRisk
• User: Introduce concerned individuals to the five step OpRisk management process
• Advanced: Train relevant individuals to apply OpRisk management and its tools
• Leader: Enable responsible individuals to make OpRisk management decisions
• Senior leader: Provide a basic understanding of OpRisk management

8. Accept no unnecessary risk: Leaders who accept unnecessary risk are gambling with others' lives (in banking with others' money). Take only risks that are necessary to accomplish the mission.

9. Make risk decisions at the right level: This is a level where the decision-maker has the necessary information, experience and maturity to make a good decision, at the level where the risk taking can be influenced and is born. Normally risk decisions are made by the leader directly responsible for the operation. However, the level of approval authority should be commensurate with the level of risk accepted. Final risk decision-making authority resides with the agency or individual assigning the tasking within the chain of command.

10. Accept risk when benefits outweigh the cost: This rule recognises two key truths:
• There is some degree of risk associated with all operations
• The goal of OpRisk management is not to eliminate risk, but to manage the risk so that the mission can be accomplished with the minimum amount of loss15

11. Anticipate and manage risk by planning: This first rule is one of simple efficiency and economy. Risks are more easily managed when addressed in the planning stage of an operation.

12. KISS: Keep It Short and Simple. This rule recognises three key truths:
• Complexity is often at the root of risk
• Communication is essential to mitigate risks
• Others do not per se understand one's thinking

"You don't manage people: you manage things. You lead people." (Admiral Grace Hopper)

14 US Navy (1997).
15 "Introduction to Operational Risk Management", Airtevron one, VX.1 Safety/Naptobs Dept.

6. Managing Operational Risks: The 12 S's as a High Level Requirement

This chapter deals with OpRisk management from the high level, top-down viewpoint. It is primarily concerned with setting the right management framework for dealing with OpRisk in the context of a fully integrated, institution-wide risk management. Here, I repeat my chart from chapter 1:

Chart 1.2: Building an Organisation for the Management of 8 Major Risks
Major factors shaping the risk disposition of an individual and an organisation: Values, Behaviours, Expectations, Experience, Facts, Knowledge, Perception; Competition, Clients, Markets & Economy, Society & Politics, Innovation & Technology, Regulation & Policies.
Scope and challenge of an integrated firmwide risk management: Action and Reaction by Management and Staff.
Effective risk management provides focus on and control over 8 major risks: Strategy Risk, Reputation / Brand Risk, Market Risk, Credit Risk, Ins. Underwriting Risk, Business Risk, Operational Risk, Liquidity Risk.
Building on the organisation's 12 S: Strategy, Structure, System/s, Safety, Speed, Staff, Skills, Style, Shared values, Stakeholders, Symbol, Synchronisation.
Ensuring a risk culture with: modern methods / limits, continuous training, discipline as to corrective actions, proactive risk management, constructive control attitude, simplicity, sustainability.
© H.-U. Doerig, 2000

6.1 Risk Management Framework
An analytical and conscious approach to solve management issues - in this context in regard to OpRisk management - can be structured along the 12 S's for every organisation, irrespective of its peculiarities. The 12 S's of such a management approach are: strategy, structure, system/s, safety, speed, staff, skills, style, shared values, stakeholders, symbol, synchronisation.

Each financial services organisation has its own peculiar history, strategy, structure, set-up, values and challenges. Retail banking, asset management, trading, insurance, investment banking, brokerage: they all have very different prerequisites. By nature, the comments are more oriented toward high level issues. I have tried to come up with some salient common and general OpRisk related denominators concerning any organisation.

6.2 Strategy and Structure
There are very few really original banking strategies. Implementation is the issue. The strategy should secure no undue risk taking and set ambitious but realistic targets. Basically, any financial organisation without a dedicated, simple and continuously checked strategy is lost from the start: "Strategy is always simple, but it is not for that reason easy" (von Clausewitz).

The structure very much depends on the strategy. A structure for the 21st century has to take into account the need for continued innovation and creativity: structure with flexibility, efficiency and effectivity. Only a logical structure can lead to the successful implementation of the S's. Important is - also based on the respective legislation - the clear allocation of responsibilities and the establishing of functioning checks and controls, especially for OpRisk management and its related issues like TQM, strategic risk management, legal and compliance, rules, regulations etc. We also should not completely overlook Peter Drucker's statement: "No institution can possibly survive if it needs geniuses or supermen to manage it. It must be organised in such a way as to be able to get along under a leadership composed of average human beings."

Simplified, one can differentiate between "six tiers of defence" for risks:
- Tier 1: Business front line with the prime responsibility for taking and managing risks
- Tier 2: Support functions like product control, legal and compliance, country management with focus on specific risk areas and concentrations
- Tier 3: Senior management and supervisory board with focus on the overall risk profile
- Tier 4: Internal and external audit with focus on deficiencies as to policy, structure, system
- Tier 5: Regulators - supervisors with prime role of an external referee
- Tier 6: Shareholders and other stakeholders as ultimate daily overall judges

Simplified, but correct for any risk management is the following formula:
- Inherent risk - Mitigants = Residual risk
- Mitigants can be the 12 S's management as well as e.g. hedging, risk transfer

6.2.1 Corporate Governance
Quality starts at the top. This paper cannot deal with specific national or EU legislation - de lege lata or de lege ferenda - nor should it discuss the respective responsibilities of the Board of Directors versus the Executive Board. We all observe the worldwide convergence of what constitutes good corporate governance, also in the European banking industry: "Accountability" has become the key issue.

The Cadbury report, the recent Turnbull report and the EMI ECB recommendations, but also more recent supervisory and auditing requirements, make it very clear that senior management today has an ever increasing responsibility to deal with risks, including OpRisk, in a diligent and continuous fashion. These aspects have become more formalised lately. As a catch-all for present or future requirements, I raise salient elements of BIS' 1999 report "Enhancing Corporate Governance for Banking Organisations". The September 1999 Basle Committee on Banking Supervision on "Enhancing Corporate Governance for Banking Organisation" identifies 7 essential practices. Table 6.1 shows how these are linked with my 12 S's.

Table 6.1: BIS Essential Practices and the 12 S's
BIS Practices -> Corresponding 12 S's
- Strategic objectives and a set of corporate values -> Strategy, shared values
- Clear line of responsibility and accountability -> Structure, system, shared values
- Proper qualification of board of directors -> Staff, skill, style
- Appropriate oversight by management -> Structure, system, safety
- Internal and external auditors as independent checks -> Structure, systems, safety
- Compensation consistent with bank's ethical values, objectives, strategy and control environment -> Staff, system, shared values, symbol
- Transparency as to corporate governance -> Structure, shared values, synchronisation
Source: Credit Suisse Group / GRM, 2000.

The above all call on the various boards' responsibility to identify the relevant risks and to have an "embedded" risk management system, not just a "separate exercise" or "to take risk into consideration". In this context, it is not so crucial whether the whole BoD or Executive Board, the Audit or Chairman's Committee, the CEO or the CRO have such a responsibility. Important is that it is done with skill, diligence, care and promptly, with clear allocation of responsibility, deadlines, independence with built-in checks, controls and proper reporting. This is essential for proper OpRisk management.

At a functional level, questions could be raised like: Does your organisation have an accepted OpRisk definition, a formal policy statement, an Executive Board Risk Committee, a regular review of responsibilities? What committee deals with OpRisk? Who is the owner of an important issue? Who is responsible for OpRisk management? Documented as to policy, objectives, structure and losses? Is there a clearly defined escalation process? Trend analysis? Impacts of OpRisk? Reports on OpRisk how often? Who reports to whom on legal cases, on insurance issues? Is the information consolidated and fit for high level supervision?

The role of an Audit or Risk Committee of the Board has become much more visible. Regulators take a more vivid interest in such or similar committees and Board functions related to risks. The intensity and frequency of risk management discussions depend on the organisation's specific situation. The major forces influencing the management of OpRisk are presented in Chart 6.2.

Chart 6.2: Managing OpRisks - Major Forces in a continuous Interplay
- Shareholders and other Stakeholders
- Supervisors
- Legislation
- BoD
- Senior Management
- Internal and External Audit
- Line / Business Management
- Legal & Compliance
- Product Control
- Financial Control
- IT
- IT Development
- Country Management
- Risk Transfer / Insurance
- Operations
- Risk Management
- Competition
© H.-U. Doerig, 2000

6.2.2 Segregation of Duties
Internal and external cases indicate that many of the significant OpRisk losses in history were related to the lack of segregation of duties: front versus support functions. This fact holds true not only for lower level functions, but also for Executive Board levels. Each organisation has to strike the balance between what is to be managed tightly and what more loosely. A balance has to be found between:
- Extreme alignment (too much = bureaucracy and demotivation) and
- Extreme adaptability and flexibility (too much = chaos or difficult control)

The new decentralised structure initiated by Credit Suisse Group in 1996 served it well: Below a small Corporate Centre (= Holding Company), a total of 6 major Business Units - with their own Executive Board - are assembled: Retail banking, private banking, personal financial services, insurance, asset management and investment banking. One benefit of the restructuring was clearly defined responsibilities and enhanced transparency and discipline, including the information for the Supervisory Board. It also led to shorter decision making processes - under the Group guidance - and to a much more focused risk management, with ownership of risk more effective. A reduction of complexity was achieved also for OpRisk by grouping similar skills and workflows in one unit. Additional opportunity costs were avoided.

CSFB e.g. separates trading versus support functions. Trading and Investment Banking report to different Executive Board members. The following functions report directly to the Vice Chairman who has no line functions: Risk management, legal & compliance, product control, financial control, treasury, operations, IT and country management.

6.2.3 Management Structure for OpRisk
A survey has identified 3 generic organisational models for OpRisk management [16]:
- A Head Office OpRisk function
- A dedicated but decentralised support
- Internal Audit playing a lead role in OpRisk management

The Head Office OpRisk approach is receiving the widest acceptance. Such a corporate structure is presented in Chart 6.3. As important as the concrete structure is the visibility, acceptance and firmness of risk management. Risk management must add value by:
- Fostering risk awareness in various situations and cycles of a firm or market
- Setting standards
- Ensuring smooth running of the firm's risk processes and methods
- Disclosing and escalating relevant risks to senior management
- No positions, as it is not a profit centre, but helping to prevent losses
- Offering constructive risk mitigation and pricing advice
- Assessing / quantifying risks
- Benchmarking with peers, where feasible

Chart 6.3: Corporate Operational Risk Organisation Model
- Board of Directors
- Senior Management
- Operational Risk Committee
- Internal Audit
- Chief Risk Officer
- Head of Operational Risks
- Head Office Operational Risk Staff
- Operational Risk Related Staff Functions: Compliance, Human Resources, Insurance, IT, Legal
- Business Unit Management
- Business Units Operational Risk Staff
Source: BBA (1999)

[16] BBA (1999).

At CSG, the 6 major business units each have a CRO or CCO and an appointed OpRisk officer. The Group-CRO chairs 3 different risk related committees and has an overall top-down function as to creation and alignment of definitions, terminology, methods and processes. He monitors, encourages and intervenes if needed and advisable. He exercises formal and informal influence, also on higher levels, and he promotes the creation of a "proper" risk culture by following the previous 12 Golden Rules on page 9. However, bottom-up approaches are encouraged, especially in the OpRisk arena.

6.2.4 Audit driven OpRisk Management
It is self-evident that auditing and controlling activities are not reporting to those who are audited: Internal audit reports go to the Chairman or Audit Committee of the Supervisory Board, thus ensuring independence. At CSG e.g. audit reports are reviewed by the CEO, CFO and CRO as well. Internal and external audits play a very relevant role. The tasks of internal auditors vary, depending on business activity and the engaging in consulting on OpRisk management matters. A limited CSG analysis of 12 banks indicates: Retail banking has 3-5 and investment banking 7-10 auditors per 1000 staff on average.

In my opinion, the audit driven approach is the most pragmatic and readily implementable approach in OpRisk management. It is true that many conventional audits are more control-oriented or concentrating on symptoms. However, forward looking and diligent audit reports are an excellent base for operational improvements and reduction or elimination of OpRisk: From ex-post assessments to ex-ante improvements. As important as the audit reports themselves are the corresponding follow-ups and corrective actions by those concerned. At CSG, the Business Units have their own audit tracking system. At Group level, percentage data on items for correction are established for each BU and then consolidated. Unsatisfactory major reports are subject to additional follow-up requests by Group Management. Very unsatisfactory reports - especially revisited issues - are bonus relevant.

Statistics based on internal audit findings can be revealing. Example: documentation issues at large are mentioned in 31% of all reports, procedures issues come up in 29% etc. A comparison over years allows for some conclusions as to progress in especially OpRisk issues.

6.3 System and Systems
System as one of the 12 S's stands for processes, tools and mitigation strategies, while Systems are their corresponding IT and communication tools. Here, we deal with the risk management process, primarily control aspects. Risk assessment, measurement and reporting as tools are presented in chapter 7. Additional risk mitigation is dealt with in chapter 8.

6.3.1 Framework of OpRisk Management
A common framework for OpRisk management for banks which has emerged recently includes integrated processes [17]. This framework has 6 components as presented in Chart 6.4.

Chart 6.4: Enterprise-wide OpRisk Management Framework
- Strategy
- Risk Policies
- Risk Mgt Process: Controls, Assessment, Measurement, Reporting
- Risk Mitigation
- Operations Management
- Company Culture
The framework is to be integrated with market and credit risk, aligned with stakeholders, and supported by System and Systems.
Source: Credit Suisse Group, based on BBA (1999)

Strategy and structure aspects were discussed previously.

6.3.2 OpRisk Control Process: 12 General Rules to Watch
In its September 1998 framework on internal control the BIS mentions three main objectives and roles of the internal control framework [18]:
- Efficiency and effectiveness of activities (performance objectives)
- Reliability, completeness and timeliness of financial and management information (information objectives)
- Compliance with applicable laws and regulations (compliance objectives)

[17] BBA (1999), pp. 12-13.
[18] BIS (1998).

Internal control consists of 5 interrelated elements:
- Management oversight and the control culture
- Risk recognition and assessment
- Control activities and segregation of duties
- Information and communication
- Monitoring activities and correcting deficiencies

The control and compliance process of a firm represents one of the most decisive OpRisk management tasks. For me, the risk culture aspect is the most decisive factor and base for good risk management. An appropriate control and compliance culture is part of the risk culture. "Culture" is qualitative. It cannot be quantified or modelled. This "cultural aspect" needs close and continued attention by senior management, especially in today's environment. Regulators' standards are continuously being raised, especially in OECD countries. Individuals are increasingly held responsible by supervisors. Supervisors increasingly discipline breaches of responsibilities. In Table 6.2, I have summarised some existing and / or increasingly upcoming requirements as a "checklist" with 12 general rules to watch in the context of OpRisk.

Table 6.2: OpRisk Control: 12 General Rules as a Check List [19]
1. Control is a difficult balance between action making the fortune and "the cautious seldom err" (Confucius): Have a control environment and a compliance culture which accepts internal supervision. Compare some of the "S" of an organisation: strategy → structure → system → systems → safety → speed → staff → skills → style → shared values.
2. Organise the activities so that they can be controlled: Establish clear structures and procedures, allocate responsibilities to suitable individuals, "owner" of specific activity, does "owner" know what he/she owns, checks organised.
3. Integrate OpRisk functions/responsibilities in job descriptions.
4. Construct procedures relevant for the concrete activity, including: Structure, activity, workflow, key risks, controls, records, regulatory requirements, CMS, what FSA expects.
5. Map regulatory requirements directly to compliance control.
6. Document the procedures and maintain the relevant documents: You might have to prove something, "and you must do".

[19] This section is partly based on: Morris, S., "Operational Risk Control", London, June 2000.

7. Train management and staff: Train the supervisors of staff: supervisors also check; see staff turnover, role of temps and consultants.
8. Procedures should ideally have the following characteristics:
- Single document as to rules and requirements
- Structured along the activity flow
- Comprehensive
- Clear: so someone else can pick it up
- Monitorable
- Instructing: what is to be done in case of ...
- Teachable: so it can be used as a training aid
- Implementable: use simple check lists
- Auditable
9. Special attention for control procedures should be paid to the following:
- New business / activity / product
- Internet activity, e-business
- Outsourcing
- Security, safety: access to infrastructure, internal data
- Client privacy protection, including data on clients
- Insider trading
- Conflicts of interest
- Money laundering
- Suitability of clients
- Branch/subsidiary offices, especially far away from HO
- Overly profitable areas
- Internal communication/information flow
- Change management
10. Compliance plays an increasingly core role for OpRisk control:
- Proper positioning of compliance for a specialised activity: e.g. private banking has very different requirements compared to investment banking
- Compliance officers becoming risk managers: from a rule based approach to a function based approach?
- Enough and suitable compliance staff?
- Adequate procedures and reporting lines?
- Access to senior management?
- Staff understands compliance function?
- Compliance monitoring?
- Elevation procedures?
- Investigation on breaches?
- Follow-up on rectification?
11. E-commerce presents a new control/compliance challenge:
- Entrepreneurs and creative innovators also need structure and systematic approaches in management: e-nablement = e-compliance
- E-business within the firm's regulatory and compliance framework
- Monitoring by senior management

12. Supervisory board and senior management have an increasing responsibility for controls and compliance: from back to board room:
- Key functions and procedures?
- Control environment?
- Adequate compliance function?
- Controls: serious breaches and their remedial follow-ups?
- Database on breaches?
- Clear areas of management responsibility?
- Management support for controls?
- Compensation impact?

6.3.3 Top-down versus Bottom-up OpRisk Management
There is no commonly accepted benchmark or model as to the methodology of managing OpRisk. Not surprisingly therefore, there are arguments for both top-down and bottom-up approaches in OpRisk management. As to be expected in the art of management, both have advantages and disadvantages. Table 6.3 indicates some of the aspects of the two models.

Table 6.3: The Choice of an OpRisk Management System
Top-down:
- Close to strategy, policy and corporate governance
- Management driven
- Loss events knowledge
- Defined, unified standards
- Comparable statistics
- High level mitigation
- Accountability?
- Compliance and/or acceptance?
Bottom-up:
- Close to the concrete activity, often origin of risk
- Close interaction between events and people, processes and technology
- Local quality controls
- Sense of duty as a main driver?
- Dependence on staff initiative?
- Own standards?
- Incentives?
Source: Credit Suisse Group / GRM, 2000.

For me, the OpRisk management process includes identification, assessment, measurement, evaluation, priority setting, reporting, control and mitigation. Most important seems to me the clear ownership of an activity, the ability to generate reliable, meaningful and relevant information and a well functioning early warning system. Top-down and bottom-up: I believe in a mix.

6.3.4 Risk Processes: Quantitative and Qualitative Approaches
Whether top-down or bottom-up, OpRisk management can be based on quantitative and qualitative assessments, as presented in Chart 6.5. Both should be combined and must induce management actions.

Chart 6.5: Qualitative and Quantitative Operational Risk Management Process
Risk indicators (qualitative):
- establish a set of indicators
- regularly monitor risk indicators
- use as basis for management reporting
Analysis: analyse trend of indicators:
- for their financial impact, if feasible
- for possible qualitative improvements
Risk based internal charge (financial)
Management decisions:
- determine what kind of action is necessary, if any
- implement improvements or transfer the risk appropriately
- create incentives to encourage best practice
Mitigation or transfer
Source: Credit Suisse Group / GRM, 1999

6.3.5 Personal Attention by Senior Management
With all the requirements as to strategy, structure, system and systems presented up to now, one element often overlooked is the personal senior management attention to support functions and to details in regard to OpRisk aspects. Honestly:
- How often is senior management visiting and discussing with support / control functions?
- How often and how long is senior management in the "machine room"?
- How often is senior management showing a vivid interest in some - overall unimportant - detail, but important for a department or issue?
- What is the time allotted at management meetings for support functions?
- What "pats on the shoulders" do they get?
- How large is the compensation difference between front producers and excellent or even crucial support people who are so relevant for mitigating OpRisk and fostering reputation?

6.3.6 Compensation-System
Banks are regularly being criticised for the - Anglo-Saxon influenced - bonus systems according to "plain volume performance". Pure short-term orientation can be damaging for the shareholder, other stakeholders, the organisation and even the individual concerned. It is a serious issue which is relevant for OpRisk management as well. In my opinion - in the interest of a proper risk management in the medium term - a modern compensation scheme should take the following into account:
- Serious negative control and compliance performance is included for the overall performance judgement, including for "producers". The assessment of a line manager has to include control and reputational performance.
- Seriously negative audit issues - especially repeated weaknesses - are part of the yearly bonus fixing.
- In case of doubt in regard to the clean-up of previous or real OpRisk performance issues, there is a suspension of the bonus-entitlement until full compliance has been achieved.
- A meaningful portion of a bonus is in shares and/or options, effective after a few years and/or with a knock-in performance. The higher the management level, the higher the longer-term component of compensation. The higher the seniority, the higher the number of years for the potential blocking of shares, with a longevity premium.
- Some support functions, such as reducing OpRisk, increasing the operational quality and fostering the reputation, are as core as the contribution of "producers".
- The more diverse management and staff on a global scale, the more relevant the above suggestions become.

For my personal taste, senior management should only get their bonuses in shares: either you have a medium-term commitment or you do not.

6.3.7 Modern IT-systems lead to New Processes
The pressure from everywhere to invest continuously and dramatically - including in the interest of risk reduction - in modern processes is immense, especially for a global institution. Internet related technologies enable much higher and more sophisticated levels of co-ordination, such as higher automation, instant communication, quick storage and retrieval, support for quick decision making, monitoring against given standards, support of process work functions, 24h x 7 availability of e-commerce services with realtime execution of transactions. They first and foremost enable business development. The new technologies lead to unique opportunities to modify and/or overhaul business processes as to workflow, efficiency and flexibility, actual work steps in processes, service delivery and risk reduction. Important is to rethink or even reinvent processes. The new IT in conjunction with process re-architecture has many advantages related to the reduction of OpRisk. Integrated IT networks are central. However, they open the door for chaos and risks if they are not consistent, structured, harmonised and stable over time. While all banks are under massive competitive market pressure, e.g. globality, that is the time when certain risks - including OpRisk - appear, and that is when good management shows.

Without even trying to be technical, there are some basic rules in regard to OpRisk to consider:

Table 6.4: OpRisk-Systems: 12 IT related Basics
1. Future-oriented and fully compatible architecture for operational demands of business, with potential conflicts between the interested parties: co-operation, consensus and compromise are management functions: follow the KISS-rule.
2. Processes and systems are standardised across regions and product lines; avoid island solutions.
3. One source of data throughout - especially market data; data should have a single assigned owner; data can be audited.
4. As little manual intervention as possible: great sources of mistakes are manual interventions → minimal reconciliation → more ideal is straight-through-processing.
5. Business line processes are separated from IT: no overreaching access of line function for data and IT-systems.
6. Security protection, firewalls and business continuity plans are key.
7. No core systems without backup; cost / benefit of a backup for backup?
8. Systems - by their nature - are interdependent and complex. Not maximum performance, but the handling of bottlenecks mostly determines the quality and risk limitation potential.
9. Many, even technically perfect IT-solutions fail, because the users are ill prepared and resist. Communication and training is the issue: high tech combined with high touch.
10. New systems/processes should eliminate many risk sources, but they most probably add new ones: any solution breeds new problems. Reassess the existing process on a regular basis.
11. Especially recurring mistakes need re-examination of manager/supervisor/system/systems.
12. Quality is parallel to reducing OpRisk. Quality will no longer be a differentiating factor but a precondition for a decent survival.

6.4 Safety and Speed
One of the most distinguishing elements of competitiveness of a bank is its safety and security. A bank's reputation - its most valuable asset - is an issue of confidence and trust for which aspects of safety and security play such a crucial role. Whatever we do, we must make sure that we fulfil regulatory requirements and observe all laws. However, this can imply slowness which in turn hampers competitiveness. Today, the fast beats the slow, more often than the big the small one. The challenges are great: managing heterogeneous systems, rapid IT changes, Internet, e-commerce, restructurings and new products of all sorts.

A general legal risk is the data protection problem. The EU directive of 1998 has 4 basic principles [20]:
- Individuals should be able to obtain and make corrections to information that is held about them by companies or institutions
- Companies must gain their customers' consent before storing or using information about them
- Companies must only use data for the original purpose that was expressed at the time of collection, unless the customer agrees otherwise
- Companies must not obtain more data on individuals than they need to carry out their stated purpose

There is a privacy gap between the USA and Europe which poses problems for global marketers: What is sacred in Europe generally is for sale in the USA, especially by Webcommerce information plays. Is the planned US "safe harbour" approach the answer?

Table 6.5: Safety and Speed: 12 Principles
1. Confidence and credibility of a bank - besides capital strength, size, cost, position - rely largely on its safety and security:
- Safety and security foster accident free quality
- Prevention is often cheaper in the long run than damage control - cost / benefit dependent
- Perception is as important as facts
2. Safety / security come ahead of speed:
- Safety is a precondition, not a differentiation factor for a bank
- A bank's appetite for safety risks has to be smaller than the one of a non-bank
- Banks need safety in their speed: trust builds confidence
- "E-commerce-ready" management structure and system/s
3. The damage caused by serious security / safety failures of an Internet activity most probably has a negative effect on other activities of the same organisation, financial or other. Only confidence at large builds reputation - so hard to get, so easy to lose.

[20] See Randall, J. (2000): "Digital Buccaneers Caught in a Legal Web", Financial Times, May 30, 2000.


4. Proactive business continuity planning - as a business imperative - is as much a prevention as a cure. Logical system threat is perceived as more important than physical threat:
- Regular checks on the relevant safety / security issue
- Combine traditional disaster recovery and fault-tolerant computing
- Speed of crisis response mostly more important than perfectionism
- Outsourcing increasingly possible, but outsourcer's responsibilities vis-à-vis clients remain

5.

Any transformation project - restructuring, M&A, new systems, new process, new products - entails additional special and complex safety and security issues. Key success factors for projects: S S S S S Strong senior management support and involvement Thinking before acting Good planning Convincing business case Good discipline and controlling

6.

7.

High systems availability and user friendliness are a crucial - factual and perceived - indicator for safety and security: S S S S 99.99% availability for mission-critical systems is becoming a priority Minimise downtime with review of hardware, software, systems compatibility, processes and staff training Proven systems normally are more secure and reliable Watch the cumulative effect of systems downtime

8.

More security breaches - especially IT related - stem from inside the organisation than from outside - ignorance, carelessness, complexity, deliberately: S S S S S S S S S Security starts with identifying and planning Identify own weak areas and the real assets to be protected Protection of intellectual property, client list, computer codes etc. is as important as protection of money Preventive controls (biometrics password etc.) Documented detection and remedy controls Corporate style and culture Training Clear disclosure to employees that any and all communication they engage in on company time and equipment is subject to potential surveillance Watch also ex-employees


9. Safety management is - besides having the right infrastructure, technology, service level agreements, processes and recoverability - primarily a matter of OpRisk management applying discipline, e.g.:
- Rigorous password security and changes; cumulative barriers to overcome for access
- Rigorous Chinese walls
- Rigorous control mechanisms for new business activities, involving sign-offs by all concerned parties (including operations, L&C, tax, risk management)
- Continuously updated anti-virus software
- Immediate virus notification
- Regular checks and controls of logical security
- Backup
- Regular awareness management
- Rigorous discipline as to breaches

10. Piracy on privacy and denial of service scare away clients, anywhere: transactions and data must be safe, secure, private, verifiable, auditable and defensible. E-commerce especially allows transaction information to be tracked, collected, compiled and used, respectively, misused. Protection of privacy and safety can be fostered by:
- Protection from "cookies" (software tracking what you do on the www)
- Regular checks on new processes, new technology
- Terrestrial links (with two or more access points, satellite as stand-by)
- Secure Sockets Layer (SSL)
- Home Banking Computer Interface Standard (HBCI) encryption plus chip card with digital signature
- Existing (challenge response logic) and upcoming encryption technology with unique codes
- Public Key Infrastructure (PKI) increasingly enables users of the Internet to securely and privately exchange data through the use of a public and a private cryptography key pair that is obtained and shared through a trusted authority. PKIs allow the use of digital certificates, which can identify individuals or organisations to authorise secured and private transactions across the Internet21

11. The legal ramifications of the virtual online world are in flux and need careful examination. The EU has started various initiatives with directives on electronic signatures, e-commerce, distance marketing of financial services, distance selling, data protection. The legal aspects are potentially also relevant in the context of comprehensive general liability insurance. Watch for: domain name infringement, sale of keywords, copyright infringements and patent infringements, invasion of privacy, defamation, unfair competition, contractual risks, jurisdictional risk, employment practice liability, health and safety of staff, local legal specifics.
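The inside-threat controls of principles 8 and 9 (watch ex-employees, enforce password changes, regular checks of logical security) as a small control run, added here as an example that is not code from the paper. It reconciles user accounts and an access log against an HR leaver list; all logins, dates, system names and the 90-day limit are constructed assumptions.

```python
"""Logical security check for principles 8 and 9 (added example, not from the
paper). Reconciles user accounts and an access log against an HR leaver list
and a password-rotation rule. All logins, dates, system names and the 90-day
limit are constructed assumptions for illustration."""
from datetime import date, datetime

PASSWORD_MAX_AGE_DAYS = 90         # assumed rotation period of the password policy
AS_OF = date(2000, 10, 4)          # constructed date of this control run

# Constructed account records: login, enabled flag, date of last password change.
ACCOUNTS = [
    {"user": "a.muster", "enabled": True,  "pw_changed": date(2000, 9, 1)},
    {"user": "b.keller", "enabled": True,  "pw_changed": date(2000, 3, 15)},  # stale password
    {"user": "c.frey",   "enabled": True,  "pw_changed": date(2000, 8, 20)},  # has left, still enabled
    {"user": "d.roth",   "enabled": False, "pw_changed": date(1999, 12, 1)},  # has left, disabled
]

# Constructed HR leaver list: login -> last working day.
LEAVERS = {"c.frey": date(2000, 9, 30), "d.roth": date(2000, 6, 30)}

# Constructed access log: date time login system result.
ACCESS_LOG = """\
2000-10-02 08:15:01 a.muster trading-gw OK
2000-10-02 09:40:12 c.frey trading-gw OK
2000-10-03 22:05:44 d.roth settlement DENIED
2000-10-03 10:00:00 b.keller settlement OK
"""


def parse_log(text: str) -> list:
    """Parse the whitespace-separated log format constructed above."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, user, system, result = line.split()
        events.append({
            "when": datetime.fromisoformat(f"{day} {clock}"),
            "user": user, "system": system, "result": result,
        })
    return events


def check_accounts(accounts, leavers, as_of=AS_OF, max_age=PASSWORD_MAX_AGE_DAYS) -> list:
    """Principle 9: password changes enforced; principle 8: watch ex-employees.
    Returns (finding, login) tuples for enabled accounts only."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if not acct["enabled"]:
            continue                      # disabled accounts are already remediated
        if user in leavers and leavers[user] < as_of:
            findings.append(("LEAVER_STILL_ENABLED", user))
        if (as_of - acct["pw_changed"]).days > max_age:
            findings.append(("PASSWORD_STALE", user))
    return findings


def check_access(events, leavers) -> list:
    """Detection control: any access attempt by a login after its last working
    day, successful or denied (a denied attempt still shows the credential is
    being tried and deserves follow-up)."""
    findings = []
    for ev in events:
        last_day = leavers.get(ev["user"])
        if last_day is not None and ev["when"].date() > last_day:
            findings.append(("EX_EMPLOYEE_ACCESS", ev["user"],
                             ev["when"].isoformat(sep=" "), ev["system"], ev["result"]))
    return findings


if __name__ == "__main__":
    for finding in check_accounts(ACCOUNTS, LEAVERS):
        print(*finding)
    for finding in check_access(parse_log(ACCESS_LOG), LEAVERS):
        print(*finding)
```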

21 Norton, J. (no date), Security and Data Protection, FKM.


12. Every major financial institution has the task of supporting industry-wide efforts and organisations to standardise transactions and foster safety and security, such as the Global Straight-Through Processing Association (GSTPA), SWIFT, Continuous Linked Settlement (CLS), CHIPS, etc.

6.5 Staff and Skills

The value of a financial services institution increasingly lies in its intangibles: data, knowledge, skills, people, network, reputation and brand. These are bundled together in the organisation and can also be reflected in OpRisk. Worldwide, a battle for talent is going on. Human capital has become more important than financial capital. Human capital with its creativity will become THE core asset. The brainware is the issue, not the hardware! For financial institutions, employee selection, retention and development are at least on the same level as customer loyalty or shareholder support. As a matter of fact, the last two stakeholders' aspects very much depend on proper management and staff. Despite all the quantitative and analytical methods used in disciplined and structured organisations, people still base their decisions on personal inclination, ad-hoc influences, group dynamics, belief systems, cultural norms and values.

Table 6.6: Staff and Skills: 12 Principles

1. Personality of a person is probably the most important core trait for a successful long term survival in an organisation, followed by motivation and ability. If the above statement is correct, personality aspects should be the key selection and retention arguments. There is seldom a large difference between what a person is privately versus professionally. These aspects should never be forgotten as the ultimate source of OpRisk is always human in nature. This is important for risk management in general as risks are perceived subjectively: when a risk taker is in a relevant gain position, he/she becomes more conservative; in a position of loss, he/she normally becomes more risk seeking, having not much to lose (Prospect theory). A common bias is also the personal confirmation bias: more attention is given to information which confirms a personal hypothesis than information which contradicts it. All this requires employees with character, integrity and ability to be self critical.


2. If the difference between very good and not so good employees is 2 to 1, then the selection, retention and development of people becomes even more crucial. For tasks of some importance, always hire somebody who is interested in developing him- or herself, even if very demanding and hyperactive, but watch the drag factor of an 80% commitment only: another OpRisk issue. Hire people who understand what they do and what they decide. Never hire or keep anybody where there are question marks as to integrity and intellectual honesty. "Integrity without knowledge is weak and useless, and knowledge without integrity is dangerous and dreadful" (S. Johnson, 1709 - 1784). This is easy to say, difficult to do.

3. Excellent performers in front functions or specialists are not necessarily good people managers - which can mean OpRisk. Some aspects of management can be learned, but not all. Intuition, experience and EQ remain important. New skills needed in a competitive world include the management of change, of confrontation without hostility and of conflicts. Make entrepreneurship, creativity and empowerment an issue, also in operational or support areas. Recruiting and nurturing skills of managers and HR will be challenged even more in regard to this OpRisk.

4. Managers and staff in Operations and Support often are not in the limelight like front people. Take into account the aspects shown under 3, but also include some limelight. Example: "Team of the month" as an official firmwide announcement. This does not imply that aspirations and expectations of support people can be kept low! It only leads to additional OpRisk.

5. Not only the responsibility, position, outlook, compensation and colleagues attract excellent staff. More flexibility is needed for e.g. job-sharing, part-time or term-time working, telecommuting, childcare, paternity leave, special leave, no-strings attached sabbaticals, dress-downs, tax advice, stock options, privileged early-stage investments.

6. Be aware that different attitudes exist, especially among younger people:
- Be part of a fashionable job with positive vibrations, or
- Ensure balance between private and professional lives
Both attitudes can lead to personal growth.

7. People with the most attractive personality and best skills are the most mobile. Therefore, given the new economic environment, high turnover rates and the coming termination of loyalty and lifetime employment, continuous training and retraining becomes crucial for each employer and employee. Continuous in-house education and training, from "know-how" to "feel-how" to "do-how", is another OpRisk mitigant. The new technology of Inter- and Intranet makes a very efficient "Webucation" possible: B2E. People's ability to change/learn is not primarily a function of capacity, but of choice. Acquiring knowledge ≠ applying knowledge.

8. Global markets require a mix of management skills, including sensitivity, multicultural perspective, technological literacy, IQ, EQ and leadership. Management and staff of a global organisation need to demonstrate four key qualifications:
- Attitude
- Awareness
- Knowledge
- Skills
Without these, a global organisation is bound to have problems.

9. Knowledge management is an increasingly important and conscious corporate activity. It leverages existing intellectual information assets, corporate experience and best practice. Organisations are being challenged to identify and separate the high-value, high-utility data from the low-value data. Therefore, knowledge management is also information management: the right contents in proper form, at the right time to the right people becomes the key to success. Staff is mostly over-newsed and often under-informed.

10. Management and staff issues in regard to discrimination, diversity of staff, mobbing, bullying, harassments of all sorts and infrastructural environment aspects have to be a senior management's OpRisk concern today. Coming to other regions from the USA, staff pressure, litigation and/or media pressure in those areas are becoming more prevalent in Europe. Tougher legislation will come up.

11. It is probably correct that a proper culture of an organisation improves people's attitudes and strengths. This is even more crucial, given the growing diversity of staff and high turnover rates.

12. The engagement of outside consultants has become an important skill feature for almost any financial institution. The consulting heydays for the introduction of the Euro and for Year 2000 are over. New engagements must be found, among which OpRisk matters are most welcome. Some consultants are playing on fears about vulnerability rather than providing relevant and credible solutions; some of their representations vis à vis regulators do not make life easier for banks. Such a temporary skill acquisition can be successful as long as the following conditions are met:
- Well formulated specified mandate with time limit
- Right experience
- Your project must be a consultant's priority
- Qualification of team members with specific responsibilities
- Acceptable financial situation of the consulting firm
- No conflict of interest
- Credibility as ambassador for the institution
- Compliance with internal rules during the contract, including trading rules

6.6 Style and Shared Values

Style and shared values are core issues for the risk management of a financial organisation, including for OpRisk management. It is a qualitative expression of the organisation; such an expression can be difficult to describe. Corporate culture - an expression often used and misused - is this formal and informal, written and unwritten and often invisible totality of common norms, values and beliefs, thinking and acting which determines the behaviours of management and staff, actions and reactions. Each organisation has its very specific corporate culture. Risk culture - besides people - is THE most crucial factor for a successful risk management generally and in OpRisk management in particular. This aspect is - in my judgement - even more important than the most sophisticated quantitative risk models which also need intellectual honesty. The control culture acts above all at the very place where risks are taken: at the level of the individual acting on behalf of the firm. The following guidelines address OpRisk at the root as they touch the individual's attitudes and values.

Table 6.7: Style and Shared Values: 12 Guidelines

1. Culture is core for the identity of people, including for OpRisk management matters. Traditionally, culture has been linked to common language, values, customs and beliefs on a local, national and perhaps regional level. New mass media and Internet seem to be forging tomorrow's global culture with an internationalisation of activities and staff. Is the culture of global identification and cyber citizenship going to be enough of roots?

2. What is acceptable may differ from one individual or organisation to the next. Therefore, "acceptability" needs formal and informal processes. Not every decision can have or should have written rules: managers and staff have to be able to make the majority of their decisions within a cultural framework. Purely and formally ruled staff is an excellent recipe for getting mediocre quality only. Financial services is largely a judgement business. "It is by acts, not by ideas that people live" (Anatole France).

3. Important are the shared aspirations, energy and avoidance of risks. Top responsibility for the risk culture lies with senior management. Some components of a good risk culture:
- Proper system and systems
- Properly formulated policies
- Clear guidelines and manuals
- Continuous risk oriented training
- Alert staff, risk conscious behaviour
- Honesty, intellectual honesty, integrity, fairness, openness and the ability to work in a team
- Flat structure, supportive management
- Active and constructive communication
- Open agendas
- Acceptance of controls
- Natural, risk-adjusted compensation
- Elimination of undesirable managers and staff
- Prevention of risks ahead of correction
- Identification with the company, sense of belonging

4. Discipline must be in place as to following structures, system and systems, but also as to admitting and learning from mistakes and correcting them properly. At the same time, mistakes happen daily as the future turns out differently than expected. It follows that a key factor in risk management and risk culture is discipline and perseverance as THE message of senior management.

5. The style of a company should be inspiring - according to my perhaps still idealistic taste - with the following parameters: the employee brings competitive performance short-term and continuous competence building long-term; the employer cares for competitive employment terms and conditions short-term and commits sustained investment in employability long-term. Given the environment today and tomorrow, such a contract between employee and employer should be attractive for both partners.

6. The role of internal communication through informal processes and structures must not be underestimated. Such processes often are the sources of initiatives, creativity and innovation.

7. One recipe for OpRisk management is the removal of a "blame culture". Staff must feel less concerned about admitting mistakes. To sack or reprimand staff after an incident can lead to covering up future problems. Therefore, a performance appraisal process must be designed to pick up poor shows at an early stage. Senior management's action and reaction should take this into account when working towards mitigating OpRisk.22

8. Avoid "silo thinking and acting" in OpRisk management. Avoid the "knowledge is power" syndrome. All should know what others - relevant for their responsibilities - are doing and planning. In a "full picture" environment, psychologically, professionalism and motivation will be improved. Compare the military experience in chapter 5.

9. "To take care" of management and staff is not synonymous with "caring for people"; there can be a very fine line between the two. Subordinates or staff fully realise this.

10. Risk management - in the context of corporate culture and specifically for risk / control culture - is a continuing, never-ending process, not a program, certainly much more than "box-ticking". You will never know how good a company's risk culture is until it is put to the test. Controlling and disaster simulation are good measures for judging the overall state of the organisation and for use as a base for improvements.

11. Whether an organisation has a good or bad risk culture is a highly qualitative judgement; it cannot be mathematically quantified. The direct non-quantifiable characteristics of risk culture make regulators uneasy. To singularly judge an organisation with maturity and experience must be highly challenging for an outside supervisor.

12. Common denominators and shared values of an organisation are becoming much more relevant, given the "dilution" of other institutions' credibility, the rapid change, the diversity and fluctuation of staff and the globalisation of business. These are the reasons why CSG introduced an internal global and self-imposed Code of Conduct for close to 80'000 staff as part of their employment contract. While the daily application of such a Code of Conduct is the issue - it will be part of the regular internal auditing - it should provide the individuals around the globe a sense of focus and belonging. The 12 internal core values of the code as one example are shown in Table 6.8.

22 See also Rachlin, C. (1998): "Operational Risk in Retail Banking" in Jameson, R. (1998): Operational Risk and Financial Institutions, Risk Books, London (1998), p. 125.

Table 6.8: 12 Core Values for Employees of Credit Suisse Group

6 Core Ethical Values

INTEGRITY - We realise that our global franchise is based on our core ethical values and our long standing reputation for integrity, trust, confidentiality, fairness and professionalism. We do not mislead our stakeholders. We promise only what we can deliver.

RESPONSIBILITY - We honour our commitments and take personal responsibility for our actions. We respect the interests of our stakeholders (clients, shareholders, employees, service providers, competitors, government authorities, financial regulators, media) and of society as a whole.

FAIRNESS - We believe in courteous and respectful treatment of our stakeholders. We support equal opportunities and a work environment free of discrimination and harassment of any sort.

COMPLIANCE - We acknowledge the importance of all relevant laws, regulations, policies and standards, both internal and external, and comply with them. Legality, compliance and our core ethical values, however, come before profits.

TRANSPARENCY - We seek constructive, transparent and open dialogue with our stakeholders based on fairness, mutual respect and professionalism.

CONFIDENTIALITY - We treat confidential information as such and do not disclose non-public information concerning the Credit Suisse Group companies, their clients and employees, unless required by law.

6 Core Performance Values

SERVICE - We are committed to providing superior service to our clients. We believe that knowing our clients and offering them value by combining good judgement, in-depth knowledge and prompt and courteous service leads to success.

EXCELLENCE - We are committed to excellence through continuous improvement of our management practices and know-how. Problems or mistakes are viewed as a chance to improve.

TEAMWORK - We believe in achieving more for our stakeholders by working together to draw upon our individual and collective strengths and abilities worldwide and across business lines.

COMMITMENT - Every employee contributes her/his best to reach our common goals, by maintaining focus and intensity of effort. We recognise individual contribution to the current and future success of our firm and reward it objectively, taking into account the personal contribution to targets, governance and teamwork.

RISK CULTURE - We base our business operations on conscious, disciplined and intelligent risk taking. We are committed to exemplary management discipline and a first class control and compliance environment. We believe in independent risk management, compliance and audit processes with proper management accountability for the interests and concerns of our stakeholders.

PROFITABILITY - We are committed to sustained profitability which enables us to carry out our strategies, make long-term investments, fairly compensate our staff and achieve an attractive return for our shareholders.

6.7 Stakeholders and Symbol

This pair of the 12 S's is another "soft" area of an organisation and increasingly key for a successful survival. Influences and interdependencies between an organisation versus its stakeholders are manifold, often informal and hardly quantifiable. The expression "symbol" stands for identity, brand, reputation and perception. Stakeholders and other described factors influence the "symbol". The new environment is fast, mobile, IT-driven, innovative, complex, interdependent, anywhere-anytime connected, time-pressured and competitive, which leads to a world which is highly global. Every one of these characterisations entails challenges for OpRisk management.

Table 6.9: Stakeholders and Symbol: 12 Issues

1. There is a trend away from the sole shareholder towards a more integrated stakeholder orientation. Managing for shareholders means managing for stakeholders. Shareholders cannot be satisfied if other stakeholders - primarily customers, employees, partners, but also supervisors, government and nongovernment organisations - are not cared for. All stakeholders drive the financial success and the share price which leads to sustainability. Corporate performance is increasingly judged by global standards.

2. Creating value for financial institution customers is the greatest challenge. Customer "ownership" is probably still the key strategic barrier for competitors. Operational skills of an institution are crucial for nurturing customer loyalty: reliance, speed, access, transparency, quality, customer orientation and "risk-free" activities; risk-free means "reliable" for many clients. The client expects privacy for his/her personal financial transactions. Up to now, banks do not seem to have had any major problems with operational e-safety. Such a record will be a crucial differentiation argument vis à vis non-bank competitors. OpRisk management is close to quality and operations management.

3. OpRisk management is especially challenged in restructuring and M&A situations. Most clients are primarily interested in the quality they receive during the transformation. The better and "risk-free" the ongoing service, the better also the internal and external credibility of the transformation project itself.

4. The client or end-user is the final arbiter on a new service or process - not the enthusiastic internal project team. Early inclusion of potential clients, pilots and field tests can reduce the OpRisk involved.

5. With globalisation and a gradual demise of traditional states and politics, the corporation's responsibility as a "partner in society" increases. A proactive social responsibility will have a more pronounced advantage vis à vis stakeholders. Perhaps such social responsibility is a trade-off for more freedom to move. But the preconditions for a successful partnership in society remain: profitability and growth.

6. Every organisation stands for something - whether in fact or perceived internally and externally: every organisation is a symbol for something: it has a reputation, an identity, a brand, an experience, a perception. The 12 S's of an organisation - discussed in detail up to now - create "a symbol" and support a brand, mostly in unquantifiable and intangible ways. The 12 S's are partly directly related to the symbol, often indirectly.

7. Good reputation is the greatest intangible asset of a financial institution. Good reputation is - simply put - the result of what a company says about itself, what it does - and what others say about it. A company's social, environmental, ethical and working practices can make or break the reputation, at least in the medium term. Effective corporate communication is the lifeblood of any financial institution which is so heavily dependent on confidence and trust. Good communication can reinforce reputation, but good communication needs good facts. All this creates expectations in regard to the "trusted bank" which also have to be managed.

8. Financial institutions also have to protect themselves from the customer, including in OpRisk areas. Good OpRisk management calls for proper disclosure and suitability checks on counterparties.

9. In the context of "symbol management" and of social cohesion, the activities of the non-governmental organisations become increasingly relevant. Such organisations have very different shapes and shades. Some of their aspirations have to be taken very seriously. "Activists rarely win against honourable organisations. Activists win when genuine problems are ignored, issues remain unexplained, or behaviours simply don't pass the smell test. Activists' success requires energetic, negative responses from their targets. Without it, they have little choice but to move on. There may be momentary damage, embarrassment and humiliation."23 Financial institutions are more and more challenged in regard to their environmental consciousness for their own infrastructure. Environmentally conscious lending and investing - with commensurate internal processes - have an OpRisk content as well. Certification of the latter is a proof of the seriousness in OpRisk management.

10. Various staff aspects were discussed above. Satisfying its employees enables a company to satisfy its clients. Social cohesion has become a component of success. Key is a formal and informal mutually acceptable understanding between employer and employee, which should provide the needed identification.

23 Lukaszewski, J. (1998), White Plains, NYC, 1998.

11. The most relevant singular factor for establishing an excellent reputation long-term is earnings stability combined with growth. This is the "compensation" for the consistency driving value. Operational skills combined with a successful OpRisk management are an instrumental base for sustained earnings and the management of reputation and brand.

12. Corporate communication - as an organisation in itself - is exposed to OpRisk. An ineffective communication organisation combined with a concrete risk or major OpRisk issue can lead to disaster: from cracks to crisis in extremis. Ideally, each employee takes some responsibility for risk management as well as for corporate reputation.

6.8 Synchronisation

The 12 S's discussion and the previous chapters show that OpRisk management is not an easily definable, measurable and quantifiable issue. We are dealing internally and externally with not only rational, but also emotional human beings who make efforts and mistakes every day. OpRisk is rather different from one organisation to the next, given the specifics of tradition, strategy, structure, system and systems, style, shared values etc., distribution channels, global reach and stage of risk management, each organisation having its own orientation and aggregate skills and expertise. This makes up the "individualised corporation". The priorities must be different. The art in financial services is not the perfect application of one of the 12 S's: the art of managing a bank or another business is the combination and synchronisation of the various S's: right strategy and priority, right structure, right people, right efforts and intensity, right time, right form, right cost/price. A strategy or concept might well be perfect, but a bad synchronisation of all the efforts leads to a poor implementation. This is the reason why financial institutions have different results or different long-term success, different share price valuations and different expectations in the market. This is the reason why management - including OpRisk management - is less of a science, but more of an art. Good OpRisk management is largely good management.

"The difference between stumbling blocks and stepping-stones is how you use them" (Source unknown)

7. Managing Operational Risks: Practical Instruments and Tools

7.1 Introduction

Chapter 6 focused on OpRisk management from a high level point of view. Chapter 7 concentrates on a more bottom-up point of view with corresponding tools, some of which are still being developed and may be CSG specific. Management of operations has always used some sort of tools to identify, assess, control and manage OpRisk in its day-to-day specific area of activity. With the increased awareness of senior management for risks in general and for OpRisk in particular, these tools have received closer attention. No one tool on its own is sufficient; each has its limitations. "Synchronisation" of the tools combined with the previously discussed, more high level approaches of general management - including audits and compliance measures - is the issue. Such an approach leads to integrated risk management. This is similar to the military approach as discussed in Chapter 5.

7.2 Control and Risk Self-Assessment

According to a recent study,24 self-assessment is the most widely used tool among banks. Control and Risk Self-Assessment (CRSA) is a workteam-based technique to help managers identify and measure OpRisk through estimates based on the consensus opinion of a group of knowledgeable managers and staff. CRSA uses a formally documented process in which management and/or workteams review the effectiveness of the business controls to contain risks and to meet defined objectives. The ultimate objective of this process is to foster the identification, assessment and mitigation of OpRisk. Management must clarify the relationship between the organisation's primary corporate objectives and the specific business line objectives for each participating unit. These objectives can include diverse areas, as well as diverse practical applications for every department and every employee function. In many cases, a cross-functional workteam helps to develop the broadest possible coverage for the achievement of the business objective. A facilitator is designated to assist the workteam, whose members should be people who are key to the achievement of the specific business objective or are influencing the operation that has been selected for review.

24 BBA (1999), pp 55 ff. 110 banks approached, response from 55 banks.

Workshops are conducted with employees from participating departments using a framework consisting of control categories, to review the controls in place to achieve each business objective under analysis. The framework's categories may include: purpose, commitment, capability, planning, measurement, process oversight, culture, employee well-being and morale. The objectives are analysed in terms of:
- Threats - events that could prevent the achievement of an objective
- Controls - direct controls, activities that provide additional assurance that objectives are met
- Agreed residual risk - the real or possible events or situations where a business/quality objective is not being met or may not be met given the controls in use/place

The information on threats, controls and risks is captured for each business objective. The information is then documented, summarised and reported to senior management. This approach is used for different functions and locations. It is obvious that CRSAs benefit the organisation, the employee by his/her involvement and management due to the bottom-up feedback provided. Due to the dynamic nature of a firm's risk profile, CRSA findings should periodically be updated. A simplified CRSA example of CSG's Asset Management Business Unit is presented in Chart 7.1.

Chart 7.1: Process Self-Assessment (Source: Credit Suisse Asset Management, 1999) - bar chart of risk level results (on average, 0% to 100%) per self-assessment check; risk level scale: 1 No procedure in place, audit remark; 2 Procedure in place, possible audit remark; 3 Level of external audit standard met; 4 Local best practice; 5 International best practice.

7.3 Impact & Frequency Scorecard

It can also be useful to assess the impact and frequency of identified and relevant OpRisk events. This may be done using an impact and frequency scoring system quite similar to that presented in Chapter 5 for military purposes. In particular, OpRisk events that are identified as having potentially significant impact can be isolated for further analysis, which may include a frequency estimator and investigative study. Based on the fact findings from these analytical tools, appropriate management response can then be deployed.

Chart 7.2: Impact Scoring System (example)

Impact Score Range:
5 Very High [Devastating / Catastrophic]
4 High [Substantial / Major]
3 Medium [Tolerable / Moderate]
2 Low [Negligible / Minor]
1 Very Low [No Impact / Insignificant]

Example: Irregular trading activities spotted by local controllers that may be classified as rogue trading. The impact of this event is assessed using the Impact Scoring tool.

Impact: Medium; Alternatives & related words: Tolerable / moderate; Impact No.: 3
Questions: Does the occurrence of this risk event: have a tolerable effect? prevent you from operating efficiently?
Impact: financial - High financial loss up to USD 25m
Impact: reputational - Some negative press
Impact: regulatory - Regulatory scrutiny / noticeable resource impact on normal activities
Impact: human - Tolerable loss in terms of: loss of Key Staff; loss of expertise; erosion of culture
Impact: organisational - Noticeable resource impact on normal activities; tolerable loss in terms of: loss of control; quality of system / procedures; legal exposure; erosion of culture

IMPACT ASSESSMENT: Regulatory - Local regulator questioning the adequacy of the controls of traders' limits; early feedback indicates that the regulator is satisfied that all feasible controls are installed and followed.

Chart 7.3: Frequency Estimator (example)

Frequency Score Range:
5 Very High [Almost Certain - A number of times a year]
4 High [Likely - 1 in 2-5 years]
3 Medium [Moderate - 1 in 10 years]
2 Low [Unlikely - 1 in 50 years]
1 Very Low [Rare - 1 in 100 years]

Frequency: Low; Alternatives & related words: Unlikely; Frequency Score: 2; Description: 1 in 50 years
Questions: Is this risk event: unlikely to happen? Say 1 in 50 years?
ROGUE TRADING INCIDENT: Internal loss history indicates that this type of event, given the level of existing controls, has a FREQUENCY rating of LOW, i.e. a likelihood of 1 in 50 years.

7.4 Risk Indicators and Escalation Triggers

OpRisk literature is full of fancy terms like KPI, KCI and KRI. These are nothing but abbreviations of the superlative of one and the same thing: all departments in a bank watch certain figures or trends related to their work. Sales people would monitor performance, volume, etc.; settlement staff monitor mistakes resulting from inaccuracies in their operation, etc. They all choose certain indicators which can be sensibly tracked over time. A selection of the most valuable of these indicators is then elevated to "key indicator" status. This selection is made by risk managers from a pool of business data/indicators considered useful for the purpose of risk tracking. The market has coined three different names for such indicators which are relevant for OpRisk management:

Key Performance Indicators (KPI) are normally used for monitoring operational efficiency. Examples: failed trades, staff turnover, unfilled vacancies, systems downtime, change management events, cancel and corrects, breaches in Service Level Agreements, absence levels and customer satisfaction surveys.

Key Control Indicators (KCI) demonstrate the effectiveness of controls. Examples: number of audit exceptions, severity of errors and omissions, number of outstanding confirmations, IT security breaches, contract staff versus permanent staff.

Key Risk Indicators (KRI) are primarily a selection of KPIs and KCIs. A KRI gives insight on the extent of stress of an activity. Examples include the number of failed trades. A few important KRIs are more relevant for management tracking and escalation triggering than the unimportant many. Typically, a business unit or department uses 10-15 different KRIs. KRIs must be used as a time series to monitor and foresee trends. If skilfully used, such trend analyses can serve as an early warning system and provide directional input for senior management involvement. Typically, red flags are triggered if the indicators move outside the established range. The example of Chart 7.4 is based on the structure applied by CSG.

Chart 7.4: Group-wide KRI - Rolling up from Base Data to Group OpRisk Indicators
Group OpRisk Indicators: OpRisk Indicators used for OpRisk Reporting to Ex Board and BoD [Group-wide specific KRI + common BU KRIs]
BU KRI - Composite: BU Composite KRIs, OpRisk Indicators used for OpRisk Reporting to Ex Board [Rolled-up/Aggregated BU level, simple KRIs]
BU KRI - Simple: BU Simple KRIs used for local management at the Business Unit's level
BU Base Data: Departmental/functional Units' control and performance data and statistics (a.k.a. KCI/KPI)
Source: Credit Suisse Group / GRM, 2000

7.5 Risk and Process Mapping

OpRisk mapping is based on self-assessment / perception survey and is a qualitative technique to identify, categorise, analyse and assign:
• Specific risks against a standard template
• Controls or other tactics to manage identified risks
• Residual risks and desired levels of residual risks
• Responsibility for management of identified risks

Chart 7.5: Example of an OpRisk Mapping
OpRisk Category: Technology
OpRisk Subcategory: Software
Specific OpRisk: Programming error
Control & Residual OpRisk: Control: Continual program of checking/updating of critical systems
Residual OpRisk Rating: Medium
Resp. / Action: IT department

Process or activity mapping is a technique employed to describe business processes in a clear, visible way. In the context of OpRisk, it is designed to provide a reflection of the diverse activities that take place within the departments, identifying risk drivers and controls. It can also help highlight issues such as:
• The time delay between the risk and the control that identifies it. This gives an indication of how long a risk may exist before its controls discover it.
• More than one control to prevent the same risk may indicate over-inspection and inefficiencies or lack of confidence in the process.
• Lack of control to prevent a risk may be a consequence of a process inadequacy.

7.6 OpRisk Dashboard

Risk versus Process Mapping is a detailed bottom-up tool and reflects the staff's skills and understanding. This version, however, is too detailed for senior management use. A more relevant presentation is the one attached and presently being introduced at CSG, as shown in Chart 7.6. CSG's OpRisk Dashboard is intended to provide senior management with a simple overview of operational risk levels and directional trends at the highest reporting aggregation level per business unit. Risk indicators aggregated to categories as BU-specific composites or via group-wide sub-categories are evaluated and given a weighting which contributes to the overall OpRisk category risk grade. The dashboard works on the traffic light principle, grading category-aggregated risk per BU by colour. For reporting of data aggregated below the category level, a similar dashboard is used which makes use of the additional grading colour black, denoting fields for which no data is being reported.

Chart 7.6: OpRisk: Risk Category by Business Unit (example)
[Chart: one colour-graded cell with trend arrow per business unit (CSPB, CSFB, CSAM, BU 4, BU 5, BU 6) and risk category (Organisation, Process, Policy, Technology, Human, External)]
Legend: Safe - Acceptable; Caution - Marginally Acceptable; Danger - Unacceptable. Trend: Improving / Constant / Deteriorating.
Source: Credit Suisse Group / GRM, 2000

7.7 Loss Event Database

A loss event database captures and accumulates individual loss events across business units and risk types. A loss event database is the only tool which measures, quantifies and provides financial OpRisk data. An established and complete database can potentially be used for modelling purposes and be applied to external loss events - assuming apples and apples are compared!
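As an added illustration of the KRI escalation triggers (7.4) and the traffic-light roll-up of the dashboard (7.6), not code from the paper or from Credit Suisse Group, the following Python model tracks a few constructed indicators as time series, raises a red flag when the latest reading leaves its established range, derives a trend from the last readings, and grades each OpRisk category Safe, Caution, Danger or "No data" (the black field). Indicator names, ceilings, weights, the 0.75 Caution threshold and the 10% trend band are all assumptions.

```python
"""KRI time-series monitor with escalation triggers and a traffic-light roll-up.

Added illustration, not code from the paper or from Credit Suisse Group.
Indicator names, established ranges, weights and grade thresholds are assumed;
the readings in SAMPLE_KRIS are constructed.
"""
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Tuple

# Grades follow the dashboard legend in Chart 7.6; "No data" stands in for the
# black field used when nothing is reported for a category.
SAFE, CAUTION, DANGER, NO_DATA = "Safe", "Caution", "Danger", "No data"
CAUTION_AT = 0.75   # weighted stress (latest / ceiling) at which a category turns amber (assumed)
TREND_BAND = 0.10   # relative change below which a trend is reported as Constant (assumed)


@dataclass
class KRI:
    """One key risk indicator tracked as a time series (oldest reading first)."""
    name: str
    category: str                 # OpRisk category as in Chart 7.6 (Process, Technology, ...)
    upper: float                  # established range ceiling: a red flag above it
    weight: float = 1.0           # contribution to the category grade
    history: List[float] = field(default_factory=list)

    def red_flag(self) -> bool:
        """Escalation trigger: the latest reading moved outside the established range."""
        return bool(self.history) and self.history[-1] > self.upper

    def stress(self) -> float:
        """Latest reading as a fraction of the ceiling (1.0 == at the limit)."""
        return self.history[-1] / self.upper if self.history else 0.0

    def trend(self, window: int = 3) -> str:
        """Compare the mean of the last `window` readings with the preceding window."""
        if len(self.history) < 2 * window:
            return "Constant"
        recent = mean(self.history[-window:])
        earlier = mean(self.history[-2 * window:-window])
        change = (recent - earlier) / max(abs(earlier), 1e-9)
        if change > TREND_BAND:
            return "Deteriorating"   # stress on the activity is rising
        if change < -TREND_BAND:
            return "Improving"
        return "Constant"


def grade_category(kris: List[KRI]) -> Tuple[str, str]:
    """Roll a category's KRIs up to one (grade, trend) cell of the dashboard."""
    reported = [k for k in kris if k.history]
    if not reported:
        return NO_DATA, "n/a"
    if any(k.red_flag() for k in reported):
        grade = DANGER
    else:
        total = sum(k.weight for k in reported)
        weighted = sum(k.weight * k.stress() for k in reported) / total
        grade = CAUTION if weighted >= CAUTION_AT else SAFE
    trends = {k.trend() for k in reported}
    if "Deteriorating" in trends:
        trend = "Deteriorating"   # the worst direction dominates the cell
    elif "Improving" in trends:
        trend = "Improving"
    else:
        trend = "Constant"
    return grade, trend


def build_dashboard(kris: List[KRI]) -> Dict[str, Tuple[str, str]]:
    """Traffic-light dashboard: one (grade, trend) per OpRisk category."""
    by_category: Dict[str, List[KRI]] = {}
    for k in kris:
        by_category.setdefault(k.category, []).append(k)
    return {cat: grade_category(group) for cat, group in by_category.items()}


def escalations(kris: List[KRI]) -> List[str]:
    """Names of indicators whose latest reading tripped the escalation trigger."""
    return [k.name for k in kris if k.red_flag()]


# Constructed sample readings for one business unit (six reporting periods each).
SAMPLE_KRIS = [
    KRI("failed_trades", "Process", upper=40, history=[20, 22, 21, 26, 30, 38]),
    KRI("outstanding_confirmations", "Process", upper=100, history=[60, 58, 61, 59, 60, 62]),
    KRI("systems_downtime_hours", "Technology", upper=8, history=[6, 7, 9, 10, 9, 11]),
    KRI("it_security_breaches", "Technology", upper=5, history=[2, 1, 1, 1, 0, 0]),
    KRI("staff_turnover_pct", "Human", upper=15),   # nothing reported yet -> black field
]

if __name__ == "__main__":
    for category, (grade, trend) in build_dashboard(SAMPLE_KRIS).items():
        print(f"{category:<11} {grade:<8} {trend}")
    print("escalate:", escalations(SAMPLE_KRIS))
```

Note that the Process category turns amber without any single indicator breaching its range, which is the early-warning effect the text attributes to trend tracking.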

7.8 Applications and Limitations of Tools

While each tool is valuable, they work best in concert. Combined they support a comprehensive OpRisk initiative. The applications and limitations of each tool are outlined in Chart 7.7.

Chart 7.7: Applications and limitations of each tool

Self- or risk assessment*
Applications: Reinforce responsibility with business units; gain agreement on the operational risks and required next steps; bring together independent views
Limitations: Depends on method employed - some are more robust than others and can provide greater insights and buy-in; some alternatives can be time consuming; primarily qualitative

Impact Scorecard
Applications: Assess the impact of identified risks by examining its impact on finance, reputation, regulatory, human and organisation
Limitations: Scoring consistency depends on correct interpretation of a well-defined scoring system

Frequency Scorecard
Applications: Assess the frequency of identified risks by examining its likelihood of occurrence
Limitations: Scoring consistency depends on correct interpretation of a well-defined scoring system; determination of frequency score may be validated by internal loss history, which may be incomplete

Risk maps / process flows*
Applications: Detailed understanding of the operations and the specific operational risk
Limitations: Tool for lower level staff use - too detailed for senior management; limited value to senior management; difficult to maintain current; primarily qualitative

Risk indicators*
Applications: Measure effectiveness of operational risk management; objective, quantitative; as often as daily updates
Limitations: Risk/indicator correlations are unproven; some operational risks difficult to measure; uncertainty if the right measures are being used or just where data are available

Escalation triggers*
Applications: Predetermine decision or intervention point for management
Limitations: Depends on the quality of the target setting and the risk indicators used

Loss event database*
Applications: Provides financial loss-based measures; tool for empirical analysis; tool for risk modelling and support for cost/benefit analysis
Limitations: Data difficult to collect on a consistent basis

Note: * = BBA (1999), p. 71. Source: Credit Suisse Group / GRM, 2000.

"Act in the valley so that you need not fear those who stand on the hill." (Danish Proverb)

8. Operational Risk Transfer: Insurance and Finance

8.1 Insurance as Part of Risk Management

Risk avoidance, risk reduction and control were discussed previously. This chapter deals primarily with risk transfer through commercial insurance and also with risk financing through special purpose vehicles and other financing options. Some argue that insurance is a waste of money: "Buying a bank stock is implicitly buying an industry which is exposed to OpRisk fluctuations; losses disappear between the cracks as part of doing business and often disappear in the P&L." Insurance - in my opinion - is a valuable instrument to transfer risk and to complement OpRisk management: it forces a bank to analyse its OpRisk and to differentiate between their impact and frequency; it avoids the high risk/low frequency situation; it helps to optimise economic risk capital and regulatory capital requirements - if the insurance coverage can be deducted; it smooths earnings and provides liquidity, assuming a proper contract. Insurance is part of OpRisk management (see Chart 8.1).

Chart 8.1: Insurance - Part of the Risk Management Process
Evaluation of the Risk Situation, leading to the Risk Strategy: Avoid / Reduce / Transfer / Bear
Transfer: Insurance Options; Financing Options
Bear: Non-transferable Risk; Cash Flow
Source: Credit Suisse Group / GFF, 1999

A bank should - if possible - hedge non-core risk areas that cannot be diversified within the bank itself as they most often represent low probability high impact risks. An insurance company per se is in the business of pricing and holding a portfolio of such risks; it can diversify these risks across many banks, corporations and non-correlated risk classes. Naturally, what should be insured depends on a bank's strategy, activity, size, stakeholders and risk appetite. In my opinion, it is only good OpRisk management to insure diligently against unexpected catastrophic losses.

8.2 Availability of Insurance

At this stage, various forms of insurance related to Organisational risks (see structure, system, IT etc.), Human risks and especially External risks are usually available, presently at reasonable prices. What the coverage - see Chart 8.2 - in reality represents, depends on the fine print, the historical relationship and the standing of the insurance company as well as the competitive situation in the insurance industry.

Chart 8.2: OpRisk Insurance: general Availability

Organisational Risks (Structure, System, IT)
Loss to Bank: Directors & Officers Liab.; Entity Liab. (organisational Liab.: loss scenario to 3rd parties, customers etc.)
3rd Party loss: Employment Practises Liab.; Bankers Profess. Liab.; Directors & Officers Liab.

Human Risks
Loss to Bank: Unauthorised Acts (incl. trading); Crime Ins.
3rd Party loss: General comprehensive Liab.; Employers' Liability; Employment Practises Liab.; Bankers Profess. Liability; Directors and Officers Liab.; Unauthorised acts; Crime Ins.

External Risks
Property Insurance; Accident and Health; Criminal Acts: Computer crime, Hacking, Cyber Attacks; Bankers Blanket Bond; Theft; Kidnapping and Extortion; Business Interruption

Increasing coverage is available for the protection of information assets and e-business activities.
Source: Credit Suisse Group / GRM based on Kessler Consulting, Zurich, 2000

Innovative insurance companies are developing more integrated risk cover products for OpRisk. Swiss Re New Markets has recently created a product labelled FIORI (Financial Institutions Operational Risk Insurance).[25] It adopts a rather broad-based OpRisk definition and - contrary to traditional contracts - provides a more favourable and timely reimbursement of loss. AON has come up with e-business risk insurance solutions.

25 Avery, R., Milton, R. (2000): "Insurers to the rescue?" in Operational Risk Management, p. 65.

8.3 Strategy and Structure for Insurance Coverage

The insurance strategy of any bank varies by nature: own cash-flow, self-insurance, captive insurance, finite insurance, reinsurance are solutions of varying degree. A possible model is presented in Chart 8.3.

Chart 8.3: Insurance Program Strategy: a possible Model (amounts for illustrative purposes only)
Amount of Loss (USD MM) and Impact: > 250 catastrophic; 101-249 major; 51-100 significant; 11-50 small; < 10 low
Frequency: from rare (catastrophic losses) to frequent (low losses)
Principles of Risk Management: avoid / prevent / reduce at the catastrophic end; observe / manage at the frequent end
Possible Insurance Strategy, from the largest losses down: reinsure at reasonable premium; captive insurance / self insurance; captive insurance / self insurance / cash flow; self insurance / cash flow
Source: Credit Suisse Group / GFF, 1998

At CSG, the insurance set-up is structured the following way:

Group responsibility
• Focus on strategy
• Provide protection for catastrophic and large sized losses
• Set uniform insurance framework for all BUs, including minimum retention levels
• Management of captive
• Claims handling and administration outsourced, but monitored by CSG
• Assist in loss prevention initiatives at BUs
• Receive potential claim notifications and losses exceeding a certain amount
• Place cumulative/aggregate risks

Business Unit responsibility
• Analysis of BU's needs
• Implementation of strategy
• Responsibility for first losses remains entirely with BU, which strengthens loss prevention discipline at BU

The allocation of the insurance activities by the Group is based on a %-weighting along the following components: loss history, allocated capital, number of employees, trading activities, US/UK activities (see greater litigation risks), common basis.


8.4 Funded Captives

Captives today enjoy an important integrated role in many companies' risk and financial strategy. It is estimated that there are around 5000 captives worldwide today. Occasional limitation in the supply of certain contracts and insurance pricing in the market have fostered this growth. McKinsey[26] estimated in 1998 that more than a 20% share of insurance coverage is taken up by self-insurance and captives, increasing to more than 40% within a few years. Centralised buying of insurance and greater flexibility vis-à-vis reinsurance and for loss settlements are the most relevant justifications for captives. Important is that captives regularly have to prove their value relative to market alternatives. While the financial justification remains essential, captives enter the mainstream of corporate financial strategy with a focus on shareholder value. Captives will be used to manage more OpRisk, not just hazard type risk, including some risks normally difficult to place. We estimate that some firms will even diversify by writing more of their own risks including "non-traditional" risk, writing unrelated business insurance, funding employee benefits and purchasing reinsurance on a direct basis. Some are transforming captives into profit centres by writing policies for 3rd parties.

8.5 Alternative Risk Transfer

Over the last few years, we have observed a complementary shift from Traditional Risk Transfer (TRT) to Alternative Risk Transfer (ART). The move from risk transfer to risk finance equals the move from standard "off the shelf" products to "structured product solutions", involving a tailor-made packaging of different types of insurance, for which the number of specialist providers decreases substantially. Three types of ART solutions[27] can be differentiated:
1. Finite insurance - the naming implies limits - can be layered between traditional insurance programs and self-insurance. Finite risk insurance is an extension of traditional insurance with 3-5 year contracts.
2. Securitization or "Insuritisation" based on bond products models the underlying loss experience of an insurance risk portfolio. The underlying insurance losses are largely random, which is attractive for portfolio diversification. Equity based securitization takes the form of a contingent claim on equity markets, offering the investor an uncertain return but a low systematic risk. Therefore, capital is only raised when a large loss takes place.
3. Insurance derivatives have their limitations as there are no suitable indices to track, the underlying economic variables being rather heterogeneous. Therefore, it is not surprising that the only really active insurance derivatives market is the property catastrophe options market at the CBOT.

26 Weczel, R., de Perregaux, O.: McKinsey Quarterly, N° 2 (1998), pp. 95-109. See also Gerry Dickinson: Insurance finds a blend of innovation and tradition, FT 6/6/2000.
27 (1998).

8.6 Risk Transfer: 12 Guiding Principles

1. The need for risk transfer solutions will increase, arising from factors like complexity, globalisation, increased pricing, new technology types of risks, regulators' requirements and pressure for rational capital allocation, etc. In a more litigious society, there will be a growing scope for liability insurance. Actuarial analyses on financial institutions since 1985[28] suggest:
• Known claims/losses in the market can potentially rise beyond USD 2bn (very rare)
• The database suggests that larger companies are more exposed to large claims
• Risk does not increase proportionally to the assets - thus implying that an OpRisk regulatory capital charge should not be based on volume/size
• Claims tend to grow in terms of number of claims as well as size of institution
• Any large losses of financial institutions can have a negative impact on competitors due to the cross-linking among the banks, resulting in temporary stock market reactions. Insurance can help to mitigate economic and reputational consequences.

2. Insurance complements risk management and is part of an integrated approach. It is not a substitute for sound OpRisk management. Insurance must not be a safety net for management failures.

3. Up to recently, insurance buying was an independent function among others, reporting to the firm's secretary or chief accountant. There was a limited choice of coverage offered, often dictated by insurers. Today, management is recognising that insurance is a risk transfer tool and has an impact on the firm's value. Therefore, direct access and/or reporting to senior management has become best practice.

4. Insurance has become a more integral part of the risk and financial framework; insurance can replace capital or represent "contingent capital".

5. Confidentiality of existence and/or terms of insurance coverage is key due to the following:
• "Moral hazard" - there may be a tendency for insured parties to exercise less care and control and potentially experience greater losses than the uninsured
• "Adverse selection" - the likelihood that insurers will get a riskier-than-average sample, given the current tendency of the majority to self-insure CAT exposures, can discourage the purchase of insurance by those potential policyholders that are of perceived lower risk profile in comparison to their peers.

28 Based on internal, AON and Milliman & Roberts assessment, 1999.

6. Third party insurance is a complementary OpRisk management instrument. This is especially the case when it also includes an insurance consulting service by a knowledgeable 3rd party as to:
• Risk assessment
• Risk monitoring
• On site inspection
• Risk statistics
• Requirements on risk management systems
• Senior management contacts

7. Some of the banks' OpRisk areas seem to be difficult to assess, diversify and comfortably assess. Insurers - with 300 years experience - cover the risk they can measure. This is the reason why they are good in statistically proven areas. OpRisk losses are mostly kept confidential or are part of doing business; statistics / figures are not readily available as in credit and market risks. There is limited data-exchange between insurance companies: what is known to one is not known to the other insurance company. Comparable pooled OpRisk statistics are rare or under construction. A risk categorisation by insurance companies along an "all banks carry the same risk" methodology may lead to unfair pricing of the risk. An improved base of mutual trust between bank and insurance company and of confidentiality assurance is needed.

8. Insurance has been, and to some extent still is, a largely ring-fenced, highly conditional and often illiquid instrument. Some insurance companies, however, have come up with rather extended coverage for new risks; some also have improved on more accommodating payout solutions. Such a situation is also a function of the insurance cycle and/or availability of coverage through alternative risk transfers. Risk transfer pricing remains somewhat opaque, especially for integrated seamless cover.

9. Risk transfer by third party insurance and risk financing through special purpose vehicles and other financing options have to be carefully structured, particularly in view of:
• Tax aspects, e.g. deductibility in the USA
• US GAAP, SEC reporting
• Regulatory requirements
• Perception in the market

10. Regulators should give credit against any potentially upcoming capital charge. The increasing "insurability of OpRisk" and a firm effectively being able to get coverage and integrated seamless cover of new types of risks should be a very positive indicator for supervisors as well: another 3rd party specialist has seriously screened an operation and considers the respective bank as an attractive professional partner.

11. OpRisk transfers into "Alternative Risk Transfer" solutions have been limited up to now because of:
• The absence of credible banking OpRisk statistics
• The low number of catastrophic events in banking - low probability / high impact events - given the 35'000 banks worldwide with over USD 35 trillion assets
• The differing "individual" causes, mostly being management issues
• The confidentiality aspects
• The difficulty of standardising OpRisk accordingly

Few new inventions for the financial industry have actually been completed. There is little transparency on the track record of executed transactions. In addition, the transactions are complex and time-consuming; there are concepts, but only rare solutions. The market is working on OpRisk bonds with embedded options: the option would allow to retain the principal if an OpRisk loss of a predetermined size takes place. Perhaps one can compare the situation with the one 10 years ago when the banks started developing modern credit risk management systems. They all knew that available data were far from perfect, but would improve over time. OpRisk issues are somewhat in the same situation today. With data improvements, insurance companies could provide improved capital and liquidity protection. A stronger insurance market, including capital markets, combined with lots of effort and creativity, might change the situation, if banks, supervisors and consultants concentrate on the relevant issues. However, there remains the crucial major difference between market/credit risks and OpRisk: the individual bank itself is the major OpRisk, whereas external risks are largely insurable.

12. With increased insurance coverage, insurance company quality, capital availability and the anticipated consolidation of the industry become an issue. Banks traditionally have spread risk coverage among various insurers in order to spread their counterparty risks. In addition, all the other counterparty exposures to insurance companies have to be judged on a consolidated basis (e.g. lending, trading exposures). Increased insurance demand might lead to major insurers becoming market-makers for capital market transactions, thereby spreading the risks on a global scale. In addition, the reinsurance aspect becomes more important.

"Call on God, but row away from the rocks" (Indian Proverb)

9. The Data Challenge

Models and quantifications are only as good as the data they build on. Data availability is a precondition. In OpRisk particularly, the rule "garbage in, garbage out" is of extreme importance when quantifying OpRisk. Many risk areas just cannot be measured. They require judgement, interpretation and analysis. Basically, two types of data, qualitative data and quantitative data, must be distinguished. These data types are just like pictures taken by two totally different instruments - say a camera and a tape recorder. They therefore also require different treatment. Clearly, most banks have "photographed" only bits and pieces of the big OpRisk picture in the past. Accordingly, useful data with information content is limited. I believe, however, that it will still take some years until OpRisk data availability is such that it provides credible, transparent and relevant databases.

9.1 Risk Data Methodology: 12 Issues

1. Activities only turn into data if they are recorded in a form which can be retrieved at a later stage. In fact, it is like taking a photograph. Probably, while recording many of their actions, financial institutions cannot record everything in permanence. The question for OpRisk data is: what do we have already, what do we still need, and by which means do we get it? In particular, we will have to establish clarity on two aspects:
• The frequency in which OpRisk data are available or should be available. Do we have and do we need daily, monthly, quarterly, annual, century based data? There is a tendency to argue, the more frequent the better, which would call for daily data. I would say this is neither realistic nor relevant.
• The level of detail at which OpRisk data are or should be available. Presently, many banks can already find OpRisk data at the overall level (such as litigation costs) of their organisation or for very specific areas (such as transactions or IT). While more OpRisk data are now being collected on a regular basis and sometimes even down to the business line level, we can also think of having OpRisk data systematically collected for all departments, business lines or clusters.

2. Structured data is a key rule to success: discipline is required in allocating tags to OpRisk data such as definition, unit, feature, time-, source-, organisation-references, formats, etc. In this context it is extremely important that the information to be captured in the data is clearly defined, in terms of content, frequency, etc. This is a precondition for standardisation and for tracking possible failures of reporting. Only with this discipline is it possible for data points to be combined in a reliable and credible database system and turned into real information, to be able to make use of them.

3. Consistency of statistics is core. It is a prerequisite of fully integrated risk management and risk aggregation. The financial industry has experienced restructurings and M&A, and will continue to do so. In such situations, significant challenges arise when transforming an organisation or putting two different firms together. Disciplined tagging enables comparability across structure and consistency over time. In the data structure, be inquisitive if line people want to change the format; run and compare the old and the new approach in parallel for some time.

4. Data quality and its consistency over time is the issue. Any decent analysis is useless without it. The lack of data credibility results in scepticism and cynicism and undermines any risk management framework. See the "garbage in, garbage out effect". Filtering data into useful decision-supporting information is like extracting a diamond out of tons of mud. Cumbersome data collection can significantly distract from important risk management tasks. Data structures which are flexible and dynamic in terms of the "sorting" angle from which they can be looked at help prevent us from comparing apples and oranges or the loss of information.

5. External loss and pooled data known in the market have to be carefully interpreted. The third party data providers normally do not explicitly publish statistics on OpRisk along industry segments, geography, size of companies, definition of losses, evaluation on causes of losses, etc. Are the OpRisk figures pure OpRisk or are they combined with an element of market, credit or other risks? Are they insurance claims or estimated losses? Are the figures gross or net figures? Do they include the cost to fix the damage? Are the known OpRisk losses relating to banks or to insurance companies or to corporations in general? What are the specific losses compared with revenues, turnover, earnings and equity of the respective company? A USD 25 Mio. loss is not the same for a large and a small entity. OpRisk data of an entity is unique as to e.g. causality, subjectivity, availability, characteristics, transactions and portfolio types.

Caveat vendor?

"Ten crates of data and one little envelope of information. Sign here." © Ted Goff, 1999

6. Banks have very different activities, structures and processes, sizes, management styles. OpRisk data of an entity is unique as to e.g. causes, subjectivity, availability, characteristics, transactions and portfolio types. Such fundamentally different risk drivers can make the credibility of data comparisons and transfers between the banks highly suspect. How can you measure and compare, if you are not sure what to measure and to compare? How can you have confidence in answers on questionnaires of all sorts and even use such for modelling? Assuming a bank collects all operational losses diligently, is there a credible benchmark as a guideline? The only really reliable benchmark is most probably the relative stock market valuation - which naturally also includes various performance indicators and other factors. It is important that we remain aware of these issues if we do not want the "figure-evidence" to mislead us!

7. Times do change. New environments, new products are put in place. Once more, in any database development, adjustments are normal practice. These adjustments can provide data users with non-transparent or undocumented indicators. Constant surveys and checks of the type of data being used must be performed to avoid "white noise" or unrealistic indicators. Relevance has to be ensured. Moreover, this is an ongoing process: new data content needs have to be assessed and old, less trustworthy and nonsense data must be weeded out.

8. Pollution of databases happens. Polluted and fake data produce not only incorrect or incomplete but also misleading indicators. Without maintenance, a database engine cannot run. Data must consistently be reported, loaded and updated. This process has to include quality checks within a predefined structure. Set procedures and automation help to minimise the error potential of loading wrong data and the time resources necessary to perform the data maintenance. Awareness of IT issues for automated loading could avoid many "operational risks of operational risks".

the data collection must be in a reasonable cost/benefit or cost/risk mitigation relationship. respective built-up provisions could be interpreted as evidence of a liability admission by the adversary. replicable. 12. auditable. interpretable. Sources on OpRisk data can be created through data sharing agreements or consortiums. What is the rationale for a statistic? Who is the provider of data? How trustworthy is the source? Is there a mismatch between intention and interpretation? H. objective. confusing and misleading. teachable and. and the BBA's Global Operational Loss Database (GOLD). These aspects should be fully appreciated for the transfer of data and by the regulators. 9. Truman's word: "If you cannot convince them. 1879 -1955). User transparent data are essential to have control of OpRisk. earnings and capital. especially when apples are compared with oranges. For example. These initiatives encountered various obstacles to build a credible and efficient consortium structure.2 1. credible by facts and perceptions. The diffusion and spreading of data are essential for a properly functioning management process and to ensure a control of OpRisks: get the right data to the right person at the right time in the proper form. media. Using Data: 12 Issues Never forget the purpose for which you require data! "Not every thing that can be counted. 11. above all. counts. Data access issues have to be settled.understandably so given specific circumstances such as confidentiality aspects. and plain embarrassment.which might potentially even be modelled with great pains . assuming apples are compared with apples. especially legal / court disputes which are mostly under a client . Assuming that ways and means for guaranteeing anonymity and confidentiality are found. specific individual OpRisk exposures . Some of the data are and have to be highly confidential. There are various market initiatives for risk data sharing including Multinational OpRisk Exchange (MORE). 
For senior management purposes. comparable across the institution.03%? 86 . complete. OpRisk statistics should to enable a business view on future potential risks and to take corresponding action.CSG Operational Risks in Financial Services 10. a data sharing pool for hopefully only relevant figures could become one way for better OpRisk management and benchmarking. How relevant and value adding is such an approach if the relevance amounts to 0. In addition.attorney privilege. Legal disputes and their OpRisk losses are not ideal candidates for data pooling. Statistics can be irritating. Legal disputes may take long until settlement. can be counted" (A. consistent. PWC's Op VaR Consortium.should be judged in the overall context vis à vis total revenues. Einstein. Many shy away from such an approach . And not every thing that counts. transparent. confuse them" is dangerous in a serious risk management framework! Serious data and statistics show the following characteristics: relevant.

"Life leaps like a geyser for those who drill through the rock of inertia." (A. Carrel)

Chapter 7 presented some of the tools. With the exception of the collection of loss data, the existing tools do not usually produce results in financial terms. Today, measurement encompasses a wide variety of concepts, tools and information bases, primarily oriented towards control and measurement of performance and past developments. In spite of my critical observations on data and statistics, I am a proponent of a credible and relevant internal database system, which is structured, systematic and consistent - along the suggested 5 major categories: organisation, policy and process, technology, human and external. Most organisations have worked on this internally and often in a vacuum. At CSG, a renewed attempt has started to collect loss data along the 5 major categories: organisation, policy and process, technology, human and external. This must happen along the line suggested in previous chapters.

1. A credible internal OpRisk data set should be part of the risk management strategy and framework. You cannot manage risks if you do not have information about them. At the minimum we can say: "What gets measured and observed gets done." Identifying and measuring relevant data and even quantifying risks is good discipline and can be an opportunity. It fosters transparency and is good modern management.

2. Data collection can help enhance transparency. The tools - just by the effort of collecting data - raise OpRisk awareness and widen the scope of reference points for decision-making. Good management is a bargaining position vis à vis insurance companies and potentially capital markets, rating agencies, analysts' requirements and regulators' concerns. The internal set-up should ideally be structured so it can be an adjunct to external databases; there is also a better IT-connectivity potential.

3. I personally have reservations about attempts to collect loss data below USD 50'000 or USD 25'000 in the case of transaction processing events, even if they are frequent. Only the "hard hits" in the overall context are relevant. Is such a minimal data collection exercise setting the right priorities? How about the relevance vis à vis total revenues, capital, turnover, expenses? Can the collection cost involved be justified? Are the data complete (if not, the model might prove wrong)? Connections between cause and effect of losses have often not been proven statistically.

4. At least within the organisation, identical definitions, standards, accounting codes and relevant key data sets, transformations, including for senior management reporting, have to be agreed. Data information extraction tools, as well as data measurement systems, have to be efficient and avoid errors.

5. Collecting data constitutes an important step for fostering a learning knowledge organisation. It allows the firm to internalise the know-how of individuals, thereby ensuring that it is not lost once these leave the company, and to make it accessible to other staff, particularly if this exercise also includes more qualitative elements, such as best procedures to handle customer complaints.

6. Due diligent data collection, reporting and maintenance is an important part of a good OpRisk management. Compliance with documentation duties requires data. The possibility of destroying or not reporting material data has to be kept to a minimum. Automated data loading, the limitation of access to records and the creation of data backups are key to controlling OpRisk resulting from staff fraud.

7. Data and information collection and maintenance is expensive, particularly for OpRisk. It requires devoted personnel resources and extended IT-support tools. A cost / benefit analysis is imperative and bound to set priorities and focus. The latter must primarily reflect the firm's specific needs, before including other stakeholders' concerns.

8. Credible data based risk aggregation measures are more easily accepted, because they are reproducible and the result of clear criteria. Their background is more easily understood. Data based aggregation provides the structure and system for treating business lines equally. This is particularly important when OpRisk capital is allocated to specific business lines. A more judgementally driven capital allocation could be perceived as a "dicing-out".

9. Communication of data to outsiders requires credibility. How can we convince our shareholders that we know our risks, if we provide them with contradicting, irrelevant or no data at all? How can we expect to perform a risk transfer, if we do not have a credible framework for the relevant data and information extraction to help the insurer assess these risks? Insurance providers and capital markets are more reluctant to take on OpRisk of a bank as long as there is neither:
• Serious internal data or information base of an individual bank nor
• Pooled and credible industry wide, relevant database for a major push of insurability

10. A "common language" among banks is difficult, particularly for OpRisk data. Even if regulators were to require a specific approach for "measurement", its application and interpretation could still vary widely.

11. As time goes by, more and more data and relevant information on financial institutions' actions will be readily available. Nevertheless I am convinced that the gaps, which are presently experienced in such areas as OpRisk, will be filled in small but realistic steps. They result from a mix of top-down co-ordination and focussing and bottom-up information collection.

12. Data and information cannot and should not substitute for using judgement. Data assists us in gaining transparency and making founded decisions. However, data should never prevent us from relying on good judgement. Relevant losses should always be the subject of senior management discussion and have a post mortem and conclusions for the future, otherwise your organisation is not a learning organisation. "Risk without knowledge is dangerous. Knowledge without risk is rather useless." (P. Jennings, ABC)

10. Quantification of Operational Risks

10.1 Introduction

Quantification is a powerful tool for enhancing transparency, as long as it is credible. Since the 16th-17th century, with the Scientific Revolution in Western Europe, the quest for knowledge has focused on the quantifiable aspects of phenomena or events.29 This has allowed significant progress in both science and technology and in management techniques.30 Critiques, however, have also been raised about the limitations and less desirable consequences of blind quantification.31 It is thus not surprising that in the financial industry managers and regulators have an increasing interest in quantifying OpRisk. In addition, despite the numerous conferences convened on quantifying OpRisk and involving the top specialists, little substantive has emerged. Chart 10.1 summarises the issues.

Chart 10.1: Issues in quantifying OpRisk

QUANTIFY
1. Object - What
   Dimension: • Qualitative vs. quantitative • Cause/effect vs. causal link • Direct observability • Depends on purpose: risk change monitoring
   OpR: • Multidimensional & qualitative features make it exponentially more difficult to quantify than say MR or CR
2. Purpose - Why
   Dimension: • Management control • Prevention vs. mitigation • Economic capital loss buffer • Capital allocation • Efficiency optimisation • Regulatory pressure
   OpR: • OpRisk features suggest potential for improving mgt. control • Necessity for untested assumptions on OpRisk limits application to capital allocation
3. Method - How
   Dimension: • Expert inputs (quali. assessment) • Data analysis (statistical distr., etc) • Modelling (EVT, scenarios, etc.)
   OpR: • Mgt control: bottom-up approach • Risk level quantification: top-down approach
Source: Credit Suisse Group / GRM, 2000

29 See Young, M. (1979), "Why Are Figures so Significant? The Role and the Critique of Quantification", in Irvine, J., et al., Demystifying Social Statistics, Pluto, London 1979, pp. 63-75.
30 See Young, M. (1979), pp. 182-184.
31 See Ong, M. K. (1998), "On the Quantification of Operational Risk. A Short Polemic", in Jameson, R., eds., Operational Risk and Financial Institutions, Risk Books, London 1998.

This chapter investigates the three major questions to be answered when proceeding to quantification, as shown in Chart 10.1: what object, why, and how is it to be quantified? This will help us to identify 1) OpRisk quantification possibilities and limitations, 2) the areas of OpRisk where a measurement could be performed and 3) the most appropriate methods for this measurement in order to strive for:
• The relevance of OpRisk vis à vis the total risks
• Acceptable costs of gathering OpRisk information
• The credibility of the OpRisk quantification outcome

10.2 What is Quantified in OpRisk?

Chapters 3 and 9 show that OpRisk includes a vast variety of different elements. To ensure a credible outcome of the quantification, it is thus necessary to look at each element of OpRisk one by one, as each might require a specific quantification method, before considering an aggregate OpRisk. In this exercise, we will look whether it is possible to measure each element of OpRisk separately or whether only a qualitative assessment can be performed.

Quantification / measurement generally involves looking at four aspects of a phenomenon within an organisation:32
• Its size, severity or intensity
• Its frequency
• Its context dependency: different in different situations
• Its interaction - contagion/correlation - with other events

The size describes the observed extent of a move. The frequency describes the number of times a move of a given size occurs within say a given time period or a given organisational unit. Both require the ability to observe the phenomenon. The context dependency describes whether the move size is different in different situations or not. This tells whether every OpRisk event is unique in itself or shows regularities in occurrence as drivers do not alter. The interaction describes the interlinkages between moves; this aspect is very important as several OpRisk elements are highly interrelated. These aspects are at the core of the quantification of market and credit risk.

In the area of OpRisk - in contrast to market and credit risk - fewer elements are effectively observable, as shown in Table 10.1. Also, context dependency is generally high for OpRisk as its major drivers - people and organisation - are unique and change permanently. The higher the context dependency, the less the past will be a good indicator for the future, as for market risks. This is why the use of databases of industry OpRisk events has limited relevance for the specific firm.

32 See also for example Boose, A. (1996), "Characterisation of Tremor", University of Tübingen 1996.

Table 10.1 provides a crude, rather judgemental assessment of the observability of the size and frequency of moves as well as of the relevance of context dependency and interaction for each OpRisk sub-category. The lower the observability of moves in terms of size and frequency and the higher their context dependency and interaction, the more difficult it will be to measure the OpRisk sub-category. Fields marked in green indicate a somewhat credible data based measurement.

Table 10.1 shows that, while some elements should be measurable, most are difficult to measure. "Technology" and "external risks" should allow for a database based quantification, similar to the one performed for market or credit risk. "Organisation, policy and process", however, only permit a quantification based on qualitative assessments, as presented in chapter 4 in the case of BCCI, Barings, CS Chiasso, etc. You should not make a rule of something unique. In such cases a qualitative assessment offers the best alternative for quantification. For these elements of OpRisk, quantification would allow identifying and tracking changes of the risk level over many years, but not determine the absolute level of this risk.

Table 10.1: Features of the 20 CSG Operational Risk Sub-categories33

Columns: OpRisk Sub-category | Observability of size | Observability of frequency | Relevance of context dependency: different in different situation | Relevance of interaction: correlation with other sub-categories

Rows (each cell rated High or Low):
Organisation: Governance/Structure, Culture, Communication, Project Management, Outsourcing, Business Continuity, Security
Policy/Process: Policy and Process, Compliance, Product, Client
Technology: Technology Infrastructure, Software and Hardware, IT Security
Human: Employee, Employer, Conflict of interest
External: Physical, Litigation, Fraud

Cell ratings as extracted (80 values; their assignment to rows and columns did not survive extraction): High High Low High High Low Low Low High Low Low High High High Low High High Low Low High Low Low High Low High High High High High High Low Low Low High Low Low Low High Low Low Low High Low Low High High High High High High High High Low Low Low Low Low Low Low Low Low Low Low Low Low Low High High High High High High High High High High Low High High High

Source: Credit Suisse Group / GRM (2000)

33 The assessment of the various dimensions in the table is based on a crude - Low/High - intuitive scale to allow simple preliminary understanding. The scaling is not absolute but relative. Each individual line assessment is made relative to all the other lines (sub-categories) of the table: e.g. context dependency is high for Governance as compared to say for Software. Clearly the quality of the assessment highly depends on the number and degree of refinement of each individual OpRisk sub-category. Refinements of the scale should be made within the particular context of each institution - particularly in assessing the relevance of context dependency and interaction. The subjectivity implied by the coarseness of the assessment forbids a generalisation and founding decisions on quantification on it.

Given the challenge that only relatively few elements in OpRisk are credibly measurable and quantifiable, the quantification of the overall level of OpRisk will be subjective, as only HIGH PROBABILITY LOW IMPACT OPRISK EVENTS provide enough observable data to allow the measurement of the OpRisk LEVEL. THE LOW PROBABILITY HIGH IMPACT OPRISK EVENTS merely allow the tracking of the CHANGE of the risk level over time. Therefore, it is essential on the management level not to make the measurable important, but the important measurable.34 Chart 10.2 summarises the major issues involved in this managerial challenge.

Chart 10.2: Major Challenge in OpRisk Quantification resides in Low Probability High Impact Events
(Axes: Probability of Event, vertical; Severity of Impact, horizontal)

High probability / low impact (Medium Risk) - OpRisk evidence shows that this option is common: • High probability low impact events are a feature of some OpRisk sub-categories • Measured data exist => Potential for quantification => Measurement of risk level is possible, but is it relevant in overall context?
High probability / high impact (High Risk) - OpRisk evidence shows that this option is highly unlikely: • Extreme events are very rare and not comparable across firms or over time
Low probability / low impact (Low Risk) - Risk-return considerations question the building up of databases: => No relevance in overall context => No priority for data search and quantification
Low probability / high impact (Medium Risk) - OpRisk evidence shows that this option is the most common: • Low probability high impact events are a feature of several OpRisk sub-categories • Problem of few measured data => Priority for quantification => Scenario based risk level quantification => Measurement of the change in risk level possible, based on qualitative OpRisk assessment
Source: Credit Suisse Group / GRM, 2000

Limitations of databases of past losses from numerous sources to quantitatively fill a hypothetical "high probability, high impact" OpRisk box are twofold. Using external data to populate the internal database on such events is of limited help: often, such databases consider different definitions and causal environments of OpRisk and are thus difficult to apply to a specific firm environment; it would boil down to attempting to make a rule out of something unique - BCCI, Barings, etc. Also, significant changes have occurred in the area of OpRisk making the past a bad indicator of the future in OpRisk. These changes include:
• Restructured - merged entities
• Increased transaction volume and interdependencies
• Changes in delivery channels and underlying business processes
• Greater distribution of control responsibilities
• New technology
• Organisation and cultural changes
Therefore, the focus on the more realistic "high probability low impact" and "low probability high impact" events would allow better possibilities in progressing in the quantification of OpRisk.

34 McNamara.

10.3 Purpose of OpRisk Quantification

Before starting to quantify OpRisk, one has to be clear about the purpose it should serve. In other words, we have to ensure that:
• Quantification output is geared for management needs
• Quantification makes the most efficient use of existing resources and is relevant and credible

As discussed in chapters 6 to 8 and summarised in Chart 10.1, several management needs can be distinguished. Each has a different requirement on the approach to and output of an OpRisk quantification. These are loosely summarised in Chart 10.3. The decision of which purpose OpRisk quantification should primarily serve will determine its output and, by the same token, the input - in terms of data or qualitative assessments - it requires. Here we have to make sure that the quantification of OpRisk - whether via modelling or another method - is focused on and compatible with the business needs of the firm. However, it also helps to avoid trying to crack a walnut with an air drill!

Chart 10.3: Focusing OpRisk Quantification on Management Needs

Control
   Minimum output requirement: • Qualitative OpR assessment • OpR change over time • Accountability allocation
   Coverage & Approach: • Selected mgt units • Bottom-up / line mgt
Mitigation
   Minimum output requirement: • OpR driver identification • Qualitative assessment of OpR drivers • OpR mapping & contingency plans
   Coverage & Approach: • Selected mgt units • Bottom-up / line mgt
Prevention
   Minimum output requirement: • OpR driver identification • Qualitative assessment of OpR drivers • OpR mapping & early action triggers
   Coverage & Approach: • Selected mgt units •  Bottom-up / line mgt
Capital loss buffer
   Minimum output requirement: • Quantitative OpR level assessment • Identification of overall OpR risk appetite
   Coverage & Approach: • Overall firm • Top-down
Regulatory demand
   Minimum output requirement: • Quantitative OpR level indicator • Credible or industry standard method • Link of OpR indicator to economic capital
   Coverage & Approach: • Overall firm • Top-down
Efficiency optimisation
   Minimum output requirement: • Quantitative time-mapping of work flow • 80/20 focus on core processes • Cost allocation on work flow elements
   Coverage & Approach: • Selected mgt units • Bottom-up / Top-down
Capital allocation
   Minimum output requirement: • Quantitative OpR level for each mgt unit • Units' OpR level correlation matrix • Allocation rule based on unit's risk level
   Coverage & Approach: • Overall firm, all mgt units • Initially top-down • Advancing to bottom-up
Note: OpR = OpRisk
Source: Credit Suisse Group / GRM, 2000

Chart 10.3 35 indicates that for OpRisk control, mitigation and prevention purposes, only a coarse assessment of the CHANGE OF OPRISK OVER TIME is required. Qualitative assessments - such as periodic checklist-based reviews requiring relatively simple input - are sufficient to perform such tasks. Their output could be a scaling or rating of the OpRisk level to monitor its development over time. Such assessments can be implemented on a stand alone basis by a management unit. Using elaborate database-based OpRisk systems for such purposes would at best be overdoing the job and most likely wasting precious time and human resources.

35 In the column on "output requirements", the simpler requirements - qualitative and overall OpRisk assessments - are shaded lighter than the more difficult requirements - quantitative and level OpRisk assessments. In the "coverage & approach" column, the less resource intensive coverages / approaches are shaded in green, while the more resource intensive ones are shaded in pink.

The improvement of operational efficiency and the generation of a capital allocation taking OpRisk into account require the assessment of the OpRisk level ideally for each individual organisation unit - and an OpRisk correlation-based capital or cost allocation mechanism. This requires many data points and thus a more complex input. The output that would have to be produced for such purposes can range from a precise overall level of OpRisk to a risk adjusted return on capital (Raroc) or an OpRisk-VaR. The methods used to perform these tasks have to allow for integration in the market and credit risk quantification and cover a large part of the firm's activities.

As indicated in Chart 10.3, the most suited approaches to and extent of coverage of OpRisk quantification differ, depending on the management need. All encompassing bottom-up approaches - covering the entire organisation of a firm - are resource intensive and costly. This is because bottom-up information gathering is time intensive and cumbersome as long as no automatically loaded OpRisk database exists.36 In contrast, focused bottom-up approaches limited to key parts of the firm - and top-down approaches - mobilise much less resources. They offer the advantage of providing a firm-wide, standard and systematic framework to OpRisk. They also allow a coarse quantification of the overall OpRisk capital. Very often therefore, top-down approaches offer a more pragmatic and adequate alternative to quantify OpRisk.

10.4 How to Quantify/Model OpRisk

Once the questions are solved of what and for which purpose OpRisk is to be quantified, the most suitable quantification or modelling method can be chosen. Chart 10.1 shows that there are a number of choices including:
• A qualitative assessment
• A process mapping
• A quantitative modelling

36 Because of this, Bankers Trust abandoned quantifying OpRisk based on a bottom-up information gathering. See Hoffman, D (1998a), "Getting the measure of the beast", Risk, Nov. 1998, p. 40.

Chart 10.4 provides an overview of the methods at disposal - in their simplest form - to quantify and model OpRisk, which range from quantitative sensitivity analysis to - at least theoretically - qualitative assessments. It is to note that the trend is not to use particular models and techniques on a standalone basis but increasingly in combination with each other to do justice to the complexity of OpRisk.38 This trend of combining various quantification approaches allows firms to tailor-make quantification approaches to their own specific OpRisk environment.

Chart 10.4: Modelling Methods of OpRisk

Data Analysis
   Best suited when: • Low context dependency • High frequency events • Many observable data
   Methods: • Statistical / Actuarial / Empirical distribution • Stochastic Simulation • Fit parameter / Regressions • Stochastic processes • Extreme value theory (EVT)
   Possible OpR application: • Technology risk • Employee risk • External risk => Using quantitative OpR data
Modelling
   Best suited when: • High context dependency • All types of events • Observable & qualitative data
   Methods: • Factor / Indicator-based / Causal theories • Decision/Event/Fault trees • Scenarios / Influence diagrams
   Possible OpR application: • Organisation risk • Policy / Process risk • All other categories of OpR => using quali & quantitative data
Expert Input
   Best suited when: • High context dependency • Low frequency events • Few observable data
   Methods: • Delphi method • Relative fractiles assessment • Preference among bets • Log of odds assessment • Bayesian approach
   Possible OpR application: • Organisation risk • Policy / Process risk • Conflicts of interest risk => Producing qualitative OpR data
Note: OpR = OpRisk
Source: Credit Suisse Group / GRM, 2000

The techniques depicted in Chart 10.4 under "Expert Input" - such as for example the "Delphi method" or the "Log of odds assessment" - as well as the most simple forms of "decision trees" and "influence diagrams" are essentially qualitative assessment and process mappings. These have been discussed under the US Army experience in chapter 5 and also in chapter 7. In this section we concentrate, therefore, on the techniques depicted in Chart 10.4 under "Modelling" and "Data Analysis", as they are more quantitative by nature. We will focus on three of the most discussed methods in the OpRisk debate:37
• The factor-derived or indicator-based quantification models
• The statistical/actuarial or simulation based quantification models
• The scenario models

37 Underlined in chart 10.4. See also Hoffman, D. (1998), "New Trends in Operational Risk Measurement and Management", in Operational Risk and Financial Institutions, Risk Books, 1998, p. 34 ff.
38 In such cases, aggregating various components of OpRisk - if their calculation is based on different models - could be questionable. The consistency of the assumptions underlying the various models used should then be ensured, e.g. one should not aggregate the results of say an extreme value theory inspired model with the results of a normal distribution inspired model, otherwise one might end up comparing apples with oranges.

10.4.1 Factor-derived / Indicator based Models

These models apply causal factors to build a prediction of the LEVEL of RISK, but not necessarily of the operational LOSS amount.39 They tend to produce a figure for the relative future value of the causal factors on OpRisk. For example, they would use a combination of error rates, failed reconciliations, staff turnover, employee training expenditure, indicators of the IT system complexity, indicators for the quality of governance, etc., to project a level of OpRisk. These methods could be particularly useful in top-down frameworks to gain insights in both low and high frequency events. They are also considered to be only partially representative of OpRisk root causes.

Along these lines, the BIS has suggested an indicator-based quantification as a possible method for the quantification of OpRisk and the corresponding regulatory capital allocation.40 The level of OpRisk is identified by a multiple of a simple observable indicator or a combination thereof, thereby offering the advantage of being easily implementable. Suggested indicators include: gross revenues, fee income, operating costs, managed assets or total assets adjusted for off-balance sheet exposures. The BIS method is a factor / causal theory model simplified to its extreme. It assumes a linear link between the level of OpRisk and business activity. Empirical tests show that this assumption is not verified.41 But the most important drawback of the BIS causal theory model is that an OpRisk quantification based on exclusively measurable indicators is bound to produce incorrect and misleading approximations of OpRisk. This is because the high context dependency of most OpRisk elements makes qualitative, non-measurable OpRisk aspects critical in determining its level. The BIS method also bears the danger of creating perverse incentives. For example, lowering control related costs would save capital, but also raise the OpRisk. Lowering fee income would save capital, but also crowd out the regulated fee-income banking activities in favour of unregulated financial actors and thereby increase the systemic risk within the financial markets.42

The drawback of relying exclusively on measurable indicators in factor / causal methods can be overcome by integrating qualitative aspects of OpRisk. However, up to present times, the OpRisk literature has remained nebulous about OpRisk explanatory variables. There is still a long way to go.43

39 See Hoffman, D. (1998), p. 35.
40 See Basle Committee on Banking Supervision (1999), A new capital adequacy framework, BIS, Basle June 1999, p. 50f.
41 See Shih J., Samad-Khan A., Medapa P. (2000), "Is the Size of an Operational Loss Related to Firm Size", in: Operational Risk, Preliminary Draft, Mimeo Jan. 2000.
42 See for example Swiss Bankers' Association (2000), Comments on the Paper "A New Capital Adequacy Framework" of the Basle Committee on Banking Supervision, Feb. 2000, p. 13.
43 See Ong (1999), p. 181.

10.4.2 Statistical / Actuarial / Simulation-based Models

These models use actual loss data to construct representations of operational loss frequencies and severity in the form of statistical probability distributions. To do this, they require many data points and have to rely on the existence of complete OpRisk databases. For each OpRisk category or sub-category these models generate a loss distribution. Interdependencies among OpRisk elements can also be taken into account. The outcome of this exercise (see Chart 10.5) is familiar to market and credit risk specialists.

Simulation-based quantification models are very popular in the literature on OpRisk, particularly the actuarial inspired Monte Carlo simulation technique.44 The prime reason for this is that they allow filling the data gap prevailing in OpRisk for low probability events. To do this - applying randomly generated inputs to the underlying risk distribution of an OpRisk sub-category - thousands of hypothetical years are simulated, until a stable "empirical" loss distribution is produced. The process can also be scaled down to individual business lines: loss distributions for each of their relevant OpRisk sub-sub-categories can be generated. The flaw is that the present state of OpRisk data does not allow for any backtesting of the correctness of the generated distribution. In addition, due to the high context dependency of OpRisk, slight changes in the environment will have a significant impact on the generated distribution. These would require reviewing the entire underlying simulation setting.

Chart 10.5: Possible Monte Carlo Simulated OpRisk Loss Distribution for a given OpRisk Sub-Category [chart: probability of loss against severity of loss; regions from left to right: expected loss (to be covered by pricing), unexpected loss up to the loss level given confidence level (which might be a function of OpRisk appetite; to be covered by OpRisk capital), severe, catastrophic]. Source: Credit Suisse Group / GRM.

44 See for example: Austega (2000), "Measuring Operational Risk", Jan. 2000, or Samad-Khan A. (2000); Gittleson D. (1998), "Banking and Risk Management", in: Global Trading, Q4 1998, p. 34f.
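As an added illustration of the simulation method just described (example code written for this page, not the presentation's own material nor any bank's model), the following Python program simulates a Poisson-lognormal loss process for two constructed sub-categories with made-up parameters, reads the expected loss and the loss level at a 99% confidence level off the simulated annual loss distribution as in Chart 10.5, adds the sub-categories to a firm total under an independence assumption, and re-runs one sub-category with a slightly wider severity distribution to show the sensitivity to the simulation setting that the text warns about. The sub-category names, the distribution choices and all numbers are assumptions.

```python
"""Monte Carlo loss distribution for OpRisk sub-categories (added example).

Hypothetical parameters only: each sub-category has a Poisson event frequency
and a lognormal event severity; thousands of years are simulated and the
annual totals are split into the expected loss (covered by pricing) and the
unexpected loss up to a confidence level (covered by OpRisk capital).
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SubCategory:
    name: str
    freq_lambda: float  # expected number of loss events per year (Poisson)
    sev_mu: float       # mean of ln(loss in USD) for one event (lognormal)
    sev_sigma: float    # standard deviation of ln(loss in USD)


def poisson_sample(lam: float, rng: random.Random) -> int:
    """Knuth's multiplication method; adequate for the small rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, rng.random()
    while p > threshold:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_losses(cat: SubCategory, years: int, seed: int) -> list:
    """One hypothetical year = Poisson number of events, each with its own
    lognormal severity. Returns the total loss of every simulated year."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        n_events = poisson_sample(cat.freq_lambda, rng)
        totals.append(sum(rng.lognormvariate(cat.sev_mu, cat.sev_sigma)
                          for _ in range(n_events)))
    return totals


def theoretical_expected_loss(cat: SubCategory) -> float:
    """Closed form E[annual loss] = lambda * E[severity] for a Poisson-lognormal
    process; a sanity check for the simulated expected loss."""
    return cat.freq_lambda * math.exp(cat.sev_mu + cat.sev_sigma ** 2 / 2)


def loss_profile(annual_losses: list, confidence: float = 0.99) -> dict:
    """Read expected and unexpected loss off the empirical distribution."""
    ordered = sorted(annual_losses)
    n = len(ordered)
    idx = min(n - 1, math.ceil(confidence * n) - 1)   # empirical quantile
    expected = sum(ordered) / n
    at_confidence = ordered[idx]
    return {
        "expected_loss": expected,                    # to be covered by pricing
        "loss_at_confidence": at_confidence,          # e.g. the 99% loss level
        "unexpected_loss": at_confidence - expected,  # to be covered by capital
        "tail_mean": sum(ordered[idx:]) / (n - idx),  # severe / catastrophic
    }


def aggregate_profiles(cats: list, years: int = 20_000, seed: int = 7,
                       confidence: float = 0.99) -> dict:
    """Profile each sub-category and the firm total. The firm total adds up the
    same simulated year across sub-categories, i.e. it assumes independence;
    a correlated model would change the tail, not the expected loss."""
    per_cat = {c.name: simulate_annual_losses(c, years, seed + i)
               for i, c in enumerate(cats)}
    profiles = {name: loss_profile(losses, confidence)
                for name, losses in per_cat.items()}
    firm_totals = [sum(year) for year in zip(*per_cat.values())]
    profiles["firm"] = loss_profile(firm_totals, confidence)
    return profiles


def sigma_sensitivity(cat: SubCategory, bump: float = 0.25,
                      years: int = 20_000, seed: int = 7) -> tuple:
    """Re-run with a modestly wider severity distribution (same random draws)
    to show how a small change in the environment moves the 99% loss level."""
    base = loss_profile(simulate_annual_losses(cat, years, seed))
    wider = SubCategory(cat.name, cat.freq_lambda, cat.sev_mu, cat.sev_sigma + bump)
    bumped = loss_profile(simulate_annual_losses(wider, years, seed))
    return base["loss_at_confidence"], bumped["loss_at_confidence"]


# Constructed sub-categories; the numbers are illustrative, not bank data.
SETTLEMENT = SubCategory("settlement errors", 12.0, math.log(50_000), 1.2)
SYSTEMS = SubCategory("systems failures", 2.0, math.log(200_000), 1.6)

if __name__ == "__main__":
    for name, p in aggregate_profiles([SETTLEMENT, SYSTEMS]).items():
        print(f"{name:18s} EL {p['expected_loss']:>12,.0f}  "
              f"99% {p['loss_at_confidence']:>12,.0f}  "
              f"UL {p['unexpected_loss']:>12,.0f}  tail {p['tail_mean']:>12,.0f}")
    before, after = sigma_sensitivity(SETTLEMENT)
    print(f"sigma +0.25 moves the 99% loss level from {before:,.0f} to {after:,.0f}")
```

The split into expected and unexpected loss is read directly off the sorted simulated years, so the "OpRisk capital" number depends entirely on how many years were simulated, on the assumed distribution family and on the two severity parameters; the sensitivity run makes the last point visible, and nothing in the program can backtest whether the chosen distribution is the right one.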

The simulation method offers four advantages:
- Strong quantitative support, once validated with sufficient firm specific data
- Methodology parameters (distribution, confidence interval, holding period) consistent with those employed for market and credit risk
- A specification which would allow the model to generate OpRisk Raroc or VaR measures
- A high degree of integration in the overall risk framework allowing to derive bottom-up capital allocation mechanisms for OpRisk

However, the simulation method has also the drawback of a high degree of complexity and assumptional intransparency, and its implementation will require important resources.45 Also, the present state of data augurs for having to wait several years before backtesting or validation is possible.

10.4.3 Loss-Scenario / Qualitative Assessment Models

These models produce a subjective loss estimate for a given time horizon (say one year) and confidence level (say 99%), based on the experience and expertise of key managers. Qualitative assessment models have been put forward, as they are particularly well suited for tackling both the frequent inobservability of OpRisk and its high context dependency. However, as they rely on the subjective judgement of experts, they are only appropriate for a crude quantification of the OpRisk economic capital level and OpRisk capital allocation. They also allow a proactive management of the level of OpRisk.

A purely qualitative assessment can also be turned into a quantification method. This could involve four core elements:46
- A check list for a periodic and systematic qualitative assessment of each element of OpRisk
- A grading scale-based assessment considering criteria such as severity, probability and time horizon of occurrence
- Grading dependent management escalation procedures, e.g. action triggers, compensation rules and reports, as shown in Chapters 6 and 7
- A transformation of the grading into an OpRisk level expressed in, say, USD

Such methods have the advantage of enhancing transparency of the CHANGE of OpRisk. Weaker assessment forms could just require ranking of the OpRisk level for each element of a risk map or checklist.

45 An interesting discussion of the features and weaknesses of a distribution function based risk measurement can be found in Kimball, R. (2000), "Failures in Risk Management", New England Economic Review, Jan./Feb. 2000, pp. 3-12. Kimball notes that two major advances in risk management have been to: 1) describe risk in terms of the distribution of potential outcomes and 2) recognise that, while individual outcomes are not predictable, their distribution is. Kimball also points to the three major challenges this approach to risk faces: recognising that a risk exposure exists, e.g. not ignoring risks particularly in new business lines; measuring correctly, e.g. getting a correct estimation of the distribution of outcomes; and orienting capital on the tail or the "hundred-year storms" of a correctly estimated distribution.
46 For more details see also chapter 5, the section on the US army experience.

5. the characteristics of which . To perform both these steps. It involves two steps: S S The risk measurement The capital attribution In the risk measurement process. people. technology resources. 47 This section bases on Hoffman. The factor-based model produces OpRisk weights for each business line. few financial institutions have used modelling techniques to derive or aimed at deriving an OpRisk economic capital or establishing an OpRisk capital allocation mechanism. These classes are more geared to risk management purposes than control oriented. an actuarial model and Monte Carlo simulation is applied to the loss database combined with a loss scenario modelling. the overall firm OpRisk capital is then allocated/distributed to the individual business lines. The capital attribution process builds on a factor-based modelling using a broad array of risk factors. These risk factors are detailed at the individual business line and profit centre level. 10.g. Very few are really happy with their approach. However. The database consists of two sections: internal losses and losses from other firms. however. etc. the firm relies on its well-populated OpRisk database covering the whole range of the loss distribution. D. Based on these weights.and defined based on causation sources such as: resource. This has led to the creation of five classes: relationships. A loss potential is generated for each OpRisk class and for the overall firm. e. and external issues. including the long-tail losses. Significant efforts have been devoted to developing ways of making the external loss information relevant to the firm’s features in order to combine both sections and make them complementary. physical assets. the training expenses of a given business line or the settlement error rate.given that operational loss events are relatively sparse .5 Capital Allocation As yet. A top-down approach is followed for the attribution of OpRisk capital to business lines. 
101 .a one-year time horizon and a 99% confidence level – being particularly well suited for an integration of OpRisk in the general risk framework. asset. did not prevent it from incurring other problems! BT has been building and expanding an operational loss database since 1993. (1998) and (1998a). The loss events are classified in the database within one of the firm’s OpRisk classes. It applies Raroc since the 1970s.CSG Operational Risks in Financial Services 10. This. BT's approach is most suited for financial firms in possession of a sophisticated OpRisk MIS.1 Bankers’ Trust Approach: Combining Methods47 Bankers Trust is seen by many as the leading thinker in quantifying OpRisk. These classes have been kept to a minimum . more plan to do so in the years to come.

10.5.2 Credit Suisse Group's Approach: Scenario Based

In the process of allocating Economic Risk Capital (ERC) for OpRisk, CSG went through an interesting bottom-up and top-down exercise. We asked OpRisk specialists of the business units to come up with a 99% confidence figure on each business unit's estimates of their OpRisk - including restoring to normal operational conditions, but excluding market and credit losses. Not surprisingly, these specialists could not agree even after heated deliberations. Therefore, the CFO and the CRO of the Group were asked to come up with a figure based on past experience, market and literature observation. Both, CFO and CRO, with different backgrounds, came up with a very similar overall figure X. This figure X was then allocated to the business units based on a mix of size of assets and staff, past experience and allocated activity. The figure X and its allocation to business units are subject to regular review. While market, credit and business volume risks are based on an ever improving and accepted model for all the various business units, the OpRisk ERC - with all the complexity and limitation of such an approach described above - has been and will continue to be an issue of discussion.

10.6 OpRisk Quantification: 12 Conclusions

1. OpRisk is very different in nature to market or credit risk. OpRisk is extremely multifaceted, so when bringing it back to the whole OpRisk, bending it into one simple figure requires making a significant amount of unstable assumptions.
2. Quantitative OpRisk models have a long way to go before they can be backtested or validated: until then they suffer from the garbage in, garbage out syndrome. Model outputs cannot only be wrong but also misleading.
3. Monte Carlo simulation models can be useful in tackling low probability high impact events, for which only very few internal data are available, thereby requiring a credible scenario analysis. For many such risks, insurance coverage is increasingly available.
4. An overall quantification of OpRisk is exponentially more complex than the quantification of market or credit risk. It also requires important resources (staff, time, IT).
5. The OpRisk quantification faces two major challenges:
- The high context dependency - different in different situations - of many OpRisk categories / sub-categories
- The priority to deal with low probability high impact events
6. Each element of OpRisk has a preferred method for its measurement, based on practicability and experience over time. Securing consistency is almost impossible.
7. Make the important measurable, not the measurable important (McNamara).

9. 12.CSG Operational Risks in Financial Services 8. ΓΗΝ. Models. relevant and validated models. it is more realistic / relevant / credible to rely on measures capturing the CHANGE of OpRisk than on measures capturing its doubtful absolute level. based on fee income." ∆ΟΣ Give me a place to stand on. but not for an active management of OpRisk. 11.as long as there are no credible. An OpRisk management based on relevant and credible OpRisk CHANGE measures is more effective than if it would rely on partial OpRisk LEVEL measures. 10. (Archimedes) 103 . and I will move the earth. "∆ΟΣ ΜΟΙ ΠΟΥ ΣΤΩ ΚΑΙ ΚΙΝΩ ΤΗΝ ΓΗΝ. A benchmark based capital charge is counterproductive to the control of OpRisk. on the other hand. OpRisk management tends to benefit more from the use of risk control indicators (RCIs) than from complex models which would compute and /or allocate an OpRisk amount. The pragmatic good judgement approach generally provides a valid base for good OpRisk management . would only provide for a more or less precise estimation of the overall level of OpRisk and thereby for an ex-post measurement. In the near future. A combination of qualitative and quantitative approaches offers the most promising avenue to get a grip on OpRisk.g. cap or reduce OpRisk. RCIs dive into the business process and help to effectively control. e.

11. Concerns of Supervisors

11.1 The Three Pillar Approach by the BIS

The Basle Committee on Banking Supervision48 has taken a bold step towards updating the international capital framework for banks. Consultations with market participants are still going on. In the following pages, I want to describe the original intentions of the Basel proposal as to the treatment of Other Risks, and add some of my own concerns and ideas. I do not wish to forego any conclusions or predict the outcome of the final version.

In general terms, the role of regulators is the protection of the saver / creditor and the assurance of well functioning banking and financial systems, which includes the avoidance of systemic risks.

The BIS Proposal targets four main goals:
- Promote safety and soundness in the financial system; the new framework should at least maintain the current overall level of capital in the system
- Enhance competitive equality
- Establish a more comprehensive approach addressing risks
- Refocus orientation towards internationally active banks; underlying principles take into account the varying levels of complexity and sophistication

The BIS is moving from the single pillar of minimum capital requirement to a 3 pillars approach.

Pillar 1: Minimum capital requirement
Two alternatives are being studied for credit and other risks:
- A "standardised" approach to be used by a large number of banks
- Internal risk ratings to be used by major international banks

Pillar 2: Supervisory discretion
- A strong national supervisory and regulatory process ensures the maintenance of adequate capital.
- Banks must have internal procedures and tools to determine their own risk profile with corresponding capital; they must have a strategy for the maintenance of a proper capital level.
- Supervisors must examine the internal capital measurements and the strategy of the banks. They must examine the compliance with the regulatory capital requirements.
- Supervisors expect that banks will exceed the regulatory minimum requirements. They have the authority to require from banks to hold more than the minimum capital.
- Supervisors should intervene early if there is a threat of capital inadequacy and require prompt remedial action.

48 BIS (1999).

The Pillar 2 principles effectively extend the current capital ratio approach to a more active and comprehensive framework for managing capital standards. This approach puts a heavy burden on the supervisors' judgemental capability. Supervisors may become - directly or indirectly - part of a bank's risk management. Simplified: regulators move from primarily macro-regulation to micro-management of a bank.

Pillar 3: Market discipline
- Greater disclosure of timely and reliable information relating to capital structure and risk exposures by banks is proposed.
- Greater transparency (not to be confused with huge data quantity) and increased market pressures should encourage banks to manage risks and capital more effectively.

My suggestion Pillar 4: From a practitioner's perspective, I would argue that a clearly stated Pillar 4 is needed. Sustained, sound and diversified profitability is THE precondition for protecting creditors and avoiding systemic risks. A bank can comply with all existing and future capital changes, have an outstanding qualitative risk approach with the most sophisticated quantitative models and still represent a supervisory problem: lack of profitability. EARNINGS CAPACITY IS MORE IMPORTANT THAN CAPITAL. While supervisors cannot and should not be directly responsible for profitability, such a Pillar 4 - I would have preferred calling it Pillar 1 - should always be in the minds of the supervisors for the overall judgement of a bank and its risks, including OpRisk. Back to the traditional, but intensified CAMEL approach: Capital, Asset, Management, Earnings, Liquidity.

In addition, it is interesting that a lot of efforts are devoted to Pillar 1, while the level playing field issue needs serious attention, this not only among banks, but also vis à vis non-banks. At the same time, market participants have become emancipated: the savers save less, they increasingly invest in non-traditional savings products, money is actively managed through other vehicles than "savings". There is convergence of almost all aspects of financial activities. Why do regulators not apply the same requirements for converged and changed activities? Is there not a unique chance to level the field for banks and non-banks? A meaningful contribution would support the credibility of the new 3 Pillar requirements, which are targeted at banks only. Supervisors are concerned about systemic risks and the role of the banks in the e-commerce environment. They are concerned that services are offered by respectable, well trained people with appropriate standards of probity.

11.2 The OpRisk Regulatory Solution: 12 Points from a Banker's Point of View

1. A prime concern for supervisors should be my Pillar 4: sustained, sound and diversified earnings and profits, which are based among others on good OpRisk management. Survival is not only about capital, it is also about performance: revenue growth and its diversification, geographic distribution, clients distribution, efficiency ratios, provisions, years of uninterrupted dividend record, major clients gained or lost, new activities, etc.

2. How important is confidence in market signals for supervisors? Markets judge and discipline every working minute. There has to be a reasonable amount of trust in the checks and balances of a market. For argument's sake, there are 50 major quoted banks with an assumed 20'000 shareholders each: 1'000'000 professionals and other intelligent individuals, many of them clients, opine every trading day on these banks' total risks, including OpRisk, fully knowing that a major portion of banking is taking and incurring daily risks. One million investors buy or hold a favourite stock. One million judgements cannot be that wrong, at least not all the time. It takes quite an irrational attitude to take risks with the aim to fail. While stock markets can temporarily overshoot both ways, the relative share price performance should be revealing also for supervisors. There are at least 10 different analysts' reports on any major bank per year, with cross comparisons on strategies and industry development: a lot of information to digest for 50 major banks worldwide, 500 reports. To complete the picture, rating agency reports, sometimes twice or more often per year, could also be a major source for a supervisor's judgement. They can be quite revealing for supervisors' concerns. Pillar 3 should improve the risk transparency even more, much more than 10 years ago, even as Pillar 2 may not become that relevant for regulatory capital purposes.

3. Supervisors seem to have an increasing interest in exercising their power along Pillar 2. With their requirements and interventions, supervisors can replace a firm's business judgement, for which banks have no option but to "agree". Such power should be exercised in a transparent, proportionate and consistent manner. Such new judgemental capability, management know-how and industry knowledge will be a unique challenge, also for supervisors. How predictable will future supervisors' actions for banks become? In reality, supervisors pursue disciplinary and other actions with the benefit of hindsight, potentially even applying new standards to old frameworks. What mechanisms are there for banks to fall back upon if there is a misjudgement by supervisors? Will this result in banks not establishing official policies because supervisors might not agree with them? Unfairly treated staff can leave the bank for better shores; should banks have a choice to select their supervisors?

Audits and regulatory requirements by one established supervisor have to be acceptable to other regulators. Doubling up efforts is unacceptable. Cumbersome, uncoordinated requirements, numerous questionnaires and calls on branches around the world are increasingly becoming a burden for banks. Senior management should be able to concentrate on managing the organisation, to control and prevent undue risk taking, for which it needs the necessary time. Good regulators and supervisors know when to start and when to stop, e.g. supervision based on media gossip, irrelevant issues in the overall context, choosing publicly one bank to set a new industry standard. Supervisors should be positively motivating, without constantly bringing up past or insignificant deficiencies. Assume the past handling of a deficiency as a lesson from which management has learnt and as a new base for handling future deficiencies. It is a truism that misjudgements by banks will happen in the future; banking and its supervision make no exception there. No bank can avoid deficiencies: the issue is how they are handled. Materiality is the issue. A material, timely resolution of a deficiency and how it was handled by management should be recognised. It is equally true that banks are still around. Banks have managed up to now the more recent OpRisk challenges such as the introduction of the Euro, the Year 2000 transition and the e-commerce security design rather well.

4. Regulators are aware that OpRisk measurement and its quantification is somehow questionable, but they want it for regulatory charge purposes anyway. Regulators and supervisors should re-examine this simple "fixation" on capital. Capital serves as a cushion for unexpected market situations or an immediate buffer against a bank's quality deterioration. However, capital does not ensure that banks are immune from any failure or a global nuclear war. You can stress any bank to death with all its capital, anytime, anywhere. It only depends on your perspective of life, your assumptions and your model. Doomsayers find doom anyhow. But this is not how successful business is orchestrated: with reasonable assumptions, given the circumstances. External shocks can increasingly be mitigated with risk transfer. A "real crisis" cannot be managed by regulators, only by management. Good regulators intervene before the "capital" is called upon. If management is not "fit and proper", the supervisors have the power to oust them, if the Board of Directors and/or the shareholders have not done so before. It may also be worth mentioning that LTCM was not a bank, but was saved by banks under FED leadership; any bank with a major LTCM exposure would have survived its direct LTCM exposure in case of an LTCM collapse. To be fair, the FED initiative was appropriate.

5. Regulators and supervisors should be concentrating on the real issues: what-if analyses. What kind of hits can the firm sustain with regard to revenues, net income before tax, capital? What could such a hit imply for the rating? How is it insured against OpRisk? What kind of insurance does it get compared with others?

6. Why is it that - with the potential introduction of Pillar 2 and its close monitoring, intervening and additional capital requirement power for sub-standard banks - there should be at least as much capital in the banking system as at present? Let us assume the BIS proposal had been introduced already in 1988 instead of the BIS 1988 scheme; also assume there had been no Pillar 1 charge for OpRisk since 1988. Would any of the mishaps in chapter 4 have been greater than actually was the case? No, as Pillar 2 with its supervisory intervention should have worked. Would the mishaps have been avoided or would they at least have been smaller? Yes or maybe. The 9 major mishap cases presented in chapter 4 and others were cases unfit for a modelling approach; they all should be typical cases for the proposed Pillar 2. To "punish" the banks today for major mishap cases in the past - including those incurred by non-banks - with "corresponding" regulatory capital requirements in the future would erase banks' competitiveness, assuming non-banks are equally supervised. To ask them for only a "pro memoria" capital charge might revive the memory, but would certainly not solve the problem: the issue is good OpRisk management or good management in general.

7. Pillar 2 is - according to some supervisors - an additional risk management layer by an official outside third party. One of the justifications for the planned Pillar 2 must be to react to insufficient OpRisk management.

8. Various supervisors prefer - simplified - "objective box-ticking" for capital requirements based on the formula: Total Risk = Market Risk + Credit Risk + Other Risks. "Other Risks" should include - generally and simplified - primarily risks as to strategy, reputation, legal, operations and business volume. Ideally for some, models would produce one regulatory capital for all "Other Risks". But life is more complicated: risks as to strategy, reputation and business volume should be handled separately. They should be of prime concern for the shareholders, expressed in the share price.

9. Market risk management models have, at least theoretically, access to a history of daily prices of tens of thousands of stocks, bonds, interest rate instruments and derivatives. In addition, worldwide, there are close to USD 40 trillion bonds and notes outstanding; third party ratings allow cross-checks. Credit risk models combine, theoretically speaking, the experience of more than 30'000 banks around the world with assets over USD 35 trillion, and this over many years. In today's context, regulators require the following for internal credit risk models: a model must be well integrated with the bank's day-to-day credit risk management, conceptually sound, empirically validated, and produce capital requirements that are comparable across institutions. With all this background, can a similar framework also be applied for OpRisk, an area which is so much more in-house oriented? There is no credible model for multidimensional, context dependent OpRisks as a whole identified (yet).

10. The characteristics of OpRisk are markedly different from other risks:
- Market and credit risks are - with relatively objective market prices or ratings - willingly taken for revenue's sake. OpRisks are usually not willingly incurred and not priced in the market; this is part and cost of doing business.
- OpRisks are primarily internal risks or "bank made". External risks have to be handled differently and are largely insurable.
- OpRisks are incredibly multifaceted, interdependent, often not clearly discernible from other risks like market or credit, and often not relevant in the overall context of risk exposure.
- OpRisks are unique in terms of context dependency.
- Data on OpRisk are often vaguely defined, incomplete, unreliable, and of limited comparability over time for benchmarking purposes.
- OpRisk methodology is in its infancy stage; a major portion is qualitative / judgemental. Therefore, modelling is highly complex or not credible. If a common definition of "other risk" or OpRisk already presents a problem, how about measuring, quantifying and modelling, even if only internally? How about industry commonality?
- The value of loss distribution based modelling with proper data for a sub-OpRisk or a sub-sub-OpRisk might be limited if the modelling approach of another sub-group is completely different. The value is certainly limited if the risk figure is not relevant in the overall context.
- OpRisk management is largely good general management with quantitative and qualitative targets and is - parallel with other factors - expressed in the share price and its level above book value. Checks and controls of the market and reputation aspects entice every bank NOT to incur operational losses, as they increase expenses and/or affect the share price.
- Risk awareness in general and for OpRisk specifically is much higher today than 5 years ago. Attention to a more analytical approach is increasing.
- Reasonable tolerance of defaults or mistakes should not be burdened with capital requirements.

11. Arguments against an OpRisk Pillar 1 regulatory charge:
- The completely differing characteristics of OpRisk vis à vis other risks are described above.
- Rapid industry efforts might be hampered by a regulatory charge. The latter could actually create perverse incentives, if based on some of the suggested indicators and statistical methods.

- A minimum charge might provide a false sense of security and not foster adequate controls.
- Any "unreasonable" charge makes banks uncompetitive, especially if the charge is in no relation to the underlying risk.
- If regulatory market risk capital has a "safety multiplier", why not reduce this multiplier with the introduction of an OpRisk Pillar 1 charge? One-size-fits-all basically is an unsatisfactory approach.
- An OpRisk Pillar 1 charge could be interpreted to mean that the supervisors are not convinced about their successful implementation of Pillar 2. Pillar 2 is the vehicle that disciplines a bank which represents a serious threat to the system.
- In case of a "reasonable" OpRisk disaster of a firm, it is the shareholders who suffer first. Then comes earnings power, and only after that is the "capital" affected. The real issue is liquidity and funding, assuming the supervisors have done their job before. Assuming a reasonable position of such an affected bank excluding the OpRisk mishap, what an acquisition opportunity for third parties! Such a reasonable position should prevail.
- The 9 mishaps in chapter 4 were not "cases for capital", as proven in the past; they were about good management, structural and control issues.
- OpRisk management is much more than a capital charge; it is about good management. Allocating regulatory capital is not the most effective way to improve OpRisk management. My concerns about the feasibility of OpRisk models and Pillar 1 do not imply that OpRisk management is not a serious issue. It is very much so.
- There should be no charge under Pillar 1 until:
  - Sensible definitions for OpRisk are agreed (including clear boundaries to Market and Credit Risks)
  - Relevant risks have been determined
  - No double counting is ensured
  - Existing multipliers for Market Risk are reduced
  - Assurances have been given that less capital will be needed for lending
  - Risk transfer is made deductible
  - Only quantifiable risk - credible and relevant in the overall context - is selected
  - Only credible unexpected losses are charged
  - A credible attempt is made to create a level playing field with non-banks
- Use Pillar 2 for "outliers": serious deficiencies - serious in an overall context - can be "penalised" with a regulatory charge.

12. If I were a supervisor, I would proceed the following way, considering the previous points raised:

- What is more important: a regulatory charge or good management? What does the stock price of a financial institution - also in relative terms - indicate? What is the opinion of rating agencies / analysts? How often are interbank premiums of an institution checked? What is the effect on ratings and on capital raising?
- Above all and of prime concern: What is the loss absorption capacity of an institution? Apply simple models and stress testing such as "hit absorption capacity" versus earnings and capital. This is the real issue, not the modelling of a sub-group risk.
- Forget the broad "other risk" definition and concentrate on what OpRisk really is. Agree with the industry on a definition of OpRisk and its categories, along the lines described in chapter 3.
- What are the really relevant OpRisks in the overall context of an organisation? Concentrate on high impact – low frequency risks. What is the organisation doing about high impact – low frequency risks? Become knowledgeable on OpRisk insurance. What is the high impact – low frequency risk exposure of the organisation after having transferred risk to third parties?
- Check regularly on the 5 major OpRisk categories (organisation, policy and processes, technology, human and external risks) and their subcategories. Are there significant problems, issues, solutions? Ask for over-budget projects. Ask for major legal disputes on a confidential, unnamed basis.
- Check regularly on business continuity plans, including IT aspects: this is crucial risk awareness and disaster preparation management.
- Go through the 12 S's of an organisation as presented. Supervisors should be concentrating on structures, systems, plans and safety measures, not on specific judgements on counterparties and personalities. This way, a majority of potential OpRisk issues can be judged and ticked off quickly and easily. I would suggest that some of the S's could be used for simple weighting of deductions or add-ons for Pillar 1 - "if there has to be one" - or of a potential Pillar 2 charge for outliers. Example:
  - Structure: 20%
  - System, systems: 20%
  - Safety, including IT: 20%
  - Staff, skills, style: 20%
  - Synchronisation: 20%

simple to manage and cost efficient. a low percentage on assets managed for asset gatherers. Pillar 2 provides the supervisors with enough power to correct a situation. Have accessibility to all major counterparties. Credible insurance contracts. Pillar 2 concerns with a regulatory charge should primarily be oriented towards a reasonable probability of systemic risk or towards failure of the respective firm. They will calibrate according to their idea of the charge desired. not capital charges of OpRisk or semi-credible OpRisk models. Ask regularly for the 3-5 major. etc. mergers etc. Establish a rapid deployment force in case of crisis. Check on ongoing or planned efforts handling them. then it has to be a low in amount. major IT-projects. the level playing field becomes even more rocky. S S S 112 . this is an unfair approach for larger entities. If the percentage becomes too high. Re-check and supervise closely if the firm has missed a major one ex-ante. There are various ways to calculate a simple charge for Pillar 1: a simple low percentage of the "other regulatory capital" for lenders and traders. deserve special attention. because the issue is not capital. a decreasing scale would reduce unfairness.for lack of better arguments .CSG S S Operational Risks in Financial Services Check regularly on the status of data collection and modelling efforts. as there are no correlations between size and risk. Support and recognise each bank's contribution to improved settlement mechanisms: These are the real issues for avoiding systemic risks. new activities. because regulators .simply decide so". S S S S S Add-ons based on Pillar 2 assessments would be eliminated in a timely fashion after the clean-up of a deficiency. Check on netting arrangements of all sorts. Major restructuring cases. The capital charge under Pillar 1 seems to be a foregone conclusion for the supervisors. self-assessed concerns in the OpRisk area. If "there has to be a minimum OpRisk capital charge. 
teach-ins. credible models for OpRisk with credible statistical evidence have to result in lower capital requirements. Check on the contribution of each firm regarding OpRisk industry efforts. Again. I personally argue against it. but management.

Co-ordinate with other supervisors. it is also carrots! "Half the failures of this world arise from pulling in one's horse as he is leaping" (August Hare) 113 . Do not double up. Life is not only sticks.CSG S S S Operational Risks in Financial Services Become more flexible and market oriented: If parameters of the industry and the industry have changed. Make it attractive for banks to remain supervised as a BANK. they have changed. Be more credible with level playing field efforts.

12. Selected Areas of Future Concern

As mentioned in the introduction, almost anything in daily banking life has an OpRisk touch. In this final chapter, I have selected - there are more - some areas of future concern. These are concerns for any financial institution, irrespective of size and scope.

1. Business Continuity Planning
2. Customer Complaints
3. IT Migration
4. IT Security
5. Outsourcing
6. Money Laundering
7. Fraud
8. Settlement
9. Communication

12.1 Business Continuity Planning

Business Continuity Planning (BCP) is defined as disaster prevention and disaster recovery planning: the goal of disaster prevention is to reduce the threat of a disaster before it takes place. In contrast, disaster recovery seeks to re-establish the critical functions after an interruption or disaster. BCP depends mainly on 4 resources: people, location, IT and external services. Good OpRisk management - also for low probability / high impact situations - is essential for perception and reputation. Effective and efficient management of such a situation is overall probably more important for the stakeholders than the economic contribution of an insurance.

Business Continuity Planning: 12 Basic Checks
1. Does the BCP fit the activity? What are the core activities to prioritise? What are the non-core activities? How much and what information can a core activity afford to lose? How much time can be allowed to restore a core activity to normal activity?
2. What activity needs to be fully mirrored with a back up facility?
3. Does the BCP cover all essential business processes and locations and not only IT and communication infrastructure? Clear responsibilities for shared facilities?
4. Does the BCP include not only electronic data, but also paper archives?
5. How often a year are backup procedures tested for IT-modules and IT-production? How about connectivity, application and user awareness testing?
6. Does the BCP include all IT platforms, including e-commerce? Is the market for emergency procurements large enough or is a two-vendor-policy more advisable?
7. In case of building outages: what percentage of normal business volume has to be functioning e.g. within 1 day and within 2 weeks?
8. How often and thoroughly is the BCP tested and rehearsed with disaster simulation? Is the BCP user awareness sufficient? Does staff understand that a rehearsal is not a performance evaluation, but an evaluation of a plan? Are outsourced activities included in rehearsals? Is the PR department included?
9. Is the BCP regularly updated, especially concurrent to transformation projects? Is it checked at least once a year?
10. Is a backup of a backup needed?
11. Is the BCP consistently a subject for internal audit for all relevant activities and locations?
12. Are the reporting lines in a crisis clear? Is an emergency call list at hand?

A proper OpRisk management requires these questions to be addressed periodically.

12.2 Customer Complaints

Every financial institution pledges customer service and customer satisfaction. But how many really have a proper set-up to live up to this promise? Good customer complaints' handling is good quality and retention management, which again helps to maintain a good reputation. It can be an OpRisk mitigation tool. Only a very small percentage of unhappy customers actually complain, but they tend to tell many others.

Customer Complaints: 12 Basic Checks
1. Do you have a clearly communicated customer complaints organisation with corresponding service lines? Is the service line available 24 hours and accessible in reasonable time? Toll free?
2. Do you have appropriate communication channels to third parties to speedily investigate and respond to a client's complaint that concerns a third party mistake?
3. Is your staff properly trained to counsel irate and even unreasonable customers? Is personnel trained to not trivialise the client's account?
4. Is your staff empowered to make on the spot decisions and gestures?
5. How long does the customer have to wait? How are the complaints referred to specialists or specifically responsible management and staff? How long does the customer have to wait for an answer?
6. Are written complaints answered in writing? In a positive tone?
7. When the bank makes a mistake, is it corrected to the customer's satisfaction?
8. Does your staff handle the situation correctly in case the client made the mistake?
9. Do you keep a complaints log? Does management look at the complaints log?
10. Do recurring complaints lead to action? Do they indicate a faulty organisation, systems or unqualified staff? Do they suggest an operational risk? Are customer complaints a KRI?
11. Do you have an institutionalised control mechanism for follow-ups?
12. Even if only a very small percentage actually complains, do you use customer satisfaction surveys? Do the surveys lead to action?

12.3 IT Migration

IT migration is the process of shifting or adapting an organisation's current IT platform in order to accommodate new products/services or regulatory conditions. Once it has been decided that an existing IT infrastructure is no longer suited to a product line or fails to meet regulatory requirements, the attributes of the new system need to be agreed upon. In doing so, it may be layering existing software with updates, or brand new software may be employed altogether.49 A poorly performed IT migration can have long lasting effects on the operation of a business unit, as well as regulatory repercussions. As IT migration involves the inception of new methods and systems, the OpRisk potential is vast.

IT migration: 12 features for success
1. Strong top management support for the project is required.
2. Good project management skills for non-IT related areas are key: leadership is required to complete a successful IT migration.
3. A "project building culture" should be fostered in order to create an open and collaborative environment in which a successful IT migration can occur. It should secure that the common involvement of software specialists, team leaders, staff and end users remains open and viable.
4. Users have to be involved early with their buy-ins. The business strategy and product list should be kept constant throughout the development of the software, as changes after the design has begun may cause expensive delays.
5. Managers need to prioritise their functions and sign up to a 1 year business plan to ensure that the business remains stable. Planning and scheduling of the project and line activities across the Back Office need to be transparent. Projects must plan and budget to keep the core project team in place through the implementation and beyond to manage post-migration issues.
6. Accountability of all individuals is key. While accountability cannot be delegated, tasks can. Implementation ownership should be given to those who will be responsible for the new processes.
7. Project teams and their management need to be located appropriately in order to ensure better resource-utilisation.
8. Testing of the new system should occur across a set number of days and production data and in a "parallel run" against the old system. If an interim scenario exists where the old and new IT platforms run simultaneously, controls need to facilitate the take-over of the new system as smoothly as possible.
9. Standard controls on new processes need to be enforced, along with the associated MIS.
10. After delivery and thorough testing of the new system, staff and user training and preparedness is key.
11. All significant projects should go through a formal review against project objectives.
12. Laws can change regardless of a firm's preparedness: expedient completion of a project becomes even more important. For competitors, the incentive to take advantage of this time lag is great.

49 Meridien Research Inc., Time for a New Look at Operational Risk, February 2000.

12.4 IT Security

The central concept that unites all security related issues is that of a "security-awareness culture". Be it the availability of safe networks, adequate staff training or data storage and backup, the absence of a focused security work ethic will undermine protection efforts. As networks become ubiquitous, access to infrastructure and data becomes a primary concern. As IT continues to develop at a rapid pace, firms come under pressure to understand the security implications of these advances. From the perspective of OpRisk, failure to provide sufficient security is perhaps the greatest worry, as networks virtually define the operations of the business. A weak security infrastructure is increasing the number of people gaining access to the skills required to attack a network or data.50 This figure will rise in the foreseeable future, and therefore firms which fail to recognize the urgency of a security culture will bear the brunt of those costs. Furthermore, the loss of public goodwill and client confidence will vastly outweigh the costs of installing and maintaining satisfactory security.

50 For example, the cost measured in lost productivity due to denial-of-service attacks to the US economy last year was estimated at USD 10 billion.

IT security: 12 issues
1. IT security begins with the front line user on a day-to-day basis. The system in place is only as good as the training provided to users. Are training manuals and documented user rules available? Is regular awareness training assured? Users need to be made aware of these and similar facts before a casual error results in damage.
2. Users can be changing, erratic, capricious and unreliable. The password is the first mode of data and network protection. Is staff, although asked to change network or software passwords frequently, effectively doing so? Are passwords shared just for convenience sake? Are the passwords complicated enough to be "safe"?
3. Networks of networks have to be protected by firewalls which monitor the flow of information from the outside world. Most typically, this will include traffic from the Internet, contact from travelling employees or communication via e-commerce platforms. A breach at any one of these points could cause damage or theft.
4. Some infiltrators will always be able to break firewalls. Protections significantly reduce the number of infiltrators who can break in. However, a false sense of security should never be allowed to blossom.
5. Use specialists who are engaged to try to infiltrate your systems.
6. E-mail technology, while common, is one of the least secure methods of communicating. E-mails that are sent to external addresses pose further risk, as the messages leave the closed network of the firm. An e-mail may be intercepted, and since multiple copies are usually generated, deletion is more complex than usually imagined. E-mail encryption is one part of data transmission security.
7. E-mail security also involves the sender information. There are commonly used tools which allow the sender of e-mails to change his/her identity and claim to be someone else. Proper IT security will, therefore, have to verify additional sender information which is harder to fake: ID cards, signature files and encryption codes.
8. Can data and files become lost or vulnerable because of unclear storage habits in shared drive networks? Are there clear and systematic rules for data access and storage?
9. None of the present precautionary measures and future variations of them will ever ensure a system that is 100% secure. Computer security is about minimising risk, detecting intrusions and tracking down perpetrators.
10. Virus authors and hackers are creative. It is the responsibility of management to create a security culture that is equipped to handle the pace of change. An organisation must have a security culture approach to protect its data and IT, support focal points, and remain motivated to further improve systems. Do we have a culture that minimizes reaction times and the frequency of lapses and errors?

11. Computer virus attacks are not going to disappear. Once a virus has infiltrated the network, damage in some form is highly probable, irrespective of the duration and scope of the attack. Primarily, the first step in preventive measures is following common sense rules of conduct. User awareness promotion and training is the answer.
12. A clear and efficient contingency planning is necessary. Backing up crucial information is the most obvious (and simplest) form of a contingency plan. Broader IT contingency planning should be done by each separate business unit by the respective IT Security Officer; however, this too requires a clear structure.

12.5 Outsourcing

Outsourcing remains an avenue by which a firm can attain a competitive edge. Outsourcing an operation allows a firm to focus on core activities, gain efficiency and save costs. These advantages have to outweigh the loss of direct control over the service. Nevertheless, outsourcing is not free of operational risk issues, particularly as the firm retains the inherent risk. The final responsibility for the outsourced service remains with the firm: while an operation or service may become outsourced, the ultimate responsibility for it is not. It retains the obligation towards its customers and supervisors to ensure that quality, security, transparency and management reporting of the service(s) are sufficient. This principle is firmly enshrined in law.51 The Act states: "The FSA continues to hold a bank's management accountable for the adequacy of systems and controls for the outsourced activity". According to FSA rules, banks also have to inform the FSA if outsourcing an operation may have a "material" effect on the risk profile. The FSA then must consider the proposal at hand and may object to it.

51 For example the UK Banking Act of 1987. See: FSA, Guide to Banking Supervisory Policy, January 2000.

Outsourcing: 12 issues
1. Key processes and core competences should not be outsourced. Too much is at risk.
2. Know-how, information and some infrastructures are lost when activities are outsourced. These cannot be recalled within short notice. With this in mind, the institution loses some flexibility and potentially its ability to judge whether the provider remains at the cutting edge in the service it provides.
3. As outsourcing generally extends over long periods of time, the selection of the provider has to include an assessment of the sustainability of his/her financial health and the extent of the mutual dependence.
4. Managers should establish clear Service Level Agreements in order to mitigate the risks. This involves communicating precise minimum quality and reliability expectations, which must be considered in turn.
5. Service Level Agreements must exist even if the outsourcing takes place between units of the same firm.
6. The transparent segregation of duties to be performed has to be made clear to both sides. Confusion in this regard will hamper both the operation of the contracted service, as well as recovery efforts should they be required.
7. Without satisfactory management reporting structures in place by both parties, outsourcing can become inefficient and ineffective.
8. Data that is used by the outsourcing firm may include proprietary information, over which managers will lose direct control. It is, therefore, vital that a Service Level Agreement includes provisions for securing confidentiality. An outsourcer must be convinced that the insourcer has adequate safeguards in place.
9. The dependence on external entities may pose hidden risks which could only become apparent at a much later time. These can involve a wide ranging number of issues, such as the supply and/or software failure that the service provider relies upon.
10. Open channels of communication must exist between the outsourcer and the contracted firm in order to make contingency plans realistic.
11. This is yet another management concern which every financial organisation has to take very seriously.

12.6 Money Laundering

Financial Service institutions are - factually and by perception - exposed to money launderers using and abusing the financial system, sometimes using elements of the legitimate economy, or even controlled by criminal elements specifically for that purpose (e.g. BCCI).

Money Laundering: 12 Techniques and Schemes
1. Physical disposal of cash (art, precious stones etc.).
2. Structured cash transactions through currency exchange bureaux and ATM's (automated teller machines).
3. Placement of funds into real estate.
4. Profiting from commission-driven brokerage or securities firms willing to invest huge sums on the behalf of money launderers.
5. Trade Related Money Laundering - trade in international goods and services, as well as other commercial transactions, are used as a cover.
6. Exploitation of varying VAT rates in different countries facilitated by the legal import/export of goods.
7. Alternative remittance schemes involve shifting value from location to location, especially from one country to a less vigilant one, including the services of regulated institutions (layering).
8. Company Formation Agent: Such agents - individuals or entities - create juridical persons or legal entities, specifically "shell companies", or companies with no registered assets or operations where they are registered. These activities are used to layer and integrate illegitimate funds.
9. Cash purchase and early encashment of life insurance policies.
10. Placing large scale regular bets through casinos.
11. Smuggling of cash.
12. A major new issue is Internet - Online Banking: Opening and transacting through an online account can remove the face-to-face contact between customer and institution, which often is the point at which suspicion initially arises. The identity and location of persons accessing the online account (via the ISP), however, are often unverifiable. Internet banking allows for a single individual to simultaneously control several accounts with different institutions without attracting attention from those institutions with whom the accounts are maintained, allowing unrestricted access to and control of accounts from any location.

Traditional money laundering methods pose serious problems for the financial industry already; the e-money technology widens the scope of criminal activities available for the laundering of money today. Governments, law enforcement agencies, financial services and supervisors worldwide are faced with an enormous challenge. It is, however, financial institutions which arguably bear the lion's share of responsibility in limiting the spread of illicit money via e-commerce. This must happen by adherence to a policy as suggested above and development of IT solutions that resist the trend towards unrestricted size, movement of value and anonymity of users of e-commerce technology.

Counter Measures for Financial Services: The UK FSA - as one example - will have an explicit and adequately empowered role in setting and enforcing standards in regard to money laundering.52 The role is no longer implicit as to ensuring firms' "fitness and properness". The proposed rule on compliance: "A firm must take reasonable care to establish and maintain adequate systems and controls for compliance with its regulatory obligations and for countering the risk that it might be used for further financial crime." The essence of counter measures and controls are:
- To exercise care when commencing business with a new customer
- At that stage, and subsequently, to give alert and informed consideration to the possibility of money laundering by a customer or prospective customer
- Where suspicion of money laundering arises, to communicate them to the authorities
- To ensure senior management oversight and control (without impeding the communication of individual suspicions to the criminal investigation authorities)
- To secure and maintain the informed participation in these systems of all relevant employees of the business
- To keep records which may prove significant for subsequent criminal investigations and prosecutions
- To establish systems which follow unusual transactions

52 FSA Consultation Paper 46: "Money Laundering: the FSA's new role", London, 4/2000.
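The counter measures above call for systems which follow unusual transactions, and the techniques list names structured cash transactions through exchange bureaux and ATMs. The following is an added example of such a monitor, written for this edition and not code from the paper or from Credit Suisse: it flags a customer whose individual cash deposits each stay just under a reporting threshold while their aggregate across accounts and channels reaches the threshold within a rolling window. The threshold, the near-threshold band, the window length, the minimum count and the sample transactions are constructed assumptions, not figures from the paper.

```python
# Monitor for structured cash deposits, added as an illustration of a system that
# follows unusual transactions; not code from the paper or from Credit Suisse.
# The reporting threshold, near-threshold band, window, minimum count and the
# sample transactions are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CashTxn:
    customer_id: str
    account_id: str
    channel: str      # "branch", "bureau" (currency exchange) or "atm"
    when: date
    amount: float


REPORTING_THRESHOLD = 10_000.0   # assumed single-deposit reporting threshold
NEAR_BAND = 0.8                  # deposits at >= 80% of the threshold count as "just under"
WINDOW_DAYS = 7                  # rolling window over which deposits are aggregated
MIN_COUNT = 3                    # minimum number of just-under deposits in the window


def find_structuring_alerts(txns, threshold=REPORTING_THRESHOLD, band=NEAR_BAND,
                            window_days=WINDOW_DAYS, min_count=MIN_COUNT):
    """Return one alert per customer whose just-under-threshold cash deposits,
    across all accounts and channels, aggregate to the threshold or more within
    a rolling window of window_days. Deposits at or above the threshold are left
    to the ordinary reporting process and are not counted here."""
    by_customer = defaultdict(list)
    for t in txns:
        if band * threshold <= t.amount < threshold:
            by_customer[t.customer_id].append(t)

    alerts = []
    for customer, items in by_customer.items():
        items.sort(key=lambda t: t.when)
        best = None
        start = 0
        for end in range(len(items)):
            # shrink the window from the left until it spans fewer than window_days
            while (items[end].when - items[start].when).days >= window_days:
                start += 1
            window = items[start:end + 1]
            total = sum(t.amount for t in window)
            if len(window) >= min_count and total >= threshold:
                if best is None or total > best["aggregate"]:
                    best = {
                        "customer_id": customer,
                        "count": len(window),
                        "aggregate": total,
                        "first": window[0].when,
                        "last": window[-1].when,
                        "channels": sorted({t.channel for t in window}),
                        "accounts": sorted({t.account_id for t in window}),
                    }
        if best is not None:
            alerts.append(best)
    return alerts


# Constructed sample: C1 splits about 28,500 over three channels and two accounts
# in four days; C2 makes one just-under deposit; C3's just-under deposits are a
# month apart; C4 makes small routine ATM deposits.
SAMPLE_TXNS = [
    CashTxn("C1", "A1", "atm", date(2001, 4, 2), 9_500.0),
    CashTxn("C1", "A2", "bureau", date(2001, 4, 3), 9_800.0),
    CashTxn("C1", "A1", "branch", date(2001, 4, 5), 9_200.0),
    CashTxn("C2", "B1", "branch", date(2001, 4, 3), 9_900.0),
    CashTxn("C3", "D1", "atm", date(2001, 4, 1), 9_000.0),
    CashTxn("C3", "D1", "atm", date(2001, 5, 1), 9_100.0),
    CashTxn("C3", "D1", "branch", date(2001, 4, 2), 12_000.0),  # at/above threshold: reported normally
] + [CashTxn("C4", "E1", "atm", date(2001, 4, d), 300.0) for d in range(1, 8)]

if __name__ == "__main__":
    for alert in find_structuring_alerts(SAMPLE_TXNS):
        print(alert)
```

The monitor aggregates per customer rather than per account precisely because the Internet banking point above notes that one individual can control several accounts; a per-account view would miss C1. The parameters are deliberately arguments so that the compliance function, not the code, owns the tuning.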

To put it simply: reinforcement of the KYC - Know Your Client - policy is a core OpRisk issue.

12.7 Fraud53

Fraud: 12 Issues

1. It is people, not businesses or systems, that commit fraud. In today's "connected economy" fraud is increasing. Fraud permeates every area of business. Almost one third of all frauds are committed by management. Since management usually makes up a much smaller portion of the workforce, this finding suggests that managers are more likely to commit fraud than other staff. Frauds are "disasters waiting to happen". They often start with a small incident, followed by some sort of a "spiral".

2. What makes people commit fraud? In simple terms, fraud is being committed when a motive coincides with an opportunity. Among the main initiating factors are:
- Pressure to perform: a key factor
- Personal pressure: debt, excessive lifestyle, gambling, etc.
- Other triggers can be: beating the system, greed, revenge, boredom

3.

Watch for the unusual as well as for some common fraud indicators:
- Autocratic management style; mismatch of personality and status; unquestioning obedience of staff
- Unusual behaviour; expensive lifestyle; untaken holidays
- Illegal acts of any sort
- Poor quality staff; low perceived status
- Low morale; high staff turnover; lack of intellectual challenge
- Results at any cost; compensation tied to nominal performance
- Poor commitment to control; poor reputation
- Remote locations poorly supervised; several firms of auditors
- Poorly defined business strategy; no "buy-in" by managers and staff
- Continuous profitability in excess of firm and industry norms
- Mismatch between growth and systems development
- Complex structures

The following points illustrate some means and tools to combat fraud:

4. Management and staff being alert to fraud and to its warning signs helps to stop fraud at an early stage.

53 Partly based on Fraud Watch, 2nd Edition, Davies, D., KPMG, ISBN 185355 958 X, abg professional information, London.


5.

Management structures and systems: Structures are the foundation of internal control. Problems with structure and system may therefore completely undermine good controls. The following issues should therefore be given particular consideration:
- Degree of collective responsibility
- Role of the chief executive
- Dominant personalities on board and management level
- Interaction between top management
- Relationship between head of division and division staff
- Status of support functions, including risk management
- Remoteness of the reporting lines
- Business unit defensiveness: "them and us"
- Status of front office, i.e. "front office heroes"
- Reward structure undermining the management structure
- Risk alertness

6.

Matrix management structures, while not inherently more risky, simply involve different kinds of risks which are not always easily recognised. Possible points of friction can be:
- Loyalty to a local business head rather than the functional head
- Incentives not aligned with structural responsibilities
- Special arrangements outside the normal management structure
- Lack of relevant expertise to operate a new structure
- Structure impedes implementation of risk management procedures
- Conflicting business objectives
- Culture and ethics

7.

Style and shared values: There are many ways of expressing what is an accepted standard and what is not. Essential is that all staff at all levels in a company are bound to work under a set of rules which everyone has to accept. Disciplined action by management according to what is not acceptable is essential. A good means to identify the hallmarks of a company's culture is to ask employees which adjectives best describe what it is like to work there. Where there is excessive pressure, risk increases. Problems can also occur where staff or a local entity is not assimilated into a group culture.

8.

Communication: Effective communication contributes to a successful operating environment by securing staff buy-in to strategies and policies and giving management early warning signs of issues.


9.

People and technology: In more recent times computer fraud has become a global issue. The Internet age has removed the traditional safety previously provided by physical boundaries and can potentially replace it with an information and communication "free for all" environment. The attitude of need-to-know is being replaced with need-to-share. The "job for life" ethos has disappeared and - along with it - the traditional loyalty to the firm. IT departments are increasingly staffed with high levels of contractors or are outsourced altogether, which poses risk culture issues. Technology cannot provide all the controls necessary. There remains a high reliance on staff and the application of manual controls. Organisations with loyalty are hard to develop and to retain. The "modern" culture can quickly move toward the "something for nothing" attitude. In such an environment, an increasing number of employees - given the opportunity - will commit fraud.

10.

IT Security: The growing reliance on the Internet for communication makes the issue of IT security more critical. The days are gone when security could be viewed as an IT activity delegated to the IT department. Today, security practices need to be an integral part of the way in which every employee carries out his or her job. To test one's own IT security, the same tools are employed as those used by the hackers. An example is the program SATAN, which was developed in the USA and can be downloaded for free from the Internet. Penetration testing has become another major tool for organisations to look for assurance over their security arrangements. The testing is normally carried out by an "independent" who will attempt to intrude into the system in one or more scenarios such as "an unknowledgeable outsider" or "a knowledgeable outsider", etc. Good testers will use a variety of technical and social engineering techniques to break into the system, only in order to derive corrective measures. Digital signatures are likely to become the most common method of verifying a user's identity in the electronic environment.

11.

For each category of business risk there is in principle always an equivalent fraud risk. A "fraud shadow profile" can visualise fraud risks more clearly.

12.

12 Rules for limiting hackers' attacks:
- Use regularly updated virus software
- Do not allow online merchants to store your credit card information for purchases
- Use hard-to-guess passwords and change them frequently
- Use different passwords for different Web sites and applications
- Use the most up-to-date version of your Web browser
- Send credit card information only to secure sites
- Install firewall software to screen traffic if you use DSL or a cable modem to connect to the net
- Do not open e-mail attachments unless you know the source of the incoming message
- Have a regular awareness and training program
- Act fast to attacks and coordinate the virus control mechanism worldwide


but is not a shareholder or involved in liquidity management. b) the debiting and crediting of accounts held at CLS and finally. and strict adherence to paying-in times and limit checks are crucial. January 2000. At present. c) the liquidity movement between users. the Bankhaus Herstatt was rendered insolvent in 1974 due to settlement problems. "Settlement Members" are shareholders of the Bank. 125 . The first. Most famously. A "User Member" also inputs trades directly into the CLS books. p.54 The term "Herstatt risk" has since been used to describe the risk that involves banks making and receiving payments at different times. intra-day trades will not be accommodated. That solution will come with the Continuous Linked Settlement (CLS) system in the form of the CLS Bank.55 Without going into any further detail of the settlement risk complexity.CSG Operational Risks in Financial Services 12. KPMG Continuous Linked Settlement Survey. and settle trades using their own accounts held at the Bank. 6. The final user type are the "Third Parties" which conduct settlement via the previous two member types. 54 55 BIS (1996). The CLS Bank will not allow counterparty substitution.8 Settlement The concept of settlement risk is not anything new to the financial community. which received regulatory approval in the United States. p. Report. 32. The CLS settlement process itself will follow three steps: a) the matching of trades. the basic structure involves three types of users. The degree to which a bank is at risk will depend on trade and settlement window size. a live-feed system that simultaneously settles transactions is the obvious preferred solution. I am listing key issues that can be used as a check list. While it would be possible to mitigate Herstatt risks via speeding up reconciliation across settlement systems. As discussed in the KPMG survey of the CLS Bank. but these may be feasible later.

Settlements: 12 Checks

1. Data on trade volumes have to be collected: Statistics should be available to provide daily evidence of trade volumes for both securities and monies transacted. Time series of trade volumes show changes in trade volume (expressed in percent or units). This is especially relevant when comparing these statistics to a third party benchmark, e.g. cash trading volume on a selected number of stock exchanges.
2. Know your failed trades: It is imperative that a financial institution knows quickly if trades have been successfully concluded or failed, for whatever reason.
3. Ageing of failed trades is critical: The ageing of failed trades has to be monitored. The number of days after which a failed trade counts as overdue varies from institution to institution, but delays longer than 30 days raise serious questions.
4. Drill-down reviews should be performed: Statistical evidence should be reviewed regularly on the lowest level of operations management. As the seniority of operations management increases, the frequency of reviews should decrease.
5. Benchmarking emulates excellence: Establish benchmarks for each division, sub-division or any group/entity within the organisation. Monitor the discrepancies versus the benchmark and allocate a rating, e.g. acceptable, warning zone, unacceptable. Make the report more easily readable by applying a different colour to each level.
6. Monitoring and analysis is necessary: Detailed daily analysis should be monitored at the lowest operations management level. The monitoring and analysis should - for cleaning up the ongoing business issues - lead to the identification of concrete remedial actions.
7. Management plans should be drawn up: Action plans - if required - should be produced, including their monitoring by management, allowing management to allocate resources and recognise potential critical issues.
8. Accountability drives the implementation of control actions: Senior operations management must be accountable for actions after warning signs have been analysed.
9. Risk rating reports: Senior operations management should be made aware of the development of settlement risks, at least on a monthly basis, reflecting their respective action/influence parameters.
10. Speak to operations staff: All statistics should only be seen as a means of control; they cannot always tell "the whole story" - to be an informed manager it is necessary to speak to staff at regular intervals.
11. Co-ordinate business plans with front offices: To avoid unforeseen settlement problems (e.g. processing of new instruments, entering new markets, unexpected significantly higher and unmanageable volumes) it is imperative that senior operations management is well connected with the front office business drivers (see synchronisation).
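Checks 3 and 5 above (ageing of failed trades, rating against a benchmark with a colour per level) can be produced from the trade records directly. The following is an added example and not part of the CSG paper: the trades, divisions, the 10 % benchmark fail rate, the age buckets and the rating thresholds (ratio to benchmark of 1.0 and 1.5) are constructed for illustration; only the 30-day limit comes from the text.

```python
# Added example (not from the CSG paper): a settlement report implementing
# checks 3 and 5 above: age every failed trade against its value date, bucket
# the ages, flag anything older than 30 days, and rate each division's fail
# rate against a benchmark with a colour per level. Trades, divisions, the
# benchmark and the rating thresholds are constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

AGE_BUCKETS = ["0-5", "6-15", "16-30", ">30"]
SERIOUS_AGE_DAYS = 30            # "delays longer than 30 days raise serious questions"

# Constructed thresholds on the ratio fail_rate / benchmark:
# <= 1.0 acceptable, <= 1.5 warning zone, above that unacceptable.
RATING_LEVELS = [(1.0, "acceptable", "green"), (1.5, "warning zone", "amber")]
WORST_LEVEL = ("unacceptable", "red")


@dataclass
class Trade:
    trade_id: str
    division: str
    value_date: date
    settled_on: Optional[date]   # None means the trade has failed so far


def age_bucket(days: int) -> str:
    """Map the age of a failed trade in days to one of AGE_BUCKETS."""
    if days <= 5:
        return "0-5"
    if days <= 15:
        return "6-15"
    if days <= 30:
        return "16-30"
    return ">30"


def rate_against_benchmark(fail_rate: float, benchmark: float) -> Tuple[str, str]:
    """Allocate a rating and its report colour from the ratio to the benchmark."""
    ratio = fail_rate / benchmark if benchmark else float("inf")
    for limit, label, colour in RATING_LEVELS:
        if ratio <= limit:
            return label, colour
    return WORST_LEVEL


def settlement_report(trades: List[Trade], benchmark_fail_rate: float,
                      as_of: date) -> Dict[str, dict]:
    """One row per division: volumes, fail rate, ageing profile, rating."""
    by_division: Dict[str, List[Trade]] = {}
    for t in trades:
        by_division.setdefault(t.division, []).append(t)
    report: Dict[str, dict] = {}
    for division, items in sorted(by_division.items()):
        failed = [t for t in items if t.settled_on is None]
        ages = [(as_of - t.value_date).days for t in failed]
        ageing = {b: 0 for b in AGE_BUCKETS}
        for a in ages:
            ageing[age_bucket(a)] += 1
        fail_rate = len(failed) / len(items)
        label, colour = rate_against_benchmark(fail_rate, benchmark_fail_rate)
        report[division] = {
            "trades": len(items),
            "failed": len(failed),
            "fail_rate": round(fail_rate, 3),
            "ageing": ageing,
            "over_30_days": sum(1 for a in ages if a > SERIOUS_AGE_DAYS),
            "oldest_fail_days": max(ages, default=0),
            "rating": label,
            "colour": colour,
        }
    return report


def sample_trades() -> List[Trade]:
    """Constructed book as of 31 March 2001: ten equities trades with one
    recent fail, four fixed income trades with two fails, one 40 days old."""
    settled = date(2001, 3, 26)
    equities = [Trade("E%02d" % i, "Equities", settled, settled) for i in range(1, 11)]
    equities[6].settled_on = None    # E07 failed, 5 days old on 31 March
    fixed_income = [
        Trade("F01", "Fixed Income", date(2001, 3, 28), date(2001, 3, 28)),
        Trade("F02", "Fixed Income", date(2001, 3, 19), None),   # 12 days old
        Trade("F03", "Fixed Income", date(2001, 3, 29), date(2001, 3, 29)),
        Trade("F04", "Fixed Income", date(2001, 2, 19), None),   # 40 days old
    ]
    return equities + fixed_income


def run_sample() -> Dict[str, dict]:
    return settlement_report(sample_trades(), benchmark_fail_rate=0.10, as_of=date(2001, 3, 31))


if __name__ == "__main__":
    for division, row in run_sample().items():
        print(division, row)
```

The report deliberately carries both the rate and the ageing profile: a division can sit inside the benchmark on its fail rate and still have a single trade older than 30 days, which is exactly the case check 3 wants escalated irrespective of the rating colour.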

12.9 Communication

Communication is the lifeline of any financial institution. The structure, system, processes and organisation in regard to communication are an OpRisk as such. In addition, an ineffective communication set-up can escalate any other loss or risk situation, whether factual or by perception: from cracks to crisis. It basically is a demanding task in regard to all of the 12 S's of an organisation: easy in wording, sometimes awesome in implementation. Below is a short description of a risk mitigants framework for communication risks. Each of the following 12 priorities or mitigants has OpRisk inherent.[56]

Corporate Communication: 12 Priorities

1. Understand the context: Get the right information on a problem and determine the risk communication type. Communication in a loss, risk or crisis situation needs careful judgement of external risk concerns versus external confidence and trust. In a high external risk concern situation, communication is a must, regardless whether external confidence in the institution is low or high. Companies should identify the risk proactively in order to get the trust of the internal / external world that everything in its power is being done to manage the risk.
2. Build the communication team: Turn to the specialist for specific problems. Listen to communication specialists, but senior management determines the message and the audience. Credible specialists provide details or background information. Ideally, a core group has practised before and knows each other well from experience.
3. Listen to the internal and external world: "Machine room visits", media clippings and discussion with constructive but critical in- and outside sources can reveal real concerns significantly.
4. Design the message: Develop the objective, internally and externally. Assess the consequences of releasing an information early or later. Too early an information might endanger the accuracy - waiting too long is an invitation for third party speculations; it is only a question of time. It is not easy to separate internal and external communication in crisis situations. Important, however: internal communication has to take place at least at the same time as external announcements.

[56] Some suggestions for the 12 Priorities are based on Thiessen, K.: "Don't gamble with Goodwill", The Conference Board of Canada, 284-00 Report.

5. Co-ordinate and co-operate with other credible sources: Depending on the situation, examples include regulators, auditors, experts, consultants, politicians, etc. Therefore, communicate with supervisors ahead of public statements.
6. Align the message with the target audience: Where does the audience live? Profile? Concerns? Opinions? Perceptions? Specific issues for specific "high interest" groups? Spokespersons of stakeholders? NGO's, special interest groups in the audience?
7. Complete the "four R's" in crisis situations: Should a loss or risk situation develop into a crisis situation, the following four "R's" apply: regret, reform, restitution and responsibilities have to be covered.
8. Review the communications program prior to implementation: Communication has to be integral and consistent: "use same language". Test and practice the program internally and externally with a trusted, but critical group.

The media has an immense influence on many employees of the company concerned, so that the outside message / media is also relevant for internal people management. We have to live with it. Always consider the "12 Priorities for media: Complexity-reduction criteria in a complex world":
- New is what is new to media: what might be old for a bank might well be new for media.
- Deviations from factual and normative expectation make the news.
- Banks with their losses and risks are especially interesting: it is so easy to put up a headline - myth of money and size at work.
- Bank activities are complex and difficult to understand: dealings with large sums are ideal media targets.
- The headlines these days: money, crime, sex, sports plus envy, fear, hate and hope.
- Moralisation along "good" and "bad": moralisation is always personification.
- Personification reduces the factual issue complexity: the "bad guy" in a complex loss situation, e.g. a large fraud in a trusted bank.
- Conflicts always help to dramatise: Chairman, CEO and ExB Members are prime targets.
- Localisation gives a sense of identification: the closer, the more visible and touchable the personalities involved and the "victims".
- "Telling a story" is more "attractive" than factual description: emotional, drama, emotions, conflicts, despair, etc.
- Quantification implies preciseness of research, quotes used imply seriousness of research: selection along newness value. Circumstances are less important than loss quantification. Quotes are often taken out of context.
- Simplification of all the above is a means to differentiate in the ever increasing "Information-Gau".
Therefore, repeat your real message over and over.

9. Be credible: Professionalism and credibility are preconditions for effective risk and loss communication. Be honest, open and frank - or your credibility will suffer.
10. Delivery is at least as important as the content: Depending on the situation, empathy rates higher than competency. Use statistics and research, but only in lay terms. Be brief, clear and concise.
11. Avoid negativisms: it takes four positive words to erase the meaning of one negative word.
12. Evaluate the communication program after implementation: An evaluation should be the base for the next - improved - program. Risk communication programs deserve at least the same attention as the usual corporate programs.

12.10 Transformation Management

Common denominators for major restructurings, mergers and acquisitions: 12 Imperatives

1. Self-critical SWOT analysis:
   - Challenge core assumptions: intellectual and emotional honesty is the issue
   - If environment / parameters change: transform even if still successful; ideally, be ahead of change or force change
   - Focus on opportunity, not on problem
   - Look hard at how organisation / target / project really function
2. WILLINGNESS to change and COMMITMENT to the transformation process:
   - Hope = engine for achievements: perpetual triumph of hope over experience
   - Have a clear mission and a clear purpose
   - Have a common vision and a "clear and simple" strategy
   - Capitalise on sense of urgency: "burning platform"
   - Never forget human emotions
   - Absolute priority: desire and ability to change and commitment to lead by example
   - Earn the trust of the audience: credibility throughout the process is the issue
3. Goals and activities must generate ADDED VALUES and be perceived as such:
   - Focus on what the mission really is in its environment
   - Use power of argument, not order
   - Top-projects are top-tasks for top-management
   - Get advocacy through "committed champions"
4. Mobilise a FORWARD-LOOKING corporate culture:
   - New mission sent to everybody
   - Key to success: work WITH and not AGAINST the organisation
   - "Stretching and pain for everybody" as policy
5. The CUSTOMER / END-USER is the final arbiter:
   - Limit internally generated enthusiasm for projects: include customer / end-user early

6. The client is only interested in the QUALITY he / she receives during transformation:
   - View the world through your customers' eyes
   - The better the ongoing service, the better the internal and external credibility of the project
   - Continuously adjust Business Continuity Plans
7. CREDIBLE ORGANISATION and CREDIBLE TOOLS:
   - Source, share, synthesise and store knowledge of past projects
   - Both rational and emotional reactions are to be taken seriously
   - Avoid "not-invented-here" syndrome
   - Get and keep key talents: money and opportunities
   - Have a retention program for key players, incl. transformation team
   - Be careful on early retirements: watch the need for organisational knowledge
   - Implement with "high-performance" team: those who cannot follow are not part of the team
8. TIMING and TEMPO are key success factors:
   - Trade off between speed of execution (short-term) and building a common culture (long-term)
   - Fight of large global Goliath against flexible, local and e-Davids
   - Allow for "productive impatience": allow for mistakes
   - Cut through "permafrost" of people's attitude: people generally do not welcome the consequences of transformation
9. Recognise the "NEW VALUES":
   - Transform the whole organisation, not just the "bottom"
   - Promote a culture of success, with lifetime learning: create a winner-mentality
   - Detect and support new talents
   - Foster the brand as HR tool
10. Avoid RESIDUAL COST BURDENS:
   - Examine old structures and processes
   - Outsource non-core activities
11. Manage INTERNAL AND EXTERNAL EXPECTATIONS:
   - Use open, simple and ongoing communication
   - Use surveys, "town hall meetings" with global reach, Intranet responses by top management
   - "Over-communication" is mostly better than "under-communication"
12. Major transformation projects only have ONE CHANCE:
   - Execute the decisions in the spirit of the mission
   - If environment / parameters change during the transformation project: change the shift
   - Continuously monitor, control / supervise: guarantee for early corrections and an objective final assessment

"People may doubt what you say, but they believe what you do" (Lauris Cass)

List of Abbreviations

ART  Alternative Risk Transfer
ATM  Automated Teller Machine
BBA  British Bankers' Association
BCCI  Bank of Credit and Commerce International
BCP  Business Continuity Planning
BIS  Bank for International Settlements
BoD  Board of Directors
BT  Bankers' Trust
C&F  Commission and Fee
CAMEL  Capital, Asset, Management, Earnings, Liquidity
CBOT  Chicago Board of Trade
CEO  Chief Executive Officer
CFO  Chief Financial Officer
CLS  Continuous Linked Settlements
COO  Chief Operations Officer
CORE  Compendium of Operational Risk Events
CR  Credit Risk
CRO  Chief Risk Officer
CRSA  Control and Risk Self-Assessment
CS  Credit Suisse
CSFB  Credit Suisse First Boston
CSG  Credit Suisse Group
CSPB  Credit Suisse Private Banking
DSL  Digital Subscriber Line
ECB  European Central Bank
EMI  European Monetary Institute
EQ  Emotional Quotient
ERC  Economic Risk Capital
EU  European Union
EVT  Extreme Value Theory
FED  Federal Reserve
FIORI  Financial Institutions Operational Risk Insurance
FOBO  Front Office Back Office
FT  Financial Times
FSA  Financial Services Authority UK
GFF  Group Corporate Development / Finance
GIGO  Garbage In Garbage Out
GOLD  Global Operational Loss Database
GRM  Group Risk Management
GSTPA  Global Straight-Through Processing Association
HBCI  Home Banking Computer Interface Standard
HO  Head Office
IQ  Intelligence Quotient
IRT  Internet Related Technologies
ISDA  International Swaps and Derivatives Association
ISP  Internet Service Provider
IT  Information Technology
KCI  Key Control Indicators
KISS  Keep It Short and Simple
KPI  Key Performance Indicators
KRI  Key Risk Indicators
KYC  Know Your Client
L&C  Legal and Compliance
LTCM  Long Term Capital Management
M&A  Mergers and Acquisitions
MIS  Management Information System
MGT  Management
MORE  Multinational Operational Risk Exchange
MR  Market Risk
NGO  Non Governmental Organisation
NIAT  Net Income After Tax
OECD  Organisation of Economic Cooperation and Development
OpRisk  Operational Risk / Risks
PKI  Public Key Infrastructure
PR  Public Relations
PwC  PriceWaterhouseCoopers
RAROC  Risk Adjusted Return on Capital
RMA  Robert Morris Associates
RMG  Risk Management Group
SEC  Securities and Exchange Commission
SSL  Secure Sockets Layer
SWIFT  Society for Worldwide Interbank Financial Telecommunications
TQM  Total Quality Management
TRT  Traditional Risk Transfer
USAF  US Air Force
USGAAP  US Generally Accepted Accounting Principles
VAR  Value at Risk
VAT  Value Added Tax
WGR  Winterthur Group

Bibliography

Aichele, C. (2000): "A short Course on Business Process Re-Engineering with ARIS". IDS-Gintic Pte. Ltd.
Austega (2000): "Banking and Risk Management".
Basel Committee on Banking Supervision (1998): "Framework for the Internal Controls Systems in Banking Organisations". BIS, Basel, Sept. 1998.
Basel Committee on Banking Supervision (1998): "Operational Risk Management". BIS, Basel, Sept. 1998.
Basel Committee on Banking Supervision (1999): "A New Capital Adequacy Framework". BIS, Basel, Jun. 1999. Quoted as BIS (1999).
Basel Committee on Banking Supervision (1999a): "Enhancing Corporate Governance for Banking Organisations". BIS, Basel, Sept. 1999. Quoted as BIS (1999a).
Basel Committee on Banking Supervision, Risk Management Group (2000): "Other Risks (OR) Discussion Paper". BIS, Basel, 2000. Quoted as BIS (2000).
Basel Committee on Payment and Settlement Systems (1996): "Settlement Risk in Foreign Exchange Transactions". BIS, Basel, March 1996. Quoted as BIS (1996).
British Bankers' Association, ISDA, RMA and PricewaterhouseCoopers (1999): Operational Risk: the Next Frontier. RMA, Philadelphia. Quoted as BBA (1999).
CORE (1999): CORE Database.
FSA (2000): Guide to Banking Supervisory Policy. London.
FSA (2000): "Money Laundering: the FSA's new role". FSA Consultation Paper 46, London, Apr. 2000.
Gapper, J. and Denton, N. (1997): All that Glitters - The Fall of Barings. Penguin Books, London.
Hoffman, D. (1998): "New Trends in Operational Risk Measurement and Management", in Jameson, R. (ed.): Operational Risk and Financial Institutions. Arthur Andersen / Risk Books, London.
Hoffman, D. (1998a): "Getting the Measure of the Beast". Risk, Nov. 1998, pp. 38-41.
Irvine, J. et al. (eds.) (1979): Demystifying Social Statistics. Pluto, London.
Jameson, R. (ed.) (1998): Operational Risk and Financial Institutions. Arthur Andersen / Risk Books, London.
Jung, J. (2000): From the Schweizerische Kreditanstalt to Credit Suisse Group. NZZ Verlag, Zurich.
Kimball, R. (2000): "Failures in Risk Management". New England Economic Review, Jan./Feb. 2000, pp. 3-12.
KPMG (2000): Continuous Linked Settlement Survey. Preliminary Draft, Jan. 2000.
Meridien Research Inc. (1998): Time for a New Look at Operational Risk. Q4 1998.
Norris, F. (1994): "Orange County Crisis Jolts Bond Market". The New York Times, Dec. 1994.
Ong, M. (1998): "On the Quantification of Operational Risk. A Short Polemic", in Jameson, R. (ed.): Operational Risk and Financial Institutions. Risk Books, London.
Rachlin, C. (1998): "Operational Risk in Retail Banking", in Jameson, R. (ed.): Operational Risk and Financial Institutions. Risk Books, London.
Samad-Khan, A. (2000): Quantification of Operational Risk. Mimeo.
Shih, J., Samad-Khan, A. and Medapa, P. (2000): "Is the Size of an Operational Loss Related to Firm Size?". Reprint of Operational Risk, Jan. 2000.
Swiss Bankers' Association (2000): Comments on the Paper "A New Capital Adequacy Framework" of the Basel Committee on Banking Supervision.
Thiessen, K. (2000): Don't Gamble with Goodwill. The Conference Board of Canada, 284-00 Report.
US Air Force (no date): Air Combat Command.
US Navy (1997): OPNAVINST 3500.39. Apr. 1997.
US Navy (no date): Submarine on Board Training.
US Navy 27th Fighter Wing (no date): Operational Risk Training.
Young, B. (2000): "Operating the Learning Curve".

Further titles cited in the original list (author details not recoverable):
"A Modern Approach to Operational Risk" (2000).
"Digital Buccaneers Caught in a Legal Web" (2000).
"Finding Value in a Collection of Losses" (2000).
"Insurance Finds a Blend of Innovation and Tradition" (2000). Risk, Special Issue on Operational Risk.
"Insurers to the Rescue?" (2000).
"Introduction to Operational Risk Management" (1999). Naval Safety Centre, Norfolk, Va.
"Lies, Damned Lies and Usable Statistics" (1979), in Irvine, J. et al. (eds.): Demystifying Social Statistics. Pluto, London.
"Measuring Operational Risk" (1998).
"Must It Always Be Risky Business?" (1998). McKinsey Quarterly.
"Operational Risk - Can it be Quantified?" (2000).
"Operational Risk Control" (2000).
"Operational Risk Manager" (2000).
"Protecting Your Information Assets and e-Business Activities" (2000). Net Secure, Kessler & Co.
"Security and Data Protection" (2000).
"Sumitomo Losses Show Up Poor Links" (1996). Banking Technology.
"What FSA Expects, and You Must Do" (2000).
"Why Are Figures so Significant? The Role and the Critique of Quantification" (1979), in Irvine, J. et al. (eds.): Demystifying Social Statistics. Pluto, London.