© The Institute of Operational Risk

Institute of Operational Risk

2nd Scottish Annual Conference26th October 2012

(in conjunction with Glasgow Caledonian University)

Institute of Operational Risk26 October 2012

Data Capture, Accuracy and Recording of Operational Risk

Losses

Andrew Sheen (FIOR)Manager, FSA

Risk Frameworks team (PBU)

3

1. Context

2. Internal Data

3. External Data

4. Supervisory Concerns and Issues

5. Relevant Papers

4

1. Context

2. Internal Data

3. External Data

4. Supervisory Concerns and Issues

5. Relevant Papers

5

The nature and outcome of operational risk data collected ….affects not only the outcome of the bank’s quantification process but also operational risk management decisions.

(Observed Range of Practice in Key Elements of AMA, BCBS, July 2009)

6

So loss data collection is about:

• Risk management, including

– Risk events and impact

– RCSA

– Scenarios

• Risk measurement, including

– Scenarios

– AMA

– Pillar 2

7

1. Context

2. Internal Data

3. External Data

4. Supervisory Concerns and Issues

5. Relevant Papers

8

Business line / unit

Event type -to what level

Event description

Cause of event

Gross loss amount –Date of discovery

–Date of occurrence

–Date of accounting

Recovery –Insurance

–Other

Net loss amount -Management action taken

–Immediate to deal with event

–Changes to policy and controls

Lessons learnt

9

1. Context

2. Internal Data

3. External Data

4. Supervisory Concerns and Issues

5. Relevant Papers

10

• Data sources

– Consortium –

• May exclude key events (ie they did not happen to a member firm (rogue trading))

• Limited supporting information

– Public data –

• Is the information accurate

• What about events that did not get into the press

• Issues include-

– Data quality

• Completeness

• Consistency

– Thresholds

– Scaling

– That could not happen here

11

1. Context

2. Internal Data

3. External Data

4. Supervisory Concerns and Issues

5. Relevant Papers

12

1. Loss definition

• Range of practice between firms using gross and net loss for AMA calculations

• For the firm to justify its choice

• Problems calculating the insurance allowance if using net loss

13

2. Loss Data Thresholds

• Considerable variation in thresholds by firm and business line

• Influences the management and measurement of operational risk

• Should be based on statistical evidence showing items below the threshold are immaterial when calculating capital

• Should not omit operational risk loss event data that are material for operational risk exposure and for effective operational risk management

• Choice of threshold should not impact credibility

14

3. Date of Internal Losses– BIS does not provide any guidance - Banks have

several reference dates• Date of occurrence * • Date of discovery * ‘• Date of contingent liability• Date of accounting (first financial impact) * ‘• Date of settlement* Typically used by banks‘ Most prudent

– Supervisory concern – can the selected date result in the omission of large internal losses and therefore significantly impact OR capital at a given point in time and over time

– Firms can select which date to use as long as material loss data is not omitted

15

4. Grouped Losses– Banks sometimes group a number of losses

and treat the group as a single loss for recording, management and modelling purposes. Depending on the reasons for grouping the following different guidelines apply

• Losses caused by a common operational risk event should be grouped and entered into the loss calculation dataset as a single loss, unless the firm chooses to model causality or dependence among those losses in a different manner

• Small losses grouped with no causal relations for data collection and registration should be excluded from the calculation dataset

16

5. Review and Validation

– Has the data collection process been reviewed and validated by• Reconciling to the General Ledger• Internal audit• Third party • Using loss data and events to inform:

– RCSA– Scenarios– KRIs

17

6. Other Issues– Near Misses– What % of losses are missed– Frequency– How relevant is old data– How are losses allocated across

business lines– Boundary Issues– Losses, near misses and P2

18

1. Context

2. Internal Data

3. External Data

4. Supervisory Concerns and Issues

5. Relevant Papers

19

Key documents

• Enhancing frameworks in the Standardised Approach to Operational Risk, FSA, January 2011

– http://www.fsa.gov.uk/library/policy/guidance/2011/gn11.shtml

– http://www.fsa.gov.uk/pages/Library/Policy/guidance_consultations/2011/11_17.shtml

• Operational Risk – Supervisory Guidelines for the Advanced Measurement Approaches, BCBS, June 2011

– http://www.bis.org/publ/bcbs196.htm

• Observed Range of Practice in Key Elements of the Advanced Measurement Approaches, BCBS, July 2009

– http://www.bis.org/publ/bcbs160.htm

• Results from the Loss Data Collection Exercise for Operational Risk, BCBS, July 2009

– http://www.bis.org/list/bcbs/page_2.htm

20

Andrew Sheen (FIOR)

Risk Frameworks team (PBU)

Financial Services Authority

andrew.sheen@fsa.gov.uk

© The Institute of Operational Risk

Institute of Operational Risk

2nd Scottish Annual Conference26th October 2012

(in conjunction with Glasgow Caledonian University)

Institute of Operational Risk Scottish Conference

3 Lines of Defence

George Clark, Glasgow, October 2012

The 3 Lines of Defence

Internationally recognised go to model for financial services firms.

Referenced by:

• ECIIA/FERMA – Guidance on the 8th EU Company Law Directive, Sept 2010

• Basel Committee on Banking Supervision – Sound Practices for the Management and Supervision of Operational Risk, December 2010

• COSO – Exposure Draft: Internal Control Integrated Framework, December 2011

Key objective is sound internal governance but perhaps a better term is effective internal governance.

The 3 Lines of Defence Model

1st Line of Defence

Board/Audit Committee

Senior Management

2nd Line of Defence 3rd Line of Defence

Operational Management

Internal Controls

Credit

Compliance

Operational Risk

Others

Internal Audit

External Audit

Which in simple terms...

The first line:

• Identify, assess, control, mitigate and manage risk

• Comply with risk framework

• Ensure effective design, implementation and operation of controls

• Escalate material threats and risk exposures

• Operate good governance of the business function

The second line:

•Provide policy and framework

•Monitor, oversight of and challenge to 1st line

•Support good Governance of the company

•Report and escalate threats and risk exposures

The third line:

•Independent assurance over the first two lines of defence

•Quality assurance on the application of the framework

•Evaluation of control adequacy

Do Review Overview

Big 5 factors which influence success

• Context and Environment• Roles and Responsibilities• Training, Education and Communication• Data• Culture

Context and Environment

• Capability• Complexity• Scale and spread• Retail• Wholesale• Automation

Roles and Responsibilities

• NOT about structures but about “real world”• Clear, documented, understood and agreed• There will be grey areas – embedded risk• Align risk management silos• Don’t forget Senior Management and Board• Challenge for risk to be both trusted advisor

and policeman• Learn from others experience – HR and IT

Training, Education and Communication• Awareness both initial and ongoing• Skill and capability• Build reliance and resilience• Align with company objectives and strategy• Don’t forget Senior Management and the

Board nor the new entrant

Data

• Intelligence gathering• Monitoring• Relationship Management• Management information• Key measures of success• What gets checked gets done

Culture

“Banks in this country are “two decades behind” other keystone global industries like aviation and oil and gas in recognising the critical importance of individual behaviour and corporate culture in managing and minimising their operational risks. The dominant banking instinct is to “reach for the sticking plaster” rather than confront the root cause of risk failures”

Source: The Back Office front line, Chartered Banker Magazine October/November 2012

Culture

• Tone from the top• Communication• Paradigms and environments• Influences and drives business outcomes,

including the taking of risk and the quality of processing

• Major failings during the global financial crisis

The culture house

Closing observations

• Be proportionate and practical• Look for that “use test”• Ride out the storm, it gets worse before it gets

better• Expect progress not perfection• Implementation is king

Questions and Comments

??

© The Institute of Operational Risk

Institute of Operational Risk

2nd Scottish Annual Conference26th October 2012

(in conjunction with Glasgow Caledonian University)

Risk Culture + Behaviours

Reflections From A Reformed Banker

Scene Setting

•Culture and behaviours are highly prized and difficult to change•They’re not all standard•They’re not always rational.•They shift for the better...and worse

Culture & Behaviour Issues

And it gets worse

McKinsey Survey of 2,207 executives:28% say the quality of strategic decisions were generally good?

60% say good and bad decisions occur in equal measure

12% say nearly all decisions are bad

51% say major risk decisions are attributed to a single function?!?!?

Is it taken seriously?

Ivory Tower?

•ACCA survey – 2012

Where to start

•Root causes are ambiguous, multi faceted and outside your control•Be practical so start @ home:

•It’s not someone else’s responsibility•People or admin? •Risk MI identification & integration

Keep going

•Be mindful of barriers• ‘2nd line of defence’• fear•habit•history

•Use internal and external audit•Avoid orderly inaction•Engage senior management in your thoughts

Don’t Stop

•Don’t drop the ball•Events, issues and actions MUST be complete, accurate and managed through to completion

•Learn from other firms hard earned lessons•Map and assess the existence and design of the control environment•Focus on positive assurance arrangements•Keep communicating outcomes and next steps

That’s just the start

•Review and amend governance arrangements

•Adequacy of performance•Business engagement and ownership•Don’t think this is a Co Sec responsibility; below Board/Exec level it’s often a gap

•Recruit talent and relocate tasks•Build Risk IT capability•Then the fun starts...

The journey continues

• Recruit and reallocate existing talent• Integrate IT and Op risk processes

with business processes, including outsourcers

• Evaluate organisational and e2e process design• Use the Exec and Board using

‘position papers’

And continues

• Maintaining credibility• Benchmark your Op Risk unit• Horizon scanning and increased

engagement with ‘Corporate Change’

• Get a risk change budget!• Develop cross discipline expertise• Reward and recognition

Questions and thanks

alan.esson@swip.com;

0131 655 8809

© The Institute of Operational Risk

Institute of Operational Risk

2nd Scottish Annual Conference26th October 2012

(in conjunction with Glasgow Caledonian University)