Operational Risk The Challenge Ahead

Operational Risk The Challenge Ahead

Recent evolution
Operational risk management has evolved rapidly over recent years as banks become more aware of the need to manage all areas of operational risk and the impact on shareholder value of the failure to do so. Furthermore, banks are increasingly under the obligation to demonstrate to bank regulators that they have a sound operational risk management infrastructure and both the Basel Committee and Financial Services Authority have issued frameworks and principles that they expect to be applied. Indeed, it is a prerequisite of Basel II that banks demonstrate a sound operational risk management and control infrastructure, before they can adopt an approach more advanced than the simple basic approach, which most banks will strive to do. Even where banks elect to adopt the most basic approach, it will be expected by central banks that banks will, as a minimum requirement, demonstrate that they are operating a sound operational risk management infrastructure.

Benefits realised by operational risk management

Banks perceive the greatest benefit to be realised by operational risk management to be the creation, protection and enhancement of shareholder value. In terms of importance, the following rank as the main benefits: Protection of shareholder value Increasing awareness of operational risk Reduction of losses Reduction of control breakdowns Protection of reputation Improved capability to predict operational risk Complete and consistent operational risk information Satisfied regulators Addressing of audit points

It is clear that banks are now aware that a sound operational risk management infrastructure will generate significant benefits to their business operations.

Operational activities most targeted by banks

Having identified that they require a sound operational risk management infrastructure, banks need to increase their activities in this area. The principal activities that banks are focussing upon are: Business continuity and planning New products/business risk assessment prior to launch Organisational roles, responsibilities and accountabilities assigned Development of operational risk information on a consistent basis for reporting and analysis Cross-enterprise risk assessment
1 September 2004

Operational Risk The Challenge Ahead

Self-assessment development and execution Capital allocation methodology (including Basel II proposals) Measurement and quantification of operational risk Creation of operational risk indicators and limit reports

As a rough and ready checklist the above activities are an extremely useful place to start in the building of an operational risk management infrastructure and banks should certainly ensure that these activities are covered.

Reasons for recent increased attention paid to operational risk

There are a number of reasons for the increased attention being paid by banks to operational risk and they will be very familiar to all banks contemplating the implementation of an operational risk management programme:

Perceived increase in operational risk. Due to the growth in service-oriented businesses, compounded by globalisation of firms, increases in volumes, adoption of e-commerce, shorter settlement times, straight-through processing, more complex products, increasing reliance on technology, increasing incidence of money laundering and the heightened risk of terrorist attacks, it is not surprising that operational risk features high on a banks agenda. Regulatory attention. Many regulators have chosen operational risk as a point of focus and in particular base their work on the principles and practices established by the Basel Committee. Impact of internal and external events. Banks are becoming much more proactive
and aware of the impact that an accumulation of smaller events, as well as a single large event, can have. This cumulative effect can have a significant financial impact as well as an impact on service.

Current concerns
Bringing all of the above together, it can be seen that the whole area of operational risk has been elevated as a key issue to be addressed by banks. Principal concerns are concentrated into the following headings: Operations and transactions risk representing the traditional focus of operational risk Business risk representing the core strategies of the bank Growth strategy Information technology Business continuity Fraud and criminal risk Compliance Reputation

September 2004

Operational Risk The Challenge Ahead

Basel II
The Basel II Revised Framework issued in June 2004 stipulates that an explicit capital charge should be made to cover other unmeasured risks not included in the market risk or credit risk calculations. A capital charge for operational risk is not an option but a fundamental part of Basel II. The simpler approaches - basic indicator, standardised or alternative standardised approaches - are relatively straightforward to implement (the last two require banks to be able to provide an appropriate breakdown of gross income into business lines). The Accord has as its foundation three pillars. The Three Pillars Pillar One: covering minimum capital requirements, specific new rules for credit and operational risk Pillar Two: covering supervisory review Pillar Three: covering market discipline Pillar One: Calculating operational risk capital The Basel Committee identified three methods of calculating operational risk capital, in order of increasing sophistication and risk sensitivity, as follows: Basic indicator approach: This approach is an elementary, top down approach that can be followed by any bank, irrespective of its size or complexity. Under this approach, the operational risk capital is calculated using a proxy indicator for the entire bank, such as gross income. This indicator is multiplied by a parameter . This parameter is calibrated so that the operational risk capital equals approximately 15% of the minimum capital requirement. Standardised approach: This method breaks out the above calculation by business line. Eight business lines have been identified by the Committee: Corporate Finance, Trading and Sales, Retail Banking, Commercial Banking, Payment and Settlement, Agency Services and Custody, Asset Management, and Retail Brokerage. For each business line the operational risk capital is calculated as the parameter X . The Committee has specified that Gross Income should used as for all business lines. The values of the betas are detailed below: Business Lines Corporate finance (1 ) Trading and sales (2) Retail Banking (3) Commercial Banking (4) Payment and Settlement (5) Agency Services (6) Retail Brokerage (7) Asset Management (8) Beta Factors 18% 18% 12% 15% 18% 15% 12% 12%

At national supervisory discretion a supervisor can choose to allow a bank to use the Alternative Standardised Approach (ASA) provided the bank is able to satisfy its
3 September 2004

Operational Risk The Challenge Ahead

supervisor that this alternative approach provides an improved basis by, for example, avoiding double counting of risks. Once a bank has been allowed to use the ASA, it will not be allowed to revert to use of the Standardised Approach without the permission of its supervisor. It is not envisaged that large diversified banks in major markets would use the ASA. Under the ASA, the operational risk capital charge/methodology is the same as for the Standardised Approach except for two business lines retail banking and commercial banking. For these business lines, loans and advances multiplied by a fixed factor replaces gross income as the exposure indicator. Advanced measurement approaches (AMA): Bottom up approaches allowing for greater granularity in risk assessment are grouped under AMA. It is unlikely that banks in the GCC will adopt this approach and will go for, at a minimum, the basic approach or (more likely) the standardised approach.

The basic indicator approach is unlikely to be adopted by the majority of banks as regulators will in all likelihood expect banks to be more proactive in the risk assessment process than simply applying a basic indicator to the entire banks operations. This may suggest to the regulator that the bank has not taken significant steps to implement latest generally accepted risk management techniques. Accordingly it is highly likely that most banks will adopt the standardised approach, with only the largest and most complex banks going for the advanced measurement approach. To be able to implement the standardised approach banks must meet all of the following criteria. The following criteria are Its board of directors and senior management, as appropriate, are actively involved in the oversight of the operational risk management framework; It has an operational risk management system that is conceptually sound and is implemented with integrity ; and It has sufficient resources in the use of the approach in the major business lines as well as the control and audit areas.

An internationally active bank using the Standardised Approach must meet the following additional criteria: The bank must have an operational risk management system with clear responsibilities assigned to an operational risk management function. As part of the banks internal operational risk assessment system, the bank must systematically track relevant operational risk data including material losses by business line. There must be regular reporting of operational risk exposures, including material operational losses, to business unit management, senior management, and to the board of directors. The bank must have procedures for taking appropriate action according to the information within the management reports.
4 September 2004

Operational Risk The Challenge Ahead

The banks operational risk management system must be well documented. The bank must have a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operational risk management system, which must include policies for the treatment of noncompliance issues. The banks operational risk management processes and assessment system must be subject to validation and regular independent review. These reviews must include both the activities of the business units and of the operational risk management function. The banks operational risk assessment system (including the internal validation processes) must be subject to regular review by external auditors and/or supervisors.

Since all of the above criteria are comprehensively dealt with our approach and methodology, it follows that banks implementing this approach can adopt the standardised approach. Pillar Two: Supervisory review Pillar Two of the Basel II Accord focuses on the establishment of internal systems to monitor, measure, and control risk and on supervisory assessment risk management for capital adequacy purposes. In this respect, the development of detailed guidelines for banks as well as the supervisors became critical. The Basel Committee published its Sound Practices for the Management and Supervision of Operational Risk, covered fully by Business Performance Consultancy who cross reference these principles to the steps in their methodology. It therefore follows that banks complying with the our

methodology will be able to comply with Pillar Two of the Basel Capital Accord.
Pillar Three: Disclosure Pillar Three relates to market discipline and disclosure. The Basel Committee believes that disclosure requirements can induce banks to build a strong capital base, in order to be viewed favourably by other market participants and improve access to the markets. This in turn will support the objectives of Pillars one and two, and promote safety and soundness in the banking system. Requirements on disclosure are still being evolved, but once again, compliance with our methodology should enable a fairly painless disclosure process to be developed.

Key issues for banks arising from Basel II

The key issues can be summarised as follows: Active involvement of management and audit in the operational risk management process is imperative. The board and management must plan and manage resources to tackle compliance with Basel II requirements for operational risk. Banks must ensure that proper risk measurement systems and strong internal controls are in place. Banks must document compliance with operational standards, documentation and audit trail requirements, sufficient to satisfy regulators. Adopting the approach in this handbook will achieve this.
5 September 2004

Operational Risk The Challenge Ahead

Banks must treat Basel II and the whole area of operational risk as a major project.

Putting it all together how we can help

Having explained the various elements that make up operational risk management, the important task now is to put these elements into a methodology and project management tool. This will enable banks to methodically implement an operational risk management framework, ensuring that all the elements are included. We can provide the resource to achieve this through a phased approach Phase 1 - Develop awareness and prepare project plans Appoint Head of Operational Risk to drive the project Establish roles and responsibilities and secure buy-in from all business areas Conduct awareness sessions on operational risk, including the Basel II developments Evaluate status of internal control assessment process Define overall risk policy and risk appetite for the bank Prepare operational risk project plan Report to the board Report to the central bank as required Phase 2 - Risk identification and assessment Prepare inventory of all operational risks to be covered Prepare Risk Assessment Forms for each of the above risks Prepare a suggested list of Key Risk Indicators Assess the impact, probability and priority of each risk Identify the controls and mitigators Identify the cost of the controls, the effectiveness and extent of implementation Prepare an overall assessment for each risk based on the above factors Summarise the risks and prioritise Prepare a summary Key Risk Indicator report Prepare a risk assessment report with recommendations Report to the board Report to the central bank as required Phase 3 Create Loss Event Database Establish business lines as set out in Basel II Define Loss Event Types as set out in Basel II Set up database/establish general ledger codes and accounts for the above Populate database, create accounting entries Develop suitable reports Phase 4 - Risk Monitoring and Record Keeping Prepare risk monitoring audit plan Produce all the necessary regular risk monitoring reports and records
6

September 2004

Operational Risk The Challenge Ahead

Report to the board Report to the central bank as required

Phase 5 Create Capital Adequacy Calculation Establish business lines Identify gross income (for 3 years as necessary) for each business line as defined in Basel II Apply percentages Calculate capital charge Phase 6 - Software solutions (optional) Evaluate software solutions, both internally developed and externally purchased Select preferred software solution Implement recommended solution External software solutions are an option for banks that need to be carefully considered before committing the expenditure. Small to medium sized banks can in all probability develop their own internal database and spreadsheet solutions to maintain risk assessment records, losses, key risk indicators and capital allocation models. Banks should ensure they do not become seduced into implementing a solution appropriate for (and perhaps endorsed by) a large and complex multinational bank, which is wholly inappropriate for themselves. We can assist in this process.

Operational risk review and health check

As a first step, we can carry out a review and health check of a banks current operational risk management process. The objective would be to review the operational risk management infrastructure and benchmark it against the requirements of Basel II. We will then prepare a report detailing the current operational risk infrastructure, indicating the areas of compliance and non compliance with the Basel Committee requirements. Recommendations will be made as to the next steps to take, with time and cost estimates. A review and health check is estimated to take approximately three weeks, assuming full cooperation from key areas. Implementation of the findings of the review and health check will necessarily take much longer should the risk identification, assessment, control and monitoring process need considerable reengineering.

When to start
Basically now, as the deadline is 2006 Large accounting firms are advising to treat this as a major project (many banks may take over a year) and start now Significant time and resource requirement

September 2004

Operational Risk The Challenge Ahead

Why Ourselves
Currently there is little practical help available to embark on this yourself Other business priorities will make resource and brainpower scarce We can provide the solution through a structured practical approach following Basel principles that will satisfy regulators, auditors and rating agencies
Finally: But the effort is just at its beginning. In time we expect banks to focus increasingly on the what, how and how much of operational risks, and in fact it is quite likely that soon their efforts in this field will at least match what they do in market and credit risk assessment. - Moodys Investors Service

September 2004