Modelling operational risk in Banking and Insurance using @RISK

Modelling operational risk in

Banking and Insurance using

@RISK

Dr Madhu Acharyya

Lecturer in Risk Management

Bournemouth University

macharyya@bournemouth.ac.uk

1

Palisade EMEA

2012 Risk Conference

London

Risks in Banking and Insurance

Main Banking Risks

Market risk

Credit risk

Liquidity risk

Operational risk

Systemic risk

Strategic risk

Reputational risk

Main Insurance Risks

Market risk

Underwriting and pricing

risk

Credit risk

Liquidity (reserving) risks

Operational risk

Strategic risk

Reputational risk

2

Business Units/lines in Banking and Insurance

Banking

Credit department

Banking book

Derivative desk

Fund management

Others

Insurance

Underwriting department

Personal and commercial

Claims department

Reinsurance department

Finance and investment

department

Others

3

4

Risk types

Inte

rest

Rat

e

Ris

k

Mar

ket

Ris

k

Cre

dit R

isk

……

….

Opera

tional

risk

Business

units

Credit

department

Banking book

Derivative

desk

……

Fund

management

Risk types

Inte

rest

Rat

e

Ris

k

Mar

ket

Ris

k

Cre

dit R

isk

……

….

Opera

tional

risk

Business

units

Credit

department

Banking book

Derivative

desk

……

Fund

management

Expected loss and Unexpected Loss

Expected loss

The mean value of the probability distribution of future

losses.

Not a significant risk and hedged by adding a suitable spread

to the interest rate charged on the loan

Unexpected loss

Expected loss

5

Unexpected Loss

The true risk i.e., the risk that the loss will prove greater

than originally estimated

• i.e., The variability of loss above the EL

The EL of a diversified portfolio is simply equal to the sum of

the expected losses on the individual loans in it

• The EL is reduced by diversifying the portfolio

The volatility of the total portfolio loss is generally lower

than the sum of the volatilities of the losses on individual

loans (provided that the correlations amongst the individual

losses are low) where

represents the individual credit losses

6

VaR computation

Probability distribution of loss data

Probability = 5%

7

Maximum

$ Loss Minimum

$ Loss Average

$ Loss

Three methods of calculating VaR

1. Parametric (or analytical or delta-

normal) method

2. Historical method

3. Monte Carlo Simulation method

8

Example: Computation of Value at Risk (VaR)

Year Loss ($)

1996 9223.41

1997 9708.5

1998 11087.27

1999 10059.5

2000 8781.8

2001 10106.58

2002 11197.34

2003 9892.56

2004 9369.17

2005 8842.99

2006 10628.46

Minimum loss $8,781.80

Maximum loss $11,197.34 9

for the standard normal distribution,

Mean $9,899.78

Standard deviation $826.76

Parametric approach

z-statistic at 95% confidence

interval 1.645

VaR (95%) $11,259.69

10

VaR computation

Probability distribution of loss data

Probability = 5%

11

Maximum $

Loss

$ size of the

portfolio

Minimum

$ Loss

$0

Average

$ Loss

$9,899.78 $11,259.69

VaR 95%

12

Interpretation of VaR Result

Given the loss data the Bank or Insurance Company (or any of

its business line) can afford a loss of maximum of $11,259.69.

The bank or insurance company is 95% confident that the

actual loss will remain within the boundary between $0 and

$11,259.69. However, there is a 5% probability that the actual

loss will go beyond $11,259.69.

In other words, n every 1 in 20 occasions (or days/month/year)

the actual loss will go above $11,295.69

If the actual loss goes above $11,295.69 then the bank or

insurance company will be insolvent.

What is operational Risk

Banking sector definition

In Basel II the common industry definition of operational

risk is –

“The risk of direct or indirect loss resulting from

inadequate or failed internal processes, people and

systems or from external events.“

The definition includes legal risk but strategic and

reputational risk is not included in this definition.

Source: Basel Committee on Banking Supervision, Consultative Document, Operational

Risk, January 2001, accessed at http://www.bis.org/publ/bcbsca07.pdf on 01st January, 2011 13

Insurance sector definition

The Solvency II definition of operational risk is –

“Operational risk means the risk of loss arising from

inadequate or failed internal processes, or from

personnel and systems, or from external events

(Article 13(29) of Level 1 text). Operational risk shall

include legal risks, and exclude risks arising from

strategic decisions, as well as reputation risks (Article

101 4(f)) of the Level 1 text).”

(Ref: CEIOPS Advice for Level 2 Implementing Measures on Solvency II: SCR

Standard Formula – Article III (f) Operational risk: former CP53)

14

Event categories

Level 1 Level 2 Level 3

Internal fraud

Unauthorised activities

1. Unauthorised used of

computer system to

defraud firm or customer

2. Unauthorised

transactions

3. Underreported

transactions

4. Over-reported

transactions

5. Falsifying personal details

Theft and fraud

1. Theft of assets

2. Destruction of assets

3. Forgery impersonation

4. Disclosure of confidential

information

5. Accounting irregularities

6. Misappropriation of

assets

Table: Detailed loss event type classification in Insurance Operational Risk by ORIC

15

External fraud

External fraud

1. Theft of assets

2. Forgery impersonation

3. Fraudulent billing by

suppliers

4. Fraudulent claims

System security 1. Hacking

2. Theft of information

3. Viruses

Employment practice and

workplace safety

Employee relations 1. Harassment

2. Terminations, including

tribunals

3. Industrial activity

4. Management

5. Loss of key personnel

Safe environment 1. Health and safety

2. Public liability

3. Employee liability

Diversity and discrimination 1. Equal opportunities

2. Human rights

16

Clients, products and business

practices

Suitability, disclosure and fiduciary 1. Regulatory impact

2. Data protection act

3. Regulatory compliance of

appointed representatives

4. Customer complaints

5. Treating customers fairly

Improper business or market practices 1. Money laundering

2. Other improper market

practices

3. Insider dealing

4. Tax evasion

5. Anti trust

Product flaws 1. Product defects

(unauthorised, etc.)

2. Product literature defects

3. Product design

4. Unintentional guarantees

Selection, sponsorship, and exposure 1. Client fact-findings

2. Client exposure

Advisory activities 1. Mis-selling due to mortgage

endowment

2. Mis-selling (other)

17

Damage to physical

assets

Disasters and other

events

1. Natural disaster losses

2. Loses from external sources

(terrorism, vandalism)

3. Physical assets failure (not

systems)

Business disruption

and system failures

Systems 1. Hardware

2. Software

3. IT network

4. Telecommunication

5. Utility outage/disruption

6. External interference (excluding

fraudulent activity)

18

Execution, delivery and process

management

Transaction capture, execution and maintenance 1. Customer service failure

2. Data entry error

3. Transaction system error

4. Management information

error

5. Accounting error

6. Incorrect application of

charges

7. Incorrect unit pricing/

allocation

8. Management failure

9. Inadequate process

documentation

10. Training and competence

Monitoring and reporting 1. Failed mandatory reporting

2. Inaccurate external

reporting

Customer intake and documentation 1. Incomplete/ incorrect

application documents

2. Contract document

incorrect

3. Inappropriate underwriting

4. Inappropriate reinsurance

5. Missing documentation

Source: ORIC at http://www.abioric.com/oric-standards/risk-event-categories.aspx as on 29

Dec 2010. 19

Operational Risk Categories

Internal Fraud External Fraud Damage to

Physical Assets

Business

Disruptions &

System Failures

Execution,

Delivery &

Process

Management

No. of

events

per

Month

No. of

Month

Total

no. of

events

No. of

Month

Total

no. of

events

No. of

Month

Total

no. of

events

No. of

Month

Total

no. of

events

No. of

Month

Total

no. of

events

k n(k) n(k) n(k) n(k) n(k)

0 7 0 4 0 4 0 4 0 2 0

1 0 0 2 2 5 5 3 3 3 3

2 4 8 2 4 2 4 2 4 2 4

3 3 9 3 9 3 9 3 9 4 12

4 4 16 3 12 3 12 3 12 3 12

5 5 25 6 30 6 30 4 20 4 20

6 2 12 4 24 3 18 3 18 3 18

7 2 14 2 14 2 14 2 14 2 14

8 2 16 1 8 2 16 2 16 3 24

9 0 0 1 9 1 9 1 9 1 9

10 1 10 3 30 3 30 4 40 4 40

events 110 142 147 145 156

month 36 36 36 36 36

Average events

p/m (λ)

3.06 3.94 4.08 4.03 4.33

Table: Summary of Operational Loss Data (All data are hypothetical)

20

Table: Summary Statistics of Frequency Loss Data

Internal

Fraud

External

Fraud

Damage

to

Physical

Assets

Business

Disruptio

ns &

System

Failures

Execution,

Delivery

& Process

Managem

ent

Average

Minimum ($) 11,629.81 34,154.57 28,254.02 17,295.17 26,338.26

Maximum ($) 199,734.09 461,535.19 467,152.57 719,922.09 311,739.24

Mean ($) 108,165.98 55,881.49 76,977.50 139,744.89 69,203.62 89,994.70

Standard

deviation ($)

56,767.93 62,093.00 70,895.66 97,461.74 35,201.25 64,483.92

21

Internal

Fraud

External

Fraud

Damage

to

Physical

Assets

Business

Disruptio

ns &

System

Failures

Executio

n,

Delivery

& Process

Managem

ent

Averag

e

Minimum ($) 11,629.81 34,154.57 28,254.02 17,295.17 26,338.26

Maximum ($) 199,734.09 461,535.19 467,152.57 719,922.09 311,739.24

Mean ($) 108,165.98 55,881.49 76,977.50 139,744.89 69,203.62 89,994.7

0

Table: Descriptive Statistics of Severity Loss Data

22

Aggregated Operational Loss Parameters Distribution

Type

Frequency Mean=Variance 3.89 Poisson

Severity Mean ($) 89,994.70 Pareto

Standard deviation

($)

64,483.92

Table: Parameters of Loss Distributions from

Aggregated Observed Loss Data

23

Aggregated Operational Loss Data Summary for Monte Carlo

Simulation using @Risk

Frequency 4.00

Severity ($) 64,484.632979

Total Aggregated

Operational Loss ($)

257,938.53

Table: Parameters of Loss Distributions after Monte Carlo Simulation

24

Figure: Monte Carlo Simulation Output for Internal Fraud Category

25

Figure: Monte Carlo Simulation Output for External Fraud Category

26

Figure: Monte Carlo Simulation Output for Damage to Physical Asset Category

27

Figure: Monte Carlo Simulation Output for Business Disruption and System Failures Category

28

Figure: Monte Carlo Simulation Output for Execution, Delivery and Process Management Category

29

Figure: Monte Carlo Simulation Output for Integrated Operational Risk

30

Irrational Human Behaviour Causing Operational (and Strategic)

Failures

Agency problem

Principal-agent problem

Intentional fraud

Compensation culture

Examples: 2007 Financial Crisis

Lehman Brothers – over exposure on Securitised Products

Royal Bank of Scotland – M&A with ABN AMRO

Lloyd’s Banking Group – M&A with HBOS

AIG – exposure on CDOs

Many Others

31

32

Questions and Answers