Basel II – Operational Risk – AMA Basel II – Operational Risk – AMA INTRODUCTION Advanced Measurement Approaches (AMAs) for operational risk are the subject matter of this tutorial. The AMA is one of three methods of increasing sophistication and risk sensitivity for calculating operational risk capital charges that the Basel II framework presents. The other methods are the: Basic Indicator Approach (BIA) Standardized Approach (SA) These other methods can be studied in the tutorial: Basel II – Operational Risk – BIA & SA. A bank's risk profile, particularly its operational risk profile, should be a key factor in determining the method used to measure the extent of its exposure to operational risk. The measurement and management of operational risk as a distinct SLID E 2 1
Advanced Measurement Approaches (AMAs) for operational risk are the subject matter of this tutorial. The AMA is one of three methods of increasing sophistication and risk sensitivity for calculating operational risk capital charges that the Basel II framework presents.
The other methods are the: • Basic Indicator Approach (BIA) • Standardized Approach (SA)
These other methods can be studied in the tutorial: Basel II – Operational Risk – BIA & SA. A bank's risk profile, particularly its operational risk profile, should be a key factor in determining the method used to measure the extent of its exposure to operational risk.
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Basel II – Operational Risk – AMA
Basel II – Operational Risk – AMA
INTRODUCTION
Advanced Measurement Approaches (AMAs) for operational risk are the subject matter of this
tutorial. The AMA is one of three methods of increasing sophistication and risk sensitivity for
calculating operational risk capital charges that the Basel II framework presents.
The other methods are the:
Basic Indicator Approach (BIA)
Standardized Approach (SA)
These other methods can be studied in the tutorial: Basel II – Operational Risk – BIA & SA.
A bank's risk profile, particularly its operational risk profile, should be a key factor in
determining the method used to measure the extent of its exposure to operational risk.
The measurement and management of operational risk as a distinct risk is a relatively recent
phenomenon. As a result, the development of internal operational risk measurement methods
by banks is still in relatively early stages, with much work still under way. At present, there is no
one measurement methodology generally recognized within the banking industry.
The internal methods currently in use by banks vary extensively, primarily because banks'
circumstances and operational risk profiles are very different. It is expected that banks will
continue to develop and refine methods as their experience grows and the discipline matures.
SLIDE
2
1
Basel II – Operational Risk – AMA
OBJECTIVES
On completion of this tutorial, you will be able to:
describe what is meant by Advanced Measurement Approaches (AMAs) for operational
risk
list the qualitative and quantitative conditions for the use of an AMA
define the key features of an Operational Risk Measurement System (ORMS)
describe the range of AMAs in use
explain the risk mitigating impact of insurance on capital requirements for operational
risk
describe the implementation and transitional issues relating to AMAs
Prerequisite Knowledge
To get the maximum benefit from this tutorial, you should be familiar with the Basel II capital
adequacy framework and the fundamentals of operational risk. You can study these concepts in
the following tutorials:
Basel II – An Overview
Operational Risk – An Introduction
Operational Risk Management – Sound Practices
Basel II – Operational Risk – BIA & SA
SLIDE
3
KNOWLEDGE CHECK
Take the Knowledge Check to see how much you already know about AMAs for operational
risk. This short quiz (six questions) introduces you to some of the subjects that are presented in
this tutorial.
It will also help you identify any gaps in your knowledge, although you may find you know more
than you thought!
Keep in mind that answering each question correctly is no guarantee you know everything
SLIDE
4
2
Basel II – Operational Risk – AMA
covered in this tutorial.
1. What types of banking groups are likely to use an AMA to determine capital
requirements for operational risk?
Large banking groups that are broadly diversified in terms of business activities and
operate in many different countries around the world
Highly specialized banks whose activities involve a high daily volume of transactions
Small banks that do not aspire to using their internal rating systems for determining
capital requirements for their credit risk exposures
A bank that is a small subsidiary of a banking group located in another country whose
banking supervisors are not expected to approve the use of AMA by their banks
SLIDE
5
2. What do you think are the Basel II objectives for setting out supervisory standards
relative to the use of an AMA for operational risk?
To ensure that banks’ internal methods result in credible levels of capital for
operational risk
To encourage banks to work together to develop similar approaches and uniform
techniques to measure operational risk
To provide incentives to banks for developing operational risk measurement methods
that capture all material elements of operational risk
SLIDE
6
3. Which of the following statements relating to key features of an internal Operational
Risk Measurement System (ORMS) are true and which are false?
A bank must collect internal loss data, by type of loss events, as a basis for its AMA.
External data is particularly relevant for types of loss that are frequent and of low
severity.
SLIDE
7
3
Basel II – Operational Risk – AMA
External operational risk loss data is seen primarily as a means for supervisors to verify
that a bank’s internal data is credible and reasonable.
An ORMS needs to incorporate scenario analysis based on not only internal, but also
external, loss data as one of its integral parts.
4. True or False?
To meet the requirements of Basel II, a bank's AMA cannot incorporate aspects of both
the Loss Distribution Approach (LDA) and the Scenario-based Approach (SBA).
An AMA can incorporate externally generated loss data provided a system of
adjustment is put in place to reflect the circumstances of the banking group.
Where a banking group’s internal loss data is comprehensive and extends to more than
five years of history, it is not necessary to perform scenario analysis as part of its AMA
for operational risk.
An AMA should estimate the aggregate operational risk loss that it faces over a one-
year period at a soundness standard consistent with the standard applicable for credit
risk.
SLIDE
8
5. Which of the following mitigants are recognized under Basel II for operational risk?
Collateral
Guarantees
Operational risk derivatives
Insurance provided by regulated insurers
Insurance provided by highly rated insurers, provided specified criteria are met
SLIDE
9
6. Which of the following are among the conditions that must be met before an AMA
bank can allocate a portion of its group-wide AMA capital to one of its foreign
subsidiaries for the purpose of determining the subsidiary's standalone operational risk
capital requirement?
SLIDE
10
4
Basel II – Operational Risk – AMA
The allocation mechanism has been approved by the host supervisor and is supported
by the home supervisor.
The foreign subsidiary is considered significant relative to the size of the overall banking
group.
The foreign subsidiary is subject to Basel II on a standalone basis in the jurisdiction
where it operates.
COMMUNICATE
Once you have completed this topic, you will be able to outline some of the key concepts
related to Basel II’s Advanced Measurement Approaches (AMAs) for operational risk.
In particular, you will learn about:
what Basel II means by an AMA for operational risk
options for implementing an AMA in a banking group, including partial use
the issues arising from the flexibility that Basel II allows for the development of AMA
SLIDE
11
AMA Application within a Banking Group
What is an AMA?
SLIDE
12
5
Basel II – Operational Risk – AMA
An AMA is a bank-specific internal method for:
identifying, assessing and quantifying operational risk exposure, as defined by Basel II
calculating regulatory capital requirements
Banks with significant operational risk exposures, including specialized processing banks, are
expected to use an approach that is:
more sophisticated than the Basic Indicator Approach (BIA)
appropriate for the risk profile of the institution
The AMA capital requirement for operational risk is based on the measure of operational risk
exposure generated by a bank's internal measurement system for operational risk. The use of
an AMA by a bank is subject to supervisory approval.
AMA Application
An AMA is generally expected to be a group-wide method for capturing all material operational risk at all
levels within a banking group. There are circumstances, however, under which it may be impractical – for
cost or logistical reasons – to implement an AMA that is truly group-wide.
For example, the activities of a banking subsidiary located in a different jurisdiction than the group
parent could have unique operational risk characteristics not found elsewhere in the group. Where the
subsidiary's activities and related operational risk profile are immaterial relative to those of the rest of
the group, the cost of implementing the necessary practices and procedures in the subsidiary so that its
activities are reflected in the group-wide AMA could be difficult to justify in relation to the benefits.
Consequently, such risks may not be adequately reflected in an AMA developed with the bank's group-
wide operational risk profile in mind.
It is largely for this reason that Basel II allows for 'partial use' of the AMA.
SLIDE
13
Partial Use of AMA
SLIDE
14
6
Basel II – Operational Risk – AMA
Subject to the approval of its supervisor, a bank can use an AMA for some parts of its
operations and the BIA or Standardised Approach (SA) for others. Partial use can apply on a
transitional basis, recognizing that it may be difficult for a bank to roll out an AMA across all of
its operations at the same time, or on a permanent basis.
When partial use of an AMA is employed, the group-wide operational risk capital requirement
is equal to the sum of:
the capital required under the AMA for those parts of the group that are captured by
the AMA
the capital required under the BIA or SA for the parts that use these approaches
There are a number of conditions a bank must meet before it can use an AMA on a partial basis.
Conditions for Partial Use
In order to make partial use of an AMA, a bank must meet all of the following conditions:
All operational risks of the bank's global, consolidated operations must be captured.
All of the bank's operations that are covered by the AMA must meet the qualitative
criteria for using an AMA. The parts of the bank's operations that are using one of the
simpler approaches must meet the qualifying criteria for that approach.
When the AMA is implemented, the AMA must capture a significant part of the bank's
operational risks.
The bank must have a plan that sets the timetable for implementing the AMA across
the remainder of the group. Once the implementation plan is completed, all but an
immaterial part of the bank's operations must be captured by the AMA. The bank's plan
for extending the use of the AMA across all the bank's operations should not be
influenced by incentives to hold lesser amounts of capital. Immaterial operations
should only be excluded if it is not feasible or practical to move them to the AMA over
time.
SLIDE
15
7
Basel II – Operational Risk – AMA
AMA Partial Use – Exceptional Approvals
You have learned that a banking group can make partial use of a group-wide AMA, provided it
meets a number of conditions. Let's look at a bank that does not intend to implement the AMA
on a group-wide, consolidated basis, but would rather use a simpler approach. In limited
circumstances, the supervisor may allow the bank to use an AMA on a permanent basis for a
part of its operations even if the AMA does not capture a significant part of the bank's group-
wide operations and the bank has no intention to roll out the AMA to all but an immaterial part
of its operations.
In general, such approvals should be granted only where a bank has a subsidiary operating in a
foreign jurisdiction that is required by the host supervisor to adopt an AMA for that subsidiary,
that is, the only reason the bank is unable to meet all of the partial use conditions is a decision
by the supervisor of one of its foreign subsidiaries. In such a case, the bank would include in its
group-wide, consolidated operational risk capital requirements the results of an AMA
calculation at the subsidiary. This AMA must be approved by the relevant host supervisor and
must also be acceptable to the bank's home supervisor.
Flexibility and the Bank
Under the Basel II AMA approach, a bank has considerable flexibility in developing and using its
own methodology for calculating its risk-based capital requirement for operational risk.
The flexibility provided by the use of internal methods is intended to encourage banks to:
develop systems that are responsive to their own risk profiles
improve their risk management practices
SLIDE
16
8
Basel II – Operational Risk – AMA
At the same time, the Basel Committee recognizes the need to ensure that:
the use of different internal methods delivers an appropriate degree of credibility and
reliability in terms of capital held for operational risk
there is a common set of standards for the use of AMAs, so that different banks
adopting different methodologies for assessing operational risk have consistent results
in terms of capital held for similar levels of operational risk
Flexibility and the Supervisor
Providing flexibility for banks to use their own methods can place a considerable burden on you as a
supervisor. This is most apparent when you are assessing different banks' approaches to operational risk.
This flexibility also makes it more difficult for you to make comparisons between banks than if a
common, more prescriptive approach is specified.
To address these issues, the Basel Committee has developed both qualitative and quantitative
supervisory standards. These standards, which are discussed in the next topic, will provide supervisors
and banks with some assurance that all banks using internal measurement systems are subject to similar
expectations.
SLIDE
17
Partial Use
Identify one of the conditions a bank must meet in order to make partial use of an AMA.
At least 50% of a bank’s operations that are covered by the AMA must meet the
qualitative criteria for using an AMA.
In order for a supervisor to approve the use of an AMA, a timetable must show that the
SLIDE
18
9
Basel II – Operational Risk – AMA
AMA will capture all operational risk within a year.
The bank's AMA must capture all material operational risk of its group-wide,
consolidated operations.
…To sum up
An Advanced Measuring System Approach (AMA) is a bank-specific internal method under the
Basel II for identifying, assessing and quantifying operational risk and calculating the related
regulatory capital requirements. Banks with significant operational risk exposure are expected
to use an approach that is more sophisticated than the Basic Indicator Approach, such as an
AMA. The use of an AMA by a bank is subject to supervisory approval.
An AMA is generally expected to be a group-wide method that captures all material operational
risk at all levels within a banking group. There are circumstances, however, under which it may
be impractical – for cost or logical reasons – to implement an AMA that is truly group-wide. For
this reason, Basel II allows for ‘partial use’ of an AMA on a transitional or permanent basis for
banks that meet prescribed conditions.
Basel II allows banks considerable flexibility in the design of an AMA. As a result of this
flexibility, AMAs can look very different from bank to bank.
SLIDE
19
AMA SUPERVISORY STANDARDS
Once you have completed this topic, you wil be able to describe the supervisory standards that
a bank must meet before it will be permitted to use its AMA for regulatory capital purposes.
Under Basel II, the use of an AMA is subject to supervisory approval.
In particular, you will look at the:
general and specific qualitative standards
quantitative standards
SLIDE
20
10
Basel II – Operational Risk – AMA
I. The Purpose of AMA Supervisory Standards
Meeting the objective of a risk-sensitive capital requirement for operational risk depends on
the bank’s effectiveness in measuring that particular risk accurately. Consequently, banks must
meet a number of both qualitative and quantitative supervisory standards.
The supervisory standards are intended to result in a process that has integrity. Therefore, the
objective is to achieve a reasonable estimate of the level of operational risk exposure. These
standards are minimum standards, and national supervisors may have additional requirements.
Qualitative Standards
Quantitative Standards
SLIDE
21
A. Qualitative Standards: General
If you are involved in assessing a bank's AMA, you must ensure that a number of general
standards are met. There are three minimum qualifying general standards:
The board of directors and senior management are actively involved in the supervision
of the operational risk management framework.
The bank has an operational risk management framework that is conceptually sound
and is implemented with integrity.
The bank has sufficient resources involved in the use of the approach in major business
lines as well as in the control and audit areas.
In addition, a bank's AMA is subject to a period of initial monitoring by its supervisor before it
can be used for regulatory purposes.
What happens if a bank that is approved to use the AMA no longer meets the minimum
SLIDE
22
11
Basel II – Operational Risk – AMA
criteria for AMA?
If a supervisor determines that a bank using an AMA no longer meets the AMA
qualifying criteria, the bank may be required to revert to a simpler approach for some
or all of its operations. If this occurs, the bank cannot use an AMA until such time as it
has remedied the situation. In addition, the bank must meet the conditions specified by
the supervisor before returning to a more advanced approach. After a bank has been
approved for an AMA, it cannot revert to a simpler approach on its own accord.
Qualitative Criteria
In addition to the three general standards, there are a number of applicable qualitative criteria
a bank must meet before it can use an AMA for operational risk capital.
Independence – The bank must have an independent operational risk management
function that is responsible for the design and implementation of the bank’s
operational risk management framework.
For example, a dedicated group, separate from the day-to-day operations, should
develop and oversee the framework.
Integration With Other Risk Management Processes – The banks’ internal operational
risk measurement system (ORMS) must be closely integrated with the day-to-day risk
management processes of the bank.
An ORMS should identify, assess, monitor and control operational risk as part of the
bank’s overall risk management processes.
SLIDE
22
Internal Reporting – Comprehensive Internal Reporting of Operational Risk Exposures
and Loss: There must be regular reporting of operational risk exposures and loss
experience to business and management, senior management and the board of
directors
Compliance/Non-Compliance Processes – The bank must have a process in place for
ensuring compliance with a documented set of internal policies, controls and
procedures concerning the operational risk management system. The process must also
include policies for the treatment of non-compliance issues.
Internal/External Audit Reviews – Internal/External Auditors must perform regular
reviews of the operational risk management processes and measurement systems. This
review must include both the activities of the business units and of the independent
12
Basel II – Operational Risk – AMA
operationa rosk management function
Validation – The bank’s external auditors or supervisors must be able to verify that the
bank validates its internal operational risk management system appropriately.
The external auditors or supervisors should also have ready access to system
information to ensure that they can understand it. This means that data flows and
processes associated with the risk measurement system must be transparent and
accessible.
Which of the following are among the qualitative requirements for an AMA bank?
An independent risk management function dedicated to operational risk only
Integration of the bank's ORMS into day-to-day management
Reporting to senior management and the board of directors
Documented policies, controls and procedures
An annual audit by the external auditors of the bank’s ORMS
Validation of the bank's ORMS by the bank's internal or external auditors
A compliance function to ensure that the ORMS is consistent with policies and
procedures
SLIDE
24
B. Quantitative Standards
AMA quantitative standards are the minimum parameters, procedures and systems banks are expected
to use to determine credible and consistent estimates of the capital required in respect of operational
risk.
Soundness
Basel II seeks to ensure that banks' systems for assessing required capital are prudent and sensible and
that they yield credible results.
Basel II does not specify the approach or distributional assumptions used to generate the AMA
operational risk measure for regulatory capital purposes. This is in recognition of ongoing developments
in operational risk measurement. Basel II provides a considerable amount of flexibility for banks to
develop their operational risk measure. However, a bank must be able to demonstrate that its approach
SLIDE
25
13
Basel II – Operational Risk – AMA
captures infrequent, but severe, loss events.
In calculating its operational risk exposure, an AMA bank is expected to estimate the aggregate
operational risk loss that it faces over a 1-year period at a 99.9 percentile confidence level. In other
words, over a 1-year period, in only one of every one thousand cases would the loss experienced by the
bank exceed the estimate. This level of soundness is comparable to the standard applicable under the
internal ratings-based (IRB) approach for credit risk.
There are number of applicable quantitative criteria a bank’s AMA must comply with before it
can be used for regulatory capital purposes.
Consistency with Basel II Conditions – An internal ORMS must be consistent with the
Basel II definition of operational risk and the identified los event types.
SLIDE
26
Expected/Unexpected Losses – The bank’s AMA capital requirement for operational risk
is the sum of expected losses (EL) and unexpected losses (UL); unless the bank can
demonstrate to you that it can reasonably estimate EL for operational risk. In other
words, a bank needs to demonstrate to you that it can reasonably estimate EL for
operational risk and that it has in fact accounted for such EL in an acceptable way.
A Granular Risk Measurement System – A bank’s risk measurement system must be
sufficiently granular. In other words, it must be detailed enough to capture the major
drivers of operational risk that can affect the estimates of Infrequent, but sever, losses
(tall events in loss distribution)
Correlations – Measures for different operational risk estimates must be added for the
purpose of calculating the regulatory minimum capital requirement. However,
internally determined correlations in operational risks losses across individual
operational risk estimates may be used.
Key Features of an ORMS – An ORMS must have certain key features including:
a. relevant internal data
b. relevant external data
c. scenario analysis
d. factors reflecting the business environment and internal control systems
Weighting Based on Bank’s Profile – a bank needs to have a credible, transparent, well-
documented and verifiable approach for weighting these fundamental elements in its
14
Basel II – Operational Risk – AMA
overall ORMS
True or False?
Banks should strive to establish their estimates for operational risk with the same
degree of rigor as is done for market risk.
Banks should strive to establish their estimates for operational risk with a comparable
degree of rigor as is done for credit risk.
Banks should strive to establish their estimates for operational risk with a higher degree
of rigor than is done for credit risk.
SLIDE
27
…To sum up
Basel II prescribes a set of qualitative and quantitative standards for an AMA, which provide
superiors with some assurance that all AMA banks are subject to similar expectations despite
the flexibility banks are allowed in the design of an AMA
The qualitative standards require
The independence of the risk management function
the integration of operational risk management with the management of other risks
comprehensive internal reporting of exposures and losses
Regular reviews of compliance with internal policies and procedures
the availability of the necessary information to support reviews by external auditors
and or supervisors
The qualitative standards address:
The minimumm acceptable soundness standard
definitional consistency with Basel II
the treament of expected versus unexpected losses
granularity of the risk measurement system
the recognition of correlation
the requirement to consider and appropriately weight internal data, external data,
SLIDE
28
15
Basel II – Operational Risk – AMA
scenarios, and busines environment and internal factors
II. Key Features of an ORMS
By the end of this topic, you will be able to describe the essential features of a credible
operational risk management system (ORMS)
In particular, you will learn about
internal loss data
external data
scenario analysis
business environment and internal control factors
SLIDE
29
Key Features of an ORMS
A. Internal Loss Data
A bank's own operational risk losses, experienced in past years,
form the cornerstone of its ORMS. Such internal loss data is one of
the required elements in an AMA.
Tracking internal loss event data is essential to the development
and functionality of a reliable ORMS. Internal loss data is crucial for
relating a bank's risk estimates to its actual loss experience.
Internally generated operational risk measures used for regulatory
capital purposes must be based on a minimum five-year observation period of internal loss data. This
applies whether the internal loss data is used directly to build the loss measure or to validate it. When
the bank first moves to an AMA, three years of historical data is acceptable.
SLIDE
30
The Eight Business Lines Defined by Basel II
Basel II has defined eight business lines into which banks using an AMA must be able
to categorize their own activities. These business lines are:
<INS
ET>
16
Basel II – Operational Risk – AMA
corporate finance
trading and sales
retail banking
commercial banking
payment and settlement
agency services
asset management
retail brokerage
B. Collecting Internal Loss Data
There are eight requirements that an internal loss data collection process must meet.
1. A bank must be able to map its historical internal loss data into the business lines and
the loss event types defined by Basel II. It must also be able to provide the results of
this mapping to its supervisor. Nevertheless, the bank has discretion as to the extent its
ORMS parallels those business lines and loss event types
2. The criteria for allocating losses to the specified business lines and loss event types
must be objective and documented.
3. Specific criteria must be developed for assigning loss data for losses arising from an
event in a centralized function (for example, an information technology department) or
an activity that spans more than one business line.
4. Internal loss data must be comprehensive. In other words, all material activities and
exposures from all appropriate sub-systems and geographic locations must be
captured.
What is meant when we say that internal loss data must be comprehensive?
Comprehensiveness of internal data
Any excluded activities or exposures, both individually and in combination,
should not have a material impact on the overall risk estimates. A bank must
have an appropriate minimum gross loss threshold for internal loss data
collection. The Basel Committee uses EUR 10,000 as an example.
17
Basel II – Operational Risk – AMA
The threshold for recording losses can vary by business line. It also varies from
bank to bank. It is the responsibility of the bank to justify the basis for excluding
data and the appropriateness of the thresholds. One method that supervisors can
use to assess a bank's thresholds for excluding loss data is to compare them with
those of its peers.
5. The amount of detail on loss events should increase as the size of the losses increases.
Information collected should include the date of the event, the amount of recovery and
description of the cause of the loss.
6. All material operational risk losses consistent with the definition of operational risk,
including those related to credit risk, must be collected. Material operational risk-
related credit risk losses that historically were recorded as credit risk losses should
continue to be recorded as credit losses for calculating the Pillar 1 capital requirement
for credit risk, but will not be subject to the operational risk capital charge to avoid
double counting. For example, a loss resulting from a bank's inability to liquidate
collateral in the event of a borrower's default may be recorded as a credit loss even
though poor collateral management practices may be the cause of the loss.
7. Operational risk losses that are related to market risk are subject to the operational risk
capital charge.
8. Data must be accessible to supervisors and provided to them upon request.
Why are operational risk losses that are related to market risk subject to the
operational risk capital charge?
Operational failures that result in market risk losses should be treated as
operational risk losses and subjected to the operational risk capital charge. This is
because market risk methodologies are calibrated from price movements, not
actual losses. Excluding such operational risk losses from the calculation of the
operational risk capital requirement may lead to under-capitalization.
There have been several high profile situations where large market risk related
SLIDE
32
18
Basel II – Operational Risk – AMA
operational risk losses have been incurred, primarily as a result of a breakdown of
internal controls. Included in this group are:
Barings Bank collapsed in 1995 as a result of the actions of a rogue trader.
Allied Irish Bank and National Australia Bank incurred large losses, in
unrelated incidents that came to light in 2002 and 2004, respectively,
because of unauthorized currency trading.
Fraudulent trades by a single trader resulted in pre-tax losses of more
than €4.9 billion in 2008 for Société Générale.
C. Internal Loss Data Collection Process
Identify the requirements for an AMA-approved bank’s internal loss data collection process.
Internal loss data must be comprehensive and must be mapped into the loss event-
types specified by Basel II.
Individual operational risk losses exceeding EUR 10,000 must be captured by the ORMS.
The criteria for allocating losses into business lines and loss event types must be
objective and documented.
Specific criteria must be developed for consistently categorizing loss information that
spans more than one business line or that originates in a centralized function.
A clear process must be developed for identifying and including credit risk-related
losses in the Pillar 1 calculation of operational risk capital requirement.
A clear process must be developed for excluding operational risk losses arising from
trading activities.
SLIDE
33
III. External Data
A bank's operational risk measurement system must use relevant external data. This is
extremely important when there is reason to believe that the bank is exposed to infrequent,
SLIDE
34
19
Basel II – Operational Risk – AMA
yet potentially severe, losses.
External data can be:
public data – data collated from individual publicly reported loss events
pooled industry data – data assembled in a structured fashion by a group of banks
If a bank's internal loss history is not extensive enough to provide a reasonable basis for
estimating major unexpected losses, it should turn to external data to complement its own
internal data.
A. Comprehensive Data
External data should be comprehensive enough to enable a bank to assess its relevance for its own
operational risk. External data should include:
actual loss amounts
information on the scale of business operations where the event occurred
information on the causes and circumstances of the loss events
B. Process for Using Data
A bank must have a systematic process for determining the situations in which external data is used. A
bank also needs to develop a methodology to incorporate the data into its own processes, such as
adjusting for scale or improving scenario analysis. The conditions and practices for the use of external
data must be regularly reviewed, documented, and subject to periodic independent reviews.
SLIDE
35
C. Scenario Analysis and AMA
Another element of the AMA framework is scenario
analysis. Scenario analysis is the systematic process of
obtaining expert opinions from business managers and
risk management experts in order to evaluate banks'
exposure to high-severity events. These opinions are
used to assess the likelihood and impact of severe but
plausible operational loss events.
The results of the scenario analysis process need to be incorporated in a bank's AMA. For instance,
SLIDE
36
20
Basel II – Operational Risk – AMA
scenario analysis results could be expressed as parameters of an assumed statistical loss distribution.
Scenario analysis also should be used to assess the impact of deviations from the correlation assumptions
that are embedded in the bank's operational risk measurement system. In particular, they should be
used to evaluate potential losses resulting from multiple simultaneous operational risk loss events.
Scenario analysis may use a combination of internal and external data (for example, where an institution
looks to industry experience) to generate plausible loss scenarios.
1. When to Use Scenario Analysis
Scenario analysis should be an integral part of a bank's ORMS. The scenario analysis should be more
elaborate where internal and external data do not generate a sufficient assessment of the institution’s
operational risk profile.
For example, some individual banks may have only encountered a few, if any, internal occurrences of
certain types of loss events. In addition, the banks may not have much experience of certain types of loss
events that affect the banking sector in a particular jurisdiction.
Examples of low frequency events that can potentially result in high severity losses can include:
unusual client lawsuits
acts of terrorism
natural disasters
The qualitative and subjective nature of a scenario analysis approach means that the
assessments need to be validated over time against actual losses. This is particularly true for
cases where the underlying data used is sparse.
SLIDE
37
SLIDE
21
Basel II – Operational Risk – AMA
IV. Business Environment and Internal Control Factors
Internal and external data provide an important historical picture of a bank's operational risk profile.
However, that profile can change over time as a result of:
internal factors (such as expansion into new business activities or new regions or withdrawal
from other areas)
changes in internal controls
changes in the business climate in the different countries where a bank has significant
operations
Therefore, it is important that a bank supplement its internal and external data by taking into account the
fact that this historical profile can change as the business environment and its own internal controls
change.
A bank's group-wide risk assessment methodology must capture the key business environment and
internal control factors. An AMA bank must use these factors in its risk measurement framework.
What are the advantages of incorporating key business environment and internal
control factors into a bank's risk assessment methodology?
By incorporating these factors into its methodology, a bank’s risk assessment will:
be more forward-looking
reflect more accurately the quality of the bank’s control and operating environments
help align capital assessments with risk management objectives
be able to recognize both improvements and deterioration in operational risk profiles
more quickly
38
A. Criteria for Business Environment and Internal Control Factors SLIDE
22
Basel II – Operational Risk – AMA
To qualify for regulatory capital purposes, the use of key business environment and internal control
factors in a bank's risk measurement framework must meet the following standards:
Each factor must be a meaningful driver of risk – this is based on the experience
and expert judgment of the affected business areas. The business line managers
and specialists in the bank who are most attuned to the business conducted can
best assess the potential risks facing that particular business.
The sensitivity of a bank's risk estimates to changes in the factors and the relative
weighting of the various factors need to be well reasoned. For example,
improvements in risk controls have to be assessed in light of potential increases
in risk due to greater complexity of activities or increased business volume.
The framework and each instance of its application, including the supporting
rationale for any adjustments to empirical estimates, must be documented and
subject to independent review within the bank and by supervisors.
The process and its outcomes need to be validated through comparisons made
over time to actual internal loss experience, relevant external data, and
appropriate adjustments made.
39
True or False?
In a bank whose primary activity is retail banking, improvements in internal controls in the
trading function's back office would significantly improve the bank's overall operational risk
profile.
A bank’s ORMS must involve its senior management level strategists because the bank’s future
plans and direction in terms of expansion or withdrawal from particular business lines can
materially influence its operational risk profile.
External loss data supplements banks’ internal data and is an important contributor to scenario
analysis. Scenario analysis can be used to test and validate correlation assumptions in a bank’s
ORMS.
SLIDE
40
…To Sum up SLIDE
41
23
Basel II – Operational Risk – AMA
There are four essential elements in an effective operational risk management system:
internal loss data that has been collected over a minimum five-year observation period
and can be mapped to the business lines and event types that are defined in Basel II
external data that is related to the bank (and scaled, as necessary) whether the data is
collated from public reports or from a data pool created by a group of banks
scenario analysis to assess the likelihood and impact of severe but plausible operational
loss events, which can be particularly useful for banks that have little internal
experience with certain types of loss
business environment and internal control factors, which provide useful insight into
changes in a bank’s operational risk profile
V. RANGE OF AMAs
As a result of the flexibility that Basel II allows banks in the design of an AMA, there is
considerable variability in the AMAs that are in use. By the end of this topic, however, you will
be able to categorize AMAs based on their key characteristics
In particular, you will look at the
Loss Distribution Approach (LDA)
Scenario-based Approach (SBA)
Risk Drivers and Controls Approach (RDCA)
42
VI. CATEGORIES OF AMAs
Because the management of operational risk is a
relatively new discipline in the field of risk
management, Basel II intentionally provides banks
with a significant degree of flexibility in the design of