250 likes | 512 Views
Operational Risk Management Jaidev Iyer, Managing Director Head of Operational Risk - Markets & Banking Istanbul March 6, 2007. Objective: Shed some light on ………. What is Operational Risk? How do we manage Operational Risk? OpRisk Capital. What sank the Titanic? What made it a big tragedy?.
E N D
Operational Risk ManagementJaidev Iyer, Managing Director Head of Operational Risk - Markets & BankingIstanbulMarch 6, 2007
Objective: Shed some light on ……… What is Operational Risk? How do we manage Operational Risk? OpRisk Capital
What sank the Titanic? What made it a big tragedy? For over 5 decades, Operators had taken larger and larger risks to save money Greater attention to Amenities than to Safety..engineers did not have last (any) word Lifeboats ate up deck space .. Board of Trade dominated by Shipbuilders Poor procedures: 2200 passengers, only 1200 could have been saved, only 700 were Safety drills (including at the lifeboats)…mere custom The good news: Disasters bring change…Change for the good, despite all the costs
Is there Operational Risk in these Headlines? SEC Investigation of Transfer Agent Matters Enron Innovative Transaction in European Government Bond Markets Disciplinary Action for Alleged Manipulation of Market Prices Argentina IPO Allocations Volatility in Latin America Structured Finance Research Conflicts Losses Recognized Following Discovery of Trader’s Unauthorized Activity Predatory Lending WorldCom Mutual Fund Probe Expanded Integrity of Financial Reporting Private Bank to discontinue Operations in Japan Corporate Governance
…………….Or in these ?! Losses in $Bns 0 0.5 1.0 1.5 2.0 2.5 7.5 Merrill Lynch & Co 1987 - Unauthorized Mortgage Trading Orange County 1994 - Liquidity Mismanagement Mettallgesellschaft AG 1994 - Oil Futures 1994 - Joe Jett Phantom Trades Kidder, Peabody & Co Barings Plc 1995 - Nick Leeson Trading Losses Daiwa Bank Ltd 1995 - Treasury Bond Trading Sumitomo Corp 1996 - Copper Trading Deutsche Bank AG 1996 - Unauthorized activity by fund managers NatWest Markets 1997 - Mispriced Options UBS 1997 - Mispriced options LTCM ?? 1998 - Over leveraged convergence arbitrage Allied Irish Banks 2002 – Fraudulent trades National Australia Bank 2004 – Fraudulent trades Citigroup 2004 – Regulatory settlements and related litigation reserves
Clients, Products & Business Practices Employment Practices and Workplace Environment Physical Asset & Infrastructure Events Execution, Delivery & Process Management Operational Risk and OpRisk Event Types • Operational Risk is the risk of loss resulting from inadequate or failed • Internal processes • People • Systems • External events • It specifically excludes market and credit risk judgments, except in Boundary conditions Fraud, Theft & Unauthorized Events
Key Operational Risks for the CIB What is Operational Risk? 1. Business Practices: Inappropriate business practices or market conduct ……….. 2. Business Selection: Inappropriate business selection due to inadequate due diligence or non adherence to credit, market or operational risk policies and limits …………… 3. Infrastructure Adequacy/Capacity: Inability to support business growth due to weaknesses or deficiencies in the underlying infrastructure or applications …………… 4. Financial Integrity: Incorrect financial books and records and delayed or inaccurate reporting ……. 5. Compliance with Laws and Regulations: Failure to comply with the spirit and letter of laws and regulations applicable to our products and services ………….. 6. Information Security: Inappropriate safeguarding of customer or Citigroup information assets …….. 7. Continuity of Business: Inability to continue business during a contingency event ……….. 8. Employment Practices: Inappropriate employment practices ……………. …risk of loss …from inadequate or failed internal processes, people and systems or from external events. Process Risks Execution, Delivery, Processes.. Business Disruption, Systems … Conduct Risks Clients, Products, Business Practices Employment Practices Internal Theft, Fraud External Risks External Theft and Fraud Damage to Physical Assets
OpRisk Event examples: Conflicts May 2004: Citigroup Inc. agrees to pay $2.65B to settle a lawsuit claiming the firm issued fraudulent, misleading, and otherwise flawed research reports on WorldCom. Citigroup and Salomon also allegedly granted WorldCom CEO Bernard Ebbers large loans and access to stock offerings in exchange for investments banking business. October 2004: Lehman Brothers agrees to pay $223MM to settle a lawsuit claiming the firm created false investments and completed fake sales of nonexistent Enron assets to hide loans. Enron executives reported revenue increases and removed billions of dollars of debt from its balance sheets, which falsely increased securities prices, and deceived investors. : July 1992: First Reserve Corp, a US financial institution, agrees to pay $73M in a lawsuit stemming from it's takeover of McMurray Oil Tools. Houston Monarch, which sought financing from First Reserve to buy McMurray Oil Tools, claimed that First Reserve dragged its heels on the financing and then bought McMurray Oil Tools for itself. Operational Risk is not just about “operations” or the “back-office”
OpRisk Event examples: Product Suitability July 2004: Banca Intesa SpA, an Italian financial institution, agrees to pay $223MM to customers who lost money from the collapse of three Italian companies. Customers allege improper promotion and sale of investments. In some instances, investors switched their life savings from other Italian corporate bonds into one of the three companies. October 2004: Nextra, an Italian asset management company, agrees to pay $197MM to settle allegations that the firm knew about Parmalat’s financial condition when it placed a 300M EUR bond issue in June 2003. Nextra later resold the bond back to Parmalat and demanded repayment of the funds, indicating possible prior knowledge of financial mismanagement at Parmalat. As a result, Parmalat lost 37.6M EUR. June 2005: Morgan Stanley, agrees to pay $187MM to settle litigation with Italian dairy, Parmalat Finanziaria SpA. In February 2005, Parmalat sued Morgan Stanley, alleging that it knew Parmalat was failing when it helped raise capital, including a $362M bond issue in June 2003. The dairy went bankrupt in December 2003.
OpRisk Event examples: Business Practices October 1993: Samuel Montagu, a UK investment advisory firm, agrees to pay $209MM to settle a lawsuit alleging breach of contract. The lawsuit claims Samuel Montagu provided false assurances on behalf of its client, Quadrex Corp., who breached a contract with British & Commonwealth. October 1993: Salomon Brothers agrees to pay $30MM to settle a lawsuit claiming the firm inflated its fees for investment advice. The transaction related to the Los Angeles-based HF Ahmanson’s purchase of Bowery Savings Bank in 1987. February 1989:Drexel Burnham Lambert Inc. agrees to pay $650MM to settle charges of securities fraud. An ex-Drexel managing director repaid $11.6MM in illegal gains from insider trading, the use of nonpublic information to profit in stock transactions obtained through misappropriation or in breach of a fiduciary duty owed to a client of Drexel.
OpRisk Event examples: Fraud June 2005: Morgan Stanley appeals a $1.6B verdict in a lawsuit related to its role in the collapse of Sunbeam Corp. Ron Perelman claimed the firm knowingly allowed Sunbeam Corp to acquire Coleman Holdings using inflated Sunbeam stocks. MS acknowledged that it arranged for the deal but claimed that it did not know that Sunbeam had inflated the company’s sales and earnings from 1997 until 1998 to boost share price. January 1999: Barclays Bank agrees to pay $192MM to settle claims alleging it advised the purchase of a company that turned out to be insolvent. British & Commonwealth bought Atlantic Computers following assurances that Atlantic was financially sound, but it turned out that Atlantic's books had been falsified. Its failure brought down British & Commonwealth. November 1992: Kidder Peabody & Co. agrees to pay $165MM to settle charges of insider trading. Maxus Energy Corp., a client, alleged that Ivan Boesky received information from a Kidder VP, and Boesky admitted paying the VP between $700-$800M for secret information about deals that Kidder was handling. Maxus claimed Boesky pocketed $7.4MM in illegal profits.
Credit Risk Age > 40 years Portfolio view > 25 years Quantitative > 15 years Active mitigation > 10 years • Value at Risk based on • Probability of Default – ORR • Loss Given Default – FRR Target market/portfolio Risk-based capital Credit approval process Assignments / participations Credit derivatives Market Risk Age > 25 years Portfolio view > 15 years Quantitative > 10 years Active mitigation > 10 years • Value at Risk based on • Factor Sensitivity • Potential Losses Risk-based capital Boundaries Diversification Hedging / unwinding positions Operational Risk Age < 5 years Portfolio view… still TBD Quantitative < 3 years Active mitigation… culture++ • Value at Risk based on • Loss frequency • Loss severity • Metrics / Key Risk Indicators Risk-based capital Pace of business growth Infrastructure investment, planning People management, training What can we learn from other risk disciplines? Risk Discipline Modern History Risk Measurement Risk Mitigation Tools
Op Risk Management Basics • Op Risk Management is the management of the frequency AND severity of operational losses • The goals of Op Risk Management are to: • Dimension operational risk exposure (quantitative, qualitative) to confirm an acceptable level of risk • By ensuring adequate controls, maintain exposure (financial/reputation risk) within acceptable levels • Determine the appropriate level of capital to absorb extreme losses associated with risks that do not lend themselves to control, and for control failures • Thetools of Op Risk Management are: • Loss capture enables causal analysis (to determine preventive measures) and capital modelling • Assessments(Self, Audit, Regulator) provide a view on control effectiveness and residual risk • Metrics (KRIs) warn of risk/control imbalances & serve to attract appropriate management attention • Scenario analysis dimensions potential frequency and severity, especially for unexpected losses • Capitalprotects the firm’s solvency; capital allocation informs management decisions • Regulatory capital required under Basel II • Economic capital used for all management purposes
PURPOSE & STRUCTURE 2004-2005 • OpRisk Management structure & objectives • Education and awareness • Streamlined RCSA hierarchy • Loss data as foundation for OpRisk Capital • Senior mgmt reports TOOLS & DATA 2006 • OpRisk integrated suite • Key Risk Indicators (KRIs) • Loss data content, integrity • Refined Policy, Procedures • Use of AMA for ERC ANALYSIS & MITIGATION 2007-2008 • Streamline data capture • Integrated analysis • RCSA • Losses • KRIs • External Experience • Scenario Analysis • Payment Systems Risk • Proactive risk mitigation • Implement Basel II • Risk based Capital allocations Building a New Risk Discipline • Data and analysis to support mgmt decisions • People and infrastructure investment • Business growth, acquisitions • Build a portfolio view of operational risk • Directionally up or down • major drivers, their potential impact
TODAY 2007 - 2008 • Five data elements assessed in relation to each other • Incongruities identified, e.g. losses up, RCSA very clean • Individual data elements improved, e.g. oversight in RCSA process, revised metrics, loss data capture • Data comparisons made possible by • Uniform views through meta-data (“hooks”) • “Deep Dives”) identify and dimension OpRisk drivers • Capital “reality check” using all the data elements • Five data elements are independently assessed • Internal & External loss data • Control assessment results • Op Risk metrics • Scenario analysis • An integrated view remains difficult • Data Structure, Characteristics, Completeness • Technology • Inadequate understanding of Op Risk drivers Op Risk Data & Analytics Foundation Internal Losses (EDCS) RCSA (ORCA Catalyst) Capital Shared Utilities Hierarchies Report Writer Entitlements, etc Scenario Analysis OpRisk Metrics External Losses (SAS / First) Scaling Data (Finance) Audit Data (AutoAudit)
What could have prevented the loss? • What factors influenced the size of the loss? Identify Op Risk Drivers 1 • What controls failed / didn’t exist? • Covered in the Assessment/s of the Entity that caused the loss? • Where else could such a control failure occur? Assess RCSA Effectiveness 2 • Could existing metrics have warned of trouble? • What metrics could track the risk drivers or warn of weakness? • What set of metrics could best capture the end-to-end risks? Identify Existing and Needed Metrics 3 • Thinking about the risk drivers… • Under what circumstances might the loss have been much larger? • Could such losses occur more frequently? How? Where? • What do external events tell us? Dimension Potential Size and Frequency 4 Understand Capital Implications • Does capital adequately cover stresses? • What about the “perfect storm”? 5 What is Integrated Op Risk Analysis “Deep Dive” Analysis of Losses to Connect OpRisk DATA and FUNDAMENTALS
Jaidev Iyer Headof Operational Risk Paula Arguera Admin. Jaidev Iyer Eva Leighton John Wertheim Teresa Yiu Raj Mittal Capital Markets GTS EMEA Asia OpRisk Assessment & Banking & Infrastructure Joe Perrotta Richard Bilby Ahmed Rahim Husam Arabiat Hal Gross (Data Management) Betty Sandhop Chris Bechtle M. Makiguchi (NCL Japan) Lynley Ashby Asha Subramanian S. Abe Fred Yu Milica Stojnic Anna Stephenson David Mazza (PSR Analysis) Japan Bank Artemis Yu Rob Carey Ryan Butkus (Capital) Markets & Banking OpRisk Organization Greg Fell (PSR) PSR = Payment Systems Risk
CIB Operational Risk Losses and Economic Capital Op Risk Losses($MM) Risk Capital ($Bn) $20.4 $21.0 $20.7 $20.7 $21.7 $21.9 $21.7 $21.3 $22.2 $16.9 $21.6 $22.9 *2005 does not include $600MM adjustment to Worldcom/Research reserve; an OpRisk “gain”
Standalone Intra-Risk Capital Variance Analysis Frequency Allocation Qualitative Adjustment Net Variance Inter-Risk Diversified Capital Q4’06 Economic Capital *
Risk Capital in Asia Q4’06 Economic Capital
Q4’06 Op Risk Parameter Choices and Capital Capital at 99.97% ($MM) Tail Parameter Ann. Freq $ 1MM Stand-alone Intra-Risk Diversified RLOB Agency Services Commercial Banking Corporate Finance Payment and Settlement Trading and Sales Unclassified Total (Diversified) Input to CIB allocation model • CIB OpRisk capital is concentrated in Corporate Finance and Trading & Sales. The lower event frequency in Corporate Finance is compensated by higher severity. • Processing businesses in GTS have low severity and contribute little capital.
Issue Aging Wt. 0-29 days = 1.00 30-59 days = 1.25 60-89 days = 1.50 90+ days = 2.00 Issue Severity Weight BI = 1 MBI = 3 Risk Level Weights Low = 1.00 Medium = 1.10 High = 1.25 ARR Control Rating Weights Unsatisfactory = 1.50 Needs Improvement = 1.25 Satisfactory = 1.00 Residual Risk Weights Low = 1.00 Medium = 1.10 High = 1.25 RCSA Post QAF Capital = Intra Risk Diversified Capital * QAF (n) / QAF (n-1) @ Note: Support group QAF allocations follow budget lines QAF Application Qualitative Adjustment Factor in OpRisk Capital
Summary • Operational Risk Management is the management of the Frequency and Severity of Operational Losses • Operational Risk – established as a formal risk discipline • Basel II, SOx and FDICIA are key drivers, but much more so is “better business management” • Operational Risk is incorporated in economic and regulatory capital calculations • Event data is captured for capital modelling, and causal analysis to manage risks and controls • Loss Analysis, RCSAs, Capital, Stress and Key Risk Indicators form the current basic framework for identifying and managing Operational Risk at the business level • The goal is to determine the operational risk profile that is acceptable to the business and support it with the appropriate level of controls and capital.