The α, β, and γ of operational risk
Michael K. Ong
Almost Live! A broken elbow kept Michael Ong from the RMA Capital Management Conference in June, but The RMA Journal tracked him down and offers this Almost Live! presentation.
Part α--The Past 24 Months
Although an earlier version of this list has appeared elsewhere, I am pleased to offer readers of The RMA Journal an updated list of the Top 10 Reasons Why So Many People Are Interested in Operational Risk:
10. It's sexy, it's hot, and it's completely nebulous. Since there's no correct answer, every loud answer is a correct answer. The loudest voice now comes from the regulators and is parroted by OpRisk's newly crowned princes and princesses.
9. Regulators and senior management think that talking about it will prevent mishaps from happening. Well...they're still talking.
8. People think they've already conquered both market risk and credit risk. Then why are we still looking for credit loss and other data?
7. So vendors and consultants can drum up more sales. ORGA has beached itself off the Jersey shore, but there are still some left.
6. So the quantitative people can have something to amuse themselves with, in light of declining demand for new derivatives products. Where art thou EVT, Fast Fourier Transform, Bayesian Belief Networks, Loss Database, etc.?
5. So regulators can ding the banks for declining credit quality, lowering of loan loss reserves, and derivatives losses.
4. So banks can, under the guise of regulatory pressure, show who's bigger and better. Banks are getting bigger, but not better.
3. So operational risk managers can pick fights with the audit department and settle some old scores. There are now many more newly crowned princes and princesses of OpRisk.
2. We enjoy digging up "skeletons" and "rotten eggs" in our closets. We thought we enjoyed digging up skeletons and rotten eggs in our closets. Look who's hiding in the closets now!
(DRUM ROLL)
1. Operational risk is a convenient catch-all "garbage dump" for all kinds of possible risks. The garbage dump is getting full.
Part β--The Rule of Common Sense: What could go wrong?
There are interdependencies among risks. People, process, and technology can all wreak havoc on internal business strategy, and vice versa. Meanwhile, the entire internal environment is subject to the caprice of the external business environment.
Operational risk has been defined as "The risk that external events, or deficiencies in internal controls or information systems, will result in an economic loss--whether the loss is anticipated to some extent or entirely unexpected." There are many other highfalutin and facetious definitions of operational risk. We need to define it in line with the philosophy of taking proactive stances in managing the risks of the enterprise. According to a Federal Reserve internal comment, the "most significant operational losses have been larger in magnitude than the most significant market or credit losses." And a 1997 British Bankers' Association survey on operational risk tells us "24% of the banks surveyed have experienced operations-related losses of more than 1 million pound sterling in the past three years."
By 1995, only eight institutions had an operational risk function. Just three years later, there were 18, and the number continues to grow. (1) Acknowledgment of risks continued to center around credit in the 1970s before it was joined by market risk in the 1980s and then organizational, business, and operations risk in the 1990s. In whole, dealing with these risks has become known as enterprise-wide risk management.
There are two broad categories of operational risk:
1. External operational strategic risk--the risk of choosing an inappropriate strategy in response to such external factors as politics, regulation, competition, taxation, and societal forces.
2. Internal operational failure risk--the risk encountered in the pursuit of a particular chosen strategy due to people, technology, process, and other factors.
Breaking down definitions further, we get:
* Strategic risks--risks related to doing the wrong things.
* Business risks--risks related to doing the right things the wrong way.
* Process risks--risks related to unreliable systems, inadequate information, and inaccurate or erroneous reporting.
* Control culture risks--risks related to corporate purpose, commitment, internal capabilities, and monitoring, whose inadequacies increase the bank's vulnerability.
The Key Components of Operational Risk
Figure 1 (following page) offers categories, definitions, and types of loss effect. Operational risk can arise from many sources, and no institution is immune. Many of the key components will ring a (dissonant) bell for many bankers:
* Core operational capability--loss of premises, natural disasters, bombs, strikes, computer viruses, Y2K.
* People--human error, fraud, collusion, dishonesty, in-fighting, jealousies, sabotage, rumor-mongering, incompetency, poor management, lack of discipline.
* Client relationship--reputation loss, improper client suitability, money laundering, Nazi gold, lack of disclosure, false disclosure, highly leveraged institutions.
* Transactional and booking systems--back- and middle-office snafus, checks clearing, teller errors, mortgage servicing, private banking, foreign exchange, ATM failures and theft, inadequate documentation.
* Reconciliation and accounting--bookkeeping, financial reporting, general ledger, profitability analysis, trade ticket verification.
* Changes and new activities--tax law changes, FAS 133, takeovers, staff expansion, new products or customers, evolving technologies.
* Expense and revenue volatility--runaway expenses, lax accounting, revenue gyration, erratic returns.
Thus, a core definition for operational risk has emerged as follows: "The risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events." This is also the definition adopted by the Basel Committee.
Financial institutions are convinced that operational risk management programs protect and enhance shareholder value. The creation of operational risk management programs has been driven by a combination of management commitment, need for an understanding of enterprise-wide risks, a perceived increase in exposure to operational risk and risk events, and regulatory interest. To lead this operational risk management initiative a new organizational model is emerging, with a new position: a head of operational risk, reporting to the chief risk officer. The role is to develop and implement the operational risk framework and consult to the lines of business.
Methodologies are evolving to quantify operational risk capital. While progress is being made, there is no consensus on approach, and methodologies are not yet used as a basis for decision making. A framework for operational risk management is emerging, consisting of a set of integrated processes, tools, and mitigation strategies. While each firm may have evolved in its own manner, we can identify five stages of development of an operational risk management framework. This may help companies beginning a program to prioritize their efforts. (See Figure 2.) (2)
Responsibilities of the Op Risk Management Function
An evolving role, the primary responsibilities of operational risk management are to:
* Determine operational risk policies and definition.
* Develop and deploy common tools.
* Establish indicators.
* Assess benefits of programs.
* Analyze linkages to credit and market risk.
* Consolidate and monitor enterprise-wide risk information.
Major Op Risk Identification and Assessment Tools
A number of tools have come into common use. Each has its application, and each has its limitations. (3)
* Risk and self-assessment--reinforces responsibility and raises awareness within the business units; gains agreement on the operational risks and required next steps; and brings together independent views. Limitations of this tool depend on method employed, as some are more robust than others and can provide greater insights and gain acceptance; some alternatives can be time consuming; tools are primarily qualitative.
* Risk mapping--adds detail to an understanding of operations and specific operational risk activities. A tool for lower-level staff, limitations include less value for senior management because of detail; difficult to keep current; primarily qualitative.
* Key risk indicators--measure of progress in operational risk management; provides objective, nonfinancial measure of risk; can be updated as frequently as daily. Limitations include unproven risk/indicator correlations; some operational risks are difficult to measure; uncertainty whether the right measures are being used or just the measures where data is available.
* Escalation triggers--predetermined decision or intervention points for management. Limited by their dependence on the quality of the target setting and the risk indicators used.
* Loss event databases--provide financial-based measures; tool used for empirical analysis as well as risk modelling and support for cost/benefit analysis. Limitation is difficulty in collecting data on a consistent basis.
Op Risk Alternatives
There are three alternatives for financial institutions seeking to manage or transfer operational risk:
1. Risk mitigation or control through policy and audit.
2. Insurance. There is insurance for fire and theft, but there is no insurance for stupidity and incompetency.
3. Capital allocation.
A possible fourth alternative is securitization and commoditization of operational risk through the introduction of "catastrophe" derivatives instruments, such as operational risk-linked bonds.
Economic Capital from Operational Risk
Although a number of banks have, or are developing, a methodology for estimating a measure of economic capital for operational risk, a great majority are not satisfied with their current approach or with the behavioral incentives they create.
Consequently, only a few banks, if any, use their measure of operational risk capital to drive economic decision-making. Only 16 banks chose to reveal the percentages of economic capital attribution. The average allocations are 53% for credit risk, 17% for market risk, and 30% for combined operational and strategic risk. The current Basel proposal is contemplating a downward adjustment to around 12% for operational risk.
Measurements used by banks vary along the continuum between "top-down" and the more risk-based or "bottom-up" approaches. There is a preferential trend toward using the "bottom-up" approach as the choice for methodologies. There is a clear bias in terms of planned approach, with the development of actuarial models very much leading the way.
Figure 1
Loss Effect Type: Definitions & Examples
Category: Definition/Discussion
* Legal Liability--Judgments, settlements, and other legal costs.
* Regulatory Action--Fines or the direct payment of any other penalties, such as license revocations.
* Loss or Damage to Assets--Direct reduction in value of physical assets due to some kind of accident (e.g., neglect, accident, fire, earthquake).
* Restitution--Payments to third parties from operational losses for which the bank is legally responsible.
* Loss of Recourse--Losses experienced when a third party does not meet its obligations to the bank, and which are attributable to an operational mistake or event (i.e., which could have been avoided even though the counterparty refused or was unable to pay).
* Write-down--Direct reduction in the value of assets due to theft, fraud, unauthorized activity, or market or credit losses arising as a result of operational events.
* Further Considerations (not category specific)
Category: Includes
Legal Liability
* Costs incurred in connection with litigation in a court proceeding or arbitration (including external attorneys' fees, settlements, judgments paid, etc.).
* External legal costs directly associated with event.
* Write-down based on GAAP.
Regulatory Action
* Fines paid for regulatory violation.
* Attorneys' fees paid for representation at hearing on regulatory violation.
Loss or Damage to Assets
* Cost to relocate short-term, business continuity.
* Use of third-party supplier to continue business.
* Costs associated with making premises fit for business after fire, flood, or other disaster.
* Write-downs/write-offs of assets due to fire, flood, or other natural disaster.
* Loss/destruction of intangible property (e.g., data).
Restitution
* Claim from client due to business interruption loss (for which bank is responsible).
* Pricing error results in claim from client for compensation by the bank.
* Net interest cost due to delays in settlement.
* Confidential client information lost in burglary; client suffers loss and enters claims against bank.
* Employee fraud results in bank replacing lost client funds/assets.
* External fraud results in loss of client funds, requiring the bank to make a payment to the client to make good the loss.
Loss of Recourse
* Funds transferred by mistake to incorrect or duplicate payments made, unable to be recovered.
* Credit-related operational loss: loan documentation errors, monitoring inadequacies, failure to perfect security interest (subject to discussion).
* Inability to enforce netting agreement due to inadequacies in documentation or failure to verify counterparty (subject to discussion as regards status as credit versus operational loss).
Write-down
* Failure to deliver/acquire asset in time and market price moves.
* Losses from unauthorized trade ("rogue trading").
* Loss from excessive trades (in excess of established market exposure limits).
* Pricing error that results in lower-than-expected revenue.
* Employee fraud results in bank writing off the loss.
* External fraud or theft results in loss of bank assets/revenues.
* External security breach results in hiring consultants to determine nature of problem and fix it.
Further Considerations (not category specific)
* Costs related to consultants/third parties to investigate/fix (may be in various categories).
* Costs associated with failed outsourcing assignment (may be in various categories).
* Control breakdown that leads to an operational loss, requiring consultants to understand the cause of the problem and propose remedies (may be in various categories).
Source: QIS2--Operational Risk Loss Data, May 4, 2001.
Figure 2
Five Stages of Evolving OR Initiatives
Stage 1: Traditional Baseline (shown alongside each later stage in the figure)
* Internal controls
* Reliance on internal audit
* Individual mitigation programs
* Reliance on quality of people and culture
Stage 2: Awareness
* Operational risk manager
* Governance structure
* Definition
* Policy
* Process maps/self-assessment
* Early indicators
* Collection of event data and establishment of value proposition
* Top-down economic capital models
Stage 3: Monitor
* Clear vision and goals for operational risk management
* Comprehensive indicators
* Escalation triggers
* Consolidated reporting
* Dedicated business line staff
* Training
Stage 4: Quantify
* Comprehensive loss databases
* Quantitative goals for improvement
* Predictive analysis & leading indicators
* Risk-based economic models
* Active operational committee
Stage 5: Integrate
* Full, linked sets of tools
* Cross-function risk analysis
* Correlation between indicators & losses
* Insurance linked with risk analysis and capital
* Risk-adjusted returns linked to compensation
Source: BBA/ISDA/RMA Study, November 1999
Notes
(1.) S. Willis, "Rewards on Offer from a New Discipline," Risk, November 1999.
(2.) BBA-ISDA-RMA Study Key Conclusions, November 1999.
(3.) Based on S. Willis, "Rewards on Offer from a New Discipline," Risk, November 1999.
Contact Ong by e-mail at mong@us.ca-indosuez.com
© 2002 by RMA. Ong is executive vice president and chief risk officer at Credit Agricole Indosuez. All the opinions expressed here are solely the author's and not necessarily those of Credit Agricole Indosuez.