Managing Operational Risk Focusing on What’s Practical

Flora Do, Senior Manager, Deloitte March 23, 2011

Agenda • • • •

1

Introduction Industry observations Operational Risk Management (ORM) Approach – Key tools Closing comments

Managing Operational Risk - Focusing on What's Practical

© Deloitte & Touche LLP and affiliated entities.

Introduction

As operational risk measurement remains in its infancy, need to focus on improving management of operational risk • Operational risk management (ORM) more focused on measurement and capital vs. proactive identification and management of risk • Market events in recent years make have shifted Board and executive attention away from operational risk, towards market, credit and liquidity risk • Greater levels of operational risk from recent increases in:  Demand on staffing levels and infrastructure  Transaction volumes

• Measurement challenges:  No single standard methodology has emerged for risk measurement, impact quantification, and capital attribution  The use of external data poses a number of questions  Historical data is not necessarily a good indicator of future events

3

Managing Operational Risk - Focusing on What's Practical

© Deloitte & Touche LLP and affiliated entities.

Focus on significant risks

Probability

Significant Risk Criteria Material Capital Significant Capital Consumption Consumption

Total Loss Distribution

Does the risk expose the organization to the threat of significant capital consumption? Expected Loss (EL)

Significant Reputational Material Reputational Impact Impact

Unexpected Loss (UL)

Significant Risk = Unexpected Losses Mean

99th percentile

Does the risk expose the organization to the threat of significant reputational consequences?

Annual Aggregate Loss ($)

4

Managing Operational Risk - Focusing on What's Practical

© Deloitte & Touche LLP and affiliated entities.

Value of Operational Risk Management An effective ORM program increases the value of a company Qualitative Advantages • Process optimization

Quantitative Advantages • Calculation of economic capital for OpRisk

• Risk awareness

• Enterprise-wide comparability of all material risks (ICAAP)

• Transparency & control • Strategic decision making • Prevention of reputational loss • Compliance with regulatory requirements

• Low error rate

• Saving from regulatory capital

• Better rating by the rating agencies

• Risk Adjusted Performance Measurement (RAROC)

• Loss reduction

• Risk-taking optimization

• Improved investor relations

• Profit maximization

• Profit maximization

Increase in value of the company 5

Managing Operational Risk - Focusing on What's Practical

© Deloitte & Touche LLP and affiliated entities.

Industry observations

Challenges implementing an ORM program Framework capability

Performance

Risk strategy

Challenges •

How is the operational risk strategy linked to business objectives?

•

Making a step change in risk strategy to “best of breed”

•

How is the overall operational risk strategy decomposed for different sub-risks and how do these interrelate?

•

Deepening articulation of operational risk appetite, leveraging metrics and boundaries f rom both organisations

•

How is progress against this strategy being monitored across the group?

•

Alignment of operational risk strategy to corporate strategy

•

How do the various roles of the business lines (risk, internal audit etc.) interact?

•

Streamlined risk governance, de-duplicating committees, roles and activities

•

What is the decision making structure?

•

•

What is the most ef f icient and ef f ective balance of centralisation/decentralisation f or risk management and controlling?

Clarif y ORM roles and responsibilities at the same time as consolidating risk governance models

•

Eliminate gaps in activity

How can OR inf ormation help:

•

Aligning MI to stakeholder needs

– identif y areas of concern?

•

– Benchmark the quality of risk management across the group?

Consideration of both risk and business unit objectives in developing revised risk MI

•

Enables early warning of changes in risk or control ef f ectiveness

RAPM Alloc ating Capital Quantitativ e ris k analy s is /modeling

Opportunities

Identify , meas ure, control and monitor

Knowledge

Organizational structure Board Risk Man ag emen t Commit t ees

Grou p

Bu sin ess 1

Bu sin ess 2

Risk Man ag emen t Fu n ct ion s

Au d it Commit t ee

In t ern al Au d it

Market risk Cred it risk Op erat ion al risk et c Grou p /Su p p ort Fu n ction s

Sp ecialist Dep art men t s Leg al/comp lian ce HR et c

1 st lin e of d efen se/Day t o d ay risk man ag emen t

2 n d lin e of d efen se/ Risk oversig h t

3 rd lin e of d efen se

Management Information (MI)

•

•

7

How should data be collected, collated and aggregated? Can this be f urther automated?

Managing Operational Risk - Focusing on What's Practical

© Deloitte & Touche LLP and affiliated entities.

Industry observations • Many institutions focus on risk avoidance and/or measurement vs. risk management • Focus generally at process level vs. business and strategic level • Leading institutions have ORM objectives clearly defined, and robust data collection analysis processes, triggering update of risk assessment as events occur • Some have moved from a centralized to a more decentralized approach in assessing risk and controls • Most common inputs to operational risk capital models include internal loss data and risk and control self assessment  Wider range of inputs being considered • Majority provide risk reports to the Board of Directors and designated board risk committee for operational risk

8

Managing Operational Risk - Focusing on What's Practical

© Deloitte & Touche LLP and affiliated entities.

Operational Risk Management Approach – Key Tools

Advanced solutions need to incorporate loss data, scenario analysis and forward looking indicators Internal Data

Internal Loss Database

Loss Distributions

Internal loss

External Data Loss Distributions

External Loss Database

Combined Baseline

Measurement Model

Model Outputs • Capital attribution • Pricing decisions • Risk Based Performance measure • Management reporting (Dashboards) • Strategic planning • Regulatory reporting

Scenario Analysis Scenario A B C

Im pact … … …

Likelihood … … …

Extreme Events

Adjustments

Forward Looking Data Risk & Control Self Assessment (RCSA)

10

Risk Mitigation (e.g. insurance)

Key Risk Indicators (KRI)

Scorecard

Managing Operational Risk - Focusing on What's Practical

© Deloitte & Touche LLP and affiliated entities.

Risk and Control Self-Assessment (RCSA)

Risk Governance and Organization

Risk Strategy and Policy Enterprise-wide Risk Management Process

4. Supervision

1. Identification

Risk Definition/ Categorization

Reporting

3. Procedure Management

2. Evaluation

Competencies and Resources Risk & Control Self Assessment (RCSA) Diagnostic 11

Identification & Assessment

Managing Operational Risk - Focusing on What's Practical

Mitigation

Reporting © Deloitte & Touche LLP and affiliated entities.

Scenario analysis and stress testing • Develop a set of practical scenarios – Should be based around the key drivers of each of the significant risks facing the entity • Demonstrate that the process of selecting the scenarios represents a reasonable evaluation of the potential „unknown unknowns‟ • Carefully consider basis for determining the strength of correlations between operational / non financial risk and diversification benefits • Establish a process to consider the extent to which the outcomes of the scenario and stress testing undertaken should be reflected in the maintenance of capital levels and the degree to which this can be mitigated

12

Managing Operational Risk - Focusing on What's Practical

© Deloitte & Touche LLP and affiliated entities.

Key Risk Indicators (KRIs) • KRIs are parameters which can act as indicators and which can be seen to be predictive regarding changes in the risk profile of a business • Ideally determined for many of the significant risks identified in the RCSA process • Some indicators are meaningless on their own and need to be combined with other KRIs • Risk Appetite setting - among the methods which can help in articulating risk appetite is the setting of tolerance and escalation levels for KRIs • Regulatory Compliance - identification and management of KRIs is an area of regulatory focus • Capital Calculation – data from established KRIs can be used as a source of input for OR capital calculations

13

Managing Operational Risk - Focusing on What's Practical

© Deloitte & Touche LLP and affiliated entities.

Closing comments

Final thoughts • Regulatory-driven operational risk efforts are typically focused on measurement and capital vs. proactive identification and management of risk • Measurement of operational risk lacks precision of other major risk types • As organizations can budget for expected losses but not for expected losses…  Increase robustness of analytical tools and systems to better manage operational risk and facilitate capital allocation decisions  Improve integration with related risk and control programs

15

Managing Operational Risk - Focusing on What's Practical

© Deloitte & Touche LLP and affiliated entities.

16

Managing Operational Risk - Focusing on What's Practical

© Deloitte & Touche LLP and affiliated entities.