© the institute of operational risk institute of operational risk 2 nd scottish annual conference...
Post on 11-Jan-2016
219 Views
Preview:
TRANSCRIPT
© The Institute of Operational Risk
Institute of Operational Risk
2nd Scottish Annual Conference26th October 2012
(in conjunction with Glasgow Caledonian University)
Institute of Operational Risk26 October 2012
Data Capture, Accuracy and Recording of Operational Risk
Losses
Andrew Sheen (FIOR)Manager, FSA
Risk Frameworks team (PBU)
3
1. Context
2. Internal Data
3. External Data
4. Supervisory Concerns and Issues
5. Relevant Papers
4
1. Context
2. Internal Data
3. External Data
4. Supervisory Concerns and Issues
5. Relevant Papers
5
The nature and outcome of operational risk data collected ….affects not only the outcome of the bank’s quantification process but also operational risk management decisions.
(Observed Range of Practice in Key Elements of AMA, BCBS, July 2009)
6
So loss data collection is about:
• Risk management, including
– Risk events and impact
– RCSA
– Scenarios
• Risk measurement, including
– Scenarios
– AMA
– Pillar 2
7
1. Context
2. Internal Data
3. External Data
4. Supervisory Concerns and Issues
5. Relevant Papers
8
Business line / unit
Event type -to what level
Event description
Cause of event
Gross loss amount –Date of discovery
–Date of occurrence
–Date of accounting
Recovery –Insurance
–Other
Net loss amount -Management action taken
–Immediate to deal with event
–Changes to policy and controls
Lessons learnt
9
1. Context
2. Internal Data
3. External Data
4. Supervisory Concerns and Issues
5. Relevant Papers
10
• Data sources
– Consortium –
• May exclude key events (ie they did not happen to a member firm (rogue trading))
• Limited supporting information
– Public data –
• Is the information accurate
• What about events that did not get into the press
• Issues include-
– Data quality
• Completeness
• Consistency
– Thresholds
– Scaling
– That could not happen here
11
1. Context
2. Internal Data
3. External Data
4. Supervisory Concerns and Issues
5. Relevant Papers
12
1. Loss definition
• Range of practice between firms using gross and net loss for AMA calculations
• For the firm to justify its choice
• Problems calculating the insurance allowance if using net loss
13
2. Loss Data Thresholds
• Considerable variation in thresholds by firm and business line
• Influences the management and measurement of operational risk
• Should be based on statistical evidence showing items below the threshold are immaterial when calculating capital
• Should not omit operational risk loss event data that are material for operational risk exposure and for effective operational risk management
• Choice of threshold should not impact credibility
14
3. Date of Internal Losses– BIS does not provide any guidance - Banks have
several reference dates• Date of occurrence * • Date of discovery * ‘• Date of contingent liability• Date of accounting (first financial impact) * ‘• Date of settlement* Typically used by banks‘ Most prudent
– Supervisory concern – can the selected date result in the omission of large internal losses and therefore significantly impact OR capital at a given point in time and over time
– Firms can select which date to use as long as material loss data is not omitted
15
4. Grouped Losses– Banks sometimes group a number of losses
and treat the group as a single loss for recording, management and modelling purposes. Depending on the reasons for grouping the following different guidelines apply
• Losses caused by a common operational risk event should be grouped and entered into the loss calculation dataset as a single loss, unless the firm chooses to model causality or dependence among those losses in a different manner
• Small losses grouped with no causal relations for data collection and registration should be excluded from the calculation dataset
16
5. Review and Validation
– Has the data collection process been reviewed and validated by• Reconciling to the General Ledger• Internal audit• Third party • Using loss data and events to inform:
– RCSA– Scenarios– KRIs
17
6. Other Issues– Near Misses– What % of losses are missed– Frequency– How relevant is old data– How are losses allocated across
business lines– Boundary Issues– Losses, near misses and P2
18
1. Context
2. Internal Data
3. External Data
4. Supervisory Concerns and Issues
5. Relevant Papers
19
Key documents
• Enhancing frameworks in the Standardised Approach to Operational Risk, FSA, January 2011
– http://www.fsa.gov.uk/library/policy/guidance/2011/gn11.shtml
– http://www.fsa.gov.uk/pages/Library/Policy/guidance_consultations/2011/11_17.shtml
• Operational Risk – Supervisory Guidelines for the Advanced Measurement Approaches, BCBS, June 2011
– http://www.bis.org/publ/bcbs196.htm
• Observed Range of Practice in Key Elements of the Advanced Measurement Approaches, BCBS, July 2009
– http://www.bis.org/publ/bcbs160.htm
• Results from the Loss Data Collection Exercise for Operational Risk, BCBS, July 2009
– http://www.bis.org/list/bcbs/page_2.htm
20
Andrew Sheen (FIOR)
Risk Frameworks team (PBU)
Financial Services Authority
andrew.sheen@fsa.gov.uk
© The Institute of Operational Risk
Institute of Operational Risk
2nd Scottish Annual Conference26th October 2012
(in conjunction with Glasgow Caledonian University)
Institute of Operational Risk Scottish Conference
3 Lines of Defence
George Clark, Glasgow, October 2012
The 3 Lines of Defence
Internationally recognised go to model for financial services firms.
Referenced by:
• ECIIA/FERMA – Guidance on the 8th EU Company Law Directive, Sept 2010
• Basel Committee on Banking Supervision – Sound Practices for the Management and Supervision of Operational Risk, December 2010
• COSO – Exposure Draft: Internal Control Integrated Framework, December 2011
Key objective is sound internal governance but perhaps a better term is effective internal governance.
The 3 Lines of Defence Model
1st Line of Defence
Board/Audit Committee
Senior Management
2nd Line of Defence 3rd Line of Defence
Operational Management
Internal Controls
Credit
Compliance
Operational Risk
Others
Internal Audit
External Audit
Which in simple terms...
The first line:
• Identify, assess, control, mitigate and manage risk
• Comply with risk framework
• Ensure effective design, implementation and operation of controls
• Escalate material threats and risk exposures
• Operate good governance of the business function
The second line:
•Provide policy and framework
•Monitor, oversight of and challenge to 1st line
•Support good Governance of the company
•Report and escalate threats and risk exposures
The third line:
•Independent assurance over the first two lines of defence
•Quality assurance on the application of the framework
•Evaluation of control adequacy
Do Review Overview
Big 5 factors which influence success
• Context and Environment• Roles and Responsibilities• Training, Education and Communication• Data• Culture
Context and Environment
• Capability• Complexity• Scale and spread• Retail• Wholesale• Automation
Roles and Responsibilities
• NOT about structures but about “real world”• Clear, documented, understood and agreed• There will be grey areas – embedded risk• Align risk management silos• Don’t forget Senior Management and Board• Challenge for risk to be both trusted advisor
and policeman• Learn from others experience – HR and IT
Training, Education and Communication• Awareness both initial and ongoing• Skill and capability• Build reliance and resilience• Align with company objectives and strategy• Don’t forget Senior Management and the
Board nor the new entrant
Data
• Intelligence gathering• Monitoring• Relationship Management• Management information• Key measures of success• What gets checked gets done
Culture
“Banks in this country are “two decades behind” other keystone global industries like aviation and oil and gas in recognising the critical importance of individual behaviour and corporate culture in managing and minimising their operational risks. The dominant banking instinct is to “reach for the sticking plaster” rather than confront the root cause of risk failures”
Source: The Back Office front line, Chartered Banker Magazine October/November 2012
Culture
• Tone from the top• Communication• Paradigms and environments• Influences and drives business outcomes,
including the taking of risk and the quality of processing
• Major failings during the global financial crisis
The culture house
Closing observations
• Be proportionate and practical• Look for that “use test”• Ride out the storm, it gets worse before it gets
better• Expect progress not perfection• Implementation is king
Questions and Comments
??
© The Institute of Operational Risk
Institute of Operational Risk
2nd Scottish Annual Conference26th October 2012
(in conjunction with Glasgow Caledonian University)
Risk Culture + Behaviours
Reflections From A Reformed Banker
Scene Setting
•Culture and behaviours are highly prized and difficult to change•They’re not all standard•They’re not always rational.•They shift for the better...and worse
Culture & Behaviour Issues
And it gets worse
McKinsey Survey of 2,207 executives:28% say the quality of strategic decisions were generally good?
60% say good and bad decisions occur in equal measure
12% say nearly all decisions are bad
51% say major risk decisions are attributed to a single function?!?!?
Is it taken seriously?
Ivory Tower?
•ACCA survey – 2012
Where to start
•Root causes are ambiguous, multi faceted and outside your control•Be practical so start @ home:
•It’s not someone else’s responsibility•People or admin? •Risk MI identification & integration
Keep going
•Be mindful of barriers• ‘2nd line of defence’• fear•habit•history
•Use internal and external audit•Avoid orderly inaction•Engage senior management in your thoughts
Don’t Stop
•Don’t drop the ball•Events, issues and actions MUST be complete, accurate and managed through to completion
•Learn from other firms hard earned lessons•Map and assess the existence and design of the control environment•Focus on positive assurance arrangements•Keep communicating outcomes and next steps
That’s just the start
•Review and amend governance arrangements
•Adequacy of performance•Business engagement and ownership•Don’t think this is a Co Sec responsibility; below Board/Exec level it’s often a gap
•Recruit talent and relocate tasks•Build Risk IT capability•Then the fun starts...
The journey continues
• Recruit and reallocate existing talent• Integrate IT and Op risk processes
with business processes, including outsourcers
• Evaluate organisational and e2e process design• Use the Exec and Board using
‘position papers’
And continues
• Maintaining credibility• Benchmark your Op Risk unit• Horizon scanning and increased
engagement with ‘Corporate Change’
• Get a risk change budget!• Develop cross discipline expertise• Reward and recognition
© The Institute of Operational Risk
Institute of Operational Risk
2nd Scottish Annual Conference26th October 2012
(in conjunction with Glasgow Caledonian University)
top related