Information risk and data quality management: Operational Risk. Alberto Ferreras Salagre, July 2015

Jul 12, 2020


Alberto Ferreras, FRM 2015


Anthony Tarantino and Deborah Cernauskas, Risk Management in Finance: Six Sigma and Other Next Generation Techniques (Hoboken, NJ: John Wiley & Sons, 2009). Chapter 3. Information Risk and Data Quality Management

• Assess the potential negative impact poor data quality may have on a business.
• Identify the most common issues which result in data errors.
• Identify some key dimensions of data quality.
• Describe the operational data governance process and differentiate between data quality inspection and data validation.
• Summarize the process of creating a data quality scorecard and compare three different viewpoints for reporting data via a data quality scorecard.

FRM I


“Principles for Effective Data Aggregation and Risk Reporting,” (Basel Committee on Banking Supervision Publication, January 2013).*

• Explain the potential benefits of having effective risk data aggregation and reporting.
• Describe key governance principles related to risk data aggregation and risk reporting practices.
• Identify the data architecture and IT infrastructure features that can contribute to effective risk data aggregation and risk reporting practices.
• Describe characteristics of a strong risk data aggregation capability and demonstrate how these characteristics interact with one another.
• Describe characteristics of effective risk reporting practices.


John Hull, Risk Management and Financial Institutions, 3rd Edition (Boston: Pearson Prentice Hall, 2012). Chapter 20.

• Compare three approaches for calculating regulatory capital.
• Describe the Basel Committee’s seven categories of operational risk.
• Derive a loss distribution from the loss frequency distribution and loss severity distribution using Monte Carlo simulations.
• Describe the common data issues that can introduce inaccuracies and biases in the estimation of loss frequency and severity distributions.
• Describe how to use scenario analysis in instances when data is scarce.
• Describe how to identify causal relationships and how to use risk and control self-assessment (RCSA) and key risk indicators (KRIs) to measure and manage operational risks.
• Describe the allocation of operational risk capital and the use of scorecards.
• Explain how to use the power law to measure operational risk.
• Explain the risks of moral hazard and adverse selection when using insurance to mitigate operational risks.


Information Risk and Data Quality Management

Principles for Effective Data Aggregation and Risk Reporting


Information risk and data quality management

If successful business operations rely on high-quality data, then the opposite is likely to be true as well: flawed data will delay or obstruct the successful completion of business processes.

No enterprise risk management program is complete without instituting processes for assessing, measuring, reporting, reacting to, and controlling the risks associated with poor data quality.


Assess the potential negative impact poor data quality may have on a business.

1. Financial impacts: lower revenues or higher expenses. Increased operating costs, decreased revenues, missed opportunities, reduction or delays in cash flow, increased penalties, fines, or other charges.

2. Confidence-based impacts: managers may make incorrect business decisions based on faulty data. Decreased organizational trust, low confidence in forecasting, inconsistent operational and management reporting, delayed or improper decisions.

3. Satisfaction impacts: customers may become dissatisfied when the business processes faulty data (e.g., billing errors). Employees may become dissatisfied when they are unable to properly perform their job due to flawed data.


4. Productivity impacts: increased workloads, decreased throughput, increased processing time, decreased end-product quality.

5. Risk impacts: underestimating credit risks due to inaccurate documentation, thereby exposing a lender to potential losses. Underestimating investment risk, thereby exposing an investor to potential losses.

6. Compliance is jeopardized, whether that compliance is with government regulations, industry expectations, or self-imposed policies (such as privacy policies). A business may no longer be in compliance with regulations (e.g., Sarbanes-Oxley) if financial reports are inaccurate.

Despite the natural tendency to focus on financial impacts, in many environments the risk and compliance impacts are largely compromised by data quality issues.


Identify the most common issues which result in data errors.

• Data entry errors
• Missing data
• Duplicate records
• Inconsistent data
• Nonstandard formats
• Complex data transformations
• Failed identity management processes
• Undocumented, incorrect, or misleading metadata

All of these types of errors can lead to inconsistent reporting, inaccurate aggregation, invalid data mappings, incorrect product pricing, and failures in trade settlement, among other process failures.

• Employee Fraud and Abuse
• Underbilling and Revenue Assurance
• Credit Risk
• Development Risk
• Compliance Risk


Identify some key dimensions of data quality.

DATA QUALITY EXPECTATIONS

The first step toward managing the risks associated with the introduction of flawed data into the environment is articulating the business user expectations for data quality and asserting specifications that can be used to monitor organizational conformance to those expectations.

Accuracy. The degree to which data correctly reflects the real-world object. Measurement of accuracy can occur by manually comparing the data to an authoritative source of correct information.

Completeness. The completeness dimension specifies the expectations regarding the population of data attributes: the extent to which the expected attributes of data are provided (e.g., phone number).

Completeness does not necessarily imply accuracy.


Consistency. Consistency refers to measuring reasonable comparison of values in one data set to those in another data set.

Note that consistency does not necessarily imply accuracy.

There are three types of consistency:

1. Record level: consistency between one set of data values and another set within the same record.
2. Cross-record level: consistency between one set of data values and another set in different records.
3. Temporal level: consistency between one set of data values and another set within the same record at different points in time.

Reasonableness. This dimension is used to measure conformance to consistency expectations relevant within specific operational contexts.

Currency. This dimension measures the degree to which information is current with the world that it models.

Uniqueness. This dimension measures the number of inadvertent duplicate records that exist within a data set or across data sets.


Describe the operational data governance process and differentiate between data quality inspection and data validation.

Operational data governance is the manifestation of the processes and protocols necessary to ensure that an acceptable level of confidence in the data effectively satisfies the organization’s business needs.

Operational data governance refers to the collective set of rules and processes regarding data that allow an organization to have sufficient confidence in the quality of its data.

A data governance program defines the roles, responsibilities, and accountabilities associated with managing data quality. A data quality scorecard could be used to monitor the success of such a program.

Operational data governance combines the ability to identify data errors as early as possible with the process of initiating the activities necessary to address those errors to avoid or minimize any downstream impacts.


o Data Quality Inspection vs. Data Validation

While the data validation process (a one-time step) reviews and measures conformance of data with a set of defined business rules, inspection is an ongoing process to:

• Reduce the number of errors to a reasonable and manageable level.
• Enable the identification of data flaws along with a protocol for interactively making adjustments to enable the completion of the processing stream.
• Institute a mitigation or remediation of the root cause within an agreed-to time frame. Solve the cause of the errors and flaws in a timely manner.

The goal of data quality inspection is to catch issues early on before they have a substantial negative impact on business operations.


Summarize the process of creating a data quality scorecard and compare three different viewpoints for reporting data via a data quality scorecard

o Essentially, the need to present higher-level data quality scores introduces a distinction between two types of metrics.

“Base-level” metrics. The simple metrics based on measuring against defined dimensions of data quality. They quantify specific observance of acceptable levels of defined data quality rules.

“Complex” metrics. Representing a rolled-up score computed as a function (such as a sum) of applying specific weights to a collection of existing metrics, both base-level and complex.

Complex data quality metrics can be accumulated for reporting in a scorecard in one of three different views: by issue, by business process, or by business impact.


Data Quality Issues View

Evaluating the impacts of a specific data quality issue across multiple business processes demonstrates the diffusion of pain across the enterprise caused by specific data flaws.

This scorecard scheme, which is suited to data analysts attempting to prioritize tasks for diagnosis and remediation, provides a rolled-up view of the impacts attributed to each data issue. Drilling down through this view sheds light on the root causes of impacts of poor data quality, as well as identifying “rogue processes” that require greater focus for instituting monitoring and control processes.

Business Process View

A scorecard view by business process. For each business process, this scorecard scheme consists of complex metrics representing the impacts associated with each issue. The drill-down in this view can be used for isolating the source of the introduction of data issues at specific stages of the business process as well as informing the data stewards in diagnosis and remediation.


Business Impact View

Business impacts may have been incurred as a result of a number of different data quality issues originating in a number of different business processes.

This reporting scheme displays the aggregation of business impacts rolled up from the different issues across different process flows.

For example, one scorecard could report rolled-up metrics documenting the accumulated impacts associated with credit risk, compliance with privacy protection, and decreased sales. Drilling down through the metrics will point to the business processes from which the issues originate; deeper review will point to the specific issues within each of the business processes. This view is suited to a more senior manager seeking a high-level overview of the risks associated with data quality issues, and how that risk is introduced across the enterprise.
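An added example, not part of the original slides: base-level metrics for three of the dimensions defined earlier (completeness, uniqueness, record-level consistency) are measured on constructed records, weighted, and rolled up into complex metrics for the three scorecard views, with a drill-down. The record fields, rule names, impact categories and weights are all assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Assumed weights: how much of each issue's failure rate is attributed to
# each business impact. Illustrative values, not taken from the slides.
IMPACT_WEIGHTS = {
    "missing_counterparty": {"credit_risk": 0.6, "compliance": 0.4},
    "duplicate_record": {"financial": 1.0},
    "settle_before_trade": {"financial": 0.5, "compliance": 0.5},
}

# Constructed sample records (not real data); field names are assumptions.
RECORDS = [
    {"id": "T1", "process": "trade_capture", "counterparty": "CP-001",
     "trade_date": "2015-06-01", "settle_date": "2015-06-03"},
    {"id": "T2", "process": "trade_capture", "counterparty": "",
     "trade_date": "2015-06-01", "settle_date": "2015-06-03"},
    {"id": "T3", "process": "trade_capture", "counterparty": "CP-002",
     "trade_date": "2015-06-05", "settle_date": "2015-06-02"},
    {"id": "T3", "process": "trade_capture", "counterparty": "CP-002",
     "trade_date": "2015-06-05", "settle_date": "2015-06-02"},
    {"id": "B1", "process": "billing", "counterparty": "CP-001",
     "trade_date": "2015-06-02", "settle_date": "2015-06-04"},
    {"id": "B2", "process": "billing", "counterparty": None,
     "trade_date": "2015-06-02", "settle_date": "2015-06-04"},
]


def base_metrics(records):
    """Base-level metrics: failure rate of each rule per business process."""
    seen_ids = set()
    totals = Counter()
    failures = Counter()
    for rec in records:
        proc = rec["process"]
        totals[proc] += 1
        # Completeness: the expected attribute must be populated.
        if not rec.get("counterparty"):
            failures[("missing_counterparty", proc)] += 1
        # Uniqueness: every record after the first with the same id counts
        # as an inadvertent duplicate.
        if rec["id"] in seen_ids:
            failures[("duplicate_record", proc)] += 1
        seen_ids.add(rec["id"])
        # Record-level consistency: two values within the same record must
        # agree (ISO-8601 date strings order correctly as text).
        if rec["settle_date"] < rec["trade_date"]:
            failures[("settle_before_trade", proc)] += 1
    return {(issue, proc): failures[(issue, proc)] / totals[proc]
            for issue in IMPACT_WEIGHTS for proc in totals}


def score_cells(base):
    """Apply the weights: one cell per (issue, process, impact)."""
    return {(issue, proc, impact): rate * weight
            for (issue, proc), rate in base.items()
            for impact, weight in IMPACT_WEIGHTS[issue].items()}


VIEW_AXIS = {"issue": 0, "process": 1, "impact": 2}


def scorecard(cells, view, where=None):
    """Complex metric: sum the weighted cells along one view.

    `where` restricts the roll-up for drill-down, e.g.
    {"impact": "compliance"} with view="process".
    """
    where = where or {}
    rolled = defaultdict(float)
    for key, value in cells.items():
        if all(key[VIEW_AXIS[axis]] == wanted
               for axis, wanted in where.items()):
            rolled[key[VIEW_AXIS[view]]] += value
    return {name: round(total, 4) for name, total in rolled.items()}


if __name__ == "__main__":
    cells = score_cells(base_metrics(RECORDS))
    for view in VIEW_AXIS:
        print(view, scorecard(cells, view))
    # Drill down from the business impact view to the originating processes.
    print("compliance by process",
          scorecard(cells, "process", {"impact": "compliance"}))
```

The three views are different groupings of the same weighted cells, so their totals agree; only the axis a reader drills along changes.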


1 - Which of the following viewpoints regarding data quality scorecards is best described as providing a high-level understanding of the risks embedded in data quality problems?

A. Business impact view.

B. Business process view.

C. Data quality issues view.

D. Data process issues view.


SUMMARY OF IDEAS

Flawed data will delay or obstruct the successful completion of business processes.

Negative impacts of poor data quality: financial, confidence-based, satisfaction, productivity, risk, compliance.

Data errors can lead to inconsistent reporting, inaccurate aggregation…

Key dimensions of data quality: accuracy, completeness, consistency, reasonableness, currency, uniqueness.

Operational data governance

Data Quality Inspection vs. Data Validation

Data Quality / Business Process / Business Impact


Principles for Effective Data Aggregation and Risk Reporting


o Identify Principles for effective risk data aggregation and risk reporting

One of the most significant lessons learned from the global financial crisis that began in 2007 was that banks’ information technology (IT) and data architectures were inadequate to support the broad management of financial risks.

Many banks lacked the ability to aggregate risk exposures and identify concentrations quickly and accurately at the bank group level, across business lines and between legal entities.

Some banks were unable to manage their risks properly because of weak risk data aggregation capabilities and risk reporting practices.

This had severe consequences to the banks themselves and to the stability of the financial system as a whole.

In response, the Basel Committee issued supplemental Pillar 2 (supervisory review process) guidance to enhance banks’ ability to identify and manage bank-wide risks.


o “risk data aggregation” (RDA) means:

defining, gathering and processing risk data according to the bank’s risk reporting requirements to enable the bank to measure its performance against its risk tolerance/appetite.

This includes sorting, merging or breaking down sets of data.

o The paper presents a set of principles to strengthen banks’ risk data aggregation capabilities and internal risk reporting practices (the Principles). In turn, effective implementation of the Principles is expected to enhance risk management and decision-making processes at banks.

o The adoption of these Principles will enable fundamental improvements to the management of banks. The Principles are expected to support a bank’s efforts to:


o The Principles are initially addressed to SIBs and apply at both the banking group and on a solo basis. Banks identified as G-SIBs by the FSB in November 2011 or November 2012 must meet these Principles by January 2016; G-SIBs designated in subsequent annual updates will need to meet the Principles within three years of their designation.

o It is strongly suggested that national supervisors also apply these Principles to banks identified as D-SIBs by their national supervisors three years after their designation as D-SIBs.

o The Principles and supervisory expectations contained in this paper apply to a bank’s risk management data. This includes data that is critical to enabling the bank to manage the risks it faces. Risk data and reports should provide management with the ability to monitor and track risks relative to the bank’s risk tolerance/appetite.


o These Principles also apply to all key internal risk management models, including but not limited to, Pillar 1 regulatory capital models (eg internal ratings-based approaches for credit risk and advanced measurement approaches for operational risk), Pillar 2 capital models and other key risk management models (eg value-at-risk).

o All the Principles included in this paper are also applicable to processes that have been outsourced to third parties.

The Principles cover four closely related topics:

• Overarching governance and infrastructure
• Risk data aggregation capabilities
• Risk reporting practices
• Supervisory review, tools and cooperation

o Banks should develop forward looking reporting capabilities to provide early warnings of any potential breaches of risk limits that may exceed the bank’s risk tolerance/appetite.

o These risk reporting capabilities should also allow banks to conduct a flexible and effective stress testing which is capable of providing forward-looking risk assessments. Supervisors expect risk management reports to enable banks to anticipate problems and provide a forward looking assessment of risk.


Explain the potential benefits of having effective risk data aggregation and reporting.

Enhance the infrastructure for reporting key information, particularly that used by the board and senior management to identify, monitor and manage risks;

Improve the decision-making process throughout the banking organisation;

Enhance the management of information across legal entities, while facilitating a comprehensive assessment of risk exposures at the global consolidated level;

Reduce the probability and severity of losses resulting from risk management weaknesses;

Improve the speed at which information is available and hence decisions can be made; and

Improve the organisation’s quality of strategic planning and the ability to manage the risk of new products and services.


• An increased ability to anticipate problems.

• In times of financial stress, effective risk data aggregation enhances a bank’s ability to identify routes to return to financial health. For example, a bank may be better able to identify a suitable merger partner in order to restore the bank’s financial viability.

• Improved resolvability.

• By strengthening a bank’s risk function, the bank is better able to make strategic decisions, increase efficiency, reduce the chance of loss, and ultimately increase profitability.


Describe key governance principles related to risk data aggregation and risk reporting practices.

Principle 1 Governance

A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee.

o The governance principle suggests that risk data aggregation should be part of the bank's overall risk management framework.

o To ensure that adequate resources are devoted, senior management should approve the framework before implementation.

A bank’s risk data aggregation capabilities and risk reporting practices should be:

Fully documented and subject to high standards of validation. This validation should be independent, using staff with specific IT, data and reporting expertise.


Considered as part of any new initiatives, including acquisitions and/or divestitures, new product development, as well as broader process and IT change initiatives. When considering a material acquisition, a bank’s due diligence process should assess the risk data aggregation capabilities and risk reporting practices of the acquired entity, as well as the impact on its own risk data aggregation capabilities and risk reporting practices. The impact on risk data aggregation should be considered explicitly by the board and inform the decision to proceed.

The bank should establish a timeframe to integrate and align the acquired risk data aggregation capabilities and risk reporting practices within its own framework.

Unaffected by the bank’s group structure. The group structure should not hinder risk data aggregation capabilities at a consolidated level or at any relevant level within the organisation (eg sub-consolidated level, jurisdiction of operation level). In particular, risk data aggregation capabilities should be independent from the choices a bank makes regarding its legal organisation and geographical presence.

A bank’s senior management should be fully aware of and understand the limitations that prevent full risk data aggregation, in terms of coverage (eg risks not captured or subsidiaries not included), in technical terms (eg model performance indicators or degree of reliance on manual processes) or in legal terms (legal impediments to data sharing across jurisdictions).

The board should also be aware of the bank’s implementation of, and ongoing compliance with the Principles set out in this document.


Identify the data architecture and IT infrastructure features that can contribute to effective risk data aggregation and risk reporting practices.

Principle 2 Data architecture and IT infrastructure.

A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles.

Principle 2 requires that:

Risk data aggregation capabilities and risk reporting practices should be given direct consideration as part of a bank’s business continuity planning processes and be subject to a business impact analysis.


A bank should establish integrated data taxonomies and architecture across the banking group, which includes information on the characteristics of the data (metadata), as well as use of single identifiers and/or unified naming conventions for data including legal entities, counterparties, customers and accounts.

Multiple data models may be used as long as there are robust automated reconciliation measures in place.

Roles and responsibilities should be established as they relate to the ownership and quality of risk data and information for both the business and IT functions. The owners (business and IT functions), in partnership with risk managers, should ensure there are adequate controls throughout the lifecycle of the data and for all aspects of the technology infrastructure. The role of the business owner includes ensuring data is correctly entered by the relevant front office unit, kept current and aligned with the data definitions, and also ensuring that risk data aggregation capabilities and risk reporting practices are consistent with firms’ policies.


Describe characteristics of a strong risk data aggregation capability and demonstrate how these characteristics interact with one another.

Principle 3 Accuracy and Integrity

A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimise the probability of errors.

Controls surrounding risk data should be as robust as those applicable to accounting data.

Where a bank relies on manual processes and desktop applications (eg spreadsheets, databases) and has specific risk units that use these applications for software development, it should have effective mitigants in place (eg end-user computing policies and procedures) and other effective controls that are consistently applied across the bank’s processes.


Risk data should be reconciled with bank’s sources, including accounting data where appropriate, to ensure that the risk data is accurate.

A bank should strive towards a single authoritative source for risk data per each type of risk.

A bank’s risk personnel should have sufficient access to risk data to ensure they can appropriately aggregate, validate and reconcile the data to risk reports.

As a precondition, a bank should have a “dictionary” of the concepts used, such that data is defined consistently across an organisation.

There should be an appropriate balance between automated and manual systems. Where professional judgements are required, human intervention may be appropriate. For many other processes, a higher degree of automation is desirable to reduce the risk of errors.

Banks must document and explain all of their risk data aggregation processes whether automated or manual (judgement based or otherwise). Documentation should include an explanation of the appropriateness of any manual workarounds, a description of their criticality to the accuracy of risk data aggregation and proposed actions to reduce the impact.

Supervisors expect banks to measure and monitor the accuracy of data and to develop appropriate escalation channels and action plans to be in place to rectify poor data quality.


Principle 4 Completeness

A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations and emerging risks.

Principle 4 requires that:

A bank’s risk data aggregation capabilities should include all material risk exposures, including those that are off-balance sheet. Both on- and off-balance sheet risks should be aggregated.

A banking organisation is not required to express all forms of risk in a common metric or basis, but risk data aggregation capabilities should be the same regardless of the choice of risk aggregation systems implemented. However, each system should make clear the specific approach used to aggregate exposures for any given risk measure, in order to allow the board and senior management to assess the results properly.

Supervisors expect banks to produce aggregated risk data that is complete and to measure and monitor the completeness of their risk data. Where risk data is not entirely complete, the impact should not be critical to the bank’s ability to manage its risks effectively. Supervisors expect banks’ data to be materially complete, with any exceptions identified and explained.

Principle 5 Timeliness

A bank should be able to generate aggregate and up-to-date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability. The precise timing will depend upon the nature and potential volatility of the risk being measured as well as its criticality to the overall risk profile of the bank. The precise timing will also depend on the bank-specific frequency requirements for risk management reporting, under both normal and stress/crisis situations, set based on the characteristics and overall risk profile of the bank.

Principle 5 requires that:

A bank’s risk data aggregation capabilities should ensure that it is able to produce aggregate risk information on a timely basis to meet all risk management reporting requirements.

Critical risks include, but are not limited to:

The aggregated credit exposure to a large corporate borrower. By comparison, groups of retail exposures may not change as critically in a short period of time but may still include significant concentrations;

Counterparty credit risk exposures, including, for example, derivatives;

Trading exposures, positions, operating limits, and market concentrations by sector and region data;

Liquidity risk indicators such as cash flows/settlements and funding; and

Time-critical Operational risk indicators (eg systems availability, unauthorised access).

Principle 6 Adaptability

A bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs and requests to meet supervisory queries.

Adaptability will enable banks to conduct better risk management, including forecasting information, as well as to support stress testing and scenario analyses.

Data aggregation processes that are flexible and enable risk data to be aggregated for assessment and quick decision-making;

Capabilities for data customisation to users’ needs (eg dashboards, key takeaways, anomalies), to drill down as needed, and to produce quick summary reports;

Capabilities to incorporate new developments on the organisation of the business and/or external factors that influence the bank’s risk profile; and

Capabilities to incorporate changes in the regulatory framework.

Supervisors expect banks to be able to generate subsets of data based on requested scenarios or resulting from economic events.

Describe characteristics of effective risk reporting practices

o Accurate, complete and timely data is a foundation for effective risk management.

o However, data alone does not guarantee that the board and senior management will receive appropriate information to make effective decisions about risk.

o To manage risk effectively, the right information needs to be presented to the right people at the right time. Risk reports based on risk data should be accurate, clear and complete.

Principle 7 Accuracy.

Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.

o Risk management reports should be accurate and precise to ensure a bank’s board and senior management can rely with confidence on the aggregated information to make critical decisions about risk.

Defined requirements and processes to reconcile reports to risk data;

Automated and manual edit and reasonableness checks, including an inventory of the validation rules that are applied to quantitative information. The inventory should include explanations of the conventions used to describe any mathematical or logical relationships that should be verified through these validations or checks; and

Integrated procedures for identifying, reporting and explaining data errors or weaknesses in data integrity via exceptions reports.

Supervisors expect banks to consider accuracy requirements analogous to accounting materiality.

Principle 8 Comprehensiveness

Risk management reports should cover all material risk areas within the organisation. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients. Risk management reports should include exposure and position information for all significant risk areas (eg credit risk, market risk, liquidity risk, operational risk) and all significant components of those risk areas (eg single name, country and industry sector for credit risk). Risk management reports should also cover risk-related measures (eg regulatory and economic capital).

Reports should identify emerging risk concentrations, provide information in the context of limits and risk appetite/tolerance and propose recommendations for action where appropriate. Risk reports should include the current status of measures agreed by the board or senior management to reduce risk or deal with specific risk situations. This includes providing the ability to monitor emerging trends through forward-looking forecasts and stress tests.

For example, an aggregated risk report should include, but not be limited to, the following information:

capital adequacy, regulatory capital, capital and liquidity ratio projections, credit risk, market risk, operational risk, liquidity risk, stress testing results, inter- and intra-risk concentrations, and funding positions and plans.

Principle 9 Clarity and usefulness.

Risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include meaningful information tailored to the needs of the recipients.

A bank’s risk reports should contribute to sound risk management and decision-making by their relevant recipients, including, in particular, the board and senior management. Risk reports should ensure that information is meaningful and tailored to the needs of the recipients. Reporting policies and procedures should recognise the differing information needs of the board, senior management, and the other levels of the organisation (for example risk committees). Reports should include an appropriate balance between risk data, analysis and interpretation, and qualitative explanations.

The board should alert senior management when risk reports do not meet its requirements and do not provide the right level and type of information to set and monitor adherence to the bank’s risk tolerance/appetite. The board should indicate whether it is receiving the right balance of detail and quantitative versus qualitative information.

Senior management is also a key recipient of risk reports and it is responsible for determining its own risk reporting requirements. Senior management should ensure that it is receiving relevant information that will allow it to fulfil its management mandate relative to the bank and the risks to which it is exposed.

A bank should develop an inventory and classification of risk data items which includes a reference to the concepts used to elaborate the reports.

Supervisors expect a bank to confirm periodically with recipients that the information aggregated

Principle 10 Frequency

The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision-making across the bank. The frequency of reports should be increased during times of stress/crisis.

The frequency of risk reports will vary according to the type of risk, purpose and recipients. A bank should assess periodically the purpose of each report and set requirements for how quickly the reports need to be produced in both normal and stress/crisis situations. A bank should routinely test its ability to produce accurate reports within established timeframes, particularly in stress/crisis situations.

Supervisors expect that in times of stress/crisis all relevant and critical credit, market and liquidity position/exposure reports are available within a very short period of time to react effectively to evolving risks. Some position/exposure information may be needed immediately (intraday) to allow for timely and effective reactions.

Principle 11 Distribution.

Risk management reports should be distributed to the relevant parties while ensuring confidentiality is maintained. Procedures should be in place to allow for rapid collection and analysis of risk data and timely dissemination of reports to all appropriate recipients. This should be balanced with the need to ensure confidentiality as appropriate.

Supervisors expect a bank to confirm periodically that the relevant recipients receive timely reports.

Supervisory review, tools and cooperation.

Principle 12 Review.

Supervisors should periodically review and evaluate a bank’s compliance with the eleven Principles above.

Principle 13 Remedial actions and supervisory measures.

Supervisors should have and use the appropriate tools and resources to require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting practices. Supervisors should have the ability to use a range of tools, including Pillar 2.

Principle 14 Home/host cooperation

Supervisors should cooperate with relevant supervisors in other jurisdictions regarding the supervision and review of the Principles, and the implementation of any remedial action if necessary.

2 - A bank should include information on data characteristics (metadata) and naming conventions for legal entities, counterparties, customers, and account data in aggregated risk data. This is suggested by the Basel Committee on Banking Supervision in the principle related to:

A. accuracy.

B. completeness.

C. clarity and usefulness.

D. data architecture and infrastructure.

Summary of ideas

Risk data aggregation: the Principles are expected to enhance risk management and decision-making processes at banks.

Potential benefits of having effective risk data aggregation and reporting: Reporting key information. Improve the decision-making process. Facilitating a comprehensive assessment of risk exposures. Improved resolvability. Reduce the probability and severity of losses. Anticipate problems. Improve the speed which information. Improve the organisation’s quality of strategic planning…

Overarching governance and infrastructure. Principle 1: Strong governance arrangements. Principle 2: Design, build and maintain data architecture and IT infrastructure.

Risk data aggregation capabilities. Principles 3-6 specify standards and requirements for effective risk data aggregation.

Risk reporting practices. Principles 7-11 specify standards and requirements for effective risk reporting practices. To manage risk effectively, the right information needs to be presented to the right people at the right time. Risk reports based on risk data should be accurate, clear and complete.

Supervisory review, tools and cooperation. Principles 12-14.

Operational risk

Introductory concepts

Operational risk management cycle

Basel II

Advanced operational risk models

Definition of the word "risk"

• The Dictionary of the Real Academia Española de la Lengua defines risk as:

1. Contingency or proximity of harm.

2. Each of the contingencies that may be the subject of an insurance contract.

And in a COMPANY?

A company's risk consists of the uncertainty of achieving the expected results as a consequence of certain events that prevent it. Some of these events are “foreseeable”, others “unexpected”.

What is operational risk?

Is it a new risk that did not exist before?

• No. Operational risk is the oldest of all risks. It is present in every kind of business and is part of our daily lives.

• It is inherent in any activity that involves people and technology.

• In banking, operational risk predates credit risk and market risk.

Where can operational risk arise?

– It is present in every kind of business and is part of our daily lives.

Examples of operational risk

• We skip a control.

• An employee forges a signature.

• We fail to apply a tax withholding.

• The IT system is unavailable.

• Incorrect legal documentation.

• A bank branch catches fire.

• We give a client poor advice.

• The institution's name is linked to a money-laundering scandal.

• We enter a data item of a transaction incorrectly.

If it is something so old, why this recent interest?

• Because, as we will see later, operational risk is closely related to processes (more specifically, though not only, to some kind of error in them), and the complexity of those processes is currently increasing exponentially.

• The consequence: an increase in the probability of error and in its cost.

• Direct costs. Losses suffered by institutions.

• Indirect costs. Cost of implementing regulatory changes.

But how much can operational risk cost?

The ORX Global Operational Risk Database is the world’s largest operational risk loss data resource.

- At 30 June 2013 the Database contained 327,465 loss events worth a total value of €166,092,571,314.

- At 30 September 2014 the Banking Database contained 406,939 loss events worth a total value of €230,802,382,321 (+ 39% up)

But how much can a single event cost?

[Figure: bar chart, "How much can an operational risk event cost?". Axis: 0 € to 5.000 €. Bars: Madoff, Societe Generale, Sumitomo Bank, UBS, Daiwa Bank, Baring Bank, Allied Irish Bank, Bank of Scotland, NBA, Bankers Trust, NatWest. Data labels shown: 50.000 million €, 4.700 million €, 1.500 million €, 1.370 M.]

■ February 2002—Allied Irish Bank ($691 million loss). A rogue trader, John Rusnack, hides three years of losing trades on the yen/dollar exchange rate at the U.S. subsidiary. The bank’s reputation is damaged.

■ March 1997—NatWest ($127 million loss). A swaption trader, Kyriacos Papouis, deliberately covers up losses by mispricing and overvaluing option contracts. The bank’s reputation is damaged. NatWest is eventually taken over by the Royal Bank of Scotland.

■ September 1996—Morgan Grenfell Asset Management ($720 million loss). A fund manager, Peter Young, exceeds his guidelines, leading to a large loss. Deutsche Bank, the German owner of MGAM, agrees to compensate the investors in the fund.

■ June 1996—Sumitomo ($2.6 billion loss). A copper trader amasses unreported losses over three years. Yasuo Hamanaka, known as “Mr. Five Percent,” after the proportion of the copper market he controlled, is sentenced to prison for forgery and fraud. The bank’s reputation is severely damaged.

■ September 1995—Daiwa ($1.1 billion loss). A bond trader, Toshihide Igushi, amasses unreported losses over 11 years at the U.S. subsidiary. The bank is declared insolvent.

■ February 1995—Barings ($1.3 billion loss). Nick Leeson, a derivatives trader, amasses unreported losses over two years. Barings goes bankrupt.

■ October 1994—Bankers Trust ($150 million loss). The bank becomes embroiled in a high-profile lawsuit with a customer that accuses it of improper selling practices. Bankers settles, but its reputation is badly damaged. It is later bought out by Deutsche Bank.

■ January 2008—Societe Generale (€ 4.700 m). During 2007 and early 2008, a trader, Jérôme Kerviel, built up large positions (€ 49.900 m) in equity index; the closing of those positions coincided with a market fall, which led to the loss mentioned.

■ September 2011—UBS (€ 1.500 m). In September 2011, the Swiss bank UBS announced that it had suffered losses of 1.500 million euros from unauthorised activity by its 31-year-old trader Kweku Adoboli.

■ Bank of Scotland (€615). An American televangelist began speaking ill of the Scots on his programme after this bank did not go ahead with the creation of a bank in the United States, in which the televangelist was going to hold a significant stake.

Regulatory changes.

– Financial institutions

• Basel II.

– For the first time, a capital charge for operational risk will be included

• MiFID (Markets in Financial Instruments Directive)

– Based on the "know your customer" concept

• MiFID II - 2017

– Insurance companies

• Solvency II - 2016

What is operational risk?

A broad definition (negative definition of other risk):

“Any financial risk other than Market and Credit risk” Jorion p 533

“Anything that is not Credit- or Market- Risk Related” Hoffman p 35

A narrow definition:

“Risk arising for Operations” Jorion p 537

“The risk that deficiencies in information systems or internal controls will result in unexpected losses” Schwartz and Smith p 40

The Basel definition:

“The risk of loss resulting from inadequate or failed internal processes, people and system, or external events. This definition includes legal risk, but excludes strategic and reputational risk.” Basel II

What does the Basel definition exclude?

• Strategic risk: risk arising from the choice of a wrong strategy for securing the maximum return on the capital employed.

• Business risk: risk arising from unfavourable changes in the tax, economic, regulatory or competitive environment. Some institutions do not distinguish between business risk and financial risk.

• Reputational risk: exposure to uncertainty of results as a consequence of events that may negatively affect the perception that stakeholders have of the Group.

What does the Basel definition include?

• Legal risk:

Risk that arises when a transaction is not provided for by law, or when the law is breached.

Occurs if contracts are not properly prepared and executed, or the counterparty claims lack of understanding and, therefore, the contract is unsuitable.

• Model risk:

Risk that arises when the wrong model or parameters are used in the valuation or hedging of a product.

It is not always possible to manage and measure operational risk

[Figure: diagram with the axes "Management" and "Measurement" positioning the risk types: Strategic and/or business; Operational (Basel - Solvency); Reputational; Regulatory.]

In operational risk, is size the only thing that matters?

Practical problem:

An institution has 2 weaknesses and a budget to fix only one of the two.

Based on the information provided, which of the two weaknesses should the institution address?

Weakness A: severity 1 m; frequency 100 times a year; annualised cost 100

Weakness B: severity 100m; frequency once every 100 years; annualised cost 1

Dimensions of operational risk

[Figure: chart with axes scaled from 0 to 5.]

• Loss frequency is defined as the number of losses over a specific time period (typically one year),

• and loss severity is defined as the value of financial loss suffered (i.e., the size of the loss).

[Figure: diagram relating market risk, credit risk and operational risk; labels: Causes, Impact.]

De Fontnouvelle, DeJesus-Rueff, Jordan and Rosengren (2003) find that the capital requirement for operational risk at large US financial institutions often exceeds the capital requirement for their market risk. Mo Chaudhury 2010

Operational risk is different from the others...

[Figure: chart with the axes "Profit" and "Risk" positioning market, credit and operational risk.]

It is not necessary to take on operational risk in order to make a profit.

“Operational risk is highly firm and operations specific, and unlike the market, credit, interest rate and foreign exchange risks, a higher level of operational risk exposure is not generally rewarded with a higher expected return” Mo Chaudhury 2010

RISK: risk factor; potential loss

LOSS: operational event; accounting loss

Summary of ideas

Why operational risk is important. – Direct costs & indirect costs

The concepts of frequency and severity.

Three definitions of operational risk. BIS

Difference between:

– Risk vs loss

– Risk factor vs event

– Potential loss vs accounting loss

Introductory concepts

Operational risk management cycle

Basel II

Advanced operational risk models

How can operational risk be managed?

• Option 1 - The ostrich strategy

• Option 2: Two approaches

OPERATIONAL RISK MEASUREMENT.

Drawing conclusions and making decisions

Loss, event

OPERATIONAL RISK MANAGEMENT.

• Passive management (measurement), ex post: loss, event

• Active management, ex ante: risk of loss, risk factor

Active operational risk management cycle

[Figure: cycle diagram with the steps Identify, Estimate or quantify, Mitigate and Monitor, and the label "Information".]

Op risk management does not ensure that nothing will go wrong, but instead focuses on identifying and assessing what can go wrong, on monitoring and reporting changes in risk, and mitigating and controlling the impact of any events that are threatening to occur, or that have occurred and need speedy

IDENTIFY

EVENTS THAT HAVE OCCURRED

• Process errors

• Legal

• Regulatory non-compliance

• Fraud

• Exceeding limits

• Loss of talent

• System outages

• Programming failures

• Damage to buildings

GROUP

CLASSIFICATION CRITERION

CLASSIFY

MANAGE THE INFORMATION

Processes

Fraud and unauthorised activities

Human resources

Technology

Disasters

What is late payment (arrears)?

WHY?

Basel II Event Type classification

Describe the Basel Committee’s seven categories of operational risk. (J. Hull)

1. Internal fraud: Acts of a type intended to defraud, misappropriate property, or circumvent regulations, the law, or company policy (excluding diversity or discrimination events which involve at least one internal party).

Examples include intentional misreporting of positions, employee theft, and insider trading on an employee’s own account.

Insider trading and unauthorized trading are captured under this category.

2. External fraud: Acts by a third party of a type intended to defraud, misappropriate property, or circumvent the law.

Examples include robbery, forgery, check kiting, and damage from computer hacking.

EF captures all events where there has been fraud, with no collusion or participation from an internal employee. High-profile operational risk (cyber security).

3. Employment practices and workplace safety: Acts inconsistent with employment, health, or safety laws or agreements, or which result in payment of personal injury claims, or claims relating to diversity or discrimination issues.

Examples include workers compensation claims, violation of employee health and safety rules, organized labor activities, discrimination claims, and general liability (for example, a customer slipping and falling at a branch office).

Captures losses that result from harm suffered by employees either due to workplace accident or due to mistreatment by the firm.


4. Clients, products, and business practices: Unintentional or negligent failure to meet a professional obligation to clients and the use of inappropriate products or business practices. Examples are fiduciary breaches, misuse of confidential customer information, improper trading activities on the bank’s account, money laundering, and the sale of unauthorized products.

Some of the largest events, as large legal losses are often captured here.

5. Damage to physical assets: Loss or damage to physical assets from natural disasters or other events.

Examples include terrorism, vandalism, earthquakes, fires, and floods.

Most events in this category will be covered, at least in part, by insurance.

6. Business disruption and system failures: Disruption of business or system failures.

Examples include hardware and software failures, telecommunication problems, and utility outages.

It is often best measured in lost opportunities, rather than direct losses.

7. Execution, delivery, and process management: Failed transaction processing or process management, and disputes with trade counterparties and vendors.

Examples include data entry errors, collateral management failures, incomplete legal documentation, unapproved access given to client accounts, nonclient counterparty misperformance, and vendor disputes.

High frequency category.

• “Consistency is more important than accuracy. As long as similar events are always [classified] in the same way, the operational risk management can be effective”


Examples by Basel II Event Type classification.

• Internal fraud: Allied Irish Bank, Barings, and Daiwa lost $700 million, $1 billion, and $1.4 billion, respectively, from fraudulent trading.

• External fraud: Republic New York Corp. lost $611 million because of fraud committed by a custodial client.

• Employment practices and workplace safety: Merrill Lynch lost $250 million in a legal settlement regarding gender discrimination.

• Clients, products, and business practices: Household International lost $484 million from improper lending practices; Providian Financial Corporation lost $405 million from improper sales and billing practices.

• Damage to physical assets: Bank of New York lost $140 million because of damage to its facilities related to the September 11, 2001, terrorist attack.

• Business disruption and system failures: Salomon Brothers lost $303 million from a change in computing technology.

• Execution, delivery, and process management: Bank of America and Wells Fargo Bank lost $225 million and $150 million, respectively, from systems integration failures and transaction processing failures.


Basel II operational risk classification (business lines)

• The following example is taken from Robert Ceske (of NetRisk) in P. Jorion's handbook (2001-2 edition).

• The business lines do not correspond exactly to those defined in Basel II, but they serve to give an idea:

• But are all banks the same? Do all departments of a bank do the same thing, and can they face the same problems? Can all banks and departments have the same operational risk profile?

• Commercial banking is exposed mainly to credit risk, less so to operational risk, and least to market risk.

• Investment banking, trading, and treasury management have greater exposure to market risk.

• By contrast, business lines such as retail brokerage and asset management are exposed primarily to operational risk. (Jorion, 4th ed.)


Basel classification matrix

ORC 3

ORC 2

ORC 1


• Capital calculation tools (capital calculation engine)

• Self-assessment tools (RCSA)

• Scenario analysis

• Operational risk indicators (KRI, KPI, KCI…)

• Operational loss databases

QUANTIFY

Operational risk indicators

Describe how to identify causal relationships and how to use risk and control self assessment (RCSA) and key risk indicators (KRIs) to measure and manage operational risks. (J. Hull)

BCBS (2002b) defines key risk indicators as follows: “risk indicators are statistics and/or metrics, often financial, which can provide insight into a bank’s risk position. These indicators tend to be reviewed on a periodic basis (such as monthly or quarterly) to alert banks to changes that may be indicative of risk concerns. Such indicators may include the number of failed trades, staff turnover rates and the frequency and/or severity of errors and omissions.”

PROACTIVE APPROACHES

• Causal relationships: Operational risk managers should try to establish causal relations between decisions taken and operational risk losses. One approach to establishing causal relationships is statistical.

• RCSA: Risk control and self-assessment (RCSA) is an important way in which banks try to achieve a better understanding of their operational risk exposures.

• KRI: The most important indicators are prospective. They provide an early warning system to track the level of operational risk in the organization. The hope is that key risk indicators can identify potential problems and allow remedial action to be taken before losses are incurred.

It is important for a bank to quantify operational risks, but it is even more important to take actions that control and manage those risks.

Examples of key risk indicators that could be appropriate in particular situations are:

1. Staff turnover

2. Number of failed transactions

3. Number of positions filled by temps

4. Ratio of supervisors to staff

5. Number of open positions

6. Percentage of staff that did not take 10 days consecutive leave in the last 12 months

MONITOR

Objectives of operational risk management in a company.

1. Eliminate operational risk (impossible)

2. Try to prevent events from occurring (frequency)

3. If they occur, try to make them cost as little as possible (severity)

4. If I cannot avoid them or reduce their cost, at least have the resources to pay for them (severity, capital)

MITIGATE

Once we have decided to take some kind of measure, what can we do?

FREQUENCY

Objective: Reduce the probability that the event occurs

Strategy: Improve internal controls

Examples: Barings, National Bank of Australia, Allied Irish Banks

SEVERITY

Objective: Reduce the economic impact of the event

Strategy: Improve internal controls; contingency plans; continuity plans; risk transfer (insurance)

Examples: September 11

Although insurance is available for some types of operational risk (e.g., damage to physical assets, business disruption and system failure, et cetera), the insurance policies can be quite expensive, may entail risks of cancellation or lack of compliance by the insurer, and there is a cap on regulatory capital relief for insurance of operational risk.


Internal control methods consist of:

• Separation of functions: Individuals responsible for committing should not perform clearance and accounting functions.

• Dual entries: Entries (inputs) should be matched from two different sources, that is, the trade ticket and the confirmation by the back office.

• Reconciliations: Results (outputs) should be matched from different sources, for instance the trader’s profit estimate and the computation by the middle office.

• Tickler systems: Important dates for a transaction (e.g., settlement, exercise dates) should be entered into a calendar system that automatically generates a message before the due date.

• Controls over amendments: Any amendment to original deal tickets should be subject to the same strict controls as original trade tickets.

External control methods consist of:

• Confirmations: Trade tickets need to be confirmed with the counterparty, which provides an independent check on the transaction.

• Verification of prices: To value positions, prices should be obtained from external sources. This also implies that an institution should have the capability of valuing a transaction in-house before entering it.

• Authorization: The counterparty should be provided with a list of personnel authorized to trade, as well as a list of allowed transactions.

• Settlement: The payment process itself can indicate if some of the terms of the transaction have been incorrectly recorded, for instance, as the first cash payments on a swap are not matched across counterparties.

• Internal/external audits: These examinations provide useful information on potential weakness areas in the organizational structure or business process.
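The dual-entry, confirmation, amendment and tickler controls listed above can be run as a daily exception report. The following is an added example, not part of the original slides; the record fields, the two-day tickler window and the sample trades are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Record layouts are hypothetical; they only carry what the controls need.
@dataclass(frozen=True)
class Ticket:                       # front-office trade ticket
    trade_id: str
    trader: str
    counterparty: str
    notional: int
    price: str                      # kept as text so the match is exact
    settle: date
    amended_by: Optional[str] = None    # who changed the ticket after entry
    approved_by: Optional[str] = None   # who approved that amendment

@dataclass(frozen=True)
class Confirmation:                 # confirmation obtained by the back office
    trade_id: str
    counterparty: str
    notional: int
    price: str
    settle: date

MATCH_FIELDS = ("counterparty", "notional", "price", "settle")

def reconcile(tickets, confirmations, today, tickler_days=2):
    """Return (trade_id, control, detail) for every control exception."""
    confs = {c.trade_id: c for c in confirmations}
    exceptions = []
    for t in tickets:
        c = confs.pop(t.trade_id, None)
        if c is None:
            # Confirmations: no independent check exists for this trade.
            exceptions.append((t.trade_id, "confirmation",
                               "no counterparty confirmation"))
        else:
            # Dual entries: the two sources must agree field by field.
            for f in MATCH_FIELDS:
                if getattr(t, f) != getattr(c, f):
                    exceptions.append((t.trade_id, "dual-entry",
                                       f"{f}: ticket={getattr(t, f)} "
                                       f"confirmation={getattr(c, f)}"))
        # Controls over amendments + separation of functions: an amendment
        # needs an approver who is neither the trader nor the amender.
        if t.amended_by is not None and \
                t.approved_by in (None, t.trader, t.amended_by):
            exceptions.append((t.trade_id, "amendment",
                               "amendment lacks independent approval"))
        # Tickler: remind before the settlement date.
        if 0 <= (t.settle - today).days <= tickler_days:
            exceptions.append((t.trade_id, "tickler",
                               f"settles {t.settle.isoformat()}"))
    # Confirmations that match no ticket point to unrecorded trades.
    for orphan in confs:
        exceptions.append((orphan, "confirmation",
                           "confirmation without a trade ticket"))
    return exceptions

# Constructed sample data.
TODAY = date(2015, 7, 1)
TICKETS = [
    Ticket("T1", "alice", "BANK-A", 1_000_000, "1.1050", date(2015, 7, 10)),
    Ticket("T2", "bob", "BANK-B", 5_000_000, "1.1100", date(2015, 7, 15)),
    Ticket("T3", "bob", "BANK-C", 2_000_000, "1.1200", date(2015, 7, 2),
           amended_by="bob", approved_by="bob"),
]
CONFIRMATIONS = [
    Confirmation("T1", "BANK-A", 1_000_000, "1.1050", date(2015, 7, 10)),
    Confirmation("T3", "BANK-C", 2_000_000, "1.1020", date(2015, 7, 2)),
    Confirmation("T9", "BANK-D", 750_000, "1.0900", date(2015, 7, 20)),
]

if __name__ == "__main__":
    for trade_id, control, detail in reconcile(TICKETS, CONFIRMATIONS, TODAY):
        print(f"{trade_id:4} {control:13} {detail}")
```

An unconfirmed trade such as T2 is the kind of exception that stays invisible when the back office does not obtain confirmations.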


BoE Report on Barings / Interior Allied Irish Bank

Duty to Understand: Failures in the review by Mr Rusnak's superiors of the activity he carried out. However, Rusnak managed to convince management that using this type of account was more convenient because it eliminated the Back Office's workload.

Clear Responsibility: The reporting structure of the head of Markets was a matrix one, that is, he reported to local senior management and to the head of Markets at the parent company.

Relevant Internal Controls: The person responsible for ensuring that the trading activity delivered satisfactory results was also in charge of controlling that activity. In addition, he took advantage of a more important control weakness, which was the back office's failure to obtain confirmations.

Quick Resolution of Weaknesses: Lack of an adequate response when incidents were identified in Mr Rusnak's activity. Failures in fully implementing the recommendations of the auditors and supervisors, which meant that Mr Rusnak's superiors, as well as those responsible for accounting and the auditors, detected income that was inadequate for the use being made of the balance sheet.


• Like market VAR, the distribution of op. losses can be used to estimate expected losses as well as the amount of capital required to support this financial risk.

• Internal Capital Retention: This option reflects the pure retention of risk. In this case a bank simply allocates a certain amount of capital that it considers sufficient to cover potential losses.

• The expected loss represents the size of operational losses that should be expected to occur. Typically, this represents high frequency, low severity events. This type of loss is generally absorbed as an ongoing cost and managed through internal controls. Such losses are rarely disclosed.

• The unexpected loss represents the deviation between the quantile loss at some confidence level and the expected loss. Typically, this represents lower frequency, higher severity events. This type of loss is generally offset against capital reserves or transferred to an outside insurance company, when available. Such losses are sometimes disclosed publicly but often with little detail.

• The stress loss or catastrophic loss represents a loss in excess of the unexpected loss. By definition, such losses are very infrequent but extremely damaging to the institution. The Barings bankruptcy can be attributed, for instance, in large part to operational risk. This type of loss cannot be easily offset through capital allocation, as this would require too much capital. Ideally, it should be transferred to an insurance company. Due to their severity, such losses are disclosed publicly.


Explain the risks of moral hazard and adverse selection when using insurance to mitigate operational risks. (J. Hull)

• An important decision for operational risk managers is the extent to which operational risks should be insured against.

• Provided that the insurance company’s balance sheet satisfies certain criteria, a bank using AMA can reduce the capital (up to 20%).

• Moral Hazard: The risk that the existence of the insurance contract will cause the bank to behave differently than it otherwise would. This changed behavior increases the risks to the insurance company. Ways of dealing with it:

o A deductible in any insurance policy. This means that the bank is responsible for bearing the first part of any loss.

o A coinsurance provision in a policy. In this case, the insurance company pays a predetermined percentage (less than 100%) of losses in excess of the deductible.

o A policy limit. This is a limit on the total liability of the insurer.

• Adverse Selection: This is where an insurance company cannot distinguish between good and bad risks. It offers the same price to everyone and inadvertently attracts more of the bad risks. Ways of dealing with it:

o As time goes by, it gains more information about the bank’s operational risk control systems and loss data and may increase or reduce the premium charged.


SUMMARY OF IDEAS

Measurement approach vs. management of operational risk.

Operational risk management cycle.

o Identification.

o Measurement or quantification.

o Monitoring.

o Mitigation.

Risk classes and business lines.

Tools.

o Self-assessment tools.

o Indicators.

o Databases.

Mitigation procedures.

o Moral Hazard

o Adverse Selection


SUMMARY OF IDEAS: Mitigate

Assessment of the risk situation

Strategies:

• Avoid

• Reduce: frequency, severity

• Transfer: insurance, derivatives

• Bear: capital, non-transferable risk


3 - After conducting a detailed internal controls assessment, a trading firm sees that it is highly vulnerable to rogue trading. The company seeks to insure against this operational risk and requests insurance policy pricing from two insurers. Insurer A offers tiered pricing based on the trading firm's internal controls and Insurer B offers a single standard fee. Compared to Insurer A, Insurer B is exposing itself to more of which kind of risk?

A. Insurance fraud.

B. Moral hazard.

C. Adverse selection.

D. Reputational decline.


Introductory concepts

Operational risk management cycle

Basel II

Advanced operational risk models


Evolution of banking regulation

Basel II

• Inclusion of advanced credit risk models.

• Inclusion of a specific capital charge for operational risk.

• Operational risk placed on the same footing as credit and market risk.

• The higher the level of the management model used, the lower the minimum capital required.


Basel II

Pillar 1: CAPITAL

Pillar 2: SUPERVISION

Pillar 3: TRANSPARENCY

• Credit risk

• Market risk

• Operational risk

• Interest rate risk

OTHER RISKS

• Liquidity risk

• Strategic risk

• Reputational risk

• Others


Pillar I for operational risk

Basic

• Capital is calculated as 15% of the three-year average of the bank's gross income (Margen Bruto).

Standardised

• Capital is calculated by business line.

• Each line has a beta or coefficient.

Advanced

• Capital is calculated by capital calculation units (ORC), based on internal data.

Strong incentives to be at the advanced level:

1) A notable reduction in the capital charge.

2) Implementing tools to manage operational risk will lead to fewer adverse events (reduced losses).

3) Pillar 3 of the accord (transparency) makes risk management a competitive advantage.


Pillar 2: Supervisory review

• The Pillar 1 capital levels are minimums.

• The regulator may set higher levels if it sees fit, depending on the ability to manage operational risks that the entity demonstrates.

Pillar 3: Market transparency

• Obligation to publish regularly how operational risks are managed.

• The two most significant of these disclosures are the size of the capital charge and the technique used to calculate it.

• The size of the capital charge: the capital is the only comparable measure of exposure available.

• The technique used to calculate it: the technique used gives an indication of the sophistication of the institution's risk management and, to some extent, the emphasis accorded to the issue by the bank.


Compare three approaches for calculating regulatory capital. J. Hull

The Basic Indicator Approach.

• Banks using the Basic Indicator Approach must hold capital for operational risk equal to the average over the previous three years of a fixed percentage (denoted alpha) of positive annual gross income. Figures for any year in which annual gross income is negative or zero should be excluded from both the numerator and denominator when calculating the average. The charge may be expressed as follows:

$$K_{BIA} = \frac{\sum \left( GI_{1 \ldots n} \times \alpha \right)}{n}$$

where:

• $K_{BIA}$ = the capital charge under the Basic Indicator Approach

• $GI$ = annual gross income, where positive, over the previous three years

• $n$ = number of the previous three years for which gross income is positive

• $\alpha$ = 15%, which is set by the Committee, relating the industry wide level of required capital to the industry wide level of the indicator.

• Firms that use this approach are still encouraged to adopt all of the risk management elements that are outlined in the “Sound Practices” document.


The Standardised Approach

• The standardized approach is similar to the basic approach, except that different business lines have different multipliers or betas.

• The total capital charge is calculated as the three-year average of the simple summation of the regulatory capital charges across each of the business lines in each year. In any given year, negative capital charges (resulting from negative gross income) in any business line may offset positive capital charges in other business lines without limit. However, where the aggregate capital charge across all business lines within a given year is negative, then the input to the numerator for that year will be zero. The total capital charge may be expressed as:

$$K_{TSA} = \frac{\sum_{\text{years } 1-3} \max \left[ \sum \left( GI_{1-8} \times \beta_{1-8} \right),\ 0 \right]}{3}$$

• There are also 3 alternative standardized methods designed for companies that have difficulty dividing the information by business line.

Betas by Basel business line

Corporate finance: 18%

Trading and sales: 18%

Retail banking: 12%

Commercial banking: 15%

Payment and settlement: 18%

Agency services: 15%

Asset management: 12%

Retail brokerage: 12%
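The Basic Indicator and Standardised charges differ in how they treat a loss-making year, which is easiest to see by computing both on the same figures. This is an added example, not part of the original slides; the gross income figures are constructed, and returning zero when no year is positive is an assumption of this example.

```python
ALPHA = 0.15  # alpha from the slide on the Basic Indicator Approach

# Betas by business line, as listed in the table above.
BETAS = {
    "Corporate finance": 0.18,
    "Trading and sales": 0.18,
    "Retail banking": 0.12,
    "Commercial banking": 0.15,
    "Payment and settlement": 0.18,
    "Agency services": 0.15,
    "Asset management": 0.12,
    "Retail brokerage": 0.12,
}

def bia_capital(gross_income_by_year, alpha=ALPHA):
    """K_BIA: average of alpha * GI over the years with positive GI.

    Years with zero or negative gross income drop out of both the
    numerator and the denominator.
    """
    positive = [gi for gi in gross_income_by_year if gi > 0]
    if not positive:
        # Assumption of this example: the slides do not say what to do
        # when no year has positive gross income.
        return 0.0
    return sum(gi * alpha for gi in positive) / len(positive)

def tsa_yearly_charges(gi_by_year_and_line, betas=BETAS):
    """Per-year Standardised charge: sum of GI * beta, floored at zero."""
    charges = []
    for year in gi_by_year_and_line:
        unknown = set(year) - set(betas)
        if unknown:
            raise ValueError(f"unknown business line(s): {sorted(unknown)}")
        # Negative lines offset positive lines within the same year ...
        total = sum(gi * betas[line] for line, gi in year.items())
        # ... but a negative yearly total enters the average as zero.
        charges.append(max(total, 0.0))
    return charges

def tsa_capital(gi_by_year_and_line, betas=BETAS):
    """K_TSA: the floored yearly charges averaged over three years."""
    if len(gi_by_year_and_line) != 3:
        raise ValueError("the Standardised Approach averages exactly 3 years")
    return sum(tsa_yearly_charges(gi_by_year_and_line, betas)) / 3

# Constructed gross income per business line (in millions), three years.
SAMPLE_YEARS = [
    {"Retail banking": 100, "Trading and sales": -200, "Commercial banking": 50},
    {"Retail banking": 120, "Trading and sales": 40, "Commercial banking": 60},
    {"Retail banking": 130, "Trading and sales": -20, "Commercial banking": 70},
]
# Entity-level gross income per year is the sum over business lines.
ENTITY_GI = [sum(year.values()) for year in SAMPLE_YEARS]

if __name__ == "__main__":
    print("entity GI per year:", ENTITY_GI)
    print("TSA yearly charges:", tsa_yearly_charges(SAMPLE_YEARS))
    print("K_BIA =", round(bia_capital(ENTITY_GI), 2))
    print("K_TSA =", round(tsa_capital(SAMPLE_YEARS), 2))
```

On this sample the loss-making first year is dropped entirely under the Basic Indicator Approach, while under the Standardised Approach it contributes zero to the numerator and the divisor stays at three.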


• The Basel Committee has listed conditions that a bank must satisfy in order to use the standardized approach or the AMA approach. It expects large internationally active banks to move toward adopting the AMA approach through time. To use the standardized approach a bank must satisfy the following conditions:

1. The bank must have an operational risk management function that is responsible for identifying, assessing, monitoring, and controlling operational risk.

2. The bank must keep track of relevant losses by business line and must create incentives for the improvement of operational risk.

3. There must be regular reporting of operational risk losses throughout the bank.

4. The bank’s operational risk management system must be well documented.

5. The bank’s operational risk management processes and assessment system must be subject to regular independent reviews by internal auditors. It must also be subject to regular review by external auditors or supervisors or both.


Source: BdE, Guía para la aplicación del Método Estándar en la determinación de los recursos propios por riesgo operacional, 2008


Advanced Measurement Approaches (AMA)

• Under the AMA, the regulatory capital requirement will equal the risk measure generated by the bank’s internal operational risk measurement system using the quantitative and qualitative criteria for the AMA discussed below. Use of the AMA is subject to supervisory approval.

• The risk-reducing effect of insurance is recognised in operational risk measures, with a maximum capital reduction of 20% allowed on this account. Certain requirements must be met.

General requirements. Best practices + use test

• Active involvement of senior management and the board of directors in operational risk management.

• The model must be sound and fully integrated into the entity's risk measurement and management systems (use test).

• The entity must have sufficient resources both in the business lines and in the control and audit areas.

USE TEST. Verification that the model serves the active management of risk and is used daily by the organisation.

This requirement implies that a model whose sole purpose is the calculation of capital requirements would in no case be admissible. (Mª Ángeles Nieto, p. 172)

The bank’s system must be capable of allocating economic capital for operational risk across business lines in a way that creates incentives for the business lines to improve operational risk management.


Qualitative requirements. Objective: facilitate active risk management

• Have an independent operational risk management unit responsible for developing and implementing the calculation methodology.

• The operational risk measurement model must be fully integrated into the entity's risk management processes.

• There must be a system of regular reporting to the management of the business lines, to senior management and to the board of directors.

• The system must be sufficiently documented.

• It must be validated internally and externally. (Mª Ángeles Nieto, pp. 172-173)

Quantitative requirements.

• The model must be able to identify events located in the “tails” of the probability distribution that generate severe losses.

• Its operational risk measure must satisfy soundness criteria comparable to those of the IRB approach (1-year time horizon and 99.9% confidence level).

• The regulatory capital requirement must be the sum of the expected loss and the unexpected loss, unless the bank can demonstrate that it has measured the expected loss and is covering it in some way. (Mª Ángeles Nieto, p. 173). Unexpected loss.

• By default, capital is calculated as the sum of the calculation units, unless a different correlation is justified.

The four basic elements.

All AMA models must use the four basic elements of an operational risk measurement system:

Internal data - External data - Scenarios - Business environment and control factors.


SUMMARY OF IDEAS

• Capital for operational risk.

• Three pillars of BASEL II.

• Three operational risk measurement methodologies: BIA, STA, AMA.

From BIA to STA to AMA, the degree of complexity and risk sensitivity goes from - to +, and the level of capital requirements goes from + to -.

• Requirements to qualify for AMA.

- General

- Qualitative: “Sound Practices”

- Quantitative

- 4 basic elements of the model: 1. Internal data 2. External data 3. Scenario analysis 4. Business environment and internal control factors

Insurance: max. 20% reduction


SUMMARY OF IDEAS: Operational risk in Basel II

BASEL II

Pillar I: Capital requirements (market risk, credit risk, operational risk)

Pillar II: Supervisory review

Pillar III: Market discipline

Operational risk methodologies: Basic Indicator, Standardised Approach, Advanced Methodologies. From the first to the last, the degree of complexity and risk sensitivity goes from - to +, and the level of capital requirements goes from + to -.

Basic Indicator: alpha

Entity: 15%

Standardised Approach: beta by business line

Corporate finance: 18%

Trading and sales: 18%

Retail banking: 12%

Commercial banking: 15%

Payment and settlement: 18%

Agency services: 15%

Asset management: 12%

Retail brokerage: 12%

Advanced Methodologies: requirements

- General

- Qualitative

- Quantitative

- 4 basic elements of the model: 1. Internal data 2. External data 3. Scenario analysis 4. Business environment and internal control factors


SUMMARY OF IDEAS

[Figure: environment/control factors, scenario analysis, internal data, external data]


4 - The board of directors plays a key role in the process of creating a strong culture of risk management at an organization. As part of this role, one function that should be fulfilled by the board of directors is to:

A. Monitor the effectiveness of the company’s governance practices and make changes, if necessary, to ensure proper compliance.

B. Ensure that the interests of the company’s stakeholders are prioritized above its executives’ interests in order to maximize the potential return on investment.

C. Address issues that could potentially represent a conflict of interest by assigning committees composed exclusively of executive board members.

D. Establish a policy to address individual risk factors by either reducing, hedging, or avoiding exposure to each risk.


Introductory concepts

Operational risk management cycle

Basel II

Advanced operational risk models


Empirical approach – Theoretical basis

Problem to solve:

• Starting from a database of 1,000 years of losses, provide the best estimate of capital for the coming year at a 90% confidence level.

Losses by year:

Year    Amount
1910    15
1911    65
1912    8
…
2008    45
2009    25
2010    19

The same losses ordered by amount:

Position    Year    Amount
1           1915    1
2           1955    6
500         1975    50
900         1999    90
998         2000    200
999         1980    500
1,000       1929    1000


Empirical approach – In practice

Internal database: 5–10 years of data

Possible outcomes: underestimated capital, adequate capital, overestimated capital

Entity

Regulator / Supervisor


Derive a loss distribution from the loss frequency distribution and loss severity distribution using Monte Carlo simulations. (J. Hull)

Loss Distribution Approach (LDA) – Theoretical basis I

Internal database:

Frequency: Poisson (5)

Severity: Log (2,1)

Simulation    Frequency    Severities    Loss for the year
Year 1        2            5, 10         15
Year 2        3            3, 2, 12      17
…
Year n        1            25            25

Monte Carlo result:

Year    Amount
1       15
2       17
3       8
…
n-2     45
n-1     25
n       25


Loss Distribution Approach (LDA) – Theoretical basis II

Frequency distribution: Poisson, binomial distribution, negative binomial

Severity distribution: LogNormal

Simulation: Monte Carlo (convolution)

Capital: Basel II Op Capital

• The usual assumption is that loss severity is independent of loss frequency
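The empirical approach and the LDA simulation described in the slides above, worked through as an added example (this is not code from the original slides). It draws yearly losses from the Poisson (5) frequency and, as an assumption, reads "Log (2,1)" as a lognormal severity with mu = 2 and sigma = 1; the function names, the seed and the 50,000-year run length are choices made for this example.

```python
import math
import random


def poisson(rng, lam):
    """Draw one Poisson(lam) loss count (Knuth's multiplication method)."""
    limit, count, product = math.exp(-lam), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(n_years, lam=5.0, mu=2.0, sigma=1.0, seed=2015):
    """One LDA trial per year: N ~ Poisson(lam), then sum N lognormal severities.

    Frequency and severity are drawn independently, the usual LDA assumption.
    """
    rng = random.Random(seed)  # arbitrary fixed seed so runs are repeatable
    return [
        sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, lam)))
        for _ in range(n_years)
    ]


def empirical_quantile(losses, confidence):
    """Sort the yearly losses and read off position ceil(confidence * n)."""
    ordered = sorted(losses)
    position = max(1, math.ceil(round(confidence * len(ordered), 9)))
    return ordered[position - 1]


def share_of_windows_underestimating(losses, window, confidence):
    """Cut the history into consecutive `window`-year data sets and return the
    fraction whose own empirical quantile is below the full-history figure."""
    target = empirical_quantile(losses, confidence)
    starts = range(0, len(losses) - window + 1, window)
    windows = [losses[i:i + window] for i in starts]
    low = sum(1 for w in windows if empirical_quantile(w, confidence) < target)
    return low / len(windows)


if __name__ == "__main__":
    history = simulate_annual_losses(50_000)
    print("mean annual loss       :", round(sum(history) / len(history), 1))
    print("99.9% annual loss      :", round(empirical_quantile(history, 0.999), 1))
    print("10-year bases too low  :",
          share_of_windows_underestimating(history, 10, 0.999))
```

With only 10 yearly observations the 99.9% position is simply the largest year in the window, which is why almost every short internal database gives a lower figure than the long simulated history.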

Loss Distribution Approach (LDA) – Theoretical basis III

$$CAR_{LDA} = \sum_{i=1}^{8} \sum_{j=1}^{7} CAR_{ij}$$

If all the cells are added together, we are placing ourselves in the worst-case scenario: we are assuming a correlation of 1.

Matrix of business lines by risk classes:

Risk classes: processes, external fraud, internal fraud, technology, human resources, commercial practices, disasters

Business lines: corporate finance, trading and sales, retail banking, commercial banking, settlement and payments, agency services, asset management, retail brokerage


LDA approach – Fitting severity in practice

Sub-exponential / fat / heavy tail: LogNormal, LogNormal-Gamma, Log-Gamma, Generalised Pareto (GPD), Burr, Pareto, Log-logistic

Light tail: Exponential, Weibull, Gamma

Other: Mixture of distributions, Empirical (body), g and h


Explain how to use the power law to measure operational risk. (J. Hull)

$$\text{Prob}(v > x) = K x^{-\alpha}$$

where: v = loss variable; x = large value of v; K and α = constants

• De Fontnouvelle et al. (2003), using data on losses from vendors, found that the power law holds well for the large losses experienced by banks. This makes the calculation of VaR with high degrees of confidence such as 99.9% easier.

• The 99.9 percentile of the loss distribution can then be estimated using a closed equation or formula.

• When loss distributions are aggregated, the distribution with the heaviest tails tends to dominate.

• This means that the loss with the lowest alpha defines the extreme tails of the total loss distribution.

• Therefore, if all we are interested in is calculating the extreme tail of the total operational risk loss distribution, it may only be necessary to consider one or two business line/risk type combinations.
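The closed formula follows directly from the power law; this short derivation is added here and is not part of the original slides. With $\text{Prob}(v > x) = K x^{-\alpha}$ in the tail, the loss level $x_q$ that is exceeded with probability $1 - q$ satisfies

$$K x_q^{-\alpha} = 1 - q \quad\Longrightarrow\quad x_q = \left(\frac{K}{1-q}\right)^{1/\alpha}, \qquad x_{0.999} = (1000\,K)^{1/\alpha}.$$

If the tail is already known at a lower confidence level $p$, the constant $K$ drops out:

$$x_q = x_p \left(\frac{1-p}{1-q}\right)^{1/\alpha}.$$

For two loss types with $\alpha_1 < \alpha_2$, the ratio of their tail probabilities is

$$\frac{K_2 x^{-\alpha_2}}{K_1 x^{-\alpha_1}} = \frac{K_2}{K_1}\, x^{-(\alpha_2 - \alpha_1)} \longrightarrow 0 \quad \text{as } x \to \infty,$$

which is why the loss type with the lowest alpha defines the extreme tail of the aggregate.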


LDA approach – Fitting frequency in practice

Poisson: the mean frequency of losses equals the variance of the frequency of losses.

Binomial distribution: if the mean frequency is greater than the variance of the frequency.

Negative binomial: if the mean frequency is less than the variance.


LDA approach – Calculating operational risk capital in practice


Loss Distribution Approach (LDA) – In practice

[Figure: loss against time; inputs: environment and/or control factors, external data, internal data, scenarios]

The main purpose of supplementing the internal database with data from external databases or scenarios is to have an adequate representation of the significant events that can drive the capital figure, so as to make sure that the figure obtained is not underestimated.


Describe the common data issues that can introduce inaccuracies and biases in the estimation of loss frequency and severity distributions. (J. Hull)

Internal data:

• The tracking of internal loss event data is an essential prerequisite to the development and functioning of a credible operational risk measurement system. Internal loss data is crucial for tying a bank's risk estimates to its actual loss experience.

• There are two types of operational risk losses: high-frequency low-severity losses (HFLSLs) and low-frequency high-severity losses (LFHSLs). An example of the first is credit card fraud losses. An example of the second is rogue trader losses. A bank should focus its attention on LFHSLs. These are what create the tail of the loss distribution. A particular percentile of the total loss distribution can be estimated as the corresponding percentile of the total LFHSL distribution plus the average of the total HFLSL. Another reason for focusing on LFHSLs is that HFLSLs are often taken into account in the pricing of products. By definition, LFHSLs occur infrequently. Even if good records have been kept, internal data are liable to be inadequate, and must be supplemented with external data and scenario analysis.

• Traditionally, banks have done a much better job at documenting their credit risk losses than their operational risk losses. Also, in the case of credit risks, a bank can rely on a wealth of information published by credit rating agencies to assess probabilities of default and expected losses given default. Similar data on operational risk have not been collected in a systematic way.

• It is recommended that banks use internal data when estimating the frequency of losses and both internal and external data when estimating the severity of losses.


External data:

• A bank’s operational risk measurement system must use relevant external data, especially when there is reason to believe that the bank is exposed to infrequent, yet potentially severe, losses.

• There are two sources of external data.

o The first is data consortia, which are companies that facilitate the sharing of data between banks.

o The second is data vendors / public databases, who are in the business of collecting publicly available data in a systematic way.

• Both internal and external historical data must be adjusted for inflation.

• In addition, a scale adjustment should be made to external data.

• The effect of bank size on the size of a loss experienced is non-linear.

• Data from vendors cannot be used in the same way as internal data or data obtained through sharing arrangements because they are subject to biases. For example, only large losses are publicly reported, and the larger the loss, the more likely it is to be reported.

• Public data are most useful for determining relative loss severity.


Scenario analysis:

• A bank must use scenario analysis of expert opinion in conjunction with external data to evaluate its exposure to high-severity events.

• The aim of scenario analysis is to generate scenarios covering the full range of possible LFHSLs. Some of these scenarios might come from the bank’s own experience, some might be based on the experience of other banks, some might come from the work of consultants, and some might be generated by the risk management group in conjunction with senior management or business unit managers.

Describe how to use scenario analysis in instances when data is scarce. (J. Hull)

One difference between this scenario analysis and the normal one is that there is no model for determining losses and, if data is not available, the parameters of the loss severity distribution have to be estimated by the committee. One approach is to ask the committee to estimate an average loss and a “high loss” that the committee is 99% certain will not be exceeded. A lognormal distribution can then be fitted to the estimates.

• The advantage of generating scenarios using managerial judgment is that they include losses that the financial institution has never experienced, but could incur. The scenario analysis approach leads to management thinking actively and creatively about potential adverse events.
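One way to fit the lognormal to the committee's two estimates, as an added example (not code from the original slides). It assumes the "average loss" is the mean of the distribution and the "high loss" is its 99% quantile; the function names and the figures 20 and 100 are constructed for illustration.

```python
import math
from statistics import NormalDist


def fit_lognormal(average_loss, high_loss, certainty=0.99):
    """Return (mu, sigma) of a lognormal whose mean equals `average_loss` and
    whose `certainty` quantile equals `high_loss`.

    ln(mean) = mu + sigma^2 / 2  and  ln(quantile) = mu + z * sigma, so
    sigma^2 - 2*z*sigma + 2*ln(high_loss / average_loss) = 0.
    """
    if not (0 < average_loss < high_loss and 0.5 < certainty < 1):
        raise ValueError("need 0 < average_loss < high_loss, 0.5 < certainty < 1")
    z = NormalDist().inv_cdf(certainty)
    gap = math.log(high_loss / average_loss)
    discriminant = z * z - 2.0 * gap
    if discriminant < 0:
        # For any lognormal, quantile / mean <= exp(z^2 / 2), about 15 at 99%.
        raise ValueError("estimates are inconsistent with any lognormal")
    sigma = z - math.sqrt(discriminant)  # smaller root: the less dispersed fit
    mu = math.log(average_loss) - sigma * sigma / 2.0
    return mu, sigma


def lognormal_mean(mu, sigma):
    """Mean of a lognormal(mu, sigma)."""
    return math.exp(mu + sigma * sigma / 2.0)


def lognormal_quantile(mu, sigma, probability):
    """Loss level not exceeded with the given probability."""
    return math.exp(mu + sigma * NormalDist().inv_cdf(probability))


if __name__ == "__main__":
    # Constructed committee estimates: average loss 20, 99% "high loss" 100.
    mu, sigma = fit_lognormal(20.0, 100.0)
    print(f"mu={mu:.4f} sigma={sigma:.4f}")
    print("check mean     :", round(lognormal_mean(mu, sigma), 6))
    print("check 99% loss :", round(lognormal_quantile(mu, sigma, 0.99), 6))
    print("implied 99.9%  :", round(lognormal_quantile(mu, sigma, 0.999), 1))
```

The rejected case matters in a workshop: if the committee's "high loss" is more than about 15 times its average, no lognormal matches both numbers and one of the estimates has to be revisited.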


Business environment and internal control factors:

• In addition to using loss data, whether actual or scenario-based, a bank’s firm-wide risk assessment methodology must capture key business environment and internal control factors that can change its operational risk profile. These factors will make a bank’s risk assessments more forward-looking, more directly reflect the quality of the bank’s control and operating environments, help align capital assessments with risk management objectives, and recognize both improvements and deterioration in operational risk profiles in a more immediate fashion.

• John Hull - Business environment and internal control factors (BEICFs) should be taken into account when loss severity and loss frequency are estimated.


Describe the allocation of operational risk capital and the use of scorecards.

• Operational risk capital should be allocated to business units in a way that encourages them to improve their operational risk management.

• Methodologies

o Euler's Theorem

o Calculate incremental economic capital for each business unit and then allocate economic capital to business units in proportion to their incremental capital. (Incremental capital is the difference between the total economic capital with and without the business unit.)

o Work with the component economic capital

o Scorecard

• If a business unit can show that it has taken steps to reduce the frequency or severity of a particular risk, it should be allocated less capital.

• Note that it is not always optimal for a manager to reduce a particular operational risk. Sometimes the costs of reducing the risk outweigh the benefits of reduced capital so that return on allocated capital decreases.

• The overall result of operational risk assessment and operational risk capital allocation should be that business units become more sensitive to the need for managing operational risk.


SUMMARY OF IDEAS

LDA approach

Severity vs. frequency

Use the power law to measure operational risk.

Data issues: internal, external, scenarios, BEICFs

Operational risk capital allocation.

5 - According to Basel II, the basic indicator and standardized approaches to operational risk require banks to hold capital for operational risk equal to a fixed percentage of gross income. The difference between the two approaches is that under the standardized approach:

A. banks must calculate a capital requirement for each business line, rather than at the firm level as in the basic indicator approach.

B. banks must calculate separate capital requirement for rated and unrated exposures rather than at the firm level as in the basic indicator approach.

C. the capital requirement is a higher percentage of income than in the basic indicator approach.

D. the capital requirement is a lower percentage of income than in the basic indicator approach.


6 - A risk analyst is attempting to analyze a bank's operational loss severity distribution. However, historical data on operational risk losses is limited. Which of the following is the best way to address the issue?

A. Generate additional data using Monte Carlo simulation and merge it with the bank's operational losses.

B. Estimate the parameters of a Poisson distribution to model operational loss severity.

C. Estimate relevant probabilities using expected loss information that is published by credit rating agencies.

D. Merge external data from other banks with bank's internal data after making appropriate scale adjustment


7 - An operational risk manager is trying to compute the aggregate loss distribution for a firm's investment banking division. When using Monte Carlo simulation, which of the following loss frequency and loss severity distribution pairs is the most appropriate to use?

A. Poisson, normal

B. Poisson, lognormal

C. Binomial, lognormal

D. Binomial, normal


THANK YOU FOR YOUR ATTENTION


Question Answer

1 A

2 D

3 C

4 A

5 A

6 D

7 B
