Dr Chris Stalvies Director Cognitix Limited The Regulatory Time Bomb redefining how people work with risk.

Dr Chris StalviesDirectorCognitix Limited

The Regulatory Time Bomb redefining how people work with risk

Contents

Introduction The problem – examples Why it has become a regulatory hotspot Who is affected How they are affected When they will be affected What customers need to do Problems – data modelling Opportunities

About Cognitix What we do

– Cognitix is a risk management and corporate governance company that helps organisations identify rapidly factors that can help predict success or failure.

– We supply Cognitix Quadrant the most powerful and flexible solution available to help financial services companies satisfy FSA and Basel II operational risk regulatory requirements

About Cognitix

Where we come from– The background of the founders is operational

risk management in the financial services sectors combined with very strong in-house development capabilities. We work with companies of all sizes

Where we are going– We will become the standard for operational risk

management

About Cognitix Quadrant

Web technology based Multi tiered databases fits any hierarchy End to end risk management process XML output Rules based fuzzy logic engine incorporated Validates collaborative input to assess and predict

high impact low frequency events Very low integration costs

Cognitix philosophy

Cognitix Quadrant takes a Bayesian approach to the assessment of High Impact Events.

This is reinforced by standard statistical analysis so that reliable data is available for further manipulation or for input to risk management processes.

Application of rules based analysis and fuzzy logic profoundly augments the capabilities of the system in an uncertain environment.

What is Operational Risk

Risk Management Process– The proactive identification, analysis and control of those

risks which threaten the assets or earning capacity of an enterprise (Institute of Risk Management)

Operational Risk – a relatively new classification– The risk of direct of indirect loss resulting from inadequate or

failed internal processes, people and systems or from external events

– Traditional banking risks such as Credit and Trading risks do not form part of this Framework. Strategic risk and reputational risk are specifically excluded.

Measurement or Assessment?

What is happening?

Regulators all around the world are imposing new regulations on banks and insurance firms to make sure they

– Can demonstrate they know how to manage operational risks

– Put aside enough capital to cope with operational risks Deadlines have been set Many firms have not woken up to this need Many thousands of companies are affected Thousands of small intermediaries are not going to

make it

Why is it happening

Major losses and failure in the corporate world over the past years have forced regulators globally to take action to protect the financial system

A few examples

Polly Peck Schneider Tyco Atlantic Computers World Com Maxwell BCCI Standard Chartered Bombay Bankers Trust/PG ABN-AMRO Chiasso NatWest Markets

Kidder Peabody Daiwa Bank Metallgesellschhaft Barings Barlow Clowes Pensions mis-selling Lloyds re-insurance spiral Morgan Grenfell Jardine Fleming Levitt

The Vicious Circle

Failure of controls

Unsustainableproduct

Individualidiosyncrasies

FraudFalse accounting

Overstated securityvalues

The Vicious Circle - 2

Failure of controls

Unsustainableproduct

Individualidiosyncrasies

FraudFalse accounting

Overstated securityvalues

Maxwell

Morgan Grenfell

Barings

Polly PeckFacia

Atlantic Computers

Wallace Smith

Standard Chartered

Kidder

DaiwaBarlow Clowes

Pensions mis-selling

Bankers Trust/PG

Jardine Fleming

Metallgesellschaft

Levitt

Schneider

ABN-AMRO

Lloyds

NatWest Markets

What is being done about it

Across the world regulators have intervened e.g. – Basel Committee on Banking Supervision– FSA– CAD 3– Higgs– Turnbull– Sarbane Oxley– MAS– King Report

The pressure is from…….

Operational Risk Basel II

– requires all financial institutions to be able to demonstrate that they are maintaining adequate capital to support their operational risks

– CP3 CAD3 FSA

– CP142 – applies to both banks and insurance firms equally

– CP178 – Lloyds

Corporate Governance Higgs

Turnbull

Sarbanes-Oxley

Institutional Investors

Why is it a hot topic now?

Regulators globally have been forced to take action to protect the financial system

The most common cause of loss has been “ Operational” (reminder - people, processes and systems and external events)

Territorial regulators give this the force of law e.g. CAD3, FSA

Companies must:– Have adequate systems in place to be able to manage the

risks – Have sufficient capital put aside to cover them in the event

of these types of loss happening

When is it going to happen Global

– 2007 but with 3 or 4 years data

European– Expected Oct 03 for enforcement

UK – FSA regulated Banks and Insurance Firms– 2003 FSA publishes final policy for operational risk management

systems and controls– 2003/4 One year for firms to prepare for implementation of

operational risk management systems and controls policy– 2004 Operational risk management systems and controls policy

takes effect– Insurance registration must be completed by 15/1/2005 or drop dead

What needs to be done

Guidance from Basel

Guidance from the FSA

Guidance from BaselLikely to become best practice in all sectors

Sound Practices paper - Basel Committee Feb. 2003

1. The Board exercises oversight responsibility 2. The Board ensures a complete internal audit of ORM

but the internal audit function should not be directly responsible for operational risk management

3. Senior management implements the programme 4. Management identifies and assesses OR inherent in

all activities 5. Management monitors OR profiles

Basel Sound practices

6. Management creates control policies, processes and procedures

7. Management creates contingency and business continuity plans

8. Bank supervisors require all banks to have an effective framework

9. Supervisors independently evaluate bank practices

10. Banks should make sufficient public disclosure of OR approaches

Guidance from FSA

The firm will need to document its policy for managing operational risk – its strategy and objectives and the processes that it adopts to achieve;

– Analysis of the firm’s risk profile– Which risks are to be accepted – How it intends to identify, assess, monitor and control the

risks, with an overview of the people, processes and systems to be used

– Where information is used internally for capital allocation purposes, how that exercise is undertaken.

What the FSA expects to see

Monthly Operational Risk Pack A Risk Map that assesses high frequency losses and

low frequency/high impact exposures Analysis of the effectiveness of existing controls with

action plans for risk reduction Improvements made to risk positions through

activation of risk controls or improved effectiveness of existing controls

Aggregate risk accumulations – by actual costs of risk or expected low frequency/high impact exposures

Solutions typical definition of requirements

The ability to: create risk profiles, not just

loss data modelling document the controls capture loss data create action plans with

responsibilities and accountability clearly shown

manipulate data into reports flag alerts to the Board by

email

self certification procedures and scenario planning capability

develop key risk indicators Sarbanes Oxley capability

(corporate governance) Integrate validated external

loss databases.

Problems

Data– Quality– Availability

Data Models– Based on traditional requirements

People– Don’t always tell what they know

Culture/Corporate Governance– Senior management responsibility

Organisational Change– Need to start with a framework

Opportunities Huge new market, wider than just financial services Regulatory pressure to buy Risk management solutions can be added to any other

service Genuinely new market with regulatory drivers Cognitix Quadrant is different

– risk analytic models adapted from credit or trading environments are not adequate to deal with the totally different requirements of operational risk assessments.

– The real value is that it is able to help to predict what might happen, where data is too limited to be statistically modelled by traditional stochastic methods.

– We provide full support ranging - framework design to technical implementation

“Cognitix is the most radical, high impact and cost effective approach available for risk and

governance”

© Cognitix Limited 2003

To share opportunities with us please contact

[email protected]

+44 (0)7980 734875

D E M O N S T R A T I O N

Overview of Quadrant

Notes

This slideshow features Quadrant, showing how the entire risk management process is addressed including:

1.Identification

2.Assessment/Measurement

3.Control

Only selected parts of the full functionality of Quadrant are shown in the interests of brevity

Contents This is a Bank example, for illustration only.

1.Access - Sign on screen for multilevel access2.Responding - Respondent screens with and without costing3.Viewing

Client view – hierarchical – select data to view Viewing risk factors – apply weightings – hide non

relevant Viewing data outputs – Boston chart example Viewing data outputs – Bar chart example Viewing details – sorting – raising Issues

4.Managing Issues5.Event logging6.Applying Risk Appetites

Access to all functions is through this sign on screen

The top bar can be changed to reflect Partners own branding

From this single screen youhave seven levels of access

1. Super Administrator2. Administrator3. Consultant4. Client5. Respondent6. Manager7. Resource

This is the first and only screen most users see – they just choose a category and select the appropriate radio button on the range

There is no limit on the number or location of respondents

Include qualitative data for richness

Instructions can be provided at any level of detail

Scales are non numeric here, andcan be tailored

Users with more in depth knowledge are asked to provide

more information about the maximum cost of the risk if it

happens, the cost of countermeasures and frequency

The first run produces a risk map, the second one is for controls assessment using“Implementation” and “Effectiveness” as measures

Risk assessment questions arestructured by Client, and canbe viewed hierarchically

For each Client the risk questions are organised into Categories

The data can beanalysed at any level by clicking this button

View risks weighted and un-weighted

Questions can be analysed at several levels including scorecards

Each question and/or category can be weighted on each scale and can be hidden from selected users if desired

Respondents only answer questionsrelevant to themselves

The Boston chart is a simple but effective display of risks ranked by priority.

Hover the mouse over a star and detailsappear – click to drill down for more detail

Increasing levels of granularity can be displayed x2 to x64

Data can beviewed inother formats

Resize for a better view

Another display is the Bar ChartRisk scores for individual criteria

Risk scores combined

Colour coding for instant impact

In this view data can be displayed in a number of ways, including the standarddeviation of responses, raise Issues and Actions and sort the columns

Drill downSort by risk colour code

Risks can be easily escalated to Issues with action plans, and managers and resources set tasks to mitigate the risks.

Tasks are monitored for completion status

Events can be logged and actions assigned

This one button produces a consolidatedreport for FSA Operational Risk compliance

Any number of risks can be related to an event

Formulae can be applied to each scale to reflect the risk appetite

Risks can be viewed as “appetised” or “un-appetised”

© Cognitix Limited 2003

[email protected]

“Cognitix is the most radical, high impact and cost effective approach available for risk and governance”