![Page 1: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/1.jpg)
© The Institute of Operational Risk
Institute of Operational Risk
2nd Scottish Annual Conference26th October 2012
(in conjunction with Glasgow Caledonian University)
![Page 2: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/2.jpg)
Institute of Operational Risk26 October 2012
Data Capture, Accuracy and Recording of Operational Risk
Losses
Andrew Sheen (FIOR)Manager, FSA
Risk Frameworks team (PBU)
![Page 3: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/3.jpg)
3
1. Context
2. Internal Data
3. External Data
4. Supervisory Concerns and Issues
5. Relevant Papers
![Page 4: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/4.jpg)
4
1. Context
2. Internal Data
3. External Data
4. Supervisory Concerns and Issues
5. Relevant Papers
![Page 5: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/5.jpg)
5
The nature and outcome of operational risk data collected ….affects not only the outcome of the bank’s quantification process but also operational risk management decisions.
(Observed Range of Practice in Key Elements of AMA, BCBS, July 2009)
![Page 6: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/6.jpg)
6
So loss data collection is about:
• Risk management, including
– Risk events and impact
– RCSA
– Scenarios
• Risk measurement, including
– Scenarios
– AMA
– Pillar 2
![Page 7: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/7.jpg)
7
1. Context
2. Internal Data
3. External Data
4. Supervisory Concerns and Issues
5. Relevant Papers
![Page 8: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/8.jpg)
8
Business line / unit
Event type -to what level
Event description
Cause of event
Gross loss amount –Date of discovery
–Date of occurrence
–Date of accounting
Recovery –Insurance
–Other
Net loss amount -Management action taken
–Immediate to deal with event
–Changes to policy and controls
Lessons learnt
![Page 9: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/9.jpg)
9
1. Context
2. Internal Data
3. External Data
4. Supervisory Concerns and Issues
5. Relevant Papers
![Page 10: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/10.jpg)
10
• Data sources
– Consortium –
• May exclude key events (ie they did not happen to a member firm (rogue trading))
• Limited supporting information
– Public data –
• Is the information accurate
• What about events that did not get into the press
• Issues include-
– Data quality
• Completeness
• Consistency
– Thresholds
– Scaling
– That could not happen here
![Page 11: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/11.jpg)
11
1. Context
2. Internal Data
3. External Data
4. Supervisory Concerns and Issues
5. Relevant Papers
![Page 12: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/12.jpg)
12
1. Loss definition
• Range of practice between firms using gross and net loss for AMA calculations
• For the firm to justify its choice
• Problems calculating the insurance allowance if using net loss
![Page 13: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/13.jpg)
13
2. Loss Data Thresholds
• Considerable variation in thresholds by firm and business line
• Influences the management and measurement of operational risk
• Should be based on statistical evidence showing items below the threshold are immaterial when calculating capital
• Should not omit operational risk loss event data that are material for operational risk exposure and for effective operational risk management
• Choice of threshold should not impact credibility
![Page 14: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/14.jpg)
14
3. Date of Internal Losses– BIS does not provide any guidance - Banks have
several reference dates• Date of occurrence * • Date of discovery * ‘• Date of contingent liability• Date of accounting (first financial impact) * ‘• Date of settlement* Typically used by banks‘ Most prudent
– Supervisory concern – can the selected date result in the omission of large internal losses and therefore significantly impact OR capital at a given point in time and over time
– Firms can select which date to use as long as material loss data is not omitted
![Page 15: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/15.jpg)
15
4. Grouped Losses– Banks sometimes group a number of losses
and treat the group as a single loss for recording, management and modelling purposes. Depending on the reasons for grouping the following different guidelines apply
• Losses caused by a common operational risk event should be grouped and entered into the loss calculation dataset as a single loss, unless the firm chooses to model causality or dependence among those losses in a different manner
• Small losses grouped with no causal relations for data collection and registration should be excluded from the calculation dataset
![Page 16: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/16.jpg)
16
5. Review and Validation
– Has the data collection process been reviewed and validated by• Reconciling to the General Ledger• Internal audit• Third party • Using loss data and events to inform:
– RCSA– Scenarios– KRIs
![Page 17: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/17.jpg)
17
6. Other Issues– Near Misses– What % of losses are missed– Frequency– How relevant is old data– How are losses allocated across
business lines– Boundary Issues– Losses, near misses and P2
![Page 18: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/18.jpg)
18
1. Context
2. Internal Data
3. External Data
4. Supervisory Concerns and Issues
5. Relevant Papers
![Page 19: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/19.jpg)
19
Key documents
• Enhancing frameworks in the Standardised Approach to Operational Risk, FSA, January 2011
– http://www.fsa.gov.uk/library/policy/guidance/2011/gn11.shtml
– http://www.fsa.gov.uk/pages/Library/Policy/guidance_consultations/2011/11_17.shtml
• Operational Risk – Supervisory Guidelines for the Advanced Measurement Approaches, BCBS, June 2011
– http://www.bis.org/publ/bcbs196.htm
• Observed Range of Practice in Key Elements of the Advanced Measurement Approaches, BCBS, July 2009
– http://www.bis.org/publ/bcbs160.htm
• Results from the Loss Data Collection Exercise for Operational Risk, BCBS, July 2009
– http://www.bis.org/list/bcbs/page_2.htm
![Page 21: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/21.jpg)
© The Institute of Operational Risk
Institute of Operational Risk
2nd Scottish Annual Conference26th October 2012
(in conjunction with Glasgow Caledonian University)
![Page 22: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/22.jpg)
Institute of Operational Risk Scottish Conference
3 Lines of Defence
George Clark, Glasgow, October 2012
![Page 23: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/23.jpg)
The 3 Lines of Defence
Internationally recognised go to model for financial services firms.
Referenced by:
• ECIIA/FERMA – Guidance on the 8th EU Company Law Directive, Sept 2010
• Basel Committee on Banking Supervision – Sound Practices for the Management and Supervision of Operational Risk, December 2010
• COSO – Exposure Draft: Internal Control Integrated Framework, December 2011
Key objective is sound internal governance but perhaps a better term is effective internal governance.
![Page 24: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/24.jpg)
The 3 Lines of Defence Model
1st Line of Defence
Board/Audit Committee
Senior Management
2nd Line of Defence 3rd Line of Defence
Operational Management
Internal Controls
Credit
Compliance
Operational Risk
Others
Internal Audit
External Audit
![Page 25: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/25.jpg)
Which in simple terms...
The first line:
• Identify, assess, control, mitigate and manage risk
• Comply with risk framework
• Ensure effective design, implementation and operation of controls
• Escalate material threats and risk exposures
• Operate good governance of the business function
The second line:
•Provide policy and framework
•Monitor, oversight of and challenge to 1st line
•Support good Governance of the company
•Report and escalate threats and risk exposures
The third line:
•Independent assurance over the first two lines of defence
•Quality assurance on the application of the framework
•Evaluation of control adequacy
Do Review Overview
![Page 26: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/26.jpg)
Big 5 factors which influence success
• Context and Environment• Roles and Responsibilities• Training, Education and Communication• Data• Culture
![Page 27: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/27.jpg)
Context and Environment
• Capability• Complexity• Scale and spread• Retail• Wholesale• Automation
![Page 28: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/28.jpg)
Roles and Responsibilities
• NOT about structures but about “real world”• Clear, documented, understood and agreed• There will be grey areas – embedded risk• Align risk management silos• Don’t forget Senior Management and Board• Challenge for risk to be both trusted advisor
and policeman• Learn from others experience – HR and IT
![Page 29: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/29.jpg)
Training, Education and Communication• Awareness both initial and ongoing• Skill and capability• Build reliance and resilience• Align with company objectives and strategy• Don’t forget Senior Management and the
Board nor the new entrant
![Page 30: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/30.jpg)
Data
• Intelligence gathering• Monitoring• Relationship Management• Management information• Key measures of success• What gets checked gets done
![Page 31: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/31.jpg)
Culture
“Banks in this country are “two decades behind” other keystone global industries like aviation and oil and gas in recognising the critical importance of individual behaviour and corporate culture in managing and minimising their operational risks. The dominant banking instinct is to “reach for the sticking plaster” rather than confront the root cause of risk failures”
Source: The Back Office front line, Chartered Banker Magazine October/November 2012
![Page 32: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/32.jpg)
Culture
• Tone from the top• Communication• Paradigms and environments• Influences and drives business outcomes,
including the taking of risk and the quality of processing
• Major failings during the global financial crisis
![Page 33: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/33.jpg)
The culture house
![Page 34: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/34.jpg)
Closing observations
• Be proportionate and practical• Look for that “use test”• Ride out the storm, it gets worse before it gets
better• Expect progress not perfection• Implementation is king
![Page 35: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/35.jpg)
Questions and Comments
??
![Page 36: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/36.jpg)
© The Institute of Operational Risk
Institute of Operational Risk
2nd Scottish Annual Conference26th October 2012
(in conjunction with Glasgow Caledonian University)
![Page 37: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/37.jpg)
![Page 38: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/38.jpg)
Risk Culture + Behaviours
Reflections From A Reformed Banker
![Page 39: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/39.jpg)
Scene Setting
•Culture and behaviours are highly prized and difficult to change•They’re not all standard•They’re not always rational.•They shift for the better...and worse
![Page 40: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/40.jpg)
Culture & Behaviour Issues
![Page 41: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/41.jpg)
And it gets worse
McKinsey Survey of 2,207 executives:28% say the quality of strategic decisions were generally good?
60% say good and bad decisions occur in equal measure
12% say nearly all decisions are bad
51% say major risk decisions are attributed to a single function?!?!?
![Page 42: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/42.jpg)
Is it taken seriously?
![Page 43: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/43.jpg)
Ivory Tower?
•ACCA survey – 2012
![Page 44: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/44.jpg)
Where to start
•Root causes are ambiguous, multi faceted and outside your control•Be practical so start @ home:
•It’s not someone else’s responsibility•People or admin? •Risk MI identification & integration
![Page 45: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/45.jpg)
Keep going
•Be mindful of barriers• ‘2nd line of defence’• fear•habit•history
•Use internal and external audit•Avoid orderly inaction•Engage senior management in your thoughts
![Page 46: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/46.jpg)
Don’t Stop
•Don’t drop the ball•Events, issues and actions MUST be complete, accurate and managed through to completion
•Learn from other firms hard earned lessons•Map and assess the existence and design of the control environment•Focus on positive assurance arrangements•Keep communicating outcomes and next steps
![Page 47: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/47.jpg)
That’s just the start
•Review and amend governance arrangements
•Adequacy of performance•Business engagement and ownership•Don’t think this is a Co Sec responsibility; below Board/Exec level it’s often a gap
•Recruit talent and relocate tasks•Build Risk IT capability•Then the fun starts...
![Page 48: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/48.jpg)
The journey continues
• Recruit and reallocate existing talent• Integrate IT and Op risk processes
with business processes, including outsourcers
• Evaluate organisational and e2e process design• Use the Exec and Board using
‘position papers’
![Page 49: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/49.jpg)
And continues
• Maintaining credibility• Benchmark your Op Risk unit• Horizon scanning and increased
engagement with ‘Corporate Change’
• Get a risk change budget!• Develop cross discipline expertise• Reward and recognition
![Page 51: © The Institute of Operational Risk Institute of Operational Risk 2 nd Scottish Annual Conference 26th October 2012 (in conjunction with Glasgow Caledonian](https://reader035.vdocuments.us/reader035/viewer/2022062423/56649e155503460f94aff320/html5/thumbnails/51.jpg)
© The Institute of Operational Risk
Institute of Operational Risk
2nd Scottish Annual Conference26th October 2012
(in conjunction with Glasgow Caledonian University)