|
1
|
|
|
2
|
- Introduction to Operational Risk & Incidents
- Introduction to Operational Risk Management
- Historic Perspective
- OR Incidents – Pakistan
- Operational Risk Framework & Approaches
- Operational Risk Framework
- ORM Approaches
- Success Factors
- Challenges Industry Faces
- Key Benefits to Industry in Implementation of Operational Risk
- Regulators – Case Study Pakistan Banking Industry
- Business Models – Full Integration to Complete Segregation
- RCSA Models
- AMA Models
|
|
3
|
|
|
4
|
- ORM is the oversight of operational risk, including
the risk of loss resulting from
- Inadequate or failed internal processes and systems;
- Human factors; or
- External events.
|
|
5
|
|
|
6
|
|
|
7
|
|
|
8
|
|
|
9
|
|
|
10
|
|
|
11
|
|
|
12
|
|
|
13
|
- Lesser number of business lines i.e. easy to map
- ASA permit banks to use loans and advances as the exposure indicator
rather than the gross income indicator under TSA
- ASA is designed to support banks working in high-margin markets, such as
emerging markets
- Capital Benefit
|
|
14
|
- Regulatory Emphasis – Realization of its impact
- Guidelines, Deadlines, Seminars, Audits and Penalties
- Training and certification to promote correct approach
- Industry level Risk Assessment Workshops
- Executive Management/ Board Level Support
- Regulatory Instructions for strong control environment/ operational
risk whereby board is to review and sign off
- Dedicated Team – Bank
- Separate from Audit, compliance and operations
- Risk Management Culture
- Automation – Continuity
- Real Value in risk mitigation not collection of data
|
|
15
|
- Regulators do not force enough
- Board/ Executive Management has low priority on ORM
- Success Stories not very frequent – Still searching for monetary
benefits
- Not easy to scope it – Banks find it difficult to draw a line where not
to engage operational risk. Hence role is not clear leading to confusion
and frequent changes in resources
- Practice vs models – Implementation across the bank for all support
functions and integrating/translating the results into models – models
are not proven
- Lack of Experienced Resources: RCSA workshops cannot be conducted by
Junior Staff – Requires Leadership and People Management
- Standardization of risk taxonomy/common definitions across the bank
|
|
16
|
- Unavailability of data
- Operational losses are parked under expense heads
- Single incident may attribute to multiple business lines and departments
- Missing insurance recovery data
- Incomplete details or incident related information
- Difficult to reconcile with accounts
- Lack of evidences
- Scattered Data
- Lack of risk culture
|
|
17
|
- Loss Data Collection
- Transparency and culture of reporting
- Lessons learnt
- Plugging of gaps (Mitigation of Risks)
- Key Indicator
- “KEY” indicators not data collection
- Data Flow Models
- Alerts / Existing MIS
- Action Plans on Alerts
- RCSA
- Quantitative vs Qualitative
- Control Testing Results
- Risk Mitigation
|
|
18
|
- Maturity Level towards risk management moves up
- More Transparency in the banking sector – staff is comfortable to report
losses and high-light risks in RCSAs
- Control are tested efficiently and effectively since Key controls are
know better
- Larger shocks are reduced
- Developments
- Loss Data Consortium
- Industry Risk Assessment/ Benchmarks
- Key Indicator Industry Dashboard
|
|
19
|
- Operational Risk Guidelines 20031 and 20132
- Loss Data Consortium – Discussion Phase (PBA)
- Seminars 2010, 2013 by State Bank of Pakistan
- Industry Risk Assessment Workshop SME Sector 2012
- Part of Audit/Inspection Plan
- COSO/ Enterprise Risk Management/ IRAF
- Workshop on operational risk management for banks in May 2009 conducted by Ali Samad Khan
- Guidelines on Fraud Risk Management & Reporting in 2014
|
|
20
|
- Dedicated ORM Teams
- Guidelines/ Policy and Procedures ORM
- Loss Data – All Banks
- Key Indicators – 50% Banks ( Value is needed)
- Risk Assessment – 50% Banks ( Value is needed)
- 3 Banks on Parallel Run - ASA Approaches
and 4 Banks expected to submit request for ASA Approaches
- Majority of Banks on Basic Indicator Approach
- RCSA major challenge – Still need leadership and resources
- Automation over 70 percent banks (without DFIs)
|
|
21
|
- Single Unit ORM
- ORM + Compliance
- ORM + Compliance + Internal Control Unit
- Loss Data+ (RCSA +KRI) + Analytics
- ORM + Internal Control + Fraud Investigation Units + Compliance
|
|
22
|
|
|
23
|
- Qualitative Assessment (Based on scores)
- Quantitative Assessment (Based on amounts)
- Hybrid Assessment (Based on scores and respective amounts linked to it)
- Control Scoring
|
|
24
|
|
|
25
|
- According to this method, the Operational Risk capital charge depends on
the sum of the unexpected and expected losses
- Expected losses are computed by using bank historical data
- Unexpected losses are found by multiplying the expected losses by a
factor, derived by sector analysis.
- where,
- i = Business line, j = Risk Type
- γ = Gamma Factor, fixed percentage for each business line
predetermined by the supervisor
- EI = Exposure Indicator, the amount of risk for different business lines
- PE = Probability that a loss event occurs, the number of loss events per
the number of transactions
- LGE = Losses Given such Events, the average loss amount per transaction
amount
|
|
26
|
- Advantages
- Simplest AMA method to calculate OpVaR
- Banks having internal and external data can easily deploy IMA without
any statistical modeling
- Disadvantages
- The drawbacks of this approach are the assumptions of
- Perfect correlation between the business line/loss type combinations,
and
- A linear relationship between the expected and unexpected losses.
|
|
27
|
- In this method, an expert panel has to go through a structured process
of identifying the drivers for each risk category, and then forming
these into questions that could be put on scorecards.
- These questions are selected to cover drivers of both the probability
and impact of operational events, and the actions that the bank has
taken to mitigate them.
- In parallel with the scorecard development and piloting, the bank’s
total economic capital for operational risk is calculated and then
allocated to risk categories.
|
|
28
|
|
|
29
|
- Disadvantages
- Historical data dependency
- Experts opinion dependency
|
|
30
|
- This method uses loss data, for every Business Line/Event Type
combination, the probability distribution for the frequency of the loss
event as well as for its impact (severity) over a specific time horizon.
|
|
31
|
- Advantages
- It is highly risk sensitive, making direct use of bank’s internal loss
data
- No assumptions are made about relationship between expected and
unexpected losses
- Provided that an estimation methodology is correct, LDA provides an
accurate capital charge
- Disadvantages
- Loss distributions may be complicated to estimate
- VaR confidence level is not agreed upon, and whether 99.9% or
higher/lower percentile is considered makes a significant difference on
the capital charge
- Extensive internal data sets (at least five years) are required
- The approach lacks a forward-looking component because the risk
assessment is based only on the past loss history
- Historical data dependency
- The approach is applicable to banks with extensive and properly managed
databases
|
|
32
|
- Probability in theory requires historic data for its calculations – a
suitably relevant concept as far as market and credit risks are
concerned.
- But what about operational risk? Is history a logically valid parameter
to predict potential future operational losses? Specially frequency!
- An operational risk event that happens today will be met by immediate
counter measures reducing the probability of its happening again in the
same manner.
- If something can happen and has not happened so far, then with every
passing day, the probability of its happening increases!
- So, meta-theoretically, what has happened in past has less probability and
what has not happened so far has greater probability of happening!
|
|
33
|
- Frequency of operational loss events is generally country specific and
particularly institution specific –No institution would have large
history of operational losses or it would not be there!
- Therefore, internal data needs to be combined with external data in
order to establish reliable probabilities–External operational data may
distort complete calculations and calculated probabilities may reflect a
picture which has nothing to do with institution!
- Even in presence of external data, frequency of high impact events is
too low to model some credible statistical pattern – Tail prediction
dilemma!
|
|
34
|
- Every bank needs to establish a minimum threshold for recording
operational risk impact –these thresholds may differ from bank to bank making
internal and external data incompatible.
- A single operational risk event may have impact on several business
lines which requires empirical distribution of impact value that may not
be accurate.
- Empirical methods for operational risk impact distribution over
different business lines may differ from bank to bank.
- Tail prediction dilemma stays with impact calculations too!
|
|
35
|
|
|
36
|
- Approximately 150 incidents reported from across the Bank through
the online incident reporting form over the last few years.
- 1300+ incidents in the incident library including expected losses, potential
losses and near misses
- 1200+ risks assessed through 19 workshops
- 300 KRIs capturing data from every department of the Bank
- 14,000+ controls tested frequently by all branches and head office
functions.
- Control gaps and unwanted risks mitigated through effective actions
plans.
- Regular reporting to management and key stakeholders
- Fully automated processes and reporting
- All of the above achieved within a period of approximately 2 years
|
|
37
|
|
Notes
