Basel II Operational Risk: An Overview of where we are as at 30th September 2004. This presentation is annotated.
Session Overview
• Why should we be interested?
• What is Operational Risk?
• Background to BIS, the Basel Committee, and the original Basel Accord
• What is Basel II?
• The Implementation Guide?
• What about the FSA and the EU?
• Joint Forum’s Consultative Document “Outsourcing in Financial Services”
• Some thoughts going forward
“Internal and/or external auditors must perform regular reviews of the operational risk management processes and measurement systems. This review must include both the activities of the business units and of the independent operational risk function.” (paragraph 666 (e))
Definition of Operational Risk (paragraph 644): “The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.” This definition includes legal risk, but excludes strategic and reputational risk.
The Context: “Trading on the world’s foreign exchange markets has soared to a record $1,900bn (£1,048bn) a day… London retained its position as the world’s forex capital, with almost a third of global currency trading… The rapid growth in financial markets transactions, far in excess of the growth in world trade, is a sign of increasing global capital market integration and more sophisticated risk management by companies and investors.” Financial Times, 29 September 2004
www.bis.org The Bank for International Settlements (BIS) is based in Basel in Switzerland. The BIS serves as a bank for central banks. It was established on 17 May 1930 and is the world’s oldest international financial organisation.
Who are the Basel Committee? The Basel Committee on Banking Supervision was established by the central bank Governors of the Group of Ten Countries in 1975. It currently consists of senior representatives of bank supervisory authorities and central banks from Belgium, Canada, France, Germany, Italy, Luxembourg, The Netherlands, Spain, Sweden, Switzerland, the United Kingdom, and the United States. It usually meets at the Bank for International Settlements in Basel, where its permanent Secretariat is located.
What was Basel I? INTERNATIONAL CONVERGENCE OF CAPITAL MEASUREMENT AND CAPITAL STANDARDS (30 pages). The Basel Capital Accord was published in 1988 and set out the first internationally accepted definition of, and a minimum measure for, bank capital. It required banks to divide their exposures up into broad “classes”. In 1996 the Committee supplemented the Accord’s original focus on credit risk with requirements for exposures to market risk.
What is Basel II? A revised framework (251 pages) issued on 26th June 2004 by the Basel Committee on Banking Supervision: “The overarching goal for the Basel II Framework is to promote the adequate capitalisation of banks and to encourage improvements in risk management, thereby strengthening the stability of the financial system through market discipline and enhanced transparency.”
Basel II It recognises that capital serves as a foundation for a bank’s future growth and as a cushion against its unexpected losses. The technical challenge for both banks and supervisors has been to determine how much capital is necessary to serve as a sufficient buffer against unexpected losses. Safety – Soundness - Stability
What is the scope of Basel II? There is a “three pillar” approach:
• Minimum Capital Requirements
• Supervisory Review
• Market Discipline
The First Pillar: Minimum Capital Requirements
• Provides three methods for the calculation of capital to align more closely with the bank’s activities and the sophistication of its risk management activities.
• Establishes an explicit capital charge for a bank’s exposure to the risk of losses caused by failures in systems, processes, or staff, or that are caused by external events, such as natural disasters.
• Provides explicit incentives, in the form of lower capital requirements, for banks to adopt more comprehensive and accurate measures of risk as well as more effective processes for controlling their exposure.
The Second Pillar: Supervisory Review
Recognises the necessity of exercising effective supervisory review of banks’ internal assessment of their overall risks, to ensure that bank management is exercising sound judgement and has set aside adequate capital for these risks.
The Third Pillar: Market Discipline
Sets out the public disclosures that banks must make, which lend greater insight into the adequacy of their capitalisation.
How are minimum capital requirements calculated? “There is a three pillar approach”:
• Position Risk
• Credit Risk
• Operational Risk
Operational Risk (page 141, paragraph 660): There are three measurement methodologies:
• Basic Indicator Approach
• Standardised Approach
• Advanced Measurement Approach
“Banks are encouraged to move along the spectrum of available approaches as they develop more sophisticated operational risk measurement systems and practices.”
Operational Risk (pages 137-149; Annex 6, pages 221-225): In order to qualify to use these approaches, a bank must satisfy its supervisors that, at a minimum:
• Its board of directors and senior management, as appropriate, are actively involved in the oversight of the operational risk management framework;
• It has an operational risk management system that is conceptually sound and is implemented with integrity; and
• It has sufficient resources in the use of the approach in the major business lines as well as the control and audit areas. (page 141, paragraph 660)
Operational Risk (paragraph 663): The bank must have an operational risk management system with clear responsibilities assigned to an operational risk management function. The operational risk management function is responsible:
• for developing strategies to identify, assess, monitor and control/mitigate operational risk;
• for the design and implementation of the firm’s operational risk assessment methodology; and
• for the design and implementation of a risk-reporting system for operational risk.
Operational Risk (paragraph 663):
• The bank must systematically track relevant operational risk data, including material losses by business line (slide 21).
• The bank must have techniques for creating incentives to improve the management of operational risk throughout the firm.
• The bank’s operational risk management system must be well documented (internal policies, controls and procedures, which must include policies for the treatment of non-compliance issues).
Operational Risk: The tracking of internal loss event data is an essential prerequisite to the development and functioning of a credible operational risk measurement system (paragraph 670). Internally generated operational risk measures used for regulatory capital purposes must be based on a minimum five-year observation period of internal loss data, whether the internal loss data is used directly to build the loss measure or to validate it (paragraph 672). A bank must have an appropriate de minimis gross loss threshold for internal loss data collection, for example 10,000 euros (paragraph 673).
Business Line Mapping (Annex 6), level 1 business line and its level 2 components:
• Corporate Finance: Corporate Finance; Municipal / Government Finance; Merchant Banking; Advisory Services
• Trading & Sales: Sales; Market Making; Proprietary Positions; Treasury
• Retail Banking: Retail Banking; Private Banking; Card Services
• Commercial Banking: Commercial Banking
• Payment & Settlement: External Clients
• Agency Services: Custody; Corporate Agency; Corporate Trust
• Asset Management: Discretionary Fund Management; Non-Discretionary Fund Management
• Retail Brokerage: Retail Brokerage
Loss Event Types & Categories (Annex 7), level 1 event type and its level 2 categories:
• Internal Fraud: Unauthorised Activity; Theft and Fraud
• External Fraud: Theft and Fraud; System Security
• Employee Practices and Workplace Safety: Employee Relations; Safe Environment; Diversity & Discrimination
• Client Products & Business Practices: Suitability, Disclosure, Fiduciary; Improper Business or Market Practices; Product Flaws; Selection, Sponsorship & Exposure; Advisory Activities
• Damage to Physical Assets: Disasters and other events
• Business Disruption & System Failure: Systems (hardware, software, telecoms, utility outage and disruptions)
• Execution, Delivery & Process Management: Transaction Capture, Execution & Maintenance; Monitoring and Reporting; Customer Intake Documentation; Customer / Client Account Management; Trade Counterparties; Vendors & Suppliers
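As an added example (not code from the presentation or the Basel Committee), the following Python sketch shows how the loss data tracking described above fits together: each internal loss event is classified against the Annex 6 business lines and Annex 7 event types, events below the paragraph 673 de minimis threshold are not collected, material losses are aggregated by business line as paragraph 663 requires, and the register is checked against the five-year observation period of paragraph 672. Function names and the sample events are my own assumptions; the sample events are constructed, not real loss data.

```python
from dataclasses import dataclass
from datetime import date

# Level-1 categories from Basel II Annex 6 (business lines) and Annex 7 (loss
# event types), as listed on the slides.
BUSINESS_LINES = {"Corporate Finance", "Trading & Sales", "Retail Banking",
                  "Commercial Banking", "Payment & Settlement", "Agency Services",
                  "Asset Management", "Retail Brokerage"}
EVENT_TYPES = {"Internal Fraud", "External Fraud", "Employee Practices and Workplace Safety",
               "Client Products & Business Practices", "Damage to Physical Assets",
               "Business Disruption & System Failure", "Execution, Delivery & Process Management"}
DE_MINIMIS_EUR = 10_000   # example threshold given in paragraph 673
OBSERVATION_YEARS = 5     # minimum observation period, paragraph 672

@dataclass(frozen=True)
class LossEvent:
    occurred: date
    business_line: str
    event_type: str
    gross_loss_eur: float

def record(register, event):
    """Collect the event if it is classifiable and not below the de minimis threshold."""
    if event.business_line not in BUSINESS_LINES:
        raise ValueError(f"not an Annex 6 business line: {event.business_line}")
    if event.event_type not in EVENT_TYPES:
        raise ValueError(f"not an Annex 7 event type: {event.event_type}")
    if event.gross_loss_eur < DE_MINIMIS_EUR:
        return False          # below threshold: not collected
    register.append(event)
    return True

def losses_by_business_line(register):
    """Material losses aggregated per business line (the tracking paragraph 663 asks for)."""
    totals = {}
    for e in register:
        totals[e.business_line] = totals.get(e.business_line, 0.0) + e.gross_loss_eur
    return totals

def observation_period_ok(register, as_of):
    """True when collected data reaches back at least OBSERVATION_YEARS from as_of."""
    if not register:
        return False
    # clamp the day so a 29 February as_of still yields a valid cutoff date
    cutoff = date(as_of.year - OBSERVATION_YEARS, as_of.month, min(as_of.day, 28))
    return min(e.occurred for e in register) <= cutoff

# Constructed sample events, not real loss data.
REGISTER = []
for ev in (LossEvent(date(1999, 3, 1), "Retail Banking", "External Fraud", 25_000),
           LossEvent(date(2003, 6, 15), "Trading & Sales", "Business Disruption & System Failure", 120_000),
           LossEvent(date(2004, 8, 2), "Retail Banking", "Internal Fraud", 4_000)):
    record(REGISTER, ev)
```

The third sample event falls below the threshold and is dropped, so the register holds two events; the observation check passes as at a 2004 date only because the register reaches back to 1999.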
“How we look at things determines what we see!” Small things can have big impacts:
• The Space Shuttle “tile” disaster
• The Fawlty Towers TV Series
• The potential problem of insider dealing
Operational Risk: We see the visible tip!
Definition of Operational Risk (page 137): “The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.” This definition includes legal risk, but excludes strategic and reputational risk.
Implementing Basel II (July 2004, 40 pages): Basel II aims to build on a solid foundation of prudent capital regulation, supervision, and market discipline, and to enhance further risk management and financial stability.
The Components of a “Solid Infrastructure” for a Country (page 2):
• The legal-regulatory infrastructure in place
• Human resources
• The current disclosure regime
• The status of corporate governance
• Accounting and provisioning practices
Internal Audit (page 27): In evaluating the effectiveness of internal audit, supervisors may want to consider:
• The extent to which external audit places reliance on the work of internal audit.
• The quality of board and audit committee reports prepared by internal audit, and how report findings are used by the board and senior management.
• The use of a risk-based, rather than traditional inspection-based, approach to internal audit.
• The independence of the function.
Summary
• A move away from “one size fits all”
• Provides alternatives that recognise the appropriateness of the risk management capabilities of a bank to control the underlying business risks
• Focuses on “Internationally Active – Complex – Significant” Banks
• Takes account of the “Nature – Size – Complexity”
The Timetable: “The Committee intends the Framework to be available for implementation as of year end 2006. However, the Committee feels that one further year of impact studies or parallel calculation will be needed for the most advanced approaches, and these therefore will be available for implementation as of year end 2007.”
The FSA: As a result of the Financial Services and Markets Act (FSMA), the FSA became the single regulator of financial services in the UK with effect from 1st December 2001. The FSA has FOUR statutory objectives:
• Maintain market confidence
• Promote public understanding of the financial system
• Secure appropriate consumer protection
• Reduce financial crime
The FSA: July 2002, March 2003, July 2003
• Originally due for implementation 31/12/2004
• EU Capital Requirements Directive (CRD): 31/12/2006
• EU Markets in Financial Instruments Directive (MiFID): ? (www.europa.eu.int)
• 15/9/2004***: Implementation deferred for all except Insurance Companies
• FSA due to issue a Consultation Paper in January 2005
• FSA due to issue a Consultation Paper in June 2005
• The FSA also plans to carry out a further Quantitative Impact Study during 2005
*** www.fsa.gov.uk/psb/psb_letter_15sept04.pdf
Outsourcing Financial services businesses throughout the world are increasingly using third parties to carry out activities that the businesses themselves would normally have undertaken. “Out of sight” “Out of mind” “Out of control?”
Outsourcing in Financial Services (Consultative document, August 2004, 28 pages). In these situations:
• How can financial service businesses remain confident that they remain in charge of their own business and in control of their business risks?
• How do they know they are complying with their regulatory responsibilities?
• How can these businesses demonstrate that they are doing so when regulators ask?
The Joint Forum’s High-level Principles (page 3)
I. A regulated entity seeking to outsource activities should have in place a comprehensive policy to guide assessment of whether and how those activities can be appropriately outsourced. The board of directors or equivalent body retains responsibility for the outsourcing policy and related overall responsibility for activities undertaken under that policy.
II. The regulated entity should establish a comprehensive outsourcing risk management program to address the outsourced activities and the relationship with the service provider.
III. The regulated entity should ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers and regulators, nor impede effective supervision by regulators.
The Joint Forum’s High-level Principles (page 3)
IV. The regulated entity should conduct appropriate due diligence in selecting third party service providers.
V. Outsourcing relationships should be governed by written contracts that clearly describe all material aspects of the outsourcing arrangement, including the rights, responsibilities and expectations of all parties.
VI. The regulated entity and its service providers should establish and maintain contingency plans, including a plan for disaster recovery and periodic testing of backup facilities.
VII. The regulated entity should take appropriate steps to require that service providers protect confidential information of both the regulated entity and its clients from intentional or inadvertent disclosure to unauthorised persons.
Some thoughts going forward
• Root Cause Analysis (By Max Ammerman, ISBN 0-527-76326-8)
• Service Management
• Enterprise Risk Management: 30th September saw the publication of the COSO Enterprise Risk Management Framework; the new two volume set is available from the IIA
www.bsi-global.com, www.coso.org, www.iia.org.uk
Also take a look at Octave at www.cert.org/octave/pubs.html
Thank you for your time and attention Roger Southgate CISA,CISM, FCCA, MBA, MBCS 07714-769617 rsouthgate@isaca-london.org
Octave Catalog of Practices
• Strategic Practice Areas
• Operational Practice Areas
• General Catalog of Practices
Octave Strategic Practice Areas
• Security Awareness and Training
• Security Strategy
• Security Management
• Security Policies and Regulations
• Collaborative Security Management
• Contingency Planning / Disaster Recovery
Octave Operational Practice Areas
• Physical Security: Physical Security Plans and Procedures; Physical Access Control; Monitoring and Auditing Physical Security
• Information Technology Security: System and Network Management; System Administration Tools; Monitoring and Auditing IT Security; Authentication and Authorization; Vulnerability Management; Encryption; Security Architecture and Design
• Staff Security: Incident Management; General Staff Practices
Octave Threat Profile: Human Actors - Network Access (asset → access → actor → motive → outcome)
• asset → network access → inside → accidental → disclosure, modification, loss/destruction, interruption
• asset → network access → inside → deliberate → disclosure, modification, loss/destruction, interruption
• asset → network access → outside → accidental → disclosure, modification, loss/destruction, interruption
• asset → network access → outside → deliberate → disclosure, modification, loss/destruction, interruption
Octave Threat Profile: Human Actors - Physical Access (asset → access → actor → motive → outcome)
• asset → physical access → inside → accidental → disclosure, modification, loss/destruction, interruption
• asset → physical access → inside → deliberate → disclosure, modification, loss/destruction, interruption
• asset → physical access → outside → accidental → disclosure, modification, loss/destruction, interruption
• asset → physical access → outside → deliberate → disclosure, modification, loss/destruction, interruption
Octave Threat Profile: System Problems (asset → actor → outcome)
• asset → software defects → disclosure, modification, loss/destruction, interruption
• asset → viruses → disclosure, modification, loss/destruction, interruption
• asset → system crashes → disclosure, modification, loss/destruction, interruption
• asset → hardware defects → disclosure, modification, loss/destruction, interruption
Octave Threat Profile: Other Problems (asset → actor → outcome)
• asset → natural disasters → disclosure, modification, loss/destruction, interruption
• asset → third party problems → disclosure, modification, loss/destruction, interruption
• asset → telecommunications problems or unavailability → disclosure, modification, loss/destruction, interruption
• asset → power supply problems → disclosure, modification, loss/destruction, interruption