
Risk Management in Banking

RISK MANAGEMENT
- Business is inherently risky
- Risks cannot be avoided completely
- Risks defy conventional thinking
- Importance of risks changes with time

FINANCIAL RISKS
- Credit risks
- Market risks
- Liquidity risks
- Operational risks

Credit Risk
The risk that a borrower may not be able to repay a loan.

Operational Risk
The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.

Market Risk
The risk of loss arising from the fluctuating prices of investments as they are traded in the global markets.

Operational Risk
Historically, operational risk has taken a back seat to market and credit risk:
- it is not easy to quantify
- it means different things to different people
- in trading you are paid to assume market and credit risk, but not operational risk

However, operational risk can be large when not effectively measured or controlled.

Operational Risk
Reserve Bank of India Definition
Any risk which is not categorized as market or credit risk, or the risk of loss arising from various types of human or technical error. It is also synonymous with settlement or payments risk and business interruption, administrative and legal risks. Operational risk has some form of link between credit and market risks.

What is operational risk?


Basel definition:
The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events (including legal risk but excluding strategic and reputational risk).

Legal Risk: the risk of loss (including litigation costs, settlements and regulatory fines) resulting from the failure of the bank to comply with laws, regulations, prudent ethical standards and contractual obligations in any aspect of the bank's business.
- Generally excludes losses related to credit (outside of the defined boundaries)
- Excludes opportunity costs

Definition - contd
Examples of operational risks in a retail branch (illustrative):

- Internal processes: KYC guidelines not observed, resulting in fraud
- People related: lack of job knowledge, task misperformance, accounting error, delivery failure, etc.
- Systems related: system failure, ATM outages, etc.
- External events: natural disasters resulting in disruption of operations

Key point: Each bank's definition for internal management purposes should reflect its unique risk characteristics, including its size and sophistication and the complexity of its products and activities and nature

Compliance / Legal Risk


Compliance/legal risk includes, but is not limited to, exposure to fines, penalties or punitive damages resulting from supervisory actions, as well as private settlements. Legal/compliance risk arises from an institution's failure to enact appropriate policies, procedures, or controls to ensure it conforms to laws, regulations, contractual arrangements, and other legally binding agreements and requirements.

Documentation Risk
The unpredictability and uncertainty arising out of improper or insufficient documentation which gives rise to ambiguity regarding the characteristics of the financial contract is referred to as documentation risk.


Types of Operational Risks


- People risk
  - Incompetence
  - Fraud
- Process risk
  - Transaction risk
  - Execution error
  - Product complexity
  - Settlement error
  - Documentation / contract risk

Types of Operational Risks


- Operational control risk
  - Exceeding limits
  - Security risks
  - Volume risk
- Technology risk
  - System risk
  - Programming error
  - Information risk
  - Telecommunication error
- Risk from External Environment

Operational Risk
Your perception in back home situation:
- Branches
- Controllers
- Compliance Risk (Risk of legal or regulatory compliance)

HOW TO CONTROL/MITIGATE

Features of Operational Risk


Pervasive
Embedded and inherent in internal processes, activities, people and systems across the entire Bank

Measurement is a challenge

Cannot quantify / measure in the same manner as credit or market risk:
- Quantifying individual events is a challenge, e.g. system downtime, business disruption
- The approach to be adopted for quantifying the overall capital charge is a challenge

Dynamic

With continuous changes in operations, processes, technology, external environment of the Bank, nature of operational risk undergoes changes all the time

Ownership a challenge

Being pervasive in nature, who should own its management poses a challenge

Operational Risk has different qualities from other risks


- People: leniency, temptation
- Multiplier effect: multiple control breakdowns can lead to exponential growth of potential loss

Multiplier effect, Barings 1995:
- No independent oversight, no local risk manager
- No segregation of duties between front and back office
- Systems unable to handle trade flow and trading errors
- Sizable and repeated HQ cash transfers for client margin loans without credit approval
- Lack of HQ understanding of the business (i.e. huge profits in index arbitrage & brokerage)
- Audit report warnings ignored

Structure of the Basel Accord


The New Basel Capital Accord consists of three mutually reinforcing pillars. All three pillars need to be applied by banks.

Pillar 1: Minimum Capital Requirements
Establishes minimum standards for management of capital on a more risk-sensitive basis and specifically addresses:
- Credit risk
- Operational risk
- Market risk

Pillar 2: Supervisory Review Process
Increases the responsibilities and levels of discretion for supervisory reviews and controls covering:
- Processes for capital and risk profile management
- Capital adequacy
- Level of capital charge
- Proactive monitoring of capital levels and ensuring remedial action

Pillar 3: Market Discipline
Expands the content and improves the transparency of financial disclosures to the market, with disclosure of:
- Description of risk management approaches
- Levels of capital
- Analysis of risk exposures and capital by businesses / segments

Risk Management Needed due to pervasive scope of risk


The pervasive scope of risk points to the need for a bank-wide, comprehensive risk management strategy, supporting structure, monitoring and control, and measurement processes which encompass all key elements of risk. Reputational Risk and Business Strategy Risk are both specifically excluded by Basel.

Credit Risk: Corporate, Consumer, Counterparty, Sovereign, Model, Insurance

Operational Risk:
- Internal fraud
- External fraud
- Employment practices and workplace safety
- Clients, products & business practices
- Damage to physical assets
- Business disruption & system failure
- Execution, delivery & process management
- Risk and Control Culture

Market Risk: Underwriting, Liquidity, Market Price, Trading and ALM, Model

Approaches to minimum capital Requirement


Basel II provides banks with a menu of approaches for quantifying the different types of risk under Pillar 1.

Basel II Menu

Credit Risk
- Standardised Approach (a modified version of the existing Basel 1 approach)
- Foundation Internal Ratings Based Approach
- Advanced Internal Ratings Based Approach

Market Risk (unchanged from Basel 1)
- Standardised Approach
- Internal Models Approach

Operational Risk
- Basic Indicator Approach
- Standardised Approach
- Advanced Measurement Approaches

Capital Allocation for Operational Risk


- Basic Indicator Approach: Banks must hold capital equal to 15% of the average of the previous 3 years' annual gross income.
- Standardised Approach: A bank's activities are decomposed into a number of standard business lines. The capital charge is standardised by the supervisor; gross income of each business line is multiplied by the prescribed beta factor for that business line.
- Advanced Measurement Approach: Meant for banks meeting rigorous standards and subject to supervisory approval.

Basic Indicator Approach


Capital Charge = 15% of average gross annual income (positive income) of the previous 3 years

Basel Committee defines Gross Income as net interest income + net non-interest income:
- gross of any provisions (e.g. for unpaid interest)
- gross of operating expenses (including fees paid to outsourcing service providers)
- excluding realised profits/losses from sale of securities in the banking book
- excluding extraordinary or irregular income such as income from insurance claims

Operational Risk Capital : Basic Indicator Approach


KBIA = GI x where: KBIA = capital charge under Basic Indicator Approach, GI = average annual gross income of the last 3 years, = 15%

Gross income = net interest income + net non-interest income as laid down by supervisors / national accounting standards:
1. gross of any provisions
2. exclude realised profits/losses from sale of securities in banking book (HTM and AFS)
3. exclude extraordinary / irregular items / insurance income

The Standardized Approach


Bank's gross income is mapped to 8 business lines defined by Basel.

- Capital charge for each business line is calculated by multiplying an indicator by a factor assigned to that business line
  - Indicator: annual gross income (as described in BIA)
  - Factor: beta (β) established by the BCBS
- Total capital charge is based on the 3-year average of the simple summation of the regulatory capital charges across each of the business lines in each year

The Standardised Approach (TSA)


More refined than Basic Indicator Approach

- Gross income for each business line, not the whole institution.
- Gross income for a business line: same definition as in Basic Indicator Approach.
- Capital charge: multiply gross income by a factor (beta) assigned to that business line.

Total capital charge:

$K_{TSA} = \left\{ \sum_{\text{years } 1\text{-}3} \max\left[ \sum \left( GI_{1-8} \times \beta_{1-8} \right), 0 \right] \right\} / 3$

where:
- $K_{TSA}$ = capital charge under The Standardised Approach
- $GI_{1-8}$ = gross income of business lines 1-8
- $\beta_{1-8}$ = multiplication factor for business lines 1-8

Standardised Approach
| Business Lines | Beta factor (β) |
|---|---|
| Corporate Finance | 18 % |
| Trading & sales | 18 % |
| Retail Banking | 12 % |
| Commercial Banking | 15 % |
| Payments & settlements | 18 % |
| Agency services | 15 % |
| Asset Management | 12 % |
| Retail Brokerage | 12 % |

Operational Risk Capital: The Standardised Approach (TSA) an example


| Business Lines | Average Gross Income of 3 years (Rupees in crores) | Beta factor (β) | Capital charge |
|---|---|---|---|
| Corporate Finance | 200 | 18 % | 36 |
| Trading & sales | 100 | 18 % | 18 |
| Retail Banking | 200 | 12 % | 24 |
| Commercial Banking | 200 | 15 % | 30 |
| Payments & settlements | 200 | 18 % | 36 |
| Agency services | 100 | 15 % | 15 |
| Asset Management | 100 | 12 % | 12 |
| Retail Brokerage | 100 | 12 % | 12 |
| Total | 1200 | | 183 |

OR Capital : BIA vs TSA


Under TSA, capital computation is a function of the bank's business composition. E.g. for banks where Treasury & Commercial segments are the major contributors, the bank will have to allocate higher capital (Commercial 15%, Trading & Sales 18%) as against banks that are active in the retail segment, where the beta factor is 12%. Thus TSA presents a more realistic capital computation approach as compared to BIA, as it is a function of business mix.

Income is still the proxy for risk, and therefore neither TSA nor BIA provides the bank with any incentive for improved risk management.
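The BIA and TSA calculations compared above, worked through in Python as an added example (not part of the original slides). It goes beyond the slides' single averaged table by evaluating TSA year by year, so the max[..., 0] floor and the BIA rule of counting only positive-income years both show up; the function names and the loss-year figures are constructed for illustration.

```python
"""Added example: BIA vs TSA operational-risk capital (amounts in Rs crore)."""

ALPHA_PCT = 15  # BIA factor from the slides (15%)

# Beta factors in percent, as listed in the slides' business-line table.
BETA_PCT = {
    "Corporate Finance": 18,
    "Trading & Sales": 18,
    "Retail Banking": 12,
    "Commercial Banking": 15,
    "Payments & Settlements": 18,
    "Agency Services": 15,
    "Asset Management": 12,
    "Retail Brokerage": 12,
}

# Gross income per business line from the slides' worked TSA example.
PAGE_EXAMPLE = {
    "Corporate Finance": 200,
    "Trading & Sales": 100,
    "Retail Banking": 200,
    "Commercial Banking": 200,
    "Payments & Settlements": 200,
    "Agency Services": 100,
    "Asset Management": 100,
    "Retail Brokerage": 100,
}

# Constructed stress year (not from the slides): a large trading loss.
LOSS_YEAR = {**PAGE_EXAMPLE, "Trading & Sales": -2000}


def bia_charge(yearly_gross_income):
    """15% of average gross income, counting only years where it was positive."""
    positive = [gi for gi in yearly_gross_income if gi > 0]
    if not positive:
        return 0.0
    return ALPHA_PCT * sum(positive) / (100 * len(positive))


def tsa_year_charge(gi_by_line):
    """One year's TSA charge: beta-weighted sum across lines, floored at zero."""
    unknown = set(gi_by_line) - set(BETA_PCT)
    if unknown:
        raise ValueError(f"unmapped business lines: {sorted(unknown)}")
    # A loss in one line offsets other lines within the same year...
    weighted = sum(gi * BETA_PCT[line] for line, gi in gi_by_line.items())
    # ...but a negative yearly total cannot reduce the other years' charges.
    return max(weighted, 0) / 100


def tsa_charge(three_years):
    """Average of the three floored yearly charges."""
    if len(three_years) != 3:
        raise ValueError("TSA needs exactly three years of data")
    return sum(tsa_year_charge(year) for year in three_years) / 3


def compare(three_years):
    """Both charges for the same three years of business-line gross income."""
    totals = [sum(year.values()) for year in three_years]
    return {"BIA": bia_charge(totals), "TSA": tsa_charge(three_years)}


if __name__ == "__main__":
    print("steady:", compare([PAGE_EXAMPLE] * 3))
    print("loss year:", compare([PAGE_EXAMPLE, PAGE_EXAMPLE, LOSS_YEAR]))
```

With the slides' figures in all three years TSA reproduces the table total; in the constructed loss year the TSA average drops because that year contributes zero, while BIA is unchanged because the year is left out of its average altogether.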

Advanced Measurement Approach


Definition: Under the Advanced Measurement Approach, the regulatory capital will equal the risk capital measured by the bank's internal operational risk measurement system using bank-specific statistical models.

Banks under this approach are allowed to develop their own empirical model to quantify required capital for operational risk based upon the 4 data elements. Banks have flexibility in the specific methods used for incorporating the elements in the models.


Advanced Measurement Approach


Under this approach, the regulatory capital requirement for operational risks will be calculated on the basis of the risk measure generated by the bank's internal operational risk measurement system, using quantitative & qualitative criteria, subject to supervisory approval.

Advanced Measurement Approach


The 1st step in AMA is Operation Profiling:
- Identification & quantification of ORs in terms of their components
- Prioritization of ORs and identification of risk concentrations
- Formulation of the bank's strategy for OR management & risk-based audit

Estimated level of Operational Risk depends on:
- estimated probability of occurrence
- estimated potential financial impact
- estimated impact of internal controls (problem: absence of reliable historical data)

(Need to extract loss data in various business lines and strengthen MIS.)

Advanced Measurement Approach


- RCSA (Risk and Control Self Assessment)
- KRI (Key Risk Indicator)
- Loss Data Entry

Capital Computation Approach for Operational Risk


Business Lines & Loss Events


Basel II & RBI have identified 8 business lines and 7 risk event categories.

Business lines:
- Corporate Finance
- Trading and Sales
- Retail Banking
- Commercial Banking
- Payment and Settlement
- Agency Services
- Asset Management
- Retail Brokerage

Event types:
- Internal Fraud
- External Fraud
- Employment Practices and Workplace Safety
- Clients, Products & Business Practices
- Damages to Physical Assets
- Business Disruption and System Failures
- Execution, Delivery & Process Management

Mapping of Business Lines


Internal historical loss data to be mapped onto Level 1 business lines
Level 2 Corporate Finance Government Finance Merchant Banking Advisory Services Trading & Sales Sales Market Making Treasury Foreign Exchange, Repos, Brokerage, Income from Cross Selling Activity Group M&A, Underwriting, Securitisation, Syndication,

Level 1 Corporate Finance

Retail Banking

Retail Banking
Card Services

Private Lending & deposits, other banking services


Gross Income

Commercial Banking

Commercial Banking

Continues

Mapping of Business Lines


Level 1 Payment & Settlement Level 2 External Clients Activity Group Payments and Collections, Funds Transfer, Clearing & Settlement Depository, Securities lending, Corporate Actions, Execution Services Institutional, Retail

Agency Services

Custody

Corporate Agency
Retail Brokerage Asset Management Retail Brokerage Discretionary Fund Management Non-discretionary Fund Management


Detailed Loss Event Type Classification


Event Type Category (Level 1): Internal Fraud
Definition: Losses due to acts of a type intended to defraud or circumvent regulations, which involves at least one internal party
Categories (Level 2) and Activity Examples (Level 3):
- Unauthorized Activity: Transactions not reported (intentional); Sanctioning Unauthorised Activities
- Theft & Fraud: Fraud / Credit Fraud; Theft / Embezzlement / Robbery; Misappropriation of assets; Forgery; Impersonation; Tax non-compliance / Evasion of Tax; Bribes / Kickbacks

Event Type Category (Level 1): External Fraud
Definition: Losses due to acts of a type intended to defraud, circumvent rules, by a third party
Categories (Level 2) and Activity Examples (Level 3):
- Theft & Fraud: Theft / Robbery; Forgery
- System Security: Hacking; Theft of information

Detailed Loss Event Type Classification


Event Type Category (Level 1): Employment practices & workplace safety
Definition: Losses arising from acts inconsistent with employment, health or safety laws, from payment of personal injury claims or from discrimination events
Categories (Level 2) and Activity Examples (Level 3):
- Employee Relations: Compensation, Termination Issues, Organized Labour Activity
- Safe Environment: General Liability, Employee health, Workers Compensation
- Diversity & Discrimination: All discrimination types

Event Type Category (Level 1): Damage to Physical Assets
Definition: Losses arising from loss or damage to physical assets from natural disaster or other events
Categories (Level 2) and Activity Examples (Level 3):
- Disaster & Other Events: Natural Disaster Losses; Human losses from external sources (terrorism etc.)

Event Type Category (Level 1): Business disruption and system failures
Definition: Losses arising from disruption of business or system failures
Categories (Level 2) and Activity Examples (Level 3):
- Systems: Hardware; Software; Telecommunications; Utility outage

Detailed Loss Event Type Classification


Event Type Category (Level 1): Clients, Products & Business Practices
Definition: Losses arising from an unintentional or negligent failure to meet professional obligation to specific clients or from the nature of design of a product
Categories (Level 2) and Activity Examples (Level 3):
- Suitability, Disclosure & Fiduciary: Fiduciary breaches / guidelines violations; Suitability (KYC); Breach of Privacy; Aggressive Sale; Account Churning; Misuse of Confidential Information; Lender Liability
- Improper Business or Market Practices: Improper Trade / market practices; Market Manipulation; Insider Trading; Unlicensed Activity; Money Laundering
- Product Flaws: Product defects; Model errors
- Selection, Sponsorship & Exposures: Failure to investigate client per guidelines; Exceeding client exposure limits
- Advisory Activities: Disputes over performance of advisory services

Detailed Loss Event Type Classification


Event Type Category (Level 1): Execution, Delivery & Process Management
Definition: Losses from failed transaction processing or process management from relations with trade counterparties and vendors
Categories (Level 2) and Activity Examples (Level 3):
- Transaction Capture, Execution & Maintenance: Miscommunication; Data Entry, Maintenance or loading error; Missed deadline or responsibility; Accounting error / entity attribution error; Delivery failure; Collateral management failure; Reference Data Maintenance
- Monitoring & Reporting: Failed mandatory reporting obligation; Inaccurate External Reports
- Customer Intake & Documentation: Client permissions / disclaimers missing; Legal documents missing / incomplete
- Customer Account management: Unapproved access given to accounts; Incorrect customer records; Negligent loss or damage
- Vendor & Suppliers: Outsourcing; Vendor Disputes

AMA : Data Elements


A bank's internal measurement system must reasonably estimate unexpected losses based on the combined use of:
- Internal Loss Data
- External Loss Data
- Scenario Analysis
- Business Environment & Internal Control Factors (BEICF)

Loss Events Database OR Redefined


Creation of Loss Events Database: clarity on definition

Example: a loan goes bad
- Clearly: Credit Risk
- But, it is found that the faulty documentation is not enforceable
- Now clearly: Operational Risk

Example: a dealer runs a position resulting in loss due to market movements
- Clearly: Market Risk
- But, it is found that the dealer exceeded permitted limits
- Now clearly: Operational Risk

Internal Loss Data


Definition: Any data on exposures held in a bank's existing or historical portfolios, including data elements or information provided by third parties regarding such exposures, e.g. penalties, compensation paid, etc.

Internal Loss Data


- Platform & systematic process for comprehensive data collection of operational loss
- Operational losses must be mapped to 7 event types and 8 business lines
- Threshold for data collection: banks to demonstrate that no important loss data is excluded
- Internal loss data is used as direct input to the Op Risk capital model, and also as input in scenario analysis & BEICF (Business Environment & Internal Control Factors)
- Issues related with the collection of Loss Data from branches developed

External Loss Data


- A bank's operational risk measurement system must use relevant external operational loss data (either public data and/or pooled industry data)
- Obtained from data consortia, vendors, newspapers, court records, insurance companies, etc.
- Multiple uses:
  i) Management reports
  ii) Direct input into capital model
  iii) Supplement internal loss data for low frequency and high severity events (tail events)

External Loss Data


Definition: External data refers to information on exposures held outside of the bank's portfolio or aggregate information across an industry. Along with scenario analysis, it helps in capturing data for tail events (high severity, low frequency).

Loss Data Near Misses


"Near Misses" are operational risk events where no loss has actually been incurred by the Bank. Examples are attempted frauds, failed controls, potential system failure, etc. A near miss can also be explained as an operational risk event which results in no financial impact by chance, or following any action taken by a counterparty or a third party. The fact that there is no financial impact is neither due to the efficiency of controls nor to a specific internal action.

Live example: In a branch, there was an attempt to encash a fake dividend warrant for an amount of Rs 100000.00, which was prevented by vigilant staff.

Business Environment & Internal Control Factors (BEICF)


The indicators of an institution's operational risk profile that reflect a current and forward-looking assessment of its underlying business risk factors and internal control environment.

Tools used to support the BEICF requirement:
- Risk Control Self-Assessments (RCSA)
- Key Risk Indicators

Operational Risk Management - RCSA


- RCSA is a systematic and rigorous process which leverages the collective knowledge of individuals within the organization to proactively Identify, Assess, Mitigate/Control and Report 'Significant Risks'
- RCSA questionnaires are developed for various entities, viz. front office, mid office and back office
- The RCSA process is customized to suit various risk entities of the Bank
- After the risks are identified, controls are to be put in place, the efficacy of which can be measured in the subsequent RCSA exercise, resulting in better risk management. It is a continuous process.

RCSA : Risk Assessment


- Risk assessment enables management to rate and analyze significant risks based on impact (severity) and likelihood (frequency) and to identify controls for risk mitigation
- As part of the risk assessment process, an owner is defined for each risk, along with timelines for implementation
- Risk assessment forms the basis for the subsequent steps of risk mitigation, measurement and reporting

RCSA : Assessment Scale


SEVERITY OF OPERATIONAL LOSS
1. Very low impact
2. Low impact
3. Moderate impact
4. High impact
5. Very high impact

PROBABILITY OF LOSS
1. Very low likelihood
2. Low likelihood
3. Moderate likelihood
4. High likelihood
5. Very high likelihood

KEY RISK INDICATORS


- KRIs are early warning signals used to monitor Op Risk.
- KRIs are generally derived from key risks identified in the RCSA exercise to enable the bank to track the trajectory of risks.
- KRIs could reflect potential sources of operational risk such as rapid growth, the introduction of new products, employee turnover (attrition in treasury), system downtime and so on.
- KRIs are to be linked to different risk dimensions such as:
  - Potential frequency
  - Average severity or cumulative loss

KEY RISK INDICATORS 2


- KRIs to be readily defined, understandable and quantifiable
- Collectable at a reasonable cost / time units
- Comparable through time and across business units
- Auditable
- Indicators may be either numeric or financial; financial are preferred
- Institutions / banks are all very different. There cannot be any standard library of KRIs: they are organisation / business specific, and a function of internal controls too
- Different banks / offices / businesses may use different KRIs for the same risk

KEY RISK INDICATORS - Example


| KRI | Value | Escalation Trigger | % Change over Last Quarter | % Change over Last Year |
|---|---|---|---|---|
| Staff Turnover Rate | 5% | 15% | 10% | 20% |
| Downtime in IT system during Trading Hours | 22 hours | 24 Hours | 15% | 25% |
| Material Data Security Breaches | 1 | 2 | 100% | 100% |
| Number of Failed Critical Systems | 6 | 10 | 100% | 200% |
| Value of Loss due to Suspicious Activity | 1.6 million | 3 million | 111% | 103% |
| Value of Unreconciled items over 30 days | 3.22 million | 3 million | 77% | 262% |

Scenario Analysis
A systematic process of obtaining opinions from Business Managers & Risk Management experts to derive reasoned assessments of the likelihood & impact of operational losses.

Where scenarios are used:
- Input for Operational Loss capital
- Basis of an Operational Risk analytical framework

Use of scenarios varies widely among institutions.

Example: Components of a Scenario


Scenario: Rogue Trader
Output: Scenario loss amount and probability
Key considerations: Each scenario should use internal loss data, external loss data, business environment and internal control factors to determine the scenario severity and probability parameters.

Internal Loss Data
- What losses has the firm experienced for the given scenario?
- What were the size of losses and the frequency of major events?
- What management actions have been taken to prevent future occurrence or reduce the potential size of loss?

Example: Components of a Scenario (cont.)


External Loss Data
- What major events of this particular scenario have occurred to other firms similar to the firm?
- What is the potential range of losses?
- How frequently have the events occurred?
- What is the potential loss and likelihood of occurrence for the firm?

Business Environment & Internal Control Factors
- What are the BEICFs that could affect size and likelihood of loss?
- Complexity of product/business, pace of change or market regulation, volumetrics, key risk indicators.

Why is Operational Risk receiving increased attention ?


- Growing complexity in the banking industry (products, services, technology, globalization, acquisitions/mergers, etc.)
- Several large and widely publicized operational losses in recent years, e.g. Barings Bank, Sumitomo Corp, Daiwa Bank (NY), Societe Generale, Satyam
- Rapid pace of innovation
- Increased focus on corporate governance
- Increased global competition
- A changing regulatory capital regime

BARINGS BANK
This is one of the most infamous tales of financial demise. Trader Nick Leeson was supposed to be exploiting low-risk arbitrage opportunities between derivatives written on the Nikkei equity index traded on the Singapore Money Exchange (SIMEX) and on the Osaka exchange. In practice, he was running open futures contracts on the two exchanges. Thanks to the lax attitude of senior management, Leeson was given control over both the trading and back office functions. As Leeson's losses mounted, he increased his bets by selling options. Unfortunately, the major Kobe earthquake in February 1995 caused the Nikkei Index to drop sharply. Leeson's losses increased rapidly, and Barings were unable to continue to fund his positions. Despite emergency meetings at the Bank of England, external support was not forthcoming for Barings, and in March 1995 it was purchased by the Dutch bank ING for just GBP 1.

Control of Operational Risk


- Book of Instructions
- Circulars
- Delegation of Financial Powers
- Appropriate Reporting System
- Policies of the Bank
- Use of Information Technology
- Self Assessment
- Audit committees

Unless you are able to implement your controls & you have powers to penalise, the controls will be meaningless.

Mitigating Operational Risk


The basic objective of Operational Risk Management is to mitigate operational risk:
- Inspection & Audit
- Insurance
- Training
- Rewards

Best Practices of Operational Risk


- Identify
- Assess
- Report
- Mitigate
- Measurement

Control of Operational Risk


- Book of Instructions / Manuals
- Circulars
- Delegation of Financial Powers
- Appropriate Reporting System
- Policies of the Bank
- Use of Information Technology
- Self Assessment
- Audit committees

Implementation at Role holders level a Process


- Identify the events / transactions
- Identify the parties involved
- Identify the potential pressure points
- Identify the processes:
  - Awareness
  - Systems / Procedures
  - Follow
  - Strengthen
  - Own
  - Implementation

THANK YOU
