Operational Risk AMA at the EIB

8/13/2019 Operational Risk AMA at the EIB

1/31

AMA at the EIB

March 2009


2/31

Agenda

Operational risk framework

Basel II and the advanced measurement approach (AMA)

Adjusted risk capital (ARC)

Worked example


3/31

Operational risk framework

Operational risk policy

Operational risk methodology

Historical data

KRIs

Information on internal controls

Scenario analysis

Operational risk system: SAS


4/31

Basel II and the advanced

measurement approach (AMA)


5/31

Basel II / AMA Approaches

Basic

15% of Gross Income

Advanced Measurement ApproachRisk Measurement, Loss Data Base, Risk Exposure Report, Capital

Calculation Engine

Standardized

15% of Gross Income

Alternative

Standardized

15% x 3.5% of Assets

Only capital calculation, no risk measurement


6/31

EIB and Basel IIQualifying Criteria

Existing

Situation

Under Basel II / CAD

Objective

Basic Stand. Altern. Stand. AMA

Operational Risk Policy Yes No Yes Yes YesKeep Existing Operational

Risk Policy

Operational Risk Exposures

ReportYes No Yes Yes Yes

Keep Existing Operational

Risk Report

Loss Data Base Yes No Yes Yes YesKeep Existing Loss Data

Base

Capital Calculation Engine No No No No YesImplement Capital

Calculation Engine

Basel II Capital Requirement N/A 265M 265M 1,300MApprox.

100 M 150 M


7/31

Motivations for AMA

Basel II / CAD

Large international bank

Triple A rating

Non profit

Key objective is best practice not capital


8/31

AMA Key Elements

Scenario Analysis

Business Environment & Internal

Control Factors

Internal Data

External Data

Scenario Analysis

Key Risk Indicators since

2001

Scorecard / KRIs

Database of events

and losses since 2002

SAS Global Data

Operational Events and Losses

0%

20%

40%

60%

80%

100%

120%

2 00 2 200 3 20 04 200 5 20 06

Years

E

vents

0%

20%

40%

60%

80%

100%

120%

Losses(EUR)

Operational Events

Operational Losses

Preliminaryanalysis

Servicesvalidation


9/31

Adjusted risk capital (ARC)


10/31

Adjusted Risk Capital(A.R.C.)

Operational Risk Management Model

Key Principles

ARC

Capital adjustment

Reporting


11/31

OR Governance

Strategy and

Policy ORMOrganizational

Structure

OR Framework

& Processes

Qualitative Requirements

Internal

DataExternal

Data

Scenario Analysis BusinessEnvironment

OR Measurement

Quantitative Requirements

Operational RiskManagement Model


12/31

Key Principles

Management comes before measurement

No appetite for Operational Risk

You can do everything, but you cannot

do it alone


13/31

Annual riskassessment process

Frequencyof events

Severityof loss

43210

40-

50

30-

40

20-

30

10-

20

0-10

Annual Aggregate Loss($)Mean 99.9th Percentile

Business and internalcontrol environment

Key Risk Indicators

ScenarioAnalysis

Adjustedparameters

and distributions

Preliminary

analysis

LDA model

Prior VAR

Adjusted VAR

New Loss

Data

New KRIs

Historical Data

Internal/External


14/31

Preliminary analysis

Historical data onfrequency and impact

Distribution of lossesbased on historical data

Stress testing basedon scenario analysis

Historical data onfrequency only

No historical dataavailable

Distribution of lossesbased on scenario analysis.

Scenario frequency based on historical dataScenario impact to include extreme (stress) losses

Distribution of lossesbased on scenario analysis.

Scenario impact to include extreme (stress) losses


15/31

Scenario identification

Events with losses already happened

Near misses

ICFAudit points with AAPs

Events identified by management

Events identified through external info


16/31

Scenario assessment

Frequency of occurrence

Severity of impact

Worst case (substantial deviation from

business as usual)


17/31

Services assessment

Is each scenario credible? Need to

modify/discard?

Are estimates (probability, impact, worst

case) reasonable?Are there other scenarios to consider?

In this case what are probability, impact

and worst case?


18/31

Business andControl Environment

2006 Q1

Evolution1

%

Front office trade capture

Number of treasury portfolio deals # 2,819 10% 3,000 4,000

Percentage of new transactions % 0 0 10

Number of cancellations and rejections in FK # 60 -50% 40 100

Back office transaction processing and accounting

Number of payments and transfers # 6,586 -13% 9,000 15,000

Number of cancellations and rejections in payments and transfers # 178 -1% 90 180

Average number of outstanding items older than 7 days at month end

in the nostro accounts reconciliation.

working

days 27 -15% 25 40

Number of cancellations and amendments in Swift Alliance # 141 14% 100 250

Number of manual interventions in accounting # 63 25 40

Risk and control environment

Total Operational Losses EUR 7,500 1,000 150,000 Risk Assessment score from ICF Score 1 0% 1 2

System server downtime during working hours hrs 0 -95% 0 2

Treasury Process Scorecard

Indicators Units ValueThreshold

2 Limit3


19/31

Business andControl Environment

1.7

Front office trade capture 1 1.4

Number of treasury portfolio deals 1.0 1

Percentage of new transactions 1.0 2

Number of cancellations and rejections in FK 2.0 2

Back office transaction processing and accounting 1 2.1

Number of payments and transfers 1.0 1

Number of cancellations and rejections in payments and transfers 2.0 2

Average number of outstanding items older than 7 days at month end

in the nostro accounts reconciliation. 2.0 2

Number of cancellations and amendments in Swift Alliance 2.0 2

Number of manual interventions in accounting 3.0 2

Risk and control environment 1 1.7

Total Operational Losses 2.0 3

Risk Assessment from ICF 1.0 2

System server downtime during working hours 2.0 2

Activity6

Process7Indicators Scores

4Weight

5


20/31

Capital Adjustment


21/31

A.R.C. Reporting

Monthly Report

Quarterly Report

Ad-hoc Report

President

Board of

Directors

ManagementCommittee

Directors general, Internal Audit,External Audit, Audit Committee

W k d E l


22/31

Worked Example

P li i l i


23/31

Preliminary analysiswith historical data

Level 3 Business Level

A trader deals in unauthorized

derivatives and hides losses in adummy account.

A system failure on a major paymentdate leads to inability to settle a

portion of that days transactions.

BODY OF DISTRIBUTION (based onhistorical losses)

A mis-specified SWIFT code leads to

an incorrect payment.

STRESS SCENARIO FOR TAIL OFDISTRIBUTION A payment is sent out just before a

counterparty defaults.

AverageFreq.

N. A.

Once ayear

Fourtimes a

year

Once in50 years

Averageimpact

N. A.

N. A.

15,000

70M

WorstCase

N. A.

N. A.

450,000

126M

1.1.1 Internal fraud

Unauthorized

transaction notreported

6.1.1 Losses arising fromsystem failures

Hardware

7.1.1 Transaction capture,

execution and maintenance

Data entry,

maintenanceor loading

error


A trader deals in unauthorized

derivatives and hides losses in adummy account.

A system failure on a major paymentdate leads to inability to settle a

portion of that days transactions.


A mis-specified SWIFT code leads to

an incorrect payment.



AverageFreq.

N. A.

Once ayear

Fourtimes a

year

Once in50 years

Averageimpact

N. A.

N. A.

15,000

70M

WorstCase

N. A.

N. A.

450,000

126M


Unauthorized

transaction notreported


Hardware

7.1.1 Transaction capture,

execution and maintenance

Data entry,

maintenanceor loading

error

P li i l i


24/31

Preliminary analysisincluding scenarios


A trader deals in unauthorizedderivatives and hides losses in adummy account.

A system failure on a major paymentdate leads to inability to settle aportion of that days transactions.


A mis-specified SWIFT code leads toan incorrect payment.



AverageFreq.

Once in10 years

Once ayear

Fourtimes a

year

Once in50 years

Averageimpact

1M

10,000

15,000

70M

WorstCase

50M

150,000

450,000

126M


Unauthorizedtransaction notreported


Hardware

7.1.1 Transaction capture,execution and maintenance

Data entry,maintenance

or loadingerror


A trader deals in unauthorizedderivatives and hides losses in adummy account.

A system failure on a major paymentdate leads to inability to settle aportion of that days transactions.


A mis-specified SWIFT code leads toan incorrect payment.



AverageFreq.

Once in10 years

Once ayear

Fourtimes a

year

Once in50 years

Averageimpact

1M

10,000

15,000

70M

WorstCase

50M

150,000

450,000

126M


Unauthorizedtransaction notreported


Hardware

7.1.1 Transaction capture,execution and maintenance

Data entry,maintenance

or loadingerror

R lt f i


25/31

Results of reviewwith the services

20,000,000

Between

50M and

150M

Between 50M

and 150M

Once in 50

years

53,832,905Total Operational Risk Capital (EUR)

53,832,905Total VAR

1,061,082

Between

150,000 and

500,000

Less than

10,000Quarterly

7. Execution, Delivery &

Process Management

471,823

Between

50,000 and

150,000

Between 10,000and 50,000

Once a year6. Business disruption andsystem failures

32,300,000

Between

50M and

150M

Between 1M

and 5M

Once in ten

years

1. Internal Fraud

Unauthorized Activity

VAR (EUR)

Worst case

(EUR per

event)

Mean severity

(EUR per

event)

Mean

frequency

What is your risk of

incurring losses related to

ResultsAnswers (self-assessment)Questions

20,000,000

Between

50M and

150M

Between 50M

and 150M

Once in 50

years


53,832,905Total VAR

1,061,082

Between

150,000 and

500,000

Less than

10,000Quarterly

7. Execution, Delivery &

Process Management

471,823

Between

50,000 and

150,000

Between 10,000and 50,000

Once a year6. Business disruption andsystem failures

32,300,000

Between

50M and

150M

Between 1M

and 5M

Once in ten

years

1. Internal Fraud


VAR (EUR)

Worst case

(EUR per

event)

Mean severity

(EUR per

event)

Mean

frequency




I t ti ith


26/31

Integration withnew loss data

During the first three months of the year, two events in Risk

Category 6., with losses of40,000 and60,000, respectively.

Risk assessment is updated accordingly.

Lognorm(30000; 42500) Trunc(0;+inf)

Probability

Valuesx10^-5

LossesValues in Thousands

0.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

4.0

050

100

150

200

250

300

350

400

450

500

>0.1%99.9%0.0 440.0

Lognorm(400000; 280000) Trunc(0;+inf)

Probability

Valuesx10^-6

LossesValues in Thousands

0.0

0.5

1.0

1.5

2.0

2.5

0

600

1200

1800

2400

>99.9%0 2350

R lt ith


27/31

Results withNew internal loss data

20,000,000

Between 50M

and 150MBetween 50M

and 150M

Once in 50

years


56,097,730Total VAR

1,061,082Between

150,000 and

500,000

Less than 10,000Quarterly7. Execution, Delivery &

Process Management

2,736,648Between

150,000 and

500,000

Between 50,000

and 150,000Quarterly

6. Business disruption and

system failures

32,300,000Between 50M

and 150M

Between 1M and

5M

Once in ten

years

1.Internal Fraud


VAR(EUR)

Worst case

(EUR per

event)

Mean severity

(EUR per

event)

Mean

frequency




20,000,000

Between 50M

and 150MBetween 50M

and 150M

Once in 50

years


56,097,730Total VAR

1,061,082Between

150,000 and

500,000


Process Management

2,736,648Between

150,000 and

500,000

Between 50,000



system failures

32,300,000Between 50M

and 150M

Between 1M and

5M

Once in ten

years

1.Internal Fraud


VAR(EUR)

Worst case

(EUR per

event)

Mean severity

(EUR per

event)

Mean

frequency




New KRIs and


28/31

New KRIs andcapital adjustment

Business and control environment is reflected in a Scorecardsummarizing a set of Key Risk indicators (KRIs).

Six months later the relevant Business Units score is rated VeryGood.

Capital charge is adjusted according to the following formula.

%2.72exp1exp

expexp

2.12.1

K

SSK

Exponential function limits downside reductions of capital

-10%

-5%

0%

5%

10%

15%

20%

25%

30%

35%

1 VeryGood

Good Medium Bad VeryBad

3

Risk Score

Capital Adjustment

= - 7.2%

Results with new KRIs


29/31

Results with new KRIs

20,000,000Between 50M

and 150MBetween 50M

and 150M

Once in 50

years


52,058,693Total Adjusted Operational Risk Capital (EUR)

56,097,730Total VAR

1,061,082Between

150,000 and

500,000


Process Management

2,736,648

Between

150,000 and

500,000

Between 50,000



system failures

32,300,000Between 50M

and 150M

Between 1M and

5M

Once in ten

years

1.Internal Fraud


VAR(EUR)

Worst case

(EUR per

event)

Mean severity

(EUR per

event)

Mean

frequency




20,000,000Between 50M

and 150MBetween 50M

and 150M

Once in 50

years


52,058,693Total Adjusted Operational Risk Capital (EUR)

56,097,730Total VAR

1,061,082Between

150,000 and

500,000


Process Management

2,736,648

Between

150,000 and

500,000

Between 50,000



system failures

32,300,000Between 50M

and 150M

Between 1M and

5M

Once in ten

years

1.Internal Fraud


VAR(EUR)

Worst case

(EUR per

event)

Mean severity

(EUR per

event)

Mean

frequency




Conclusions


30/31

Conclusions

Strong top management commitment

Analysis of all incidents (and near

misses)Risk measurement andmanagement

Work with the business units

Keep it simple


31/31

Any questions?

Thank you for

attention!

Operational Risk AMA at the EIB

Documents

Transcript of Operational Risk AMA at the EIB