Académique Documents
Professionnel Documents
Culture Documents
James Elder Director Credit Suisse First Boston (james.elder@csfb.com) OpRisk Europe, March 2004
The author makes no representation as to the accuracy or completeness of the information provided. The views expressed here are those of the author, and do not necessarily represent those of Credit Suisse First Boston or Credit Suisse Group.
Overview
Background The fundamental challenges in measuring OpRisk? The 4 elements of the AMA Practical implementation issues The irrelevance of small losses on the capital charge Correlation assumptions Implementing a scenario-based capital estimation approach Conclusion
Operational Risk
Background
Operational Risk
Not Relevant
(Otherwise would already be out of business!)
Operational Risk
Risks
Successive layers of protection each designed to protect against the possible breakdown of the one in front
Potential losses
Major OpRisk events more unlikely as they require alignment of holes in successive control layers
e.g. bad person; flawed systems; poor management; weak controls, on a bad day . . .
Risks
Some holes from active failures
Defences
Losses
Operational Risk
Risk taking decision depends on the ability to measure the risk of a transaction relative to its expected profitability Credit risk: Exposures can be measured as money lent, mark-to-market exposure of potential exposure. The risk can be estimated using credit ratings, market-based models and other tools Market risk: Positions can be decomposed into risk sensitivities and exposures. The risk can be quantified with scenarios, value-at-risk models, etc. Generally, market prices are observable/quoted & frequent
In both market and credit risk there is a direct linkage to the driver of risk, the size of the position, and the level of risk exposure
These risk models allow the user to predict the potential impact on the firm for different risk positions in various market movements
OpRisk is normally an implicit event it is accepted as part of being in business, rather than part of any particular transaction
No inherent size for the OpRisk inherent in any transaction, system, or process
Eg. how much rogue trader risk does a bank have? How much fraud risk? How much could a bank lose from implementing a new IT system incorrectly? Has the risk grown since yesterday? The equivalent position for OpRisk is difficult to identify
Operational Risk
For both market and credit risk, modelling starts with a known portfolio of risks
Usually a key test of a banks risk management systems and processes to ensure that there is complete risk capture
In OpRisk modelling, the portfolio of risks is not available with any reasonable degree of certainty
Even if a bank knows its processes and could ascertain the size of the risk in those processes, it is difficult to identify unknown risks or non-process types risks
Many Major OpRisk events are from unknown or non-process types risks they are simply outside the banks normal set of understood risks
Many of the biggest operational risk losses arise from fundamentally new issues, which even the most far-sighted and active risk management might not be able to foresee
Many OpRisk approaches effectively imply the portfolio from historic loss events
Imagine taking this approach to credit risk modelling i.e.deduce the loan portfolio from historic defaults instead of obtaining it from books and records
8
Operational Risk
Eg. an analysis of transportation accidents over the last century would clearly contain data that had lost relevance due to different modes of transport, changing infrastructure, better communications, etc.
Consider the following questions: (1) Are your businesses, people or processing systems similar to 10 years ago? (eg. many banks have merged and/or materially changed their systems and processes) (2) Are the threats to those systems similar to 10 years ago? (eg. did firms worry about internet virus attacks in 1993?) Answering No illustrates the high context dependency of OpRisk Context dependency is driven by how quickly the underlying system or process changes
Market risks: Appear to have a moderate level of context dependency as stock market prices tend to exhibit statistical properties that appear to be somewhat stable across time Credit risk: Credit ratings an loss statistics have been measured for many decades and show some reliable properties
The level of context dependency has a fundamental impact on the ability to model and validate a system the higher the context dependency the less the past will be a good predictor for the future
Operational Risk
10
Accuracy
HIGH LOW (3) MEDIUM LOW/MEDIUM(4)
Auditability
HIGH LOW/MEDIUM (3) LOW LOW/HIGH (4)
Relevance
LOW (2) MEDIUM HIGH HIGH
Conclusion Some elements are auditable but not relevant & others are relevant but not auditable
Notes (1) More difficult to ensure completeness for high-frequency, small-loss events Minor events; easier for Major events (2) Low rating as most firms unlikely to have suffered numerous Major events to provide sufficient data sample (3) Low/medium rating due to reporting bias and collection bias (4) Medium accuracy and auditability for factors that are countable but Low otherwise
Operational Risk
11
After major event, management actions lead to improved controls & reduced chance of re-occurrence
Given lack of historic data and scarcity of meaningful data points, data can only be used as input into defining potential types of scenarios
External loss data Main purpose is to provide guidance on types of scenarios and parameters & for lessons learned to identify potential actions to reduce likelihood of event occurring within own organization Numerous reporting/data capture issues:
Reporting bias: Relies on companies disclosing significant OpRisk loss events. Some events have to be disclosed others may not. Relies on events to be reported correctly in publicly available documents (figures often inflated) Capture bias: Relies on firms capturing accurately OpRisk loss events and amounts from publicly available documents After reviewing for relevance (ie. similarity to your firm; whether your firm has similar business; whether circumstances surrounding the loss could be repeated in your firm) meaningful data points can be reduced significantly Estimate of the OpRisk event probability can be estimated as number of events divided by institution years (typically 1 in 2, 3, 5, 10, 20, 50 years); Number of institution years estimated from number of peer institutions and the number of years over which the external data was likely to be reasonably reliable
External data can be used to assist in determining an estimate of the event severity and probability
Operational Risk
12
Can better take account of context dependency and the evolution of the organization, the business environment and internal control factors
To address the issue of completeness of the portfolio of OpRisk exposure one needs to list out a set out exposures (and their associated probabilities of occurring)
Primary focus is on the major events, eg. rogue trader, building unavailability, etc.
Rogue Trading
Important to note that many of the biggest OpRisk losses arise from fundamentally new issues & hence difficult to foresee
Fraud
There will be some element of the Event space not covered by a known risk unknown risks but with top-down approach can include Unexpected Event scenario
Risk A
Risk B
Operational Risk
13
Complexity (business/product, technology, business processes, organization, legal entity) Rate of change of markets/products/volume (developing vs matured) Management (centralised vs remote; own managed vs outsourced) Processing maturity (automatic straight-through-processing vs manual) Personnel (level of turnover; level of resourcing; competency of resourcing)
Although it is possible to justify each business environment and internal control factor as a driver of risk, it is generally only possible from a directional basis rather than absolute basis
Generally more effective to develop action plans and monitor risk reduction of each risk factor to an acceptable risk level
Some elements are auditable at the specific factor level but is it difficult to translate the factor into an economic amount Even harder to aggregate across factors
Eg. what is the economic value of one outstanding confirmation acceptance vs one depot break? Translating economic amounts is necessarily judgmental and qualitative Easier for factors that are countable, eg. process type risks, rather than non-process type risks
Can be taken account of, to some extent, in determining scenarios and associated severity and probability parameters
Operational Risk
14
Operational Risk
15
Lots of data
Limited data
100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0%
Value of losses
No information More relevant information
5,000
10,000
25,000
50,000
100,000
250,000
500,000
750,000
1,000,000
1,500,000
2,000,000
2,500,000
Loss
5,000,000
1,000,000
1,500,000
2,000,000
2,500,000
Conclusion: All relevant information is obtained from Major OpRisk loss events
Operational Risk
5,000,000
100,000
250,000
500,000
750,000
10,000
25,000
50,000
5,000
More
More
16
Eg. 90% of cumulative loss comes from approx. largest 10% of loss events (approx. 20 loss events)
Conclusion: Major event losses drive the capital charge & impact the economic condition of a bank Difficult to model OpRisk with only few relevant data points
% of total loss
20.0%
Rank
Operational Risk
17
Benefit from central collation and analysis to identify cross-department functional issues and lessons learned Key difference: Do not get small rogue traders, class-actions, etc. Small OpRisk losses Generally result from basic human errors (eg. lack of attention, forgetfulness, poor communication, etc.)
Incidents typically correspond to single breaches of the control layers; Shows that the successive defense layers provide adequate control to capture upstream control breaches Examples: Settlement errors; Credit card fraud
18
Small Loss
Big Loss
Small Losses Small number of control layers breached Generally control failure is specific to a particular department Settlement errors Lessons learned only relevant to processes within the particular dept concerned Often actions taken only require reinforcement of minor changes to controls already in place Escalation only relevant to dept management Department escalation and reporting processes sufficient
Large Losses Typically many control layers breached Control failures cross a number of departments Fraud; rogue trader; business interruption Lessons learned often read across multiple departments Often require new controls or significant redesign of existing controls Escalation required across departments
Operational Risk
Correlation assumptions
Operational Risk
20
eg. Major rogue trader event is the combination of: lack of supervision & failure to obtain confirmations & failure to independent test prices & failure to perform independent P&L analysis & No evidence to suggest that OpRisk events are correlated, eg. what is the likelihood of documentation failure impacting building unavailability Major event eg. Rogue Trading
Lack of supervision Poor challenge, issue escalation Failure to obtain transaction confirmations Failure to obtain independent FX prices Failure to analyse P&L Major event is the combination of individual control failures that alone would not give rise to the incident (ie. 100% correlation between individual control failing)
21
Operational Risk
There is no strong relationship between the number of loss events and the aggregate value of loss events
No obvious relationship between number of losses and aggregate value of losses is evident suggests that the level of OpRisk is not related to the number of events suffered
1-Jan-01
1-Jan-02
1-Jan-03
Loss event
Date of loss
1-Jan-04
2001 Q1
2001 Q2
2001 Q3
2001 Q4
2002 Q1
2002 Q2
2002 Q3
2002 Q4
2003 Q1
2003 Q2
2003 Q3
2003 Q4
Operational Risk
22
Correlations unlikely to be able to be estimated empirically due to the lack of meaningful relevant data From OpRisk loss data it is possible to estimate the distribution of interarrival times, ie. the days elapsing between each loss event and the next event in sequence For independent events, interarrival times should be approximately exponentially distributed. Fitting an exponential distribution allows the average interarrival time to be estimated
Loss Interarrival times
OpRisk loss data for 3 year period to 31/12/2003
Number of months in data period
100
80
60
1
Number of events
0
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
Conclusion Evidence confirms common-sense, ie. intuitive that OpRisk events are not correlated OpRisk scenarios should be aggregated with 0% correlation
Operational Risk
23
Operational Risk
24
F1. Putting it all together & determining a capital charge 4 elements of the AMA
4.00%
3.50%
Loss Distribution
3.00%
2.50%
Probability
2.00%
Capital charge
1.50%
1.00%
0.50%
0.00%
Probability 1 in x years
Annual loss
Operational Risk
25
Rogue Trading
Fraud
Risk B
Base Risk
BE&ICFs
26
Using a credit portfolio analogy the inputs into the OPRISK+ model are: OpRisk scenario exposures (cf. credit exposures) and OpRisk event probability (cf. default probability) Top-down scenario approach considering major events allows an independence assumption to be made Bottom-up scenario approach looking at the combination of minor OpRisk events needs to consider how these minor events could correlate to generate a major event
4.00%
A correlation assumption is made that major OpRisk scenario events are independent
3.50%
Loss Distribution
3.00%
2.50%
Probability
2.00%
1.50%
Capital charge
1.00%
Medium Medium
High High
Very Low 50
Low
Probability 1 in x years
0.50%
20
10
2
0.00%
Annual loss
Operational Risk
27
Understanding of risks facing the bank Basel event categories Internal/External loss data to indicate where banks can lose money Description of scenario risk Description of primary controls mitigating risk Summary of internal loss experience related to scenario risk Summary of relevant external loss experience related to scenario risk Description of any relevant Business Environment and Internal Control Factors affecting scenario risk or control environment Assumptions used to determine parameter assumptions Summary of scenario parameters (frequency and severity) Discuss scenario risk, controls and scenario parameters with relevant line experts utilizing their expert judgment (eg. discuss the Fraud scenario with experts from Legal, Corporate Security and Operations). Provides an additional sense check over capital numbers Provides comparison check between business units
Operational Risk
28
Against External OpRisk Loss Data Graph shows loss events for 10 key peers over 10yrs (ie. 100 institution yrs of relevant data) 99%-ile capital figure is equivalent to 1 in 100 year event
"Backtest" of peer loss data (present value) vs 99% OpRisk Capital Based on 10 key peers and 10 years - ie 100 Bank Years
1994 1995 1996 1997 1998 1999 2000 2001 2002 2003
0.6%
0.5%
0.4%
0.3%
0.2%
0.1%
0.0%
Loss $m
Operational Risk
29
G1. Conclusion
Characteristics of Scenario Approach
A scenario based capital estimation approach is: pragmatic; implementable; cost effective Sensible capital numbers can be derived in a systematic and transparent manner The approach is forward-looking, utilizing all types of data available Expert judgment is used to blend available data with understanding of the control environment to produce forward-looking assessments of risk
Have a go yourself
Re-perform the analysis in this presentation on your data What does your loss data tell you?
Frequency plot; Value of losses vs number of losses plot; Cumulative loss ranking; Scatter plot vs time; Interarrival times
Operational Risk
30