2006 General MeetingAssemblée générale 2006

Chicago, Illinois

Canadian Institute

of Actuaries

L’Institut canadien desactuaires

2006

Gen

eral

Mee

ting

Ass

embl

ée g

énér

ale

2006Contents

• Introduction to CIBC

• Operational Risk Definition

• Rationale for Measuring Operational Risk

• Implementing an Operational Risk Program

• Measuring Operational Risk

• Future Developments / Enhancements

2006

Gen

eral

Mee

ting

Ass

embl

ée g

énér

ale

2006

Introduction to CIBC• The Canadian Imperial Bank of Commerce (CIBC) is a

leading North American financial institution with (at year end 2005):

• 11 million individual and small business clients;

• $12.5 billion in revenues;

• $280.4 billion of total assets;

• $24.1 billion market capitalization; and

• 37,000 employees worldwide

2006

Gen

eral

Mee

ting

Ass

embl

ée g

énér

ale

2006

Operational Risk Definition• Operational risk is defined as:

“the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”

• At CIBC Operational Risk is classified using the following seven loss types:

• Client Disservice;• Legal Liability – Employees;• Legal Liability – Clients and/or Third

Parties;• Loss or Damage to Assets;• Regulatory, Compliance and Taxation

Violations;• Theft, Fraud, Unauthorized Activities; and• Transaction Processing

2006

Gen

eral

Mee

ting

Ass

embl

ée g

énér

ale

2006

Rationale for Measuring OpRisk

1. Because it Benefits the Bank– Better understanding of our risks allows us to:

• Mitigate risks by changing controls, and/ or avoiding certain exposures;

• Price our risks into our products and services; and• Transfer (i.e. insure) our risks to third parties• Ensures we have a more complete capital capture for

performance measurement. The economic capital for each business line is made up of credit, market, and operational risk capital. Some business have little or no credit/market risk but a substantial amount of OpRisk (e.g. fee based businesses)

2. Because it is a regulatory requirement under the new Basel Accord

“You can’t manage what you can’t measure”

2006

Gen

eral

Mee

ting

Ass

embl

ée g

énér

ale

2006

Basel II & Regulatory Requirements• In June 2004, regulators from the G-10 countries

approved the Basel II Capital Accord, which will require, for the first time, banks to set aside regulatory capital for operational risks

• Basel II provides three methods for the calculation of operational risk capital:

(i) the Basic Indicator Approach; (ii) the Standardized Approach; or (iii) the Advanced Measurement Approach (AMA)

• The Basic Indicator & Standardized Approaches are based upon simple multipliers of gross revenue, differing only by their organizational level of calibration (e.g. capital is 15% of the avg. annual gross revenue from the previous 3 yrs)

• The Advanced Measurement Approach (AMA) determines capital based on a bank’s internal operational risk measurement system

2006

Gen

eral

Mee

ting

Ass

embl

ée g

énér

ale

2006

CIBC’s OpRisk Program BackgroundOpRisk program has evolved over time to become

compliant with the AMA requirements• CIBC initially assessed operational risk capital in 1999

using an “AMA-like” approach;

• The approach was updated in 2002 to better align with the available guidance related to Basel II;

• Following the release of the new Basel Accord in June 2004; CIBC completed a gap analysis and identified eight projects that would enable the Bank to meet the new AMA requirements; and

• With the completion of all of the principal objectives for each of the eight projects in 2005, CIBC formally applied to OSFI for AMA for operational risk on February 1, 2006

2006

Gen

eral

Mee

ting

Ass

embl

ée g

énér

ale

2006

CIBC’s OpRisk Program• Framework: The Framework is aligned with the

new Capital Accord and allows the Bank to:• Identify Operational Risks; then• Measure the risks identified; and • Monitor/Report on the risks that have been measured

• Policy and Methodology: CIBC has a documented and approved Policy and Methodology which specifies how OpRisk is measured and outlines the roles and responsibilities of the various groups involved

• Supporting Technology: CIBC has invested in a technology solution which serves as a central repository for thousands of records used in the calculation of operational risk

2006

Gen

eral

Mee

ting

Ass

embl

ée g

énér

ale

2006

Risk Identification ProcessRisk Identification is the first step in attributing

Operational Risk capital• The Operational Risk Department works with

business management to complete a Risk Identification

• The Risk Identification process summarizes which loss types are applicable to a given business activity

• As the business evolves and changes over time, the New Initiative Approval Process (NIAP) and the Risk and Control Self Assessment Processes (RSA & CSA) ensures that any relevant and material changes are communicated and incorporated into a revised Risk Identification for the given business.

2006

Gen

eral

Mee

ting

Ass

embl

ée g

énér

ale

2006

Operational Risk MeasurementOpRisk capital is comprised of two components:(1) Baseline Capital

• Determined using a Loss Distribution Approach• The inputs to the Baseline Capital are either;

[1] Actual internal loss experience where there is a sufficient loss history available to perform statistical analysis; or

[2] Loss scenarios, which are based on available internal/external loss data and management judgment

(2) Qualitative Adjustments • Qualitative Adjustments (QAs) are added in order to make

timely adjustments for internal control issues and risks that were not included in the original operational risk profile

• Derived from the quarterly Risk and Control Self Assessment Processes (RSA & CSA) and add approximately 10% to 20% to baseline capital

2006

Gen

eral

Mee

ting

Ass

embl

ée g

énér

ale

2006

Operational Risk MonitoringRisk monitoring ensures that the capital

remains current and that management is apprised of changes in the level of risk

• Risk monitoring involves the regular monthly reporting of operational risk capital to the business lines and to the Economic Capital group for performance measurement and the quarterly reporting of risk capital to senior management (Governance and Control Committee) and to the Board

• The underlying process for supporting and monitoring operational risk include:

1. the monthly tracking of actual operational losses;2. the monthly review of the Key Risk Indicators (KRIs);3. the quarterly Risk and Control Self Assessment Process

(RSA & CSA); and 4. the quarterly capital update process

2006

Gen

eral

Mee

ting

Ass

embl

ée g

énér

ale

2006

OpRisk Supporting TechnologyThe AMA Program requires processing thousands

of records information and to maximize efficiency a technology solution has been developed

• At the core of CIBC’s operational risk AMA compliance efforts is the “Sub-ledger” system

• The “Sub-ledger” system is a central repository which houses all of the operational risk data (e.g., losses, issues, etc.) feeds; performs the capital calculations and provides management reporting

2006

Gen

eral

Mee

ting

Ass

embl

ée g

énér

ale

2006

Risk Measurement

Operational risk capital is comprised of two main components:

1. Baseline (internal loss data or scenarios)– Expected loss = frequency X severity– Baseline capital = Worst Case Loss

– depends on the expected loss, distributional assumptions, and the confidence interval

2. Qualitative Adjustments (RSA/CSA output)– Covers risks and key control deficiencies

2006

Gen

eral

Mee

ting

Ass

embl

ée g

énér

ale

2006

Baseline Capital QuantificationHigh Freq / Low SeverityHigh frequency loss data for a given regulatory business line and loss type are fitted to a loss distribution and the Worst Case Capital calculated at a 99.9% Confidence Interval

Low Freq / High Severity Low frequency events are defined through loss scenarios. The OpRisk group works with mgmt to determine a frequency and severity for each applicable loss type / business line. Internal and External loss data are used along with professional judgments to define the input parameters to the frequency and severity distributions. The resultant loss distribution is determined by running simulations

Expected Worst Case

Loss Distribution

Severity

Frequency

Loss Distribution

Expected Worst Case

2006

Gen

eral

Mee

ting

Ass

embl

ée g

énér

ale

2006

Qualitative Adjustments Qualitative Adjustments (QAs) ensure capital

reflects the current internal control and risk environment

• In order to incorporate the latest information in regards to internal control issues arising from people, process and systems that were not addressed by baseline capital

• The adjustments are identified through the Risk and Control Self Assessment (RSA/CSA) process may have either a positive or negative impact on risk capital

• At CIBC this process is managed via a partnership of the OpRisk & Controls Group; and includes participation by the other governance groups (i.e. Audit, Legal & Compliance)

• The QAs adds 10% to 20% to baseline capital and provide a degree of conservatism. Also serves as both a penalty & an incentive for improvement of the risk/control environment

2006

Gen

eral

Mee

ting

Ass

embl

ée g

énér

ale

2006

Future Developments / Enhancements

• Reporting of Operational Risk Capital to OSFI as part of the parallel run through F2007

• Ongoing enhancements of the methodology

• Continue to independently benchmark and validate the AMA Methodology