Download - Objective: Shed some light on ………
Operational Risk ManagementOperational Risk Management
Jaidev Iyer, Managing Director Jaidev Iyer, Managing Director Head of Operational Risk - Markets & BankingHead of Operational Risk - Markets & Banking
IstanbulIstanbulMarch 6, 2007March 6, 2007
2
Objective: Shed some light on ………
What is Operational Risk?
How do we manage Operational Risk?
OpRisk Capital
3
For over 5 decades, Operators had taken larger and larger risks to save money
Greater attention to Amenities than to Safety..engineers did not have last (any) word
Lifeboats ate up deck space .. Board of Trade dominated by Shipbuilders
Poor procedures: 2200 passengers, only 1200 could have been saved, only 700 were
Safety drills (including at the lifeboats)…mere custom
The good news: Disasters bring change…Change for the good, despite all the costs
What sank the Titanic? What made it a big tragedy?
4
Is there Operational Risk in these Headlines?
EnronVolatility inLatin America
Structured Finance
Research Conflicts
CorporateGovernance
Integrity of Integrity of
Financial ReportingFinancial Reporting
Predatory Lending
IPO Allocations
ArgentinaArgentina
WorldCom
WorldCom
Losses Recognized Following
Discovery of Trader’s Unauthorized
Activity
Disciplinary Action for Alleged
Manipulation of Market Prices
Mutual Fund
Mutual Fund
Probe Expanded
Probe Expanded
Private Bank to discontinueOperations in Japan
Innovative Transaction in European Government Bond Markets
SEC Investigation of
Transfer Agent Matters
5
Losses in $Bns
Merrill Lynch & Co
Orange County
Mettallgesellschaft AG
Kidder, Peabody & Co
Barings Plc
Daiwa Bank Ltd
Sumitomo Corp
Deutsche Bank AG
NatWest Markets
UBS
LTCM
0 0.5 1.0 1.5 2.0 2.5 7.5
??
1987 - Unauthorized Mortgage Trading
1994 - Liquidity Mismanagement
1994 - Oil Futures
1994 - Joe Jett Phantom Trades
1995 - Nick Leeson Trading Losses
1995 - Treasury Bond Trading
1996 - Unauthorized activity by fund managers
1997 - Mispriced Options
1997 - Mispriced options
1998 - Over leveraged convergence arbitrage
Allied Irish Banks 2002 – Fraudulent trades
National Australia Bank 2004 – Fraudulent trades
Citigroup 2004 – Regulatory settlements and related litigation reserves
1996 - Copper Trading
…………….Or in these ?!
6
Fraud, Theft & Unauthorized Events
Clients, Products & Business Practices
Employment Practices and Workplace Environment
Physical Asset & Infrastructure Events
Execution, Delivery & Process Management
Operational Risk and OpRisk Event Types
Operational Risk is the risk of loss resulting from inadequate or failed
Internal processes People Systems External events
It specifically excludes market and credit risk judgments, except in Boundary conditions
7
Key Operational Risks for the CIB
1. Business Practices: Inappropriate business practices or market conduct ………..
2. Business Selection: Inappropriate business selection due to inadequate due diligence or non adherence to credit, market or operational risk policies and limits ……………
3. Infrastructure Adequacy/Capacity: Inability to support business growth due to weaknesses or deficiencies in the underlying infrastructure or applications ……………
4. Financial Integrity: Incorrect financial books and records and delayed or inaccurate reporting …….
5. Compliance with Laws and Regulations: Failure to comply with the spirit and letter of laws and regulations applicable to our products and services …………..
6. Information Security: Inappropriate safeguarding of customer or Citigroup information assets ……..
7. Continuity of Business: Inability to continue business during a contingency event ………..
8. Employment Practices: Inappropriate employment practices …………….
What is Operational Risk?
…risk of loss …from inadequate or failed internal processes, people and systems or from external events.
Process Risks
Execution, Delivery, Processes..
Business Disruption, Systems …
Conduct Risks
Clients, Products, Business Practices
Employment Practices
Internal Theft, Fraud
External Risks
External Theft and Fraud
Damage to Physical Assets
8
OpRisk Event examples: Conflicts
May 2004: Citigroup Inc. agrees to pay $2.65B to settle a lawsuit claiming the firm issued fraudulent, misleading, and otherwise flawed research reports on WorldCom. Citigroup and Salomon also allegedly granted WorldCom CEO Bernard Ebbers large loans and access to stock offerings in exchange for investments banking business.
October 2004: Lehman Brothers agrees to pay $223MM to settle a lawsuit claiming the firm created false investments and completed fake sales of nonexistent Enron assets to hide loans. Enron executives reported revenue increases and removed billions of dollars of debt from its balance sheets, which falsely increased securities prices, and deceived investors.
:
July 1992: First Reserve Corp, a US financial institution, agrees to pay $73M in a lawsuit stemming from it's takeover of McMurray Oil Tools. Houston Monarch, which sought financing from First Reserve to buy McMurray Oil Tools, claimed that First Reserve dragged its heels on the financing and then bought McMurray Oil Tools for itself.
Operational Risk is not just about “operations” or the “back-office”
9
June 2005: Morgan Stanley, agrees to pay $187MM to settle litigation with Italian dairy, Parmalat Finanziaria SpA. In February 2005, Parmalat sued Morgan Stanley, alleging that it knew Parmalat was failing when it helped raise capital, including a $362M bond issue in June 2003. The dairy went bankrupt in December 2003.
October 2004: Nextra, an Italian asset management company, agrees to pay $197MM to settle allegations that the firm knew about Parmalat’s financial condition when it placed a 300M EUR bond issue in June 2003. Nextra later resold the bond back to Parmalat and demanded repayment of the funds, indicating possible prior knowledge of financial mismanagement at Parmalat. As a result, Parmalat lost 37.6M EUR.
July 2004: Banca Intesa SpA, an Italian financial institution, agrees to pay $223MM to customers who lost money from the collapse of three Italian companies. Customers allege improper promotion and sale of investments. In some instances, investors switched their life savings from other Italian corporate bonds into one of the three companies.
OpRisk Event examples: Product Suitability
10
OpRisk Event examples: Business Practices
February 1989: Drexel Burnham Lambert Inc. agrees to pay $650MM to settle charges of securities fraud. An ex-Drexel managing director repaid $11.6MM in illegal gains from insider trading, the use of nonpublic information to profit in stock transactions obtained through misappropriation or in breach of a fiduciary duty owed to a client of Drexel.
October 1993: Samuel Montagu, a UK investment advisory firm, agrees to pay $209MM to settle a lawsuit alleging breach of contract. The lawsuit claims Samuel Montagu provided false assurances on behalf of its client, Quadrex Corp., who breached a contract with British & Commonwealth.
October 1993: Salomon Brothers agrees to pay $30MM to settle a lawsuit claiming the firm inflated its fees for investment advice. The transaction related to the Los Angeles-based HF Ahmanson’s purchase of Bowery Savings Bank in 1987.
11
June 2005: Morgan Stanley appeals a $1.6B verdict in a lawsuit related to its role in the collapse of Sunbeam Corp. Ron Perelman claimed the firm knowingly allowed Sunbeam Corp to acquire Coleman Holdings using inflated Sunbeam stocks. MS acknowledged that it arranged for the deal but claimed that it did not know that Sunbeam had inflated the company’s sales and earnings from 1997 until 1998 to boost share price.
OpRisk Event examples: Fraud
November 1992: Kidder Peabody & Co. agrees to pay $165MM to settle charges of insider trading. Maxus Energy Corp., a client, alleged that Ivan Boesky received information from a Kidder VP, and Boesky admitted paying the VP between $700-$800M for secret information about deals that Kidder was handling. Maxus claimed Boesky pocketed $7.4MM in illegal profits.
January 1999: Barclays Bank agrees to pay $192MM to settle claims alleging it advised the purchase of a company that turned out to be insolvent. British & Commonwealth bought Atlantic Computers following assurances that Atlantic was financially sound, but it turned out that Atlantic's books had been falsified. Its failure brought down British & Commonwealth.
How do we manage
Operational Risk ?
13
What can we learn from other risk disciplines?
Risk Discipline Modern History Risk Mitigation ToolsRisk Measurement
Credit Risk Age > 40 years
Portfolio view > 25 years
Quantitative > 15 years
Active mitigation > 10 years
Target market/portfolio
Risk-based capital
Credit approval process
Assignments / participations
Credit derivatives
Value at Risk based on
• Probability of Default – ORR
• Loss Given Default – FRR
Operational Risk Age < 5 years
Portfolio view… still TBD
Quantitative < 3 years
Active mitigation… culture++
Risk-based capital
Pace of business growth
Infrastructure investment, planning
People management, training
Value at Risk based on
• Loss frequency
• Loss severity
Metrics / Key Risk Indicators
Market Risk Age > 25 years
Portfolio view > 15 years
Quantitative > 10 years
Active mitigation > 10 years
Risk-based capital
Boundaries
Diversification
Hedging / unwinding positions
Value at Risk based on
• Factor Sensitivity
• Potential Losses
14
Op Risk Management Basics
Op Risk Management is the management of the frequency AND severity of operational losses
The goals of Op Risk Management are to:
Dimension operational risk exposure (quantitative, qualitative) to confirm an acceptable level of risk
By ensuring adequate controls, maintain exposure (financial/reputation risk) within acceptable levels
Determine the appropriate level of capital to absorb extreme losses associated with risks that do not lend themselves to control, and for control failures
The tools of Op Risk Management are:
Loss capture enables causal analysis (to determine preventive measures) and capital modelling
Assessments (Self, Audit, Regulator) provide a view on control effectiveness and residual risk
Metrics (KRIs) warn of risk/control imbalances & serve to attract appropriate management attention
Scenario analysis dimensions potential frequency and severity, especially for unexpected losses
Capital protects the firm’s solvency; capital allocation informs management decisions
Regulatory capital required under Basel II
Economic capital used for all management purposes
15
Building a New Risk Discipline
OpRisk Management structure & objectives
Education and awareness
Streamlined RCSA hierarchy
Loss data as foundation for OpRisk Capital
Senior mgmt reports
2004-2005
PURPOSE & STRUCTURE
OpRisk integrated suite
Key Risk Indicators (KRIs)
Loss data content, integrity
Refined Policy, Procedures
Use of AMA for ERC
2006
TOOLS & DATA
Streamline data capture
Integrated analysis
• RCSA• Losses• KRIs• External Experience• Scenario Analysis
Payment Systems Risk
Proactive risk mitigation
Implement Basel II
Risk based Capital allocations
2007-2008
ANALYSIS & MITIGATION
• Data and analysis to support mgmt decisions– People and infrastructure investment– Business growth, acquisitions
• Build a portfolio view of operational risk– Directionally up or down – major drivers, their potential impact
16
CapitalRCSA(ORCA Catalyst)
Audit Data(AutoAudit)
OpRisk Metrics Scenario Analysis
Scaling Data(Finance)
External Losses
(SAS / First)
Internal Losses
(EDCS)
Op Risk Data & Analytics Foundation
Shared UtilitiesHierarchies
Report WriterEntitlements, etc
• Five data elements are independently assessed– Internal & External loss data– Control assessment results– Op Risk metrics– Scenario analysis
• An integrated view remains difficult– Data Structure, Characteristics, Completeness– Technology– Inadequate understanding of Op Risk drivers
TODAY• Five data elements assessed in relation to each other
– Incongruities identified, e.g. losses up, RCSA very clean
– Individual data elements improved, e.g. oversight in RCSA process, revised metrics, loss data capture
• Data comparisons made possible by– Uniform views through meta-data (“hooks”)
• “Deep Dives”) identify and dimension OpRisk drivers
• Capital “reality check” using all the data elements
2007 - 2008
17
What is Integrated Op Risk Analysis“Deep Dive” Analysis of Losses to Connect OpRisk DATA and FUNDAMENTALS
Identify Op Risk Drivers
• What could have prevented the loss?• What factors influenced the size of the loss?1
Assess RCSA Effectiveness2
• What controls failed / didn’t exist?• Covered in the Assessment/s of the Entity that caused the loss?• Where else could such a control failure occur?
Identify Existing and Needed
Metrics3
• Could existing metrics have warned of trouble?• What metrics could track the risk drivers or warn of weakness?• What set of metrics could best capture the end-to-end risks?
Dimension Potential Size
and Frequency4
Thinking about the risk drivers…• Under what circumstances might the loss have been much larger?• Could such losses occur more frequently? How? Where?• What do external events tell us?
Understand Capital
Implications5
• Does capital adequately cover stresses?• What about the “perfect storm”?
18
Markets & Banking OpRisk Organization
PSR = Payment Systems Risk
Paula ArgueraAdmin.
Husam Arabiat
Lynley Ashby
Jaidev IyerCapital Markets
& Banking
Joe PerrottaBetty Sandhop
Eva LeightonGTS
& Infrastructure
Richard BilbyChris Bechtle
John WertheimEMEA
Ahmed Rahim
S. Abe
M. Makiguchi (NCL Japan)
Teresa YiuAsia
Anna StephensonJapan Bank
Asha SubramanianFred YuMilica Stojnic
Hal Gross (Data Management)
Artemis YuRob Carey
David Mazza (PSR Analysis)
Ryan Butkus (Capital)
Raj MittalOpRisk Assessment
Jaidev IyerHead of Operational Risk
Greg Fell (PSR)
Operational Risk Capital
20
9.811.8 12.1 12.6 12.3
13.3 13.9 13.5 13.214.4
5.8
4.6 3.84.3
3.94.0
3.7 3.2 3.6 4.44.0
4.01.3
4.3 4.44.0 4.5
4.4 4.2 4.3 4.14.3
4.4
4.4
14.2 13.6
0
5
10
15
20
25
1Q04
2Q04
3Q04
4Q04
1Q05
2Q05
3Q05
4Q05
1Q06
2Q06
3Q06
4Q06
Credit Risk Market Risk Operational Risk
CIB Operational Risk Losses and Economic Capital
Op Risk Losses($MM) Risk Capital ($Bn)
$21.0 $20.7$20.4$20.7$16.9 $21.7 $21.9 $21.7 $21.3
*2005 does not include $600MM adjustment to Worldcom/Research reserve; an OpRisk “gain”
$22.2 $21.6 $22.9
2002 2003 2004 2005* Q1 Q2 Q3 Q4
Clients, Products & Business Practices
1,979 127 7,973 243 30 36 10 18
Employment Practices & Workplace Environment
5 5 0 7 2 2 1 1
Execution, Deliver & Process Mgmt
151 101 124 194 45 41 22 28
Fraud, Theft & Unauthorized Events
27 12 34 7 1 2 1 1
Physical Asset & Infrastructure Events
1 0 0 1 0 1 0 1
Total CIB 2,163 244 8,131 451 78 81 34 48
2006
21
Q4’06 Economic Capital
-10 0 10 20 30 40 50 60 -85 -65 -45 -25 -5 15 -70 -50 -30 -10 10 30 50 70-30 -20 -10 0 10 20 30 40
Allocation Qualitative Adjustment Net Variance
Variance Analysis
Frequency
1.00
1.10
1.20
1.30
1.40
1.50
1.60
1.70
1.80
Equities GFI Munis EMST CM Other Advisory GPM EM ABF GSS Cash Trade
4Q QAF
3Q QAF
QAF (Qualitative Adjustment Factor)
Standalone Intra-Risk Capital
Inter-Risk Diversified Capital
4Q 3QEquities 1,678 1,748 GFI 3,077 3,012 Munis 424 420 CM Other 88 62 Advisory 513 494 GPM 64 70 EM ABF 16 22 EMST 457 436 SFS 104 94 Cash 76 75 Trade 33 30
6,530 6,463 -10 0 10 20 30 40 50 60
4Q 3QEquities 1,112 1,128 GFI 2,178 2,157 Munis 276 290 CM Other 66 47 Advisory 335 340 GPM 42 46 EM ABF 11 12 EMST 309 305 SFS 55 51 Cash 42 43 Trade 18 17
4,443 4,436 *
22
Q4’06 Economic Capital
4Q 3QAsia 467 458EMEA 1,692 1,584Japan 256 256LatAm 157 147Mexico 96 103North America 3,862 3,916
6,530 6,463 0
500
1,000
1,500
2,000
2,500
3,000
3,500
4,000
4,500
Asia EMEA Japan LatAm Mexico NorthAmerica
4Q
3Q
Risk Capital by Region($MM)
Risk Capital in Asia
4Q 3QEquities 131 137GFI 124 113Advisory 25 31GPM 16 16EM ABF 7 10EMST 122 110GSS 15 14Cash 16 16Trade 12 11
467 458
0
20
40
60
80
100
120
140
160
Equities GFI Advisory GPM EM ABF EMST GSS Cash Trade
4Q
3Q
Asia Risk Capital by Product($M
23
0.55 1.94 125 101
0.65 0.83 173 141
0.90 2.90 3,865 3,145
0.55 1.17 94 77
0.75 15.90 3,493 2,842
0.75 1.00 439 357
NA 23.74 8,184 6,664
RLOB
Stand-alone
Agency Services
Commercial Banking
Corporate Finance
Payment and Settlement
Trading and Sales
Intra-Risk Diversified
Tail Parameter
Ann. Freq $ 1MM
Capital at 99.97% ($MM)
Unclassified
•CIB OpRisk capital is concentrated in Corporate Finance and Trading & Sales. The lower event frequency in Corporate Finance is compensated by higher severity.
•Processing businesses in GTS have low severity and contribute little capital.
Total (Diversified)
Input to CIB allocation model
Q4’06 Op Risk Parameter Choices and Capital
24
Issue Severity Weight
BI = 1
MBI = 3
Issue Aging Wt.
0-29 days = 1.00
30-59 days = 1.25
60-89 days = 1.50
90+ days = 2.00
Risk Level Weights
Low = 1.00
Medium = 1.10
High = 1.25
ARR
Residual Risk Weights
Low = 1.00
Medium = 1.10
High = 1.25
Control Rating Weights
Unsatisfactory = 1.50
Needs Improvement = 1.25
Satisfactory = 1.00
RCSA
Post QAF Capital =
Intra Risk Diversified Capital * QAF (n) / QAF (n-1)
@ Note: Support group QAF allocations follow budget lines
QAF Application
Qualitative Adjustment Factor in OpRisk Capital
25
Summary
Operational Risk Management is the management of the Frequency and Severity of Operational Losses
Operational Risk – established as a formal risk discipline
Basel II, SOx and FDICIA are key drivers, but much more so is “better business management”
Operational Risk is incorporated in economic and regulatory capital calculations
Event data is captured for capital modelling, and causal analysis to manage risks and controls
Loss Analysis, RCSAs, Capital, Stress and Key Risk Indicators form the current basic framework for identifying and managing Operational Risk at the business level
The goal is to determine the operational risk profile that is acceptable to the business and support it with the appropriate level of controls and capital.