1. Trang chủ >
  2. Kinh Doanh - Tiếp Thị >
  3. Quản trị kinh doanh >

2 OR: How can we define it?

Bạn đang xem bản rút gọn của tài liệu. Xem và tải ngay bản đầy đủ của tài liệu tại đây (7.03 MB, 811 trang )


Operational Risk: Definition, Measurement and Management



513



more generally, problems of incompetence and negligence of the financial institution

human resources. There are many examples of significant losses suffered by major financial institutions which can be related to this factor:

• In May 2001, a Lehman Brothers dealer in London wrongly input a 300 USD million

value for a stock market trade rather than USD 3 million, causing a 120 points reduction

in the FTSE 100 stock market index;

• In December 2001 UBS Warburg suffered a USD 50 million loss in its Japanese equity

portfolio due to a data entry error regarding the number of shares of a stock trade;

• At the beginning of 2002 Allied Irish Bank suffered a USD 750 million loss on a

significant trading position built by a trader of its US subsidiary who clearly violated

the internal rules of the bank (see Box 17.1).



Publisher's Note:

Permission to reproduce this image

online was not granted by the

copyright holder. Readers are kindly

requested to refer to the printed version

of this chapter.



514



Risk Management and Shareholders’ Value in Banking



Systems. This factor includes the events related to information systems and technology in

general. They include hardware and/or software failures, computer hacking or viruses, and

telecommunications failures. The growing reliance of the financial industry on information systems and, more generally, on technological resources, has significantly increased

the importance of this type of risk. A number of examples of significant losses suffered

by financial institutions are also extensively documented, regarding this type of risk factor. They typically include losses originated by events such as unauthorized access to

information and systems security, excessive risk taking due to software failures, loss of

data due to information system failures, and utility outages.

Processes. This factor includes the losses that originate from inadequacies in the internal

processes and procedures. Examples include events such as the violation of the information system security due to insufficient controls (security risk), errors in the execution

and/or settlement of securities and foreign currency transactions (transaction and settlement errors), inadequate record-keeping, accounting and taxation errors, mispricing and

errors in risk measurement due to problems in the internal models and methodologies

(model risk), and breaches of mandate.

External events. This final factor includes all the losses a bank may suffer as a consequence of a wide range of external events which typically are not under the control of

the bank’s management. These include events such as changes in the political, regulatory

and legal environment that negatively affect the bank’s profitability, operational failures

at suppliers or outsourced operations, criminal acts such as theft, vandalism, robbery, or

terrorism, and natural events such as fire, earthquake and other natural disasters. This

type of OR losses are significantly different from the ones related to people, systems and

processes. Indeed, while the latter can be minimized, both in their frequency and their

impacts, through the development of adequate internal procedures (e.g., clearly defining individual responsibilities, and adequate internal control policies), the occurrence of

external events does not depend on the banks’ internal investments, policies and efforts,

although the bank management plays a role in trying to minimize their impact on the

P&L account, e.g. through adequate contingency plans.

External factors might also cause reputational losses (although these do not fall into

operational risk, as defined by the Basel Committee). Think, e.g., of a bank financing a

company which is subsequently found guilty of selling weapons to a rogue state supporting

terrorism: if the bank’s brand and the company’s name are repeatedly mentioned together

in the press, the bank is likely to suffer a damage, e.g., because customers may want to

move their accounts.2

Table 17.1 reports the above classification of OR main factors.

17.2.2 Some peculiarities of OR

Before moving to the analysis of the alternative criteria to measure OR, it is important to

take a look at some peculiarities of this type of risk.

2

At the beginning of 2002, a medium-sized US bank was threatened (and its senior management actually

attacked) by an environmentalist action group, because of financing a company operating in biotechnologies

and genetically-modified food.



Operational Risk: Definition, Measurement and Management



515



Table 17.1 Operational risk and its main factors

PEOPLE



SYSTEMS



Fraud, collusion and

other criminal

activities



IT problems

(hardware or software

failures, computer

hacking or viruses,

Violation of internal or

etc.)

external rules

(unauthorized trading, Unauthorised access

insider dealing, etc.)

to information and

systems security

Errors related to

management

Unavailability and

incompetence or

questionable integrity

negligence

of data

Loss of important

employees (illness,

injury, problems in

retaining staff, etc.)

Violations of systems

security



Telecommunications

failures

Utility outages



PROCESSES

Execution,

registration,

settlement and

documentation errors

(transaction risk )

Errors in models,

methodologies and

mark to market

(model risk )

Accounting and

taxation errors

Inadequate

formalization of

internal procedures.

Compliance issues.

Breach of mandate



EXTERNAL EVENTS

Criminal activities

(theft, terrorism or

vandalism)

Political and military

events (wars or

international sanctions)

Changes in the

political, legal,

regulatory and tax

environment (strategic

risk )

Natural events (fire,

earthquake, flood, etc.)

Operational failure at

suppliers or outsourced

operations



Inadequate definition

and attribution of

responsibilities



The most relevant one is related to the fact that OR, contrary to market and credit risks,

is not taken on a voluntary basis but is simply a natural consequence of the different

activities performed by a financial institution.

Indeed, a bank can avoid a specific type of market risk by closing (or avoiding) trading

positions which are sensitive to that market specific factor; alternatively, it could hedge

that specific exposure by trading a derivative instrument. Assume a bank is expecting the

French stock exchange to perform badly: it could simply avoid taking a long position on

the French equity market or hedge any pre-existing position by selling stock index futures

on the CAC 40 index. In the same way, a bank can avoid a specific credit risk by simply

refusing to grant a loan or by buying protection through an OTC credit derivative.

This line of reasoning does not apply to OR. Indeed, the only way to avoid OR is to

close down any banking business. As shown by the examples above, OR is intrinsically

connected to all banking activities, from lending to securities trading and underwriting,

from payment services to investment banking. This simply means that a bank cannot

avoid this type of risk. Furthermore, despite the recent development of a number of risk

transfer instruments,3 OR hedging is hampered by the lack of a liquid secondary market,

like those available for interest, market and credit risks.

A second important feature of OR, which makes it different from other risk types such

as interest or market risks, relates to its nature of “pure risk” as opposed to “speculative

risks”. By this, we mean that while for interest or market risks, risk originates from the

volatility of returns, which in turn may lead to either positive results (profits) or negative

3



See section 17.4.



516



Risk Management and Shareholders’ Value in Banking



ones (losses), OR (like casualty risks covered by insurance policies) does not give rise to

return variability but simply to the possibility of losses.4 Indeed, it would quite difficult

to imagine a human error or an IT failure generating unexpected profits!

A third important peculiarity of OR (linked to the previous one) is that it does not

involve an increasing relationship between risk and expected returns. In fact, while in

the case of financial risks (such as interest rate, market or credit risks) higher risks

are typically associated to higher expected returns, this is not the case for OR. Indeed,

if we exclude the cost savings which may result from lower investments in effective

internal processes, procedures and controls, there is no reason to expect a higher OR to

be associated to a higher profitability for the bank. Lending money at a high interest rate

to a high leverage company or investing in the equity capital of a small biotech company

both represent high risk investments, with possibilities of significant losses. However, they

are also associated to a relatively high expected return. Assume a bank operating in the

securities settlement business does not enforce adequate internal controls and procedures

and is therefore exposed to a significant risk of human and information system errors.

While this too does represent a risky activity, there is no reason to expect it to generate

higher profits for the bank.

A fourth peculiarity of OR is related to its complexity, as far as identification and

understanding of risks are involved. This is clearly reflected by the different definitions of

OR that can be found in the financial industry, and is most likely the consequence of the

wide heterogeneity of the factors that generate OR losses. Such a complexity becomes

fully apparent when OR is to be measured: indeed, as we shall see in the next section,

measuring OR also requires to overcome significant problems related to data availability,

extreme and rare events, etc.

Finally, it is worth stressing that, as mentioned above, OR is different from other

banking risks because of the lack of hedging instruments. Indeed, while in recent years a

Table 17.2 OR peculiarities

FINANCIAL RISKS

(INTEREST RATE, MARKET, CREDIT)



OPERATIONAL RISK



Consciously and willingly faced



Unavoidable



“Speculative” risks, implying losses or profits



Pure risks, implying losses only



Consistent with an increasing relationship

between risk and expected return



Not consistent with an increasing

relationship between risk and expected

return



Easy to identify and understand



Difficult to identify and understand



Comparatively easy to measure and quantify



Difficult to measure and quantify



Large availability of hedging instruments



Lack of effective hedging instruments



Comparatively easy to price and transfer



Difficult to price and transfer



4

An exception to this rule is represented by external events. Indeed, events such as changes in the regulatory,

fiscal or political context in which a bank operates may give rise both to unexpected losses and to unexpected

profits if these changes affect the bank’s profitability favourably.



Operational Risk: Definition, Measurement and Management



517



number of financial institutions and insurance companies have started to offer risk transfer

instruments which allow to hedge losses arising from some specific (and mainly external)

events, a liquid secondary market for the OR hedging does not yet exist.5

The peculiarities of OR and its main differences with respect to financial risks are

summarized in Table 17.2.



17.3 MEASURING OR

This section describes a step-by-step approach to the measurement of OR. Such an

approach is aimed at highlighting the implications of an effective OR measurement system for the organizational structure of the bank; indeed, as we shall see, the different

profiles of operational risk will have to be defined through the active participation of the

senior and middle management running the various business lines of the bank. Since the

main aim of this paragraph is to help the reader understand the managerial implications

of setting up an OR measurement system, the techniques used, by way of example, for

the assessment and quantification of expected and unexpected losses will deliberately be

kept very simple. Appendix 17A will describe a more sophisticated, statistical approach

based on EVT (extreme value theory, see Chapter 9).

Before we enter into the details of the various phases of an OR measurement system,

let us first briefly discuss the main criteria and objectives of an OR measurement system.

First, measuring OR requires an appropriate mapping process of the bank’s – and eventually of other banks – historical losses to the relevant risk factors. This allows one to

build an adequate database, which can then be used to measure OR accurately. Second,

measuring OR requires to distinguish between an expected loss component, which should

be covered by adequate provisions, and an unexpected loss component, which should be

covered by the bank’s equity capital. Finally, an appropriate OR measurement system

should be aimed at estimating the amount of economic capital absorbed by this type of

risk. This implies that the measurement system should be consistent with the criteria (time

horizon, confidence level, etc.) used by the bank for the measurement of the other types

of risks.

Let us now look at the problems which are typically faced by a bank trying to measure OR.





The first problem comes from the fact that some of the events related to OR tend

to produce losses which are difficult to quantify. Take the example of a bank whose

franchise has been negatively affected by a regulatory change. Quantifying the loss

requires an estimate of the negative impact of such change on the bank’s future earnings,

√ which could be quite difficult.

A second problem is related to the fact that some of the OR events are quite rare.

This means that an individual bank has a limited direct experience of such losses. This

in turns makes it quite difficult to estimate the probability distribution of these events

in a statistically significant way. A bank may then decide to turn to pooled data, like

those recorded in publicly available databases: however, this is likely to pose several

challenges. First, and most significant, not all losses are reported publicly. Also, as larger

5

In the case of credit risk we do not only refer to credit derivatives but also to all the transactions such

as loan sales and securitization which allow to transfer risk. A typical example is represented by the CBO

(collateralized bond obligations) and CLO (collateralized loan obligations) markets.



518



Risk Management and Shareholders’ Value in Banking



losses are more likely to have been reported, a positive relationship may exist between

the loss amount and the probability that it is included in public data sources. If such

a relationship exists, then the data are not a random sample from the population of all

operational losses, but rather a biased sample containing a disproportionate number of

very large losses. Statistical inference based on such samples can yield biased parameter

estimates: namely, the presence of too many large losses is likely to lead to an upwardbiased estimate of the bank’s exposure to OR. To avoid such a problem, banks may

decide to pool together their internal databases on operational losses, subject to a mutual

√ confidentiality commitment (see the introduction to this part of the book).

A third problem relates to the low reliability of past historical data for the estimate of

both the probability and the loss size of future OR events. Take, e.g., losses originated by

errors in the IT systems for interbank payments or international securities settlement.

These kind of loss events have become less and less frequent over time thanks to

technological and organizational progress. Their historical frequency is therefore a bad

proxy for their future probability; conversely, past data may underestimate the threat

posed by new classes of operational risks, like those related to hackers and computer

√ crime.

Finally, OR measurement is negatively affected by the fact that it has become “fashionable” only in rather recent times. Indeed, banks all over the world started to seriously

analyse this type of risk and collect relevant data only in the late 90’s. OR measurement therefore suffers from a relative lack of statistically significant time series of loss

data, which are needed to estimate expected and unexpected losses. Indeed, the lack

of reliable internal operational loss data has often prevented banks from improving the

statistical techniques used for OR measurement. Due to the unavailability of adequate

databases, many banks are still to achieve proper risk quantification models covering

operational risk.

Having stated the main objectives and characteristics of an OR management system, let

us introduce our simplified approach. As indicated by Figure 17.1, the next sections will

discuss a number of different phases that will build up a complete OR measurement

process.

17.3.1 Identifying the risk factors

The first phase in OR measurement requires to estimate the relevant risk factors. This

means defining a list of the events which the bank would consider as part of OR. This

phase is particularly important as it should also allow to build a common language across

the different business units of the bank. Table 17.1 reports an example of the possible

outcome of this first phase.

17.3.2 Mapping business units and estimating risk exposure

The second phase requires to map, to the factors identified in the first phase, the various

business lines and activities carried out by individual business units. This means that

one needs to identify all relevant OR events for each business unit. For example, it is

quite likely that “internal fraud” events play a major role for the trading unit, while being

almost irrelevant for the securities placement business.



Operational Risk: Definition, Measurement and Management



519



1. Identification of the risk factors



2. Estimating exposures to the risk factors – Exposure Indicator (EI)

(mapping business processes)



3. Estimating probability of occurrence of the risky events – Probability of Event (PE)



4. Estimating loss in case of events (severity) – Loss Given Event (LGE and LGER)



5. Estimating expected loss – Expected Loss (EL = EI x PE x LGER)



6. Estimating unexpected loss – Unexpected Loss (UL)



7. Estimating OR capital at risk (CaR)



Figure 17.1



The different phases of the OR measurement process



This phase is similar to the “risk factor mapping” process that banks have to carry

out regarding financial risks (see, e.g., Chapters 3 and 5). More specifically, one needs to

identify (see Table 17.3):

(i) for each business unit, the relevant risk factors;

(ii) for each business line with in a business unit, one or more exposure indicators (EI)

representing its vulnerability to different risk factors. These EIs could be P&L variables, such as gross operating income, or balance sheet aggregates, like total asset

under management.6



17.3.3 Estimating the probability of the risky events

The third phase of the measurement process requires to estimate a probability of occurrence for each risk factor/business unit combination. This estimate may be based on

different techniques and data sources depending on whether loss events are frequent, so

that internal bank data are likely to be enough to allow a statistically significant estimate,

or events, in which case other data sources need to be identified (like pooled databases

6

This exposure indicator may not be needed in case a monetary definition of the average loss for each OR

event is adopted rather than a percentage of the exposure one (see next section).



520



Risk Management and Shareholders’ Value in Banking



Table 17.3 Mapping business units to risk factors

Risk factors

People Technology Processes External

events

Business

Unit

Investment

Banking



Business

Line

Corporate

Finance



Activity



Merchant Banking,

Advisory Services,

Securities u/w &

placement



Securities u/w

& placement



Exposure

indicator

(EI)

TR



X



X



X



X



X



X



X



Trading &

Sales



GI



Retail Banking,

Cards, Private

Banking



GI



Corporate

Banking



Corporate Lending,

Project Finance



GI



Payment and

Settlement



Payment and

Settlement



GI



X



X



Agency

services



Corporate Agency,

Custody



TR



X



X



Asset

Management



Unit trusts,

segregated accounts



AM



X



X



Insurance



Life & Casualty

Insurance



TP



Retail

Brokerage



Other



Proprietary Trading,

Sales, Mkt Making



Retail

Banking

Banking



X



X



X



GI



X



Retail Brokerage



GI



X



X



X



X



X



X



Legend: TR = total revenues, GI = gross operating income, AM = assets under management, TP = total premiums.



run by interbank consortia,7 as well as data provided by professional data vendors8 ). The

former events typically tend to generate relatively low losses: hence, they are generally

labelled as “high frequency low impact (HFLI) events”. Conversely, less frequent events

are often associated with more significant losses and therefore are called “low frequency

high impact (LFHI) events”. As a result, probability distribution for OR losses tend to be

7

An example of such cooperative efforts is Morexchange (Multinational Operational Risk Exchange), a database

originally introduced in November 2000 by major financial institutions such as JP Morgan, CIBC and Royal

Bank of Canada. This database, managed by the a New York-based software company called NetRisk, collects

all operational loss data from the member banks, which are analysed and standardised in order to make them

comparable across banks of different sizes, and finally returned on an aggregate basis to all member banks.

8

Two examples are represented by OpRisk Analytics and OpVantage, a division of Fitch Risk Management.

Both vendors gather information on operational losses exceeding $ 1 million and collect data from public

sources such as news reports, court filings, and regulatory authorities filings.



Operational Risk: Definition, Measurement and Management



521



HFLI

Frequency



LFHI



Severity



Figure 17.2



High frequency – low impact versus low frequency – high impact events



highly skewed to the right (see Figure 17.2);9 furthermore, due to the special relevance of

extreme losses, the right tail of the distribution is often modelled though ad hoc estimation

techniques, like Extreme Value Theory (see Chapter 9).

The probability of each different type of OR event (that is, of each business unit/risk

factor combination) can be estimated subjectively by the bank’s management, based either

on qualitative judgement or a formal rating system. Such ratings capture the relevance of

a given specific risk factor for the individual business unit, business line or activity, i.e.,

their vulnerability to the risk factor. Such a rating system can then be used, just as for

credit ratings, to quantify the probability of occurrence associated with different rating

classes. Table 17.4 reports a simplified example for a bank’s trading unit: this is based on

a 1 to 10 scale, where each value is associated to probability range covering a one-year

risk horizon.

The synthetic judgements or ratings assigned to each business unit should reflect both

the intrinsic risk of the BU and the level and quality of the controls in place. Indeed, the

introduction of a more effective system of internal controls should, other things equal,

lead to a better rating and therefore a lower risk.

The main shortcoming of this “risk quantification” phase is that it is mostly based on

the managers’ subjective appraisal of risks. This can be mitigated in two ways:

• the exposure indicators and the risk levels assigned to each business unit should reflect

a consensus within the banking industry; in other words, while each bank may have a

9

Figure 17.1 only looks at the two most common types of events. However, combinations represented by high

frequency-high impact (HFHI) events and low frequency-low impact (LFLI) events, while less common, can

also be identified.



522



Risk Management and Shareholders’ Value in Banking



Table 17.4 Example of OR exposure for a bank’s trading unit

Risk factor



Qualitative judgement Rating (1 = low risk; Probability range

10 = high risk)



1. Human resources

– fraud



Average/Low



3



0.3 %–0.5 %



– negligence



Average



5



1.0 %–2.0 %



– violation of internal rules



High



9



7.0 %–10.0 %



– systems failures



Average



4



0.5 %–1.0 %



– software errors



Average/High



8



5.0 %–7.0 %



– telecommunication



Low



2



0.1 %–0.3 %



– model risk



High



10



– transaction risk



Average



6



2.0 %–3.0 %



– documentation risk



Average/Low



3



0.3 %–0.5 %



– political risk



Low



1



0.0 %–0.1 %



– regulatory/fiscal risk



Average/High



8



5.0 %–7.0 %



– natural events



Low



2



0.1 %–0.3 %



2. Technology



3. Processes

>10.0 %



4. External events



different risk profile as compared to the industry average, industry data should always

be used as a benchmark to assess the credibility of the valuation process;

• the valuation of each business unit risk profile should be performed by an independent

unit, such as the internal audit department, based on rigorous, objective and well-defined

criteria, which have to be consistent with the best market practices and applied in a

uniform way to all the bank’s business units; these criteria should be made explicit and

periodically updated.

Finally, it is important to highlight that, while based on subjective judgement and discretionary valuations, the approach described above is relatively flexible and can be easily

tailored to the organizational complexity of the bank, taking account of its risk profile

and the quality of the controls in place.

17.3.4 Estimating the losses

The distinction between HFLI and LFHI events is also relevant for the fourth phase of

the OR measurement process, i.e. when one wants to estimate the average loss associated



Operational Risk: Definition, Measurement and Management



523



to each type of risky event. Indeed, once the probability of each event (“probability of

event” – PE) has been estimated, a measure of the loss in the case of an event (“loss

given event” – LGE) is needed to quantify the expected loss.

The loss given event can be expressed as either a monetary amount – average dollar

loss – or a percentage of the exposure indicator. In the latter case it is called loss given

event rate (LGER).

Table 17.5 reports some information sources that can be used to estimate PE and LGE.

Table 17.5 Information sources for the measurement of OR

Probability of event (PE)



√ Internal audit reports

√ Internal historical events data

√ Management reports

10

√ Experts’ opinions (Delphi techniques )

Vendors’ estimates



√ Budgets

Business plans



Loss given event (LGE)



√ Management interviews

√ Internal historical loss data

Historical loss data from other banks or

√ consortium data series

√ Industry benchmark

External estimates (consultants,

dataproviders, vendors, etc.)



Source: adapted from Crouhy, Galai, Mark (2000).



Table 17.6 reports some examples of information sources that can be used for some

specific OR events.

Table 17.6 OR risk factors: example of cause, effect and information source

Risk factor



Cause



People



Loss of key human

resources acquired by

competitors



Process



Productivity decrease due

to an unexpected increase

in the business volume



Technology



Costs related to the

updating of information

systems



Effect

Variance in revenues and

profits (recruiting &

training expenses,

negative impact on the

existing HR)



Information source





Delphi technique





Variance in process costs √ Historical series

with respect to the

External estimates

expected levels



Variance in technological √ Historical series

resources management

√ External estimates

and maintenance costs

Industry benchmarks



The estimate of LGE can also be based on a subjective valuation performed by the

bank’s management;11 however, estimates based on actual historical data look preferable.

10

Delphi are iterative techniques aimed at developing consensus among different people which can be used to

obtain a group estimate of the probability of future events.

11

An example is given by the bottom-up approach adopted by the Italian Banking Association for its common

database of OR losses, where the indicator can take four different values:



Xem Thêm
Tải bản đầy đủ (.pdf) (811 trang)

×