
OPERATIONAL RISKS IN FINANCIAL SERVICES

AN OLD CHALLENGE IN A NEW ENVIRONMENT

HANS-ULRICH DOERIG, VICE CHAIRMAN

CREDIT SUISSE GROUP


JANUARY 2001 PARTLY ADJUSTED APRIL 2003

ADVICE TO THE READER

Aware that the reader of this presentation is always under time pressure, I propose the following advice:

1. The "really" hurried reader gains an overview from (17 pages):
   - Table of Contents
   - Chapter 1 - Introduction
   - Chapter 2 - Summary and Outlook: 12 Conclusions

2. The "less" hurried reader gains an enlarged overview from (56 pages):
   - Table of Contents
   - Chapter 1 - Introduction
   - Chapter 2 - Summary and Outlook: 12 Conclusions
   - 12 Principles / or 12 Issues / 12 Checks / etc. (which are highlighted in yellow throughout the paper)

3. The reader wishing a complete overview should read (135 pages):
   - the document in its entirety

CSG

Operational Risks in Financial Services

PREAMBLE

In view of the increasing industry discussion on Operational Risks and the BIS intention to charge banks with additional regulatory capital requirement, I held the original presentation at the Institut International d'Etudes Bancaires in October 2000. This Institute is a forum of 50 European top management members. Since then, I adjusted some texts and added a few pages, where appropriate.

ACKNOWLEDGEMENT

This presentation would not have been ready in time without the constructive and critical contributions by my CSG Risk Management staff. My thanks to them.

While I structured and wrote the presentation myself, Dr. Harry Stordel deserves a special mention of thanks - he concentrated on research for some chapters and some of his ideas have been included. My thanks also to Mrs. Annette M. Rouiller, who handled the presentation appearance, a rather nerve-wracking task in a hectic environment.


Table of Contents

1. Introduction and Overview .... 4
   1.1 The 100 Risks in Financial Services .... 4
   1.2 Coping with Risk Complexity .... 5
   1.3 Operational Risk in Risk Management .... 7
   1.4 The 12 Golden Organisational Principles in Risk Management .... 8
2. Summary and Outlook: 12 Conclusions .... 11
3. Operational Risks: Framework for Definitions and Dimensions .... 19
   3.1 Operational Risk Definitions .... 19
   3.2 Five major OpRisk-Categories and their Sub-Categories .... 20
   3.3 Overlaps between Risk Classes .... 22
   3.4 Operational Risk ≠ Total Risk - Credit Risk - Market Risk .... 23
   3.5 The Dimensions of OpRisk Management .... 24
   3.6 The four Stages of OpRisk Management .... 25
4. Major OpRisk-Mishaps in Financial Services: 12 Lessons learned .... 26
   4.1 Introduction .... 26
   4.2 Overview of 8 selected Mishaps since 1991 .... 26
   4.3 The 1977 Credit Suisse Chiasso Case .... 29
   4.4 OpRisk Scandals in Financial Services: 12 Lessons .... 30
5. Organisations with a 5000 Year OpRisk Experience: 12 Lessons .... 33
   5.1 Introduction .... 33
   5.2 Principles of the Military .... 33
   5.3 Military OpRisk Experience: 12 Lessons .... 40
6. Managing Operational Risks: The 12 S's as a High Level Requirement .... 43
   6.1 Risk Management Framework .... 43
   6.2 Strategy and Structure .... 44
      6.2.1 Corporate Governance .... 44
      6.2.2 Segregation of Duties .... 46
      6.2.3 Management Structure for OpRisk .... 47
      6.2.4 Audit driven OpRisk Management .... 48
   6.3 System and Systems .... 49
      6.3.1 Framework of OpRisk Management .... 49
      6.3.2 OpRisk Control Process: 12 General Rules to Watch .... 49
      6.3.3 Top-down versus Bottom-up OpRisk Management .... 52
      6.3.4 Risk Processes: Quantitative and Qualitative Approaches .... 53
      6.3.5 Personal Attention by Senior Management .... 53
      6.3.6 Compensation-System .... 54
      6.3.7 Modern IT-systems lead to New Processes .... 54
   6.4 Safety and Speed .... 56
   6.5 Staff and Skills .... 59
   6.6 Style and Shared Values .... 62
   6.7 Stakeholders and Symbol .... 66
   6.8 Synchronisation .... 68
7. Managing Operational Risks: Practical Instruments and Tools .... 69
   7.1 Introduction .... 69
   7.2 Control and Risk Self-Assessment .... 69
   7.3 Impact & Frequency Scorecard .... 71
   7.4 Risk Indicators and Escalation Triggers .... 72
   7.5 Risk and Process Mapping .... 73
   7.6 OpRisk Dashboard .... 74
   7.7 Loss Event Database .... 74
   7.8 Applications and Limitations of Tools .... 75
8. Operational Risk Transfer: Insurance and Finance .... 76
   8.1 Insurance as Part of Risk Management .... 76
   8.2 Availability of Insurance .... 77
   8.3 Strategy and Structure for Insurance Coverage .... 78
   8.4 Funded Captives .... 79
   8.5 Alternative Risk Transfer .... 79
   8.6 Risk Transfer: 12 Guiding Principles .... 80
9. The Data Challenge .... 83
   9.1 Risk Data Methodology: 12 Issues .... 83
   9.2 Using Data: 12 Issues .... 86
10. Quantification of Operational Risks .... 90
   10.1 Introduction .... 90
   10.2 What is Quantified in OpRisk? .... 91
   10.3 Purpose of OpRisk Quantification .... 95
   10.4 How to Quantify/Model OpRisk .... 96
      10.4.1 Factor-derived / Indicator based Models .... 98
      10.4.2 Statistical / Actuarial / Simulation-based Models .... 99
      10.4.3 Loss-Scenario / Qualitative Assessment Models .... 100
   10.5 Capital Allocation .... 101
      10.5.1 Bankers Trust Approach: Combining Methods .... 101
      10.5.2 Credit Suisse Group's Approach: Scenario Based .... 102
   10.6 OpRisk Quantification: 12 Conclusions .... 102
11. Concerns of Supervisors .... 104
   11.1 The Three Pillar Approach by the BIS .... 104
   11.2 The OpRisk Regulatory Solution: 12 Points from a Banker's Point of View .... 106
12. Selected Areas of Future Concern .... 114
   12.1 Business Continuity Planning .... 114
   12.2 Customer Complaints .... 115
   12.3 IT Migration .... 116
   12.4 IT Security .... 117
   12.5 Outsourcing .... 119
   12.6 Money Laundering .... 120
   12.7 Fraud .... 122
   12.8 Settlement .... 125
   12.9 Communication .... 127
   12.10 Transformation Management .... 129
List of Abbreviations .... 132
Bibliography .... 134


1. Introduction and Overview

Risk management has always been an explicit or implicit fundamental management process in financial services. Today, however, there is more pressure to avoid things going wrong while continuing to improve corporate performance in the new environment. Good risk management is a decisive competitive advantage. It helps to maintain stability and continuity and supports revenue and earnings growth. Risk management is an obligation to stakeholders; diligent and intelligent risk taking is an "attitude" towards stakeholders. Despite all the progress in the quantification of risks, risk management will remain a blend of art and science. Quantified risk is seductive, but can be misleading or provide a "false sense of security"; imperfections have to be acknowledged. Comprehensive, institution-wide strategy and tactics towards risk can no longer be achieved by applying common sense only - albeit common sense remains crucial. There is a need for credible and relevant methodologies to identify, define, assess, reduce, transfer, avoid and manage risk. Risk management is a daily struggle against uncertainty and a daily learning process: Risk management is not a program, but a process which senior management and the Board of Directors are increasingly called upon to ensure. New governance requirements are quite explicit about this responsibility. Good risk management is not only a defensive mechanism, but also an offensive weapon. Quality of leadership and governance is increasingly an issue of risk management.

1.1 The 100 Risks in Financial Services

Risk is uncertainty about a future outcome. The daily life of a human being is full of risks, especially "operational risks". Life without uncertainty is like a movie or a joke of which you already know the outcome. Risk is part of corporate life. It is the essence of financial institutions' activities. A recognised risk is less "risky" than the unidentified risk. Risk is highly multifaceted, complex and often interlinked. While not avoidable, risk is manageable - as a matter of fact, most banks live reasonably well by incurring risks, especially "intelligent risks". Risk is to be managed, not feared. Financial services - dealing with so many daily actions and reactions by human beings - are exposed to a variety of risks. Chart 1.1 indicates such variety; all the 100 risks have at least an "operational touch". The greatest risk, however, is not taking one, as the chances for rewards move towards zero.


Chart 1.1: 100 Risks in Financial Services (H.-U. Doerig, 1998)

The chart lists the following risks:

Interest, Regulatory, Strategy, Systemic, Credit Spread, Business Volume, Team Departures, Insider, Innovation, Collateral, Settlement, Systems, Revenues, Custody, Risk Culture, Public Relations, War, Large Exposures, Catastrophe, Infrastructure Shutdown, Credit, Netting, Cost, FX, Style, Volatility, Market, Litigation, Management Structure, Rogue Trading, Liquidity, Proportionality, Character, Risk Appetite, Priority Setting, Counterparty, Operations, Pricing, Reputation, Brand, Low Probability / High Impact Losses, AL Management, Intrusion, Globalisation, New Business, Cross Border, Balance Sheet Structure, Know-How, Competition, Transparence, Legislation, Refinancing, Complexity, Capital Allocation, Legal, Segmentation, Communication, Court Decisions, IT, Product, Capital Access, Timing, Commodity, Partnerships-Alliances, Bridge Finance, Social Unrest, Financial Models, Centralisation-Decentralisation, Concentration, Know Your Client, MIS, Critical Size, Hackers, Risk Control, Staff / Team, Change Management, Channels / Internet, Risk Capacity, Motivation, Compliance, Cadence of Change, Syndication, Emerging Markets, Supervisory, Risk Ratings, Event Risks, Project, Future Commitments, Flexibility, Political, Insurance, Outsourcing, Take-Over, Data Integrity, Theft / Crimes / Fraud, Deal Breakup, Value Proposition, Initiatives Overload, Control Environment, Control Procedures, Documentation.

Naturally, such variety is confusing and not helpful for coping with risks. An intelligent "packaging" of risks is needed. Such a packaging often involves setting a priority focus. This focus might differ from one bank to the other - there are over 30'000 banks and an estimated 20'000 insurance companies world-wide.

1.2 Coping with Risk Complexity

Credit Suisse Group - presented in Chart 1.2 as one example of many - differentiates among 7 priority risk categories. Strategy and reputation risks are tackled on a systematic and qualitative basis. Market, credit, insurance underwriting and commission and fee income risks have become quantifiable in a more credible fashion. Chart 1.2 also indicates the scope and challenge of any integrated firm-wide risk management. Thereby, any organisation has to build on what I call the 12 S's - albeit different for any specific situation as to priority, timing, intensity and scope. The 12 S's serve as a systematic base for general management. The 12 S's will appear in the following chapters again and again, focused on OpRisk management.


Chart 1.2: Building an Organisation for the Management of 8 Major Risks (H.-U. Doerig, 2000)

Major factors shaping the risk disposition of an individual and an organisation: Values, Society & Politics; Innovation & Technology; Expectations; Facts; Experience; Clients; Knowledge; Competition; Perception; Policies & Regulation; Behaviour; Markets & Economy - all acting through the action and reaction of management and staff.

Scope and challenge of an integrated firmwide risk management: Building on the organisation's 12 S - Strategy, Stakeholders, Shared values, Structure, System/s, Skills, Simplicity, Symbol, Safety, Sustainability, Speed, Synchronisation - and ensuring a risk culture with modern methods / limits, proactive risk management, a constructive control attitude, continuous training and discipline as to corrective actions.

Effective risk management provides focus on and control over 8 major risks: Strategy Risk, Reputation / Brand Risk, Market Risk, Credit Risk, Insurance Underwriting Risk, Business Risk, Operational Risk, Liquidity Risk.

Chart 1.3 is a simplified attempt to visibly present my personal thinking as to the years to come for financial services. The convergence of all sorts will lead to the focused universal banking concept for some. Many will specialise - successfully so - in retail banking, private banking, wholesale banking or even concentrate on logistics as insourcer for outsourcers. Almost all will have similar challenges as to OpRisk; some of these challenges may only apply e.g. to retail or wholesale banking. An attempt is made here to find some of the more relevant common denominators.

Chart 1.3: Focused Universal Banking: Year 2000 onwards (H.-U. Doerig, 2000)

4 Core Activities: Retail, Private Banking, Wholesale and Logistics

9 Product or Activity Groups:
- Retail Banking: Individual and small/medium sized Companies, Mortgages
- Allfinanz / Bancassurance / Personal Financial Services
- Private Banking
- Asset Management for Institutions, Funds
- Trading: Securities, FX, Commodities, Derivatives, Brokerage
- Investment Banking: Primary Market, Financial Engineering, Corporate Finance, M&A
- Wholesale Banking (national = global): Loans, Structured Financing, Syndication, Securitisation
- Comprehensive Risk Management for Risks of all Sorts incl. Insurance
- Logistics: Back-/Mid office, incl. for 3rd Parties: Insourcer for Outsourcers

5 Prime Value Generators for the Product or Activity Groups:
1 = Operational Excellency: Standardisation, Segmentation
2 = Client Orientation: IT-Contacts plus physical Client Contact
3 = Excellency re Product, "Market Touch", Risk Management
4 = Capital Strengths, Rating & Standing
5 = Critical Size and/or Market Share


1.3 Operational Risk in Risk Management

The management of market and credit risks has made great progress as to its methodologies and quantification approaches, given the vast and reasonably reliable data and statistics. This does not mean that misjudgements as to the future are rarer, but the approach is more empirically founded. Operational risks - while not new, but in a new environment - have received tremendously increased attention very recently. While dealing with "operational risks" more closely, I realised the breadth and complexity of such a task. You can name anything out of the "banking life"; it almost certainly has an operational risk touch. The confusion as to OpRisk and its management is quite impressive in the industry: definitions not settled, frameworks different, data hazy, models complex and/or not (yet) credible, academics impractical, consultants looking for new assignments lack a track record, quants hungry for fresh challenges. Supervisors - in spite of all - are eager to get additional capital charges. Activism abounds. What an imbroglio to start with?! Operational risk management is - simply put - good management and close to quality management. As management in financial services is dealing with people for people - in a continuous process and ever changing environment - there cannot be an easy answer or a simple model. Mistakes and failures, i.e. OpRisk losses, happen daily in every financial services organisation, some negligible, some more serious; very rarely they can be very grave. This should make every manager humble, also in the judgement on competitors. The general environment for financial services will continue to change dramatically. It will call for significant and continuous adjustments in the way enterprises do business and adapt their operations.

As a result, OpRisk will primarily be driven by:
- New products
- Product sophistication
- New distribution channels
- New markets
- New technology
- Complexity (IT-interdependencies, data structures)
- E-Commerce
- Processing speed
- Business volume
- New legislation
- Role of non-government organisations
- Globalisation
- Shareholder and other stakeholder pressure
- Regulatory pressure
- Mergers and Acquisitions
- Reorganisations
- Staff turnover
- Cultural diversity of staff and clients
- Faster ageing of know-how
- Rating Agencies
- Insurance Companies
- Capital Markets


With dramatically increased competition - also from non-banks - a successful OpRisk management is crucial for survival. In the future, the market will be less forgiving of any colossal lapse. Reputation is increasingly also built on OpRisk management skills. These are some of the reasons why OpRisk gets such attention at present. Chapter 3 deals with the definition of OpRisk. Let me stress, however, OpRisk and OpRisk management are not only about risks and threats. Both are chances and opportunities as well. New approaches can solve many old problems. A financial services organisation must be a learning organisation and increasingly also a "knowledge-organisation". In chapters 4 and 5, I have therefore included the experience of 9 mishaps in the financial world and the very concrete experience of the oldest organisation with operational risks: the military. Chapter 6 deals with the more high level management issues, while chapter 7 presents some OpRisk instruments and tools. OpRisk transfer is discussed in chapter 8. OpRisk data and quantification follow in chapters 9 and 10. Concerns and issues of regulators and supervisors are presented in chapter 11, while areas of future concerns for OpRisk management are in the final chapter 12. Having observed the financial scene for some years, I am fully aware that every organisation is always in different stages of quality performance and process sophistication, given the interdependencies of internal projects and external pressures. I also know that there are many "paths to Rome". There is often not "only one solution" in management. It would be quite presumptuous to try for a complete paper on "good OpRisk management" or "good management": This paper contains suggestions based on personal opinion and observations, including the ones from Credit Suisse Group (CSG). The reader will also realise that I seem to have a "preoccupation" with the number 12. 
Over centuries, the number 12 has played the symbolic role of completeness - which is somewhat ambitious for an active banker. More important, my observations tell me that "12 messages" are just about digestible to keep one's attention span. They also force a priority setting.

1.4 The 12 Golden Organisational Principles in Risk Management

Ahead of the OpRisk discussion, my following 12 Golden Rules in Risk Management should be a guide throughout the presentation. They are the result of observations and adjustments over the years and apply to OpRisk aspects as well. Some of the following 12 conclusions or issues sound banal, but probably are the more vital elements when it comes to implementation.


Table 1.1: The 12 Key Principles in Risk Management

Our principles have not changed, but as a "learning organization" in a dynamic environment, we are continuously adjusting the contents with new priorities or refinements based on experience. The issue is not the intellectual level of the 12 principles but rather their diligent implementation, which is challenging in a diverse, global and changing world. Thereby no organization ever achieves an ideal or perfect positioning in every respect.

Executing the Fundamentals

1. Risk is uncertainty about future results. Risk taking = risk management. Do not fear but respect risks.
   - Ensure the balance of gains versus losses.
   - "Informed and intelligent" risk-taking, including attention to proportionality, concentration and diversification, active portfolio management.
   - Watch liquidity/flexibility aspects in turbulent times.
   - Watch harm by association.
   - Never forget "extreme event" risks. Deal with consequences of the unexpected cases.
   - Capital allocation based on Economic Risk Capital.

2. The 6 S's for the systematic mental discipline of an organization: the logical sequence.
   - Strategy - structure - system - systems - safety - speed.

3. Clear structure, allocation of responsibility and accountability and discipline are basic preconditions.
   - Prioritise disciplined processes and structures.
   - Transparency as to policies, directives, etc.
   - Clear and communicated responsibility and accountability. "Ownership" of issues and risks.
   - No conflicts of interest, i.e. front office versus support areas - but "constructive tension" where appropriate.

4. Rigorous measures in case of non-compliance/breaches.
   - Know the rules of the game: courage for unpleasant measures with a "culture of consequences".
   - It takes a lot of discipline, training and time to get everyone worldwide on an adequate control/compliance level.
   - Adequate compliance environment: Responsibility lies not only with immediate heads - it is a leadership function of each management level.

Retaining the Perspective

5. Completeness, integrity and relevance of data/systems/information as a basis. No diagnosis without information. Know what you do not know.
   - What is measured, observed and recognized gets attention.
   - Data characteristics are ideally: complete, objective, consistent, transparent, standardized, comparable across the institution, interpretable, auditable, replicable, embedded in aggregated processes, and above all relevant and credible as to facts and perceptions.
   - Credibly quantified and relevant risks represent an opportunity. If not credible, cynicism abounds.
   - Thoughtful self-challenge - especially rigorous audit reports - can provide a formidable basis to avoid/limit operational risks.

6. Risk management is a tenacious process, not a program. Prevention ahead of correction.
   - "Best practice" as goal. However, "best practice" must be applied intelligently: no "fads".
   - Ongoing questioning of strategy, structure, systems, safety, simplicity, speed.
   - Risk and compliance awareness ideally with everyone.
   - Care about substance, not only legalistic form: "smell test" with "overall view".
   - Focus on long-term initiatives versus short-term ones.
   - Emphasize furthering the risk culture, rather than controlling the numbers.
   - Management of risks for one's own organization comes ahead of risk management for supervisors/regulators.

7. Risk management is part art, part science. Facts, perceptions, expectations all are important.
   - Markets might promise but never guarantee anything.
   - Risk management is often the art of drawing sufficient conclusions from insufficient premises.
   - Watch internal and external exuberances and paralysis. Counterbalancing is a management task.
   - To be right too soon is also wrong: timing is the issue.
   - Common sense for reality checks, especially for models.

8. Limitation of models. A model is always a strong reduction/approximation of a more complex reality.
   - Models are as good as the underlying assumptions: "garbage in, garbage out" effect.
   - Not all risks are relevant and/or quantifiable: also here, use the 20/80 approach.
   - "Reductio ad absurdum" may lead to a "model figure" but is irrelevant in the overall context.
   - New external parameters and continuous restructurings can make models questionable, as there is no reliable base material.
   - Comparisons of absolute model figures with those of third parties are questionable: the prime internal value added of a good model, including the stress test, is its trend over time.
   - Theoretical rigidity may not prevail over practical relevance and credibility.
   - Models are always only part of an overall risk management approach and must include common sense.

9. Complex organizations, restructurings and projects can add risks.
   - Complexity is the enemy of speed and responsiveness: try hard for simplicity.
   - The more complex a risk type is, the more specialized, concentrated and controlled its management must be.

Focus on the Human Aspect

10. A financial institution is a knowledge and learning organization. Faster race, higher bar: antennae out to receive and implement internal and external input.
   - Data is ubiquitous and abounds: timely sorting and packaging in the proper context creates relevant information and value added.
   - People with authority especially must be educators: source, share, synthesize and save knowledge.
   - Specialists can "walk out" easily in good times.
   - Learn from mistakes and determine causality.
   - Self-management and leadership with regard to a culture of open communication based on "experience" and know-how are increasingly challenging: ban knowledge-hoarders and turn knowledge-givers into heroes as part of the evaluation/incentive process.
   - Continuous learning and training is part of the evaluation/incentive process.
   - Knowledge alone is not enough: it is the rigorous implementation which leads to results.

11. Responsible control/compliance/risk culture is as important as the most sophisticated quantification.
   - Those values count which are enforced. Lead by example: practice what you preach.
   - Combine overall judgement by experienced people with specialist knowledge.
   - Mistakes or misjudgements are unavoidable: the ways of correcting mistakes are part of culture.
   - Risk culture on the whole is the final responsibility of the top management.

12. Human element is THE critical factor of success.
   - Professionalism includes: inquisitiveness, feel, intuition and inspiration for risk and market direction.
   - Good mix of professional, open-minded and honest people with formal training, professional and life experience, integrity and character.
   - Honesty includes intellectual honesty: cover-ups are lethal.
   - Successful risk management is primarily the result of the capacity, aptitude and attitude of the people involved: people shape the culture, reputation and brand equity.

H.-U. Doerig, 2003

2. Summary and Outlook: 12 Conclusions

1. OpRisk management is nothing new per se. Risk management and OpRisk management in banking have been around since the inception of banking. From obscurity they moved to respectability. From respectability they have at least reached prominence. Over the last 10 years, risk management, especially for market and credit risks, has reached the impact stage. OpRisk management today is gaining prominence, but the stage of the full quantitative impact has not been reached. Its quantitative foundation - with credible, relevant and meaningful total figures - cannot be expected in the near future. Perhaps it never will be! What is new and will become a more prevalent development:
   - Generally increased risk awareness, including OpRisk
   - More rational, more analytical attempts to identify, define, categorise, measure, quantify and partly transfer losses and risks
   - Closer attention by regulators
   - Attention by and responsibility of senior management and Board of Directors
   - OpRisk seen in a broader context
   - A fast changing environment, in which OpRisk management takes place: boundaries increasingly blur, more non-banks enter the turf, consolidation and convergence in the industry continue, dis-intermediation and global capital markets grow faster

2. OpRisk is not "other risks": The term "other risks" stems from the obsolete notion of OpRisk as all non-market and non-credit risks. Many institutions have moved away from this negative definition to a positive definition. Contrary to market and credit risks, OpRisks are usually not willingly incurred; often they are insignificant in an overall context. Also for reputation reasons, OpRisks are avoided. OpRisks are primarily institutional, "bank made", "internal", context dependent, incredibly multifaceted, often judgemental, interdependent, often not clearly discernible vis-à-vis e.g. market and credit risks, and not diversifiable. OpRisks cannot be laid off in liquid trading markets: OpRisks are only eliminated if a bank ceases to be. Market and credit risks are revenue driven, OpRisks are not. OpRisk management is often close or parallel to quality management and, therefore, contributes to client satisfaction, reputation and shareholder value. These are some of the reasons why the definition, measurement and modelling of OpRisk is so difficult to come by.


Having recognised the above, a suggested OpRisk definition could be: "Operational risk is the risk of adverse impact to business as a consequence of conducting it in an improper or inadequate manner and may result from external factors." This definition needs categorisation: Organisation, Policy / Process, Technology, Human, External.

3. The OpRisk management of the future has to be seen in the wider context of globalisation and Internet-related technologies. The 2 major future drivers - globalisation and Internet-related technologies - will challenge the banks to take on additional and partly new OpRisk: avoidance of a "double click imbroglio". The increasing globality of financial services increases the demands on governance, including environmental and social responsibility. Globalisation - with its many advantages for the stakeholders of a modern firm - usually adds complexity and diversity of cultures, management and staff. A common culture - and a common risk culture - will be one of THE challenges for a globally oriented organisation. Managing a modern company means managing on behalf of all core stakeholders. Creating value for clients, staff and business partners is a precondition for creating shareholder value. Sustained and sound profitability is also the best contribution for avoiding systemic risks and protecting savers. Old World and New World are moving towards One World. Ubiquitous computing and Internet-related technologies (IRT) make every business a data-based business in a new e-economy, especially in financial services. IRT changes everything. IRT is no longer just a strategy supporter, but a strategy enabler: it enables transactions and services any time, instantaneously, with no barriers, at decreasing prices. Such a "technical environment" represents a major new challenge for management and especially for OpRisk management. While computing solves many OpRisk problems, it also creates new ones: IT, control, compliance, security, privacy protection etc.


4. Banks face continued dilemmas which have OpRisk ramifications:
   - The most venerable versus the most vulnerable
   - E-commerce hype versus hybris
   - Dot-com culture with rapid responses and change versus structured, systematic, sometimes slow structure / system and legacy systems
   - Innovation, "entrepreneurship" and "intrapreneurship" versus structure and processes
   - Consistency and predictability versus change and innovation
   - Long term orientation versus short term performance pressure
   - Security versus speed
   - Scale and standardisation versus scope and differentiation
   - "Roots" versus "strong wings" of management and staff in global organisations
   - Local conditions versus global pressures: "glocalism"
   - Maximising activities where the outcome is controlled and minimising exposures for which there is little or no control over the outcome
   - Operating and capital allocation efficiency versus compliance, control and capital requirements of supervision
   - Shareholder pressure versus other stakeholders' expectation

The winners will be those who understand the forces of change best, implement accordingly and "synchronise" their efforts optimally in turbulent times.

5. Good OpRisk management prevents crises. The only alternative to good OpRisk management is crisis management. With good OpRisk management an organisation manages its risks. In a crisis situation, the crisis itself often manages the organisation. All the more important is good management, e.g. along the diligent, disciplined, daily management of the 12 S's of an organisation: strategy, structure, system/s, staff, safety, speed, skills, style, shared values, stakeholders, symbol, synchronisation, as discussed in chapter 6. Clear structures and processes with defined allocation of responsibilities are preconditions for successful OpRisk management. The control and compliance environment is increasingly checked by supervisors, who more and more ask for individual responsibility.

6. Good OpRisk management - in combination with quality management - is a decisive base for enhancing the reputation of a bank: OpRisk deficiencies appear in every bank, almost daily. However, shareholders and other stakeholders will be much less forgiving of a major OpRisk mishap in the future. In a major crisis, the impact on market capitalisation and reputation can be significant during the first few months. Thereafter, the responsibilities for the disaster and the OpRisk management capability to deal with the aftermath become more visible. Thereby, consistent and effective communication as well as honesty show a fundamental financial value.

7. A more analytical OpRisk management approach is emerging: The attention it receives is a multiple of what it was only 5 years ago. OpRisk has been controlled - at least in some fashion - for years. It is now becoming more formalised and increasingly measured or at least consciously observed. Financial institutions and regulators / supervisors should be aware of the cost / benefit relationship of setting in place the quantification of OpRisk involving data gathering, models, procedures, systems and staff. The experience of setting up such systems for the quantification of market risks indicates the cost and inertia involved in changing the system and systems for a relatively little disputed analytical approach. Based on this lesson: Think first, organise second and act third, in the right and not the wrong direction. The financial services industry as a whole - notwithstanding the major differences among banks - has made considerable progress over the last 2 - 3 years in OpRisk areas such as definition, aspects of strategy and planning, structure, reporting, tools, capital allocation and risk transfer. There is still a long way to go to reach an effective, credible and implementable OpRisk analytical framework.

8. OpRisk management is a continuous learning process: OpRisk management is not a program, it is a continuous, diligent process throughout an organisation. OpRisk measurement and internal loss information should - also in the interest of rational data collection, risk transfer solutions and potential risk quantification - be guided by the following characteristics: relevant in the overall context, complete, objective, consistent, transparent, minimally standardised to be usable across institutions, interpretable, teachable, auditable and, above all, credible by facts and perception. The credibility of OpRisk measurement is enhanced if there is quantitative evidence of the cost of collecting data versus the benefits of measurement. Existing OpRisk measurements and tools are usually not expressed in financial terms, excepting loss databases. Many statistics - as shown in chapters 7 and 9 - can be misleading, inconsistent, irritating and confusing.

9. There is no credible and satisfying overall model applicable to "OpRisk at large" available for quantification at present, except for some sub-categories which might not be relevant in the overall context. However, the momentum is building each year with improved data on hand. Remember the pains in building market and credit risk models over the years, with an incomparably better database. They became core and standard management tools. I doubt whether there can be one "catch-all" OpRisk model with a credible outcome: "more sizzle than steak"? In addition, it is management which is responsible for the reasonableness and credibility of models, not academics, quants, or supervisors. There will be a convergence of a common definition, concept, tools and models, but it will take years.

10. We should not overlook that an analytically sophisticated, credible and accepted approach to risk management is only one important attribute of a strong risk management effort. Also, there always has to be ample room for common sense. A simple number can be so intriguing, but do not ever forget the "garbage in - garbage out" effects. For more, see chapter 10.

11. Developments to be expected:
- Greater involvement and "buy-in" by senior management and Board of Directors.
- Greater visibility of the risk management function and its place within the organisation.
- A greater general awareness and institutionalisation of risk management, including OpRisk; a sophisticated risk management framework with more analytical and predictive contents. "As people are walking all the time in the same spot, a path appears." (Lu Xun). On the one hand, there are more traditional concerns about "high frequency, low impact" losses with concerted efforts like quality management, straight-through-processing, controls. On the other hand, there is a pronounced concern for "low frequency, high impact" losses, with corresponding risk transfers.
- A more conscious analytical and multi-disciplined integration of credit, market and OpRisk control functions: internal and external audit, legal and compliance, product control, operations, insurance, finance. Sound OpRisk management is, therefore, becoming a core competency of risk management and of general management.
- A better focused business approach: a move from a "defensive" posture of OpRisk management to an "offensive" positioning. Risk management is always and consciously an integrated part of good business management. Loss events are opportunities to improve structure, system and systems. Risk management becomes TQM and, therefore, synonymous with good customer service, which supports reputation and share price. Strategic planning is linked with risk management and OpRisk.
- Internal and external audit play a crucial role, especially if more ex-ante and not exclusively ex-post oriented.
- Credible and relevant internal database systems become more commonly defined, standardised, structured, systematic, comprehensive and consistent as part of a modern risk management framework. Data sharing agreements in neutralised form get created, excepting very confidential data on legal disputes.
- Tools become more integrated and are also used by line or front functions.
- The focus on quantification attempts is increasing. Important, however, remains the relevance and credibility of such attempts. A "false sense of security" could lead to wrong priority setting and counterproductive outcomes.
- Internal economic risk capital models include OpRisk in view of more rational internal capital allocation targets.
- More risk transfer to third parties which are able to analyse, diversify and bear OpRisk of banks: insurance for external risks and for integrated risk products as well as for standardised capital market transactions. Some insurance companies increasingly "detect" the huge potential in this market. Extreme internal and external risks (e.g. rogue trading, hackers, IT security) become increasingly insurable. Reliable and punctual insurance protection will have to be recognised by supervisors. Risk transfer becomes part of an integrated OpRisk management, as shown in chapter 8.
- More outsourcing of non-core activities and partnerships with banks and non-banks, especially Internet-related. All this entails new aspects of OpRisk which need close attention.
- New regulatory and supervisory standards and entities converge; cooperation and information sharing between supervisors gets closer. Global rules? More intervention? More judgements on management? More influence on the strategy of a bank? Risk creates value, profits come from taking risks. Regulators and supervisors who do not take this truism into account - well-meaning in the name of creditors' and investors' protection and avoidance of systemic risks - end up making the financial system more unstable. The level playing field remains - unfortunately - an unresolved issue, but would have fostered the credibility of regulators. The BIS should be encouraged to add a Pillar 4 to the suggested and discussed Pillars 1 - 3: sustained sound and diversified profitability as THE precondition and THE contribution to protect creditors and to avoid systemic risks. For such profitability and growth, good OpRisk management is core. Understanding and managing OpRisk is more important than putting a regulatory value on it. Close to 100% of the benefit of OpRisk management is derived from the fact of doing so.
- Regulators and supervisors should hopefully be positively impressed by the ongoing conscious OpRisk management efforts in the industry. Various regulators and supervisors seem to prefer a simple "box-ticking OpRisk capital charge", which is just not fair, difficult to evaluate credibly or ignores the relevant issues like "good management". There are many different ways other than "capital" to judge an organisation, as presented in chapter 11.
- Banking supervision is firmly risk-based. Regulators and supervisors - especially with the planned BIS Pillar 1 - 3 approach - take on a greater interest and a rather pronounced responsibility in the OpRisk arena.


According to supervisors, OpRisk should be supported by a Pillar 1 capital requirement for each bank and additional Pillar 2 capital for "special OpRisk situations"; there are continued arguments about the justification for Pillar 1 OpRisk capital requirements. With Pillar 2, the supervisors take on an additional risk management layer for the respective bank; industry knowledge, including insurance, management know-how and judgement capabilities, is the challenge for supervisors. Regulators and supervisors finally have to come to grips with the following issues:
- Really threatening OpRisk issues for banks have been very rare in the past; they were not of a systemic nature.
- The 9 major mishaps of financial institutions as discussed in chapter 4 were all issues of management, not of regulatory capital. Civilian and military studies - presented in chapter 5 - reveal: insufficient management and processes were responsible for 80% of the mishaps.
- There are better "checks and controls by supervisors", which have nothing to do with regulatory capital.
- Convergence is observed in almost all financial activities. Why not convergence of the very same activities' regulatory environment?
- Non-banks are exposed to the same OpRisk as banks. Both, however, represent similar "systemic risks". What are the measures of the regulators to avoid such potential systemic risks of non-banks? Why care about systemic risks by banks while ignoring those by non-banks? Why should banks be charged with a special OpRisk regulatory charge? Why should banks become less competitive?

12. OpRisk management is good management of the 12 S's of an organisation as described in chapter 6: senior management is called upon to act. OpRisk management is only very partly rocket science and partly social science, as the targeted objects and issues change continuously and the past does not repeat itself in the same context. Good OpRisk management may never get a Nobel Prize, but it is still core for successful survival. Discipline is the discipline for good OpRisk management. Good OpRisk management relies on a proper corporate culture with a diligent risk culture and a positive acceptance of control.


Good OpRisk management within a proper risk culture includes:
- Proper structure and governance
- Risk management visibility
- Control, compliance
- Forward-looking internal audit and corresponding follow-ups
- Proper tools and analytical measurement of OpRisk
- Attempts at credible and relevant quantification
- Proper skills and style
- Continuous adjustments of safety measures, especially related to Internet activities
- and above all: a shared values attitude as to the "acceptability of risks"

When an organisation reaches and maintains such a challenging level, it achieves the most important steps towards a successful OpRisk management. Good OpRisk management improves quality and reduces cost by cutting risks. As a consequence, good OpRisk management amounts to a competitive advantage and is reflected in the shareholder value. OpRisk is not so much about capital and models, it is about management: diligent, arduous and daily OpRisk management supports the stability and continuity of a firm. The issue is not capital, it is human beings in an organisation serving human beings with their actions and reactions. Not surprisingly, therefore, the critical OpRisk management success factor is management and staff: experienced people with integrity, credibility, visibility and acceptance within the organisation. This strong statement - I hope it is strong enough - is evidenced by the experience of the major mishaps in past financial history and by the experience of the military with the longest OpRisk exposure in human history. Finally, every employee should ideally be a risk or control manager in his/her daily activity: A general, pure awareness of risks is already a major step towards successful OpRisk management.

"Tout ce qui mérite d'être fait, mérite d'être bien fait." Everything worth doing is worth doing well. (Unknown)

3. Operational Risks: Framework for Definitions and Dimensions

3.1 Operational Risk Definitions

Before managing anything, it is important to know what it is that is to be managed. Therefore, a definition of OpRisk is needed. This definition has to be understood, accepted and identical across an organisation. A common practical definition of OpRisk exists neither in the literature nor in the industry, as shown in Chart 3.1. Theoretically, there are as many definitions as there are financial institutions.
Chart 3.1: OpRisk Definition Types in the Financial Industry

- Single, positive definition: 49%
- Exclusive (TR - MR - CR) definition: 15%
- Multiple definitions: 5%
- No formal definition: 31%

Source: BBA (1999).

The survey of BBA (1999)1 provides a good overview of the different views on OpRisk definitions. To summarise its results:
- A consensus about the nature of OpRisk is emerging as regards OpRisk being the risk of losses resulting from inadequate or failed processes, people, and systems or from external events
- Definitions of OpRisk in each specific firm are different

The widespread confusion prevailing in the financial industry about OpRisk is somewhat fading, progressively opening the way for more convergence of its generic features. This, however, does not mean that a unique, industry wide definition of OpRisk will emerge.

1 See British Bankers Association, ISDA, RMA, PricewaterhouseCoopers (1999), Operational Risk, the next frontier, RMA, Philadelphia, 1999, pp. 29-38. This reference will be quoted as BBA (1999) in the following.


The following sample of the major OpRisk definitions by the industry and regulators shows that, while there is broad agreement on the general concept of OpRisk, diversity in some detailed aspects will continue to prevail:
- "OpRisk is the risk of everything other than credit and market risk"2
- "OpRisk is the risk associated with the Operations department" (narrowest definition)
- "OpRisk is the risk that deficiencies in information systems or internal controls will result in unexpected loss. The risk is associated with human error, systems failure and inadequate procedures or controls" (BIS)3
- "OpRisk is the risk of direct or indirect losses resulting from inadequate or failed processes, people, and systems or from external events" (BBA/ISDA/RMA)4

With OpRisk, the devil lies in the details. Each institution has its own, individual and unique operational setting. Thus, being able to manage OpRisk might require tailoring its definition and its sub-categories to the firm's specific setting.

3.2 Five major OpRisk-Categories and their Sub-Categories

The following OpRisk definition is used by Credit Suisse Group:

"Operational risk is the risk of adverse impact to business as a consequence of conducting it in an improper or inadequate manner and may result from external factors. OpRisk may tangibly manifest itself in the likes of business disruption, control failures, errors, misdeeds or external events, and can be captured in five major OpRisk categories:
1. Organisation
2. Policy/Process
3. Technology
4. Human
5. External"

The 5 suggested categories are major ones and present a valid base for management's problem solving. The crucial issue is the intellectual framework and discipline for present and future problem-solving approaches under new paradigms:
1. Organisation: risks arising from such issues as change management, project management, corporate culture and communication, allocation of responsibilities and business continuity planning.
2. Policy and Process: risks arising from weaknesses in processes such as settlement and payment, non-compliance with internal policies or external regulation, or failures in products or client dealings.

2 This is the definition of 15% of the 55 institutions surveyed in BBA (1999), p. 29.
3 Basel Committee on Banking Supervision, Risk Management Group (2000), Other Risks (OR) Discussion Paper, BS/00/27, BIS, April 2000. Quoted as BIS (2000).
4 BBA (1999), p. 29.


3. Technology: risks arising from defective hard- or software, failures in other technology such as networks or telecommunications, as well as breaches in IT security.
4. Human: risks arising from failure of employees, employer, conflict of interest or from other internal fraudulent behaviour.
5. External: risks arising from fraud or litigation by parties external to the firm, as well as lack of physical security for the institution and its representatives.

Not surprisingly, the 5 major OpRisk categories need further refining. Sub-categories have to be created which allow the adding of new OpRisk aspects and the subtracting of obsolete ones. They allow one to be more specific on firm-relevant risk drivers which require focus and responsibility assignment. Important is the intellectual, organisational and continuous discipline in categorising the risks and in doing something reasonable about them:

Table 3.1 OpRisk Sub-Categories

Organisation
  1. Governance / Structure
  2. Culture
  3. Communication
  4. Project Management
  5. Outsourcing
  6. Business continuity
  7. Security

Policy / Process
  8. Policy and process
  9. Compliance
  10. Product
  11. Client

Technology
  12. Communications
  13. Hard- and Software
  14. IT Security

Human
  15. Employee
  16. Employer
  17. Conflict of interest

External
  18. Physical
  19. Litigation
  20. Fraud

These 20 sub-categories cannot be considered complete. As methodologies and techniques advance at CSG, these sub-categories will be refined or deleted. After all, complexity requires breaking down and simplification. It is important that this sub-categorisation relies on a root-cause analysis, i.e. the causation of OpRisk loss events. By linking causation to relevant business activities, it is intended to use this structure as a tool with which to act upon OpRisk, thereby providing management with an OpRisk framework. The structure also lends itself to possible quantification by drawing upon data sources relevant for modelling as well as for qualitative reporting.


While it is impossible to describe all aspects of each of the 20 sub-categories in this paper, the important thing here is to focus on the structure, the framework basis, and their relevance to the daily management of any financial services firm: Identify the format and follow it with discipline.
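To show how such a root-cause taxonomy is put to work on a loss database, here is an added example in Python (written for this page; it is not code from CSG or from the paper): the five categories and 20 sub-categories of Table 3.1 are encoded as a lookup, a constructed set of loss events is validated against it, aggregated per category, and profiled per sub-category into the "high frequency, low impact" and "low frequency, high impact" buckets that chapter 2 mentions. The event IDs, business unit names, loss amounts and the two thresholds are assumptions made for illustration only.

```python
"""Added example (not from the paper or CSG): tagging a constructed operational
loss database against the 5 x 20 root-cause taxonomy of Table 3.1, then
aggregating by category and profiling frequency vs. severity per sub-category.
Every event, amount and threshold below is a constructed illustration."""
from collections import defaultdict
from dataclasses import dataclass

# The five major categories and their 20 sub-categories exactly as in Table 3.1.
TAXONOMY = {
    "Organisation": ["Governance / Structure", "Culture", "Communication",
                     "Project Management", "Outsourcing",
                     "Business continuity", "Security"],
    "Policy / Process": ["Policy and process", "Compliance", "Product", "Client"],
    "Technology": ["Communications", "Hard- and Software", "IT Security"],
    "Human": ["Employee", "Employer", "Conflict of interest"],
    "External": ["Physical", "Litigation", "Fraud"],
}

# Reverse index, built once. A sub-category may belong to exactly one category,
# otherwise responsibility assignment (who owns the risk driver) is ambiguous.
SUBCATEGORY_TO_CATEGORY = {}
for _category, _subs in TAXONOMY.items():
    for _sub in _subs:
        if _sub in SUBCATEGORY_TO_CATEGORY:
            raise ValueError(f"sub-category {_sub!r} appears under two categories")
        SUBCATEGORY_TO_CATEGORY[_sub] = _category


@dataclass(frozen=True)
class LossEvent:
    event_id: str
    business_unit: str   # constructed label, not a real CSG unit
    subcategory: str     # root cause: must be one of the 20 sub-categories
    loss: float          # gross loss in one currency unit (constructed figures)


# Constructed sample loss database. "Rogue trading" is deliberately not a
# taxonomy entry, to show that an unmapped cause is flagged, not silently dropped.
SAMPLE_EVENTS = [
    LossEvent("E1", "Settlement", "Policy and process", 12_000),
    LossEvent("E2", "Settlement", "Policy and process", 8_000),
    LossEvent("E3", "Payments", "Policy and process", 15_000),
    LossEvent("E4", "IT", "Hard- and Software", 30_000),
    LossEvent("E5", "Trading", "Employee", 4_000_000),
    LossEvent("E6", "Retail", "Fraud", 25_000),
    LossEvent("E7", "Retail", "Fraud", 40_000),
    LossEvent("E8", "Legal", "Litigation", 2_500_000),
    LossEvent("E9", "Trading", "Rogue trading", 1_000_000),
]


def unmapped_events(events):
    """IDs of events whose root cause is not in the taxonomy; these need re-tagging
    before any aggregate is trusted (garbage in, garbage out)."""
    return [e.event_id for e in events if e.subcategory not in SUBCATEGORY_TO_CATEGORY]


def aggregate_by_category(events):
    """Event count and total loss per major category, taxonomy-conformant events only."""
    totals = {cat: {"count": 0, "total_loss": 0.0} for cat in TAXONOMY}
    for e in events:
        category = SUBCATEGORY_TO_CATEGORY.get(e.subcategory)
        if category is None:
            continue  # reported separately by unmapped_events()
        totals[category]["count"] += 1
        totals[category]["total_loss"] += e.loss
    return totals


def frequency_severity_profile(events, freq_threshold, severe_threshold):
    """Per sub-category: event count, mean loss and a bucket label.
    freq_threshold (events) and severe_threshold (mean loss) are assumed cut-offs
    a firm would calibrate itself; they are not figures from the paper."""
    losses_by_sub = defaultdict(list)
    for e in events:
        if e.subcategory in SUBCATEGORY_TO_CATEGORY:
            losses_by_sub[e.subcategory].append(e.loss)
    profile = {}
    for sub, losses in losses_by_sub.items():
        count, mean = len(losses), sum(losses) / len(losses)
        if count >= freq_threshold and mean < severe_threshold:
            label = "high frequency, low impact"   # process / quality management target
        elif count < freq_threshold and mean >= severe_threshold:
            label = "low frequency, high impact"   # risk transfer / insurance target
        else:
            label = "other"
        profile[sub] = {"category": SUBCATEGORY_TO_CATEGORY[sub],
                        "count": count, "mean_loss": mean, "label": label}
    return profile


if __name__ == "__main__":
    print("unmapped:", unmapped_events(SAMPLE_EVENTS))
    for cat, agg in aggregate_by_category(SAMPLE_EVENTS).items():
        print(f"{cat:18s} events={agg['count']:2d} loss={agg['total_loss']:>12,.0f}")
    for sub, p in frequency_severity_profile(SAMPLE_EVENTS, 3, 1_000_000).items():
        print(f"{sub:20s} {p['label']}")
```

The reverse index is the point of the exercise: because every loss is tagged with exactly one sub-category and every sub-category rolls up to exactly one category, the same record serves the qualitative report (who owns the driver) and any later quantification, and an event that cannot be mapped surfaces as a data-quality finding instead of disappearing into an "other" total.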

3.3 Overlaps between Risk Classes

Chart 3.2 is an attempt to map the risks faced by a firm providing banking and insurance services. These risks are partly overlapping or interdependent. The main challenge for risk management is to separate them in an intelligent way. This separation exercise forms core risk classes for the daily management and quantification where possible and credible. To do this, the pragmatic management angle should be taken. The ability to use a common, uniform management technique based on the peculiar features of a risk class provides the rule for drawing the line to other risks. Intellectual honesty should prevail in identifying the most appropriate technique, whether quantitatively or qualitatively based. The reliance on using available but misleading data should be carefully evaluated, particularly for risks that only allow an approximate quantification. Models should never prevent managers from using their common sense.

Chart 3.2: Overlaps between Risk Classes

- Reputation Risk = Risk of losses by not meeting stakeholders' expectations
- Strategy Risk = Risk of losses from not "choosing to do the right thing"
- Credit Risk = Risk of losses from borrowers not meeting their obligations
- Market Risk = Risk of losses from value changes of financial instruments
- Business Risk = Risk of losses from business volume changes
- Insurance Underwriting Risk = Risk of losses from unexpected insurance claims volume
- Operational Risk = Risk of losses from not "doing things right"

Source: Credit Suisse Group / GRM, 2000.

This exercise is complex and time consuming. The activity focus of the firm is at the basis for determining the priority risk classes and developing or refining appropriate management tools and techniques. An essential component of the exercise is to identify the best way of managing a risk class in a uniform and coherent manner. This requires a "positive definition" of each risk class.


3.4 Operational Risk ≠ Total Risk - Credit Risk - Market Risk

Defining OpRisk in an exclusionary way - i.e. "total risk - credit risk - market risk" - prevents one from identifying a structured way of managing it. Credit and market risks originate from outside the bank. In contrast, OpRisk originates primarily from within the specific organisation, except for risks in the category "external". Some supervisors define Total Risk = Market Risk + Credit Risk + Other Risk. "Other Risks" include primarily risks as to strategy, reputation, commission and fee income, liquidity, interest rate, legal, operations. Ideally for some supervisors, models would produce a regulatory capital for all "Other Risks", which is certainly not yet feasible in a credible fashion. Risks as to strategy, reputation, commission and fee income, liquidity and interest rate each have to be - and can be - handled in a different fashion. These risks are not covered here.

Strategy risk deals with the existing base of a bank and its options, based on a what-if analysis. Strategy is doing the right thing at the right time. It is not so much the strategy, but the implementation, which in turn is OpRisk. The relative assessment comes from the market, i.e. the relative stock performance.

Reputation risk is the aggregation of the outcome of all risks plus other internal and external factors. Reputation is the outcome of the mix of doing the right thing and doing things right over an extended period. The best measures are relative share performance, revenue growth, growth in the number of clients, rating, and attracting and keeping good staff. Reputation is a reflection of facts, perceptions and expectations and a key factor for the share price.

Commission and Fee Income risk (C&F) is above all determined by outside forces: market moves, margin pressures. C&F risks are primarily revenue related and can be stress-tested with a simple what-if analysis which can be easily compared across banks:
- What if business volume decreases by e.g. 20%? What are the effects on total revenues, NIAT, dividends?
- What is the organisation's flexibility to adjust to a downturn over years?
Regulatory capital is not the solution for every risk. For Economic Risk Capital, an earnings-at-risk model serves the purpose.

Interest rate and liquidity risks are for my taste part of market risks. Models are available for determining "outliers", i.e. those who are significantly above average for interest rate risks.

Legal risks - like litigation, documentation issues - are part of OpRisk. The legal environment and its changes are part of strategy risk.


3.5 The Dimensions of OpRisk Management

Sustained, attractive returns increasingly depend on excellent risk management, including OpRisk management. OpRisk of a bank is not new; it is as old as banks are. To understand the risks has always been a fundamental, if only implicit, management process. What is new is:
- The increased explicit awareness and consciousness of managers and senior management for OpRisk issues
- The explicit and analytical approach
- The better awareness to gear an organisation's risk profile towards those risks for which it has a comparative advantage in managing
- The pressure to allocate capital more consciously

Risk management can add value and represent a valid business case in two dimensions:
1. Control: independent risk assessment, compliance, business continuity planning, supervisory requirements, limits, progress reporting, escalation, corrections, etc.
2. Shareholder value creation: efficiency, correct risk evaluation and pricing, duplicate control avoidance, rational economic capital allocation, reduction of regulatory capital, product enhancements, competitive strategic advantage, improved reputation, etc.

The dimension "1. Control" basically covers the following: avoiding accidents, catching non-compliance and illegal actions, complying with rules and regulations, complying with usual management needs. The dimension "2. Shareholder value creation" adds a further stage which treats OpRisk more like a real business. OpRisk management also gets close to quality management, efficiency management and the concept of opportunity cost. Naturally, the line between control and shareholder value creation is difficult to draw. Important is the direction to be chosen. OpRisk management, therefore, can move from one extreme to the other: crisis management -> business continuity planning -> compliance -> shareholder and other stakeholder value enhancement. The spectrum moves from the bottom to the Board Room. There are neither ready-made solutions nor quick fixes, confusion is ubiquitous, activism is widespread - and consultants enjoy heydays.


Any major OpRisk management project has the following five preconditions for success:
- Strong management support
- Credibility overall
- Small realistic steps: all at once is impossible
- A better organisation afterwards
- Respect for the constraints: compliance also with supervisors' requirements

Such a project may not be just "another project".

3.6 The four Stages of OpRisk Management

Implementing OpRisk management implies the progression through the following four stages5 in Chart 3.3:

Chart 3.3: Stages of Operational Risk Management Development

Stage 1: Identification
- Data collection
- Prioritisation of risks
- Significant business unit involvement
- Limited technology usage
- Significant use of manpower

Stage 2: Metrics & Tracking
- Finding quantifiable means to track risks
- Creation of reporting mechanism
- Significant business unit involvement
- Investment in automated data gathering & workflow technologies
- Significant use of manpower

Stage 3: Measurement
- Development and continuous refinement of modelling approach
- Creation of OpRisk data
- Majority of effort borne by OpRisk Group
- Significant technology development effort
- Limited use of manpower

Stage 4: Integrated Management
- Integration of OpRisk exposure data into management process
- Significant senior management involvement
- Management of OpRisk exposures (e.g. insurance)
- Investment in processes; limited technology or manpower required

Source: Meridien Research, 2000

Meridien Research approximates the lead time from Stage 1 to Stage 4 at a minimum of 2 - 3 years, depending on the complexity and the size of an organisation. The research indicates that most of the Top 500 financial institutions worldwide are still in Stages 1 and 2. A handful have attained Stages 3 and 4; the internal acceptance and credibility of the tools and figures produced are not without doubts, however.

"Alles soll so einfach wie möglich gemacht werden. Aber ja nicht einfacher." Everything should be made as simple as possible. But not simpler. (A. Einstein)

5 Meridien Research Inc. (2000), "Time for a New Look at Operational Risk", New York, Feb. 2000. - to be checked with Meridien


4. Major OpRisk-Mishaps in Financial Services: 12 Lessons learned

4.1 Introduction

Mistakes create opportunities. Exploiting such opportunities requires a willingness and capacity to learn. Analysis of past internal or external mistakes is key to at least partially avoiding them in the future. Existing OpRisk literature devoted to the investigation of lessons learned from past losses focuses on a few highly publicised events.6 This is primarily due to a widespread cultural barrier leading firms and individuals to disclose only a minimum of information concerning financial mishaps. In fact, most individuals and institutions tend to avoid "twisting the knife in the wound", viewing mistakes as shameful and preferring to address new challenges rather than to resolve old ones. To tackle OpRisk, we must overcome this cultural barrier and refrain from turning the page on a mishap before having read and re-read it attentively! The aim of this chapter is to do such a revisiting in order to derive lessons from past collapses commonly associated with an OpRisk event. This should help us to devise priorities and areas of focus for successful OpRisk management.

4.2 Overview of 8 selected Mishaps since 1991

The reviewed mishaps in Chart 4.1 were selected based on CSG's definition of OpRisk: "... adverse impacts to business as a consequence of conducting it in an improper or inadequate manner ...". This selection encompasses cases where market risk or credit risk were sometimes also at play. However, both of these risks were incurred exclusively as a consequence of an uncontrolled OpRisk. This allocation rule to OpRisk versus market or credit risk leads to an overestimation of the level of OpRisk. Operational mishaps are primarily triggered by significant breaks through existing floors and controls set by market or credit limits. Therefore, my approach in using the losses of a mishap is probably exaggerating the level of "pure OpRisk".

6 Based on Operational Risk.com research team material. Articles and books discuss selected cases in more detail, e.g.: "Sumitomo losses show up poor links", Computing, Jun 20, 1997; Gapper, J., Denton, N. (1997), All that Glitters - The Fall of Barings, Penguin Books, 1997; Norris, F., "Orange County Crisis Jolts Bond Market", The New York Times, Dec. 8, 1994.


Chart 4.1: Features of 8 selected operational risk mishaps since 1991 (part 1 of 2)

BCCI 1991
- Approx. total loss amount (USD bn): 10
- Loss in % of capital and loss to creditors: about 100% of equity; 70% loss to creditors
- Speed of irregularity maturating to mishap: slow
- Irregularity description: wide range of illegal activities, including fraudulent loans, fictitious deposits, money laundering
- Perpetrator: top management
- Crisis trigger: regulatory audit report on massive fraud
- Failures along the 5 major OpRisk categories (CSG):
  - Organisation: governance; structure; secrecy culture; information flow; allocation of responsibilities
  - Policy / Process: regulatory and legal compliance; inadequate documentation
  - Technology: ---
  - Human: fraud by owner
  - External: BoE action timing

LTCM 1998
- Approx. total loss amount (USD bn): 4.4
- Loss in % of capital and loss to creditors: 44%
- Speed of irregularity maturating to mishap: fast
- Irregularity description: overexposure to leverage, model, sovereign, liquidity and volatility risk with derivative instruments
- Perpetrator: top management strategists
- Crisis trigger: persistent unfavourable market
- Failures along the 5 major OpRisk categories (CSG):
  - Organisation: culture of blind model belief; segregation of duties
  - Policy / Process: change of market importance/size; insufficient model adjustment and stress testing
  - Technology: ---
  - Human: practical skills as to assessment of changed parameters
  - External: ---

Sumitomo Corp. 1996
- Approx. total loss amount (USD bn): 2.6
- Loss in % of capital and loss to creditors: 45%
- Speed of irregularity maturating to mishap: slow
- Irregularity description: unauthorised commodity trades (double the firm's annual trading) over 10 years
- Perpetrator: branch office staff
- Crisis trigger: mistaken sending of document to finance office
- Failures along the 5 major OpRisk categories (CSG):
  - Organisation: information and communication flow weakness; allocation of responsibilities; culture of trust only
  - Policy / Process: lax internal controls & audit; inadequate management reporting systems
  - Technology: missing electronic trade reporting links
  - Human: fraud by staff member
  - External: ---

Metallgesellschaft 1993
- Approx. total loss amount (USD bn): 1.6
- Loss in % of capital and loss to creditors: about 100%
- Speed of irregularity maturating to mishap: fast
- Irregularity description: dissimulation of excessive hedging exposure
- Perpetrator: CEO, CFO and staff of subsidiary
- Crisis trigger: unfavourable market turn
- Failures along the 5 major OpRisk categories (CSG):
  - Organisation: governance; communication breakdown
  - Policy / Process: policy incoherence
  - Technology: ---
  - Human: inadequate skills / understanding of instruments
  - External: ---

Source: Credit Suisse Group / GRM compilations (2000)


Chart 4.1: Features of 8 selected major operational risk mishaps (part 2 of 2)

Orange County 1994
- Approx. total loss amount (USD bn): 1.6
- Loss in % of capital: approx. 100%
- Speed of irregularity maturing to mishap: Medium, 3 years
- Irregularity description: Trading in securities not legally approved; non-disclosure of massive potential losses
- Perpetrator: Orange County treasurer
- Crisis trigger: Warning to county executives by treasurer's staff
- Failures along the 5 major OpRisk categories (CSG):
  Organisation: Governance; management; lack of control culture
  Policy / Process: Inadequate policy (poor market risk management); agency risk
  Technology: ---
  Human: Employee failure (faulty trading strategy)
  External: ---

Barings 1995
- Approx. total loss amount (USD bn): 1.3
- Loss in % of capital: 100%
- Speed of irregularity maturing to mishap: Medium, 3 years
- Irregularity description: Unauthorised and concealed trading in options and futures; loss concealment
- Perpetrator: Trader, subsidiary in Singapore
- Crisis trigger: Margin call
- Failures along the 5 major OpRisk categories (CSG):
  Organisation: Governance; management; diversity; information flow failure
  Policy / Process: Breach of policy; regulatory compliance; non-segregation of duties
  Technology: ---
  Human: Employee failure (lack of character); employer misjudgement
  External: ---

NatWest Markets 1997
- Approx. total loss amount (USD bn): 0.2
- Loss in % of capital: negligible
- Speed of irregularity maturing to mishap: Medium, 3 years
- Irregularity description: Unauthorised transfers between options books; deliberate option mispricing
- Perpetrator: Trader, possible management involvement
- Crisis trigger: External audit investigation
- Failures along the 5 major OpRisk categories (CSG):
  Organisation: Governance; management; information coordination and distribution
  Policy / Process: Breach of policy; regulatory compliance
  Technology: Software dependency (blind acceptance of system-generated valuations)
  Human: Employee failure (fraud)
  External: ---

Daiwa 1995
- Approx. total loss amount (USD bn): 1.1
- Loss in % of capital: 24%
- Speed of irregularity maturing to mishap: Slow, 11 years
- Irregularity description: Unauthorised trading; forgery of back office documentation; losses concealed by management from regulators
- Perpetrator: US branch office trader(s)
- Crisis trigger: Confession letter sent by trader to bank president
- Failures along the 5 major OpRisk categories (CSG):
  Organisation: Governance; management; culture (superstar); information flow failure
  Policy / Process: Breach of policy; regulatory compliance failure; agency risk
  Technology: ---
  Human: Employee deficiency (poor trading skills); employee failure (fraud); employer misjudgement
  External: ---

Source: Credit Suisse Group / GRM compilations (2000)


4.3 The 1977 Credit Suisse Chiasso Case

The old Credit Suisse Chiasso branch scandal of 1977 is a good example of Murphy's law in terms of a fraud-induced OpRisk.7 The reason for allocating the Chiasso scandal to an OpRisk event is that it occurred exclusively as a consequence of having conducted business in an improper and inadequate manner. Structural, procedural and control failures, errors and misdeeds were essential in building the Chiasso losses.

What happened? In the early 1960s, the Chiasso branch manager set up an offshore trustee company (Texon), officially managed and controlled by an outside third-party legal office. Texon provided the Chiasso branch manager with a medium to "externalise" branch losses and a vehicle to circumvent CS controls on loans and investments. The fraud began with placing customers' savings deposits in high-yield instruments against CS letters of guarantee for Texon. Over time, the fraud extended to transferring non-performing branch loans at their full value to Texon and converting the guarantees into participations. These practices continued until March 1977.

During this period, and until the end of 1976, head office ignored several internal signals which hinted at irregularities. Management never wondered how the Chiasso branch could show a sustained, impressive profitability track record while other branches had to digest bad loans. Neither did it bother to inquire how Chiasso could provide loans which other branches - based on headquarter-imposed restrictions - had to turn down. Nor did it provide a channel through which branch staff could escalate their concerns about possible irregularities to head office. In summary, headquarters followed a policy of "why bother as long as profits flow".

External signals raised to senior management were investigated on a minimalistic basis. Several competitors' complaints in 1968, 1969 and then again in 1976 about the practices of the Chiasso branch were dismissed or superficially investigated, despite documented evidence. Only the concerns of the tax authorities about withholding tax evasion triggered an internal investigation in 1969, and that investigation remained restricted to ensuring the compliance of guarantees with regulations. Fact finding mostly took place verbally and was satisfied by vague explanations. Internal audit was not asked to act. Information about the identified irregularities remained limited to four individuals at headquarters until late 1976. The implementation of corrective measures was never verified.

In December 1976, the breakdown of Weisscredit Bank - which failed due to practices similar to those of the Chiasso branch - finally triggered concerns about the situation in Chiasso. Several initiatives were launched to investigate the links and exposure of the branch to Texon. In March 1977, a hasty and insufficiently prepared press statement about the fraud was issued. It contained neither precise information about the amount at risk nor any assurance of a contingency plan. The wildest speculations broke loose and triggered a major crisis.

7 For a detailed discussion of the Chiasso case, see Jung, J. (2000), From the "Schweizerische Kreditanstalt" to Credit Suisse Group, NZZ Verlag, Zurich, pp. 245-289.


Chart 4.2 summarises the major ingredients of what ended in an approximate CHF 2 bn loss. The depicted OpRisk level is only illustrative.8 It is used to reflect the progressive build-up of fraud exposure at risk and the accumulation of the various OpRisk components. It is not intended to imply that there is a specific critical risk level which triggers the crisis outburst.
Chart 4.2: What went wrong in Chiasso? (timeline chart of an indicative risk level against time, March 1961 to March 1977; only the labels survive)

- Fraud: Time bomb Texon, a vehicle allowing parallel accounting and high-yield, high-risk investments circumventing headquarters controls
- Internal signals: Ignored - ability of the branch to provide loans rejected by headquarters, impressive sustained profitability track record, indication of possible accounting irregularities
- Control: No search for causes; investigations of irregularities focus on settling immediate complaints; trust ahead of follow-up checks
- Management: Not caring about repeated warnings, not sharing information, happy with superficial explanations
- Internal communication: None; investigation of problems exclusively on a bilateral basis, reporting generally only verbal
- External warnings: Ignored - market breakdowns, tax investigation, competitors' complaints
- Communication: Hasty, uninformed, vague, crisis magnifying
- Crisis outburst: 25.4.1977, media boom on the affair

Legend: Fraud; Internal control failures; Documented internal signals; Management review failures; Internal communication failures; External warnings; Communication mismanagement

Source: Credit Suisse Group / GRM, 2000

4.4 OpRisk Scandals in Financial Services: 12 Lessons

The 9 relevant cases of the past presented here lead to the following 12 lessons for everybody:

1. A framework based on the OpRisk categorisation elements of chapter 3 constitutes a useful basis for identifying major OpRisk drivers. If used as a checklist, it provides the basis for a disciplined and systematic review of the aspects commonly at the root of OpRisk. The framework allows management's attention to be focused on the major weak spots requiring particular and regular attention.

2. It is not only "banks" which incur OpRisk; non-banks can equally present a potential systemic risk.

3. Lack of good governance at large and lack and/or breach of policies and processes are the common issues for all 9 cases. The 12 S's of each organisation failed at work: strategy, structure, system/s, safety, speed, style, skills, just to name the most important here.

8 Peaks were allocated to a documented event which could have been expected to trigger corrective operational action when conducting business in an adequate manner. The fraud and the documented internal signals (accounting reports, quarterly management meetings with Chiasso branch managers) components were assumed to grow in a linear fashion over time, supplemented with "outbursts" at times when references to possible irregularities surfaced.


4. Human inadequacies are - not surprisingly - relevant in all cases, whether of character or of skill. The big "C" for character in banking is as alive as ever.

5. External risks did not play a major role in any of the most severe cases of the past, with the exception of the BCCI case. However, the past is not an indicator for the future: potential external hazards need appropriate attention.

6. The relative size of an operational mishap tends to be correlated with the level of the perpetrator. In fact - with the exception of the Barings and the not discussed Kidder Peabody cases - operational crises tend to be:
- Major when the perpetrator stems from management or owners
- Absorbable when the perpetrator stems from more junior positions

7. The speed of irregularity detection generally depends on the complexity of the financial instruments involved:
- Short for more complex trading instruments - see transparent market developments, MIS and generally higher "risk awareness".
- Longer for standard financial instruments - see documentation for loans with long tenors, audits.

8. Operational irregularities tend to happen more often in branches or remote subsidiaries than at head office. Trust is recommended, but must be complemented by diligent supervision and accepted controls.

9. Senior management and Boards have to take their supervisory function seriously and invest time in it. This often requires personal follow-up, no hesitation in being more demanding on details, as well as sharing one's personal assessment of the situation with colleagues. Unavailability of direct and reliable information is a problem. Therefore, additional checks are needed, such as:
- Track record of irregularities (e.g. tax irregularities)
- Track record of generating competitors' complaints
- Sustained profits and absence of bad loans compared with others
- Feedback to inquiries
- Site visits
- Intuition, "gut feeling": management is seldom an "IQ" issue only

10. Significantly higher returns than average over time deserve more attention. Are the people involved really that much smarter?

11. Internal and external communication and expectation management are crucial; both are part of OpRisk management once the mishap is recognised. This requires a crisis task force devoted to finding out all the facts and devising a clear contingency plan of measures to be taken to sort out the problem. Co-ordination with the authorities and with experts from the public relations / communication department is essential. Based on this, a professional communication strategy has to be defined, ensuring explanatory, fact-based press releases.


12. If you do not learn from internal and/or external mistakes, you just make another mistake. An organisation must be a learning organisation. Otherwise, a financial services organisation cannot be a knowledge company - which is what it should be.

Some interesting questions can be raised:
- Did the models of LTCM work - with the smartest quant brains available worldwide?
- Would any of the present and potentially upcoming quantification approaches for OpRisk (including Value at Risk, Extreme Value Theory, Chaos Theory etc.) have been of relevant use at the time of occurrence?
- Would such theoretical quantification ex ante have avoided the mishaps?
- Would any of today's quant approaches have calculated a large enough capital requirement to avoid a total collapse of BCCI or Barings?
- And, if so, would these two organisations with such huge additional capital requirements have been competitive before the collapse?

In my opinion, all five questions are to be answered with a "no", which does not imply at all that I am against credible and relevant quantification of OpRisk, or at least credible attempts to try and observe a few "provisional results" over some years. Models, quantification and other tools are neither able nor meant to predict the "when" of a crisis outburst. They are only one of various elements for our judgements and decisions, in addition to the more relevant aspects of the management of the 12 S's as discussed in chapter 6. Common sense and "gut feeling", which come from experience, are also important. The 9 cases represent no good arguments for OpRisk regulatory capital solving the problem. The bank cases were all cases for Pillar 2 and 3, as discussed in chapter 11. All 9 cases had a very different context, i.e. were unique in their constellation, as presented in chapter 10. The prime issue for most of the 9 mishaps was a lack of good OpRisk management: improper structure, system, systems, shared values.

"Lessons are not given. They are taken." (C. Pavese)


5. Organisations with a 5000 Year OpRisk Experience: 12 Lessons

5.1 Introduction

Experience is often key to success. OpRisk is not confined to banking activities but is involved in all activities and organisations of human beings. Long before analytical OpRisk management came into fashion in the financial industry, it was already a core concern in several sectors of life. For as long as it has existed, the military, as a managed human and technical organisation, has been devising ways to manage operational risks. Over the years, armies have as organisations developed certain principles which have been adjusted again and again. Not to learn from this experience in financial services - also with regard to technological challenges - would be arrogant and represent another OpRisk opportunity loss. For decades, the manufacturing industry has been devising solutions for controlling its OpRisk.9 The OpRisk management methods developed by these sectors of activity are the result of many years of trial and error, of fine-tuning and of perfecting.

The aim of this chapter is to review a selected set of these OpRisk management methods. This should help to devise or confirm the key elements and rules that should characterise the financial sector's approach to OpRisk management. Very briefly, the methods for managing OpRisk which have been developed by the US military, with its recent experience, are reviewed. This leads again to 12 lessons, directly or indirectly relevant for financial services.

5.2 Principles of the Military

In the military, the purpose of OpRisk management is to enhance hazard identification in the operational environment in order to eliminate risks or reduce them to an acceptable level.10 The US military has developed simple tools to help its leaders make sound decisions in a logical manner in order to manage identified risks. The general structure of these tools is common to all units. However, their detailing and implementation is very unit specific. The OpRisk management process used by the US military can generally be broken down into six steps, as shown in Chart 5.1.

9 The manufacturing industry primarily views operational risk from the opportunity perspective. Most methods of operational risk management are therefore run under the heading "business process reengineering". The oil and chemical industry, the pharmaceutical industry and the nuclear power generation industry, given their higher exposure to risk events, have focused on the operational risk management aspect for years.
10 See Capt. Bieberdorf W.J., "Operational Risk Management", MCO 3500.27, Naval Safety Centre, Norfolk, Va, April 1997.


Chart 5.1: USAF Operational Risk Management Six Step Process (circular flow chart; only the step labels survive)

1 Identify the Risk: operational analysis; list hazards; list hazard causes; in-depth hazard identification
2 Assess the Risk: assess hazard exposure; assess hazard severity; identify mishap probability; assess complete risk
3 Analyse Risk Control Measures: identify risk control options; evaluate control effects; prioritize risk controls
4 Make Control Decisions: select risk controls; risk decision
5 Risk Control Implementation: clarify implementation; establish accountability; provide support
6 Supervise and Review: supervise; review

Source: Credit Suisse Group / GRM, adapted from Mjr. Crowell M., USAF, 2000

1. Identify the Risk

The first step is to identify the hazards or risks. It is crucial to obtain a complete list of the hazards to which an operation is exposed. The 5-M model - man, machine, media, management, mission - provides the basic framework for analysing operational systems and determining the relationship between the composite elements that work together to perform the mission. There is significant overlap between the elements of the 5-M model as they interrelate directly. However, the most crucial elements are leadership and management, because they define how this interaction takes place. Military and civilian safety studies attribute 80% of reported mishaps to management processes.

The focus of the 5-M model is to identify in detail what could cause a mishap, or an operational risk. Therefore, the army places extreme importance on detailing the various elements of the 5-M model. Based on its experience, it has developed a breakdown covering all risk origins for each of the elements of the 5-M model. Table 5.1 summarises what the army uses as a checklist for the identification of hazards. We have added two columns which, by analogy, try to tailor this checklist to the needs of the financial industry; the latter are only illustrative. However, "mission" is not discussed here as it is always specific to the task and cannot be presented in general terms.

Table 5.1 shows that interesting similarities can exist between the military and the financial sector in terms of OpRisk drivers. The main conclusion, however, is that the devil lies in the details. The specific risk drivers which would have to be integrated in a checklist are highly dependent upon the activities.


Table 5.1: The 5-M Model Check List for a Comprehensive Risk Identification

Each line reads: USAF category: USAF risk drivers | financial industry category equivalent: possible financial industry risk drivers

Medium (Environment): external, largely environmental forces
- Climatic: visibility, wind, precipitation, humidity, etc. | Environment: clients' needs in terms of frequency and speed of transactions
- Operational: terrain, vegetation, man-made obstructions | Market: market features, competitors' behaviour (part of strategy risk)
- Hygienic: ventilation, air quality, corrosives, etc. | Infrastructure: offices, security, etc.
- Vehicular: paved, dirt, ice, hilly, etc. | Communication: distribution channels, features of customer interfaces and IT

Man: area of greatest variation and thus of risks
- Selection: right person, training, habit pattern, etc. | Selection: hiring profile, education, training requirements, etc.
- Performance: insight, stress, adaptive skills, peer pressure, etc. | Performance: personality, skills-job profile matching, culture, incentives, etc.
- Personal factors: job satisfaction, values, discipline, communication, etc. | Personal factors: job satisfaction, values, discipline, communication, etc.

Machine: used as intended, limitations, interface with man
- Design: engineering and user-friendly | Design: engineering and user-friendly
- Maintenance: training, time, tools, parts | IT architecture, Maintenance & Migration: tool complexity, island solutions, training, etc.
- Logistics: supply, upkeep, repair | Service providers: dependencies, confidentiality, reliance
- Tech data: clear, adequate, useable, available | Work tool user manuals: clear, adequate, useable, available

Management: directing the process by defining
- Standards: DOC statements, various criteria, policy, etc. | Standards: Code of Conduct, policies, governance principles & training
- Procedures: checklists, manuals, etc. | Procedures: checklists, compliance manuals, escalation, etc.
- Controls: crew rest, speed limits, restrictions, lawful orders | Controls: audit, MIS, risk limits and flags, restrictions, motivation survey, etc.

Source: USAF and Credit Suisse Group / GRM (2000)


How does one go about identifying the OpRisk? The army provides a useful, systematic and simple approach for going through each element of the 5-M checklist:
- First, analyse the operations
- Second, list the possible hazards
- Third, list the hazard causes
- Fourth, proceed to an in-depth hazard identification

The operational analysis basically breaks the operation down into "bite-size" pieces.11 In the financial industry this procedure is often employed in the elaboration of business plans or for project management. In the end, the operational analysis boils down to making the key factors of an operation or issue more transparent. Once the list of hazards is established, the USAF proceeds to listing the causes for each of the identified hazards. For each case, an attempt is made to identify the first link (root cause) in the chain of events leading to an OpRisk occurrence. The focus is on linking the hazard to one or several elements of the 5-M model, in order to be able to identify a possible management action. Tools used to perform this task include change analysis, brainstorming and "what-if" analysis.

2. Assess the Risk

With the hazards identified, some method is required to assess and prioritise the list of hazards. The aim is to put the limited resources against the risk faced. For this purpose, risk is defined as "the probability and severity of loss linked to the hazard". Table 5.2 gives an overview of the approach used to determine the risk level for each identified hazard.

11 The USAF employs flow charts as tools to analyse its operations and break them down into separate components. The financial industry also uses workflow and organisational charts for this purpose.


Table 5.2: USAF Risk Levels (risk level by event severity and hazard mishap probability)

Hazard mishap probability (columns):
- Frequent: occurs often in a career
- Likely: occurs several times in a career
- Occasional: occurs sometimes in a career
- Seldom: possible to occur in a career
- Unlikely: occurs very rarely in a career

Event severity (rows):
- Catastrophic: death, system loss, etc.
- Critical: partial disability, major system damage, etc.
- Moderate: minor injury, minor system damage, etc.
- Negligible: minor treatment, minor system impairment, etc.

Risk levels:

Severity      Frequent        Likely          Occasional   Seldom   Unlikely
Catastrophic  Extremely high  Extremely high  High         High     Medium
Critical      Extremely high  High            High         Medium   Low
Moderate      High            Medium          Medium       Low      Low
Negligible    Medium          Low             Low          Low      Low

Source: USAF, compiled by Credit Suisse Group / GRM, 2000

How does one go about assessing the OpRisk level? The army provides a useful, systematic and simple approach for going through each element of the 5-M checklist:
- First, assess the hazard exposure
- Second, assess the hazard severity
- Third, assess the mishap event probability
- Fourth, complete the risk assessment

3. Analyse Risk Control Measures

After having completed the risk assessment, the USAF analyses control measures. For each hazard exceeding an acceptable level of risk, the USAF:
- Identifies risk control measures
- Determines risk control effects
- Prioritises the list of available risk control measures

The identification of risk control measures involves searching for as many risk control options as possible by referring to the list of causes. Risk control options include avoidance, reduction, spreading and transference. Tools used to perform this task are brainstorming, mission accident analysis and "what-if" analysis. In the financial sector, the analysis of past OpRisk events could offer interesting avenues in identifying relevant risk control measures.


The determination of risk control effects evaluates the effectiveness of each control measure. Tools used in this context are mishap risk index matrices, scenarios and next-accident assessments. In the financial sector these tools are also available, but could benefit from enhanced mechanisms and standards for systematic learning from mishaps.

The prioritisation of risk controls prepares the choice of measures to be taken. The best controls are generally consistent with mission objectives and the optimum use of available resources. It involves the use of tools such as computer modelling, opportunity assessment and cost versus benefit analysis. In the financial sector similar tools are used, but not often in the context of OpRisk.

4. Make Control Decisions

After having prioritised the risk control measures, the person in the USAF who is accountable for accepting the risk has to make the risk control decisions. For each hazard, the accountable person selects those risk control measures that will reduce the risk to an acceptable level. Tools assisting in making this choice are databases of implementation decisions recorded in a standardised format. In the financial industry an important requirement for such a procedure would be a clear allocation of responsibility for each OpRisk category. The benefits of the operation are set against the level of risk of the operation, considering the cumulative risk of all identified hazards, the long-term consequences of the decision and the law of diminishing returns on resources allocated to risk control (see Chart 5.3).

Chart 5.3: The Law of Diminishing Returns (diagram; only the labels survive)
Risk level (high to low) plotted against resources allocated to risk reduction; two curves: allocated resources and accident reductions. Look for the happy medium where the cost of the control measure balances the severity of the risk.
Source: Credit Suisse Group / GRM, adapted from US Air Combat Command, 2000


5. Risk Control Implementation

Once the operations are launched it is essential to ensure the implementation of the selected risk control measures. In the USAF, this involves:
- Making the implementation clear
- Establishing accountability
- Providing support

Clarifying implementation entails making sure that control measures are understood. For this purpose, directives, a roadmap for implementation as well as a description of the intended end state are provided. Tools used for this task are examples, pictures, charts, job aids, etc. In the financial industry, policies, directives and manuals are often used, as well as training material. These could be complemented by simple summaries of lessons learned from practical OpRisk cases.

Accountability is an important element of OpRisk management. It requires sign-off and proper documentation of all relevant risk-taking decisions. In the financial industry, this aspect is critical given the relatively rapid turnover of staff. Quick response times, however, should not serve as an excuse to neglect documentation. Possibly computer-aided, standardised decision-making forms could provide an avenue for enhancing accountability.

To be successful, command must support the control measures put in place. This requires getting command approval prior to implementing a control measure. In the financial industry, this would possibly require making OpRisk an issue for the BoD and mandating the CRO or COO with the day-to-day management of OpRisk. In any case, management should be aware of the common obstacles to the implementation of controls, as summarised in Chart 5.4.

Chart 5.4: The Pitfalls of selected Control Measures
- Inappropriate control for the hazard
- Operators do not use them
- Leaders do not use them
- Cost too much
- Impede the mission - limit opportunity
- Get lost in the priority system
- Misunderstood
Source: Credit Suisse Group / GRM, adapted from US Air Combat Command, 2000


6. Supervise and Review

Once the operation is running it needs to be supervised. This entails monitoring the operation to ensure that:
- Controls are effective and remain in place
- Changes in the operation which require further risk management are identified
- Actions are taken to correct ineffective risk controls and to re-initiate the risk management steps in response to new hazards

Tools assisting in performing supervision include inspection, observation and feedback programs. In the financial industry, management reviews, audits and controlling investigations are increasingly tailored to OpRisk management aspects. The operations must also be periodically reviewed. The review process must be systematic. Once assets are expended to control risks, a cost-benefit analysis must be carried out to see whether risk and cost are in balance.

5.3 Military OpRisk Experience: 12 Lessons

I have reduced the military experience to 12 lessons.

1. "OpRisk management is a process, not a program! It requires incorporating risk in decision making at all levels."12

2. "OpRisk management is:13
- A logic-based, common sense approach to decision making
- Integrates the 5-M factors, before, during and after the operation
- Not a radical new way of doing things
- Mission oriented"

3. Always use the proper methodology, the 5-M concept:
- Management (standards, procedures, values, goals)
- Man
- Machine
- Media (environment)
- Mission or mishap
Risks are categorised as to their severity and probability.

4. Apply the 6-step process (Air Combat Command):
- Identify risk
- Assess risk
- Analyse risk
- Make control decisions
- Implement risk control
- Supervise and review

12 US Navy, 27th Fighter Wing (no date).
13 US Navy (1997).


5. The intensity of risk management differs with the time available:
- Hasty = time critical: on-the-run consideration of the 6 steps above
- Deliberate: complete application of the 6 steps, adding time and techniques
- In-depth: complete application of the 6 steps, adding time, techniques and energy

Civilian and military studies reveal:
- Insufficient management processes are responsible for 80% of mishaps
- Personnel is the dominant factor in mishaps. Therefore, it has to be led.
Ideally, management should ensure that everyone, when performing his or her tasks, takes some risk management considerations into account. Military experience on the quality of involvement strongly supports this approach, as shown in Chart 5.5. Successful risk management requires an enterprise culture which makes everyone a risk manager. Such a culture ensures pro-active risk management.

Chart 5.5: Everyone's Involvement is highly desired! A Judgement on different Levels of Involvement (ranked from best to worst quality)
1. Personal ownership (best)
2. Team member
3. Input provider
4. Coordinator
5. Comment and feedback provider
6. Robot: object of inspection or enforcement (worst)
Source: Credit Suisse Group / GRM, adapted from US Navy 27th Fighter Wing, 2000

6. "Safety is built on integrity, trust and leadership, created and sustained by effective communication" = enterprise culture14

14 US Navy (1997).


7.

To establish a personal ownership as a risk culture, five levels of OpRisk management training can be conceived:14 S S S S S Indoctrination: Making everyone aware of OpRisk User: Introduce concerned individuals to the five step OpRisk management process Advanced: Train relevant individuals to apply OpRisk management and its tools Leader: Enable responsible individuals to make OpRisk management decisions Senior leader: Provide a basic understanding of OpRisk management

8. Anticipate and manage risk by planning: this first rule is one of simple efficiency and economy. Risks are more easily managed when addressed in the planning stage of an operation.

9. Make risk decisions at the right level: this is the level where the decision-maker has the necessary information, experience and maturity to make a good decision. Normally risk decisions are made by the leader directly responsible for the operation, i.e. at the level where the risk taking can be influenced and is borne. However, the level of approval authority should be commensurate with the level of risk accepted. Final risk decision-making authority resides with the agency or individual assigning the tasking within the chain of command.

10. Accept no unnecessary risk: leaders who accept unnecessary risk are gambling with others' lives (in banking, with others' money). Take only risks that are necessary to accomplish the mission.

11. Accept risk when benefits outweigh the cost: this rule recognises two key truths:
- There is some degree of risk associated with all operations.
- The goal of OpRisk management is not to eliminate risk, but to manage the risk so that the mission can be accomplished with the minimum amount of loss.15

12. KISS: Keep It Short and Simple. This rule recognises three key truths:
- Complexity is often at the root of risk
- Communication is essential to mitigate risks
- Others do not per se understand one's thinking

"You don't manage people: you manage things. You lead people." (Admiral Grace Hopper)

14 US Navy (1997).
15 Airtevron one, VX.1 Safety/Naptobs Dept., "Introduction to Operational Risk Management".


6. Managing Operational Risks: The 12 S's as a High Level Requirement

This chapter deals with OpRisk management from the high level - top-down viewpoint. It is primarily concerned with setting the right management framework for dealing with OpRisk in the context of a fully integrated, institution-wide risk management. The 12 S's of such a management approach are: strategy, structure, system/s, staff, safety, speed, skills, style, shared values, stakeholders, symbol, synchronisation.

6.1 Risk Management Framework

An analytical and conscious approach to solve management issues - in this context in regard to OpRisk management - can be structured along the 12 S's for every organisation. I repeat my chart from chapter 1:

Chart 1.2: Building an Organisation for the Management of 8 Major Risks

Major factors shaping the risk disposition of an individual and an organisation: Values, Society & Politics; Innovation & Technology; Expectations; Facts; Experience; Knowledge; Competition; Perception; Clients; Markets & Economy.

Scope and challenge of an integrated firmwide risk management: action and reaction by management and staff, building on the organisation's 12 S: Strategy, Stakeholders, Shared values, Structure, System/s, Skills, Simplicity, Symbol, Safety, Sustainability, Speed, Synchronisation. Ensuring a risk culture with: modern methods / limits; proactive risk management; constructive control attitude; continuous training; discipline as to corrective actions.

Effective risk management provides focus on and control over 8 major risks: Strategy Risk, Reputation / Brand Risk, Market Risk, Credit Risk, Ins. Underwriting Risk, Business Risk, Operational Risk.

Each financial services organisation has its own peculiar history, set-up, strategy, structure, values and challenges. Retail banking, asset management, brokerage, trading, investment banking, insurance, they all have very different prerequisites. Here, I have tried to come up with some salient common and general OpRisk related denominators concerning any organisation, irrespective of its peculiarities. By nature, the comments are more oriented toward high level issues.

Chart 1.2 (remaining labels): factors Policies & Regulation and Behaviour; eighth major risk: Liquidity Risk. Source: H.-U. Doerig, 2000


Basically, one can differentiate between "six tiers of defence" for risks:
- Tier 1: Business front line with the prime responsibility for taking and managing risks
- Tier 2: Support functions like product control, strategic risk management, legal and compliance, country management, with focus on specific risk areas and concentrations
- Tier 3: Senior management and supervisory board with focus on the overall risk profile
- Tier 4: Internal and external audit with focus on deficiencies as to policy, structure, rules, regulations etc.
- Tier 5: Regulators / supervisors with the prime role of an external referee
- Tier 6: Shareholders and other stakeholders as ultimate daily overall judges

Simplified, but correct for any risk management, is the following formula:
- Inherent risk - Mitigants = Residual risk
- Mitigants can be the 12 S's management as well as e.g. hedging or risk transfer

6.2 Strategy and Structure

There are very few really original banking strategies. Implementation is the issue. However, any financial organisation without a dedicated, simple and continuously checked strategy is lost from the start: "Strategy is always simple, but it is not for that reason easy" (von Clausewitz). The strategy should secure no undue risk taking, e.g. set ambitious but realistic targets.

The structure very much depends on the strategy. Only a logical structure can lead to the successful implementation of the S's, especially for OpRisk management and its related issues like TQM, efficiency and effectiveness. A structure for the 21st century has to take into account the need for continued innovation and creativity: structure with flexibility. We also should not completely overlook Peter Drucker's statement: "No institution can possibly survive if it needs geniuses or supermen to manage it. It must be organised in such a way as to be able to get along under a leadership composed of average human beings."

6.2.1 Corporate Governance

Quality starts at the top. We all observe the worldwide convergence of what constitutes good corporate governance, also in the European banking industry: "accountability" has become the key issue. This paper cannot deal with specific national or EU legislation - de lege lata or de lege ferenda - nor should it discuss the respective responsibilities of the Board of Directors versus the Executive Board. What is important - also on the basis of the respective legislation - is the clear allocation of responsibilities and the establishment of functioning checks and controls.


As a catch-all for present or future requirements, I raise salient elements of BIS' 1999 report "Enhancing Corporate Governance for Banking Organisations". The Cadbury report, the recent Turnbull report and the EMI ECB recommendations, all call on the various boards' responsibility to identify the relevant risks and to have an "embedded" risk management system, not just a "separate exercise" or "to take risk into consideration". This is essential for proper OpRisk management. The September 1999 Basle Committee on Banking Supervision on "Enhancing Corporate Governance for Banking Organisation" identifies 7 essential practices. Table 6.1 shows how these are linked with my 12 S's.

Table 6.1: BIS Essential Practices and the 12 S's

BIS practice, followed by the corresponding 12 S's:
1. Strategic objectives and a set of corporate values: strategy, shared values, style
2. Clear line of responsibility and accountability: structure, system
3. Proper qualification of board of directors: skill, style, shared values, symbol
4. Appropriate oversight by management: structure, system, systems, safety
5. Internal and external auditors as independent checks: structure, system, systems, safety
6. Compensation consistent with bank's ethical values, objectives, strategy and control environment: staff, stakeholders, shared values
7. Transparency as to corporate governance: structure, system, safety, synchronisation

Source: Credit Suisse Group / GRM, 2000.

The above, but also more recent supervisory and auditing requirements make it very clear that senior management today has an ever increasing responsibility to deal with risks, including OpRisk, in a diligent and continuous fashion. These aspects have become more formalised lately. Questions could be raised like:
- Does your organisation have an accepted OpRisk definition, a formal policy statement, a regular review of responsibilities?
- What committee deals with OpRisk? Who is the owner of an important issue?
- At a functional level, who is responsible for OpRisk management? Is it documented as to policy, structure and losses?
- Is there a clearly defined escalation process? Trend analysis? Impacts of OpRisk?
- How often is OpRisk reported on? Who reports to whom on legal cases, on insurance issues?
- Is the information consolidated and fit for high level supervision?

In this context, it is not so crucial whether the whole BoD or Executive Board, the Audit or Chairman's Committee, an Executive Board Risk Committee, the CEO or the CRO has such a responsibility. What matters is that it is done with skill, diligence, care and promptly, with clear allocation of responsibility, independence with built-in checks, deadlines, controls and proper reporting.


The role of an Audit or Risk Committee of the Board has become much more visible, including the information for the Supervisory Board. Regulators take a keener interest in such or similar committees and Board functions related to risks, including OpRisk. The intensity and frequency of risk management discussions depend on the organisation's specific situation. Each organisation has to strike the balance between what is to be managed tightly and what more loosely. A balance has to be found between:
- Extreme alignment (too much = bureaucracy and demotivation) and
- Extreme adaptability and flexibility (too much = chaos or difficult control)

The new decentralised structure initiated by Credit Suisse Group in 1996 served it well: below a small Corporate Centre (= Holding Company), a total of 6 major Business Units - each with its own Executive Board - are assembled: retail banking, private banking, personal financial services, insurance, asset management and investment banking. One benefit of the restructuring was clearly defined responsibilities and enhanced transparency and discipline. It also led to shorter decision making processes - under the Group guidance - and to a much more focused risk management. A reduction of complexity was achieved also for OpRisk by grouping similar skills and workflows in one unit. Additional opportunity costs were avoided and ownership of risk became more effective.

6.2.2 Segregation of Duties

Internal and external cases indicate that many of the significant OpRisk losses in history were related to the lack of segregation of duties: front versus support functions. This fact holds true not only for lower level functions, but also for Executive Board levels. The major forces influencing the management of OpRisk are presented in Chart 6.2.
Chart 6.2: Managing OpRisks: Major Forces in a continuous Interplay

Forces shown in the chart: Shareholders and other Stakeholders; Supervisors; Legislation; BoD; Senior Management; Internal and External Audit; Line / Business Management; Legal & Compliance; Product Control; Financial Control; IT; Country Management; Risk Transfer Insurance; Operations; Risk Management; Competition; IT Development.

Source: H.-U. Doerig, 2000
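The segregation described above, front versus support duties and reporting lines that do not end at the person being checked, can be tested mechanically against an entitlement export. The following is an added example, not code from the CSG paper or any CSG system; the duty names, function names and sample assignments are constructed.

```python
"""Segregation-of-duties (SoD) review over entitlements and reporting lines.

Added example, not code from the CSG paper: it flags (a) individuals who hold
a front-office duty together with the support duty that is meant to check it,
and (b) support functions whose reporting line ends at an executive who also
runs a front-office line. Duty names, function names and sample data are
constructed for illustration.
"""
from collections import defaultdict

# Pairs no single person may hold: (risk-taking duty, the control over it).
CONFLICTING_DUTIES = (
    ("trade_entry", "trade_confirmation"),
    ("trade_entry", "settlement"),
    ("trade_entry", "pnl_valuation"),
    ("payment_initiation", "payment_release"),
    ("limit_usage", "limit_setting"),
)

FRONT_FUNCTIONS = {"trading", "investment_banking"}
SUPPORT_FUNCTIONS = {"risk_management", "product_control", "operations",
                     "legal_compliance", "financial_control", "treasury",
                     "it", "country_management"}


def entitlement_conflicts(assignments):
    """assignments: iterable of (user, duty).
    Returns a sorted list of (user, front_duty, control_duty) for each
    conflicting pair held by the same user."""
    duties_by_user = defaultdict(set)
    for user, duty in assignments:
        duties_by_user[user].add(duty)
    hits = []
    for user, duties in duties_by_user.items():
        for front, control in CONFLICTING_DUTIES:
            if front in duties and control in duties:
                hits.append((user, front, control))
    return sorted(hits)


def reporting_line_conflicts(reports_to):
    """reports_to: {function: executive it reports to}.
    Returns a sorted list of (support_function, executive, front_function)
    wherever a support function and a front-office function share the same
    executive, i.e. the checker reports to the person being checked."""
    front_by_exec = defaultdict(set)
    for function, executive in reports_to.items():
        if function in FRONT_FUNCTIONS:
            front_by_exec[executive].add(function)
    hits = []
    for function, executive in reports_to.items():
        if function in SUPPORT_FUNCTIONS:
            for front in sorted(front_by_exec.get(executive, ())):
                hits.append((function, executive, front))
    return sorted(hits)


# Constructed sample data.
SAMPLE_ASSIGNMENTS = [
    ("alice", "trade_entry"),
    ("alice", "trade_confirmation"),  # confirms her own trades
    ("bob", "trade_entry"),
    ("carol", "settlement"),
    ("carol", "payment_release"),
    ("dave", "payment_initiation"),
    ("dave", "payment_release"),      # initiates and releases payments alone
]
SAMPLE_REPORTS_TO = {
    "risk_management": "vice_chairman",
    "product_control": "vice_chairman",
    "operations": "exec_a",           # exec_a also runs trading
    "trading": "exec_a",
    "investment_banking": "exec_b",
}


def sod_review(assignments=SAMPLE_ASSIGNMENTS, reports_to=SAMPLE_REPORTS_TO):
    """Run both checks and return the findings in one dict."""
    return {"entitlements": entitlement_conflicts(assignments),
            "reporting_lines": reporting_line_conflicts(reports_to)}


if __name__ == "__main__":
    for kind, findings in sod_review().items():
        print(kind)
        for finding in findings:
            print("  ", *finding)
```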


CSFB e.g. separates trading from support functions. The following functions report directly to the Vice Chairman, who has no line functions: risk management, product control, operations, legal & compliance, financial control, treasury, IT and country management. Trading and Investment Banking report to different Executive Board members.

6.2.3 Management Structure for OpRisk

A survey has identified 3 generic organisational models for OpRisk management:16
- A Head Office OpRisk function
- A dedicated but decentralised support
- Internal Audit playing a lead role in OpRisk management

The Head Office OpRisk approach is receiving the widest acceptance. Such a corporate OpRisk organisation is presented in Chart 6.3.

Chart 6.3: Corporate Operational Risk Organisation Model

Elements of the model: Board of Directors; Senior Management Operational Risk Committee; Internal Audit; Chief Risk Officer; Operational Risk Related Staff Functions (Compliance, Human Resources, Insurance, IT, Legal); Head of Operational Risks with Head Office Operational Risk Staff; Business Unit Management with Business Units Operational Risk Staff.

Source: BBA (1999)

As important as the concrete structure is the visibility, acceptance and firmness of risk management, as it is not a profit centre. Risk management must add value by:
- Fostering risk awareness in various situations and cycles of a firm or market
- Setting standards
- Ensuring smooth running of the firm's risk processes and methods
- Disclosing and escalating relevant risks to senior management
- Taking no positions, but helping to prevent losses
- Offering constructive risk mitigation and pricing advice
- Assessing / quantifying risks
- Benchmarking with peers, where feasible

16 BBA (1999).


At CSG, the 6 major business units each have a CRO or CCO and an appointed OpRisk officer. The Group-CRO chairs 3 different risk related committees and has an overall top-down function as to creation and alignment of definitions, terminology, methods, procedures and processes. He monitors, encourages and intervenes if needed and advisable; he promotes the creation of a "proper" risk culture by following the previous 12 Golden Rules on page 9; he exercises formal and informal influence; bottom-up approaches are encouraged.

6.2.4 Audit driven OpRisk Management

It is self-evident that auditing and controlling activities do not report to those who are audited: internal audit reports go to the Chairman or Audit Committee of the Supervisory Board, thus ensuring independence. Internal and external audits play a very relevant role, especially in the OpRisk arena. It is true that many conventional audits are more control-oriented or concentrate on symptoms. However, forward looking and diligent audit reports are an excellent base for operational improvements and the reduction or elimination of OpRisk: from ex-post assessments to ex-ante improvements. In my opinion, the audit driven approach is the most pragmatic and readily implementable approach in OpRisk management.

As important as the audit reports themselves are the corresponding follow-ups and corrective actions by those concerned. At CSG, the Business Units have their own audit tracking system. At Group level, audit reports are reviewed by the CEO, CFO and CRO as well. Unsatisfactory major reports are subject to additional follow-up requests by Group Management. Very unsatisfactory reports - especially revisited issues - are bonus relevant, also on higher levels.

Statistics based on internal audit findings can be revealing. At CSG e.g. percentage data on items for correction are established for each BU and then consolidated. Example: documentation issues at large are mentioned in 31% of all reports, procedures issues come up in 29% etc. A comparison over years allows for some conclusions as to progress, especially in OpRisk issues.

The tasks of internal auditors vary, depending on business activity and on their engagement in consulting on OpRisk management matters. A limited CSG analysis of 12 banks indicates: retail banking has 3 - 5 and investment banking 7 - 10 auditors per 1000 staff on average.


6.3 System and Systems


System as one of the 12 S's stands for processes, while Systems are their corresponding IT and communication tools.

6.3.1 Framework of OpRisk Management

A common framework for OpRisk management for banks which has emerged recently includes integrated processes, tools and mitigation strategies.17 This framework has 6 components as presented in Chart 6.4.
Chart 6.4: Enterprise-wide OpRisk Management Framework

The six components: Strategy; Risk Policies; Risk Mgt Process (Controls, Assessment, Measurement, Reporting); Risk Mitigation; Operations Management; Company Culture. The framework is to be integrated with market and credit risk, aligned with stakeholders and carried by system and systems.

Source: Credit Suisse Group, based on BBA (1999)

Strategy and structure aspects were discussed previously. Here, we deal with the risk management process, primarily control aspects. Risk assessment, measurement and reporting as tools are presented in chapter 7. Additional risk mitigation is dealt with in chapter 8.

6.3.2 OpRisk Control Process: 12 General Rules to Watch

In its September 1998 framework on internal control the BIS mentions three main objectives and roles of the internal control framework:18
- Efficiency and effectiveness of activities (performance objectives)
- Reliability, completeness and timeliness of financial and management information (information objectives)
- Compliance with applicable laws and regulations (compliance objectives)

17 BBA (1999), pp. 12-13.
18 BIS (1998).


Internal control consists of 5 interrelated elements:
- Management oversight and the control culture
- Risk recognition and assessment
- Control activities and segregation of duties
- Information and communication
- Monitoring activities and correcting deficiencies

The control and compliance process of a firm represents one of the most decisive OpRisk management tasks, especially in today's environment. An appropriate control and compliance culture is part of the risk culture. This "cultural aspect" needs close and continued attention by senior management. "Culture" is qualitative. It cannot be quantified or modelled. For me, the risk culture aspect is the most decisive factor and base for good risk management. In Table 6.2, I have summarised some existing and / or increasingly upcoming requirements as a "checklist" with 12 general rules to watch in the context of OpRisk.

Table 6.2: OpRisk Control: 12 General Rules as a Check List19

1. Control is a difficult balance between action making the fortune and "the cautious seldom err" (Confucius): have a control environment and a compliance culture which accepts internal supervision. Compare some of the "S" of an organisation: strategy, structure, system, systems, safety, speed, staff, skills, style, shared values.

2. Regulators' standards are continuously being raised, especially in OECD countries. Supervisors increasingly discipline breaches of responsibilities. Individuals are increasingly held responsible by supervisors.

3. Map regulatory requirements directly to compliance control.

4. Organise the activities so that they can be controlled: establish clear structures and procedures; allocate responsibilities to suitable individuals. Integrate OpRisk functions/responsibilities in job descriptions.

5. Construct procedures relevant for the concrete activity, including: structure, activity, workflow, "owner" of the specific activity (does the "owner" know what he/she owns?), checks organised, records, key risks, regulatory requirements, controls.

6. Document the procedures and maintain the relevant documents: you might have to prove something.

19 This section is partly based on: Morris, S., "Operational Risk Control, what FSA expects... and you must do", CMS, London, June 2000.


7. Procedures should ideally have the following characteristics:
- Single document as to rules and requirements
- Structured along the activity flow
- Comprehensive
- Clear: so someone else can pick it up; see staff turnover, role of temps and consultants
- Monitorable
- Instructing: what is to be done in case of ...
- Teachable: so it can be used as a training aid
- Implementable: use simple check lists
- Auditable

8. Train management and staff; train the supervisors of staff: supervisors also check.

9. Special attention for control procedures should be paid to the following:
- New business / activity / product
- Internet activity, e-business
- Outsourcing
- Security, safety: access to infrastructure, internal data
- Client privacy protection, including data on clients
- Insider trading
- Conflicts of interest
- Money laundering
- Suitability of clients
- Branch/subsidiary offices, especially far away from HO
- Overly profitable areas
- Internal communication/information flow
- Change management

10. Compliance plays an increasingly core role for OpRisk control:
- Proper positioning of compliance for a specialised activity: e.g. private banking has very different requirements compared to investment banking
- Compliance officers becoming risk managers: from a rule based approach to a function based approach?
- Enough and suitable compliance staff?
- Adequate procedures and reporting lines?
- Access to senior management?
- Staff understands compliance function?
- Compliance monitoring?
- Elevation procedures?
- Investigation on breaches?
- Follow-up on rectification?

11. E-commerce presents a new control/compliance challenge:
- Entrepreneurs and creative innovators also need structure and systematic approaches in management: e-nablement = e-compliance
- E-business within the firm's regulatory and compliance framework
- Monitoring by senior management


12. Supervisory board and senior management have an increasing responsibility for controls and compliance: from back to board room
- Key functions and procedures?
- Control environment?
- Adequate compliance function?
- Controls: serious breaches and their remedial follow-ups?
- Database on breaches?
- Clear areas of management responsibility?
- Management support for controls?
- Compensation impact?

6.3.3 Top-down versus Bottom-up OpRisk Management

There is no commonly accepted benchmark or model as to the methodology of managing OpRisk. As is to be expected in the art of management, there are arguments for both top-down and bottom-up approaches in OpRisk management. For me, the OpRisk management process includes identification, assessment, measurement, evaluation, priority setting, reporting, control and mitigation. Not surprisingly therefore, I believe in a mix. Top-down and bottom-up both have advantages and disadvantages. Table 6.3 indicates some of the aspects of the two models.

Table 6.3: The Choice of an OpRisk Management System

Top-down:
- Close to strategy, policy and corporate governance
- Management driven
- Loss events knowledge
- Defined, unified standards
- Comparable statistics
- High level mitigation
- Accountability?
- Compliance and/or acceptance?

Bottom-up:
- Close to the concrete activity, often origin of risk
- Close interaction between events and people, processes and technology
- Local quality controls
- Sense of duty as a main driver?
- Dependence on staff initiative?
- Own standards?
- Incentives?

Source: Credit Suisse Group / GRM, 2000.

Most important seems to me the clear ownership of an activity, the ability to generate reliable, meaningful and relevant information and a well functioning early warning system.


6.3.4 Risk Processes: Quantitative and Qualitative Approaches

Whether top-down or bottom-up, OpRisk management can be based on quantitative and qualitative assessments. Both should be combined and must induce management actions, as presented in Chart 6.5.

Chart 6.5: Qualitative and Quantitative Operational Risk Management Process

Risk indicators: establish a set of indicators; regularly monitor risk indicators; use them as a basis for management reporting.
Analysis (qualitative and financial): analyse the trend of indicators for their financial impact, if feasible, and for possible qualitative improvements.
Management decisions: determine what kind of action is necessary, if any; create incentives to encourage best practice; risk based internal charge.
Mitigation or transfer: implement improvements or transfer the risk appropriately.

Source: Credit Suisse Group / GRM, 1999
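The indicator loop of Chart 6.5 (establish a set of indicators, monitor them regularly, analyse their trend, derive a management decision) can be sketched in a few functions. This is an added example, not code from the CSG paper; indicator names, thresholds, owners and the six monthly observations are constructed sample data, and the trend test (a least-squares slope projected over the monitoring window) is a method chosen here, not one the paper prescribes.

```python
"""Key risk indicator (KRI) monitoring with threshold and trend early warning.

Added example, not code from the CSG paper: a minimal version of the indicator
loop in Chart 6.5. Indicator names, thresholds, owners and the monthly
observations below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    name: str
    amber: float  # level at which management should start watching
    red: float    # level at which escalation to senior management is mandatory
    owner: str    # single accountable owner of the indicator


# Ordering used to put the worst indicators at the top of the report.
SEVERITY = {"red": 0, "amber": 1, "trend": 2, "green": 3, "unknown": 4}


def slope(values):
    """Least-squares slope per period of a series; 0.0 for fewer than two points."""
    n = len(values)
    if n < 2:
        return 0.0
    x_mean = (n - 1) / 2
    y_mean = sum(values) / n
    num = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(values))
    den = sum((x - x_mean) ** 2 for x in range(n))
    return num / den


def assess(indicator, history, window=6):
    """Classify the latest observation: 'red' (escalate), 'amber' (watch),
    'trend' (still below amber, but rising fast enough to reach it within
    `window` periods) or 'green'. Returns (status, reason)."""
    if not history:
        return "unknown", "no observations recorded"
    latest = history[-1]
    rise = slope(history[-window:])
    if latest >= indicator.red:
        return "red", f"latest {latest} at or above red threshold {indicator.red}"
    if latest >= indicator.amber:
        return "amber", f"latest {latest} at or above amber threshold {indicator.amber}"
    # Early warning: a value still below amber is flagged when the recent
    # slope, continued over the window, would cross the amber threshold.
    if rise > 0 and latest + rise * window >= indicator.amber:
        return "trend", f"rising {rise:.2f} per period; amber projected within {window} periods"
    return "green", "within tolerance"


def management_report(indicators, histories, window=6):
    """One row per indicator, worst first, as input for senior management reporting."""
    rows = []
    for ind in indicators:
        status, reason = assess(ind, histories.get(ind.name, []), window)
        rows.append({"indicator": ind.name, "owner": ind.owner,
                     "status": status, "reason": reason})
    return sorted(rows, key=lambda r: (SEVERITY[r["status"]], r["indicator"]))


# Constructed sample: three indicators with six monthly observations each.
SAMPLE_INDICATORS = [
    Indicator("failed_settlements_per_1000", amber=8, red=15, owner="operations"),
    Indicator("unreconciled_breaks_over_5_days", amber=20, red=40, owner="product_control"),
    Indicator("overdue_audit_items", amber=10, red=25, owner="bu_management"),
]
SAMPLE_HISTORIES = {
    "failed_settlements_per_1000": [3, 3, 4, 4, 5, 6],           # below amber, rising steadily
    "unreconciled_breaks_over_5_days": [12, 15, 22, 19, 25, 44],  # jumped past red
    "overdue_audit_items": [9, 7, 6, 6, 5, 5],                   # improving
}


if __name__ == "__main__":
    for row in management_report(SAMPLE_INDICATORS, SAMPLE_HISTORIES):
        print(f"{row['status']:7} {row['indicator']:32} owner={row['owner']:16} {row['reason']}")
```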

6.3.5 Personal Attention by Senior Management

With all the requirements as to strategy, system and systems presented up to now, one element often overlooked is the personal senior management attention to support functions and to details in regard to OpRisk aspects. Honestly:
- How often is senior management visiting and discussing with support / control functions?
- How often and how long is senior management in the "machine room"?
- How often is senior management showing a vivid interest in some - overall unimportant - detail, but important for a department or issue?
- What is the time allotted at management meetings for support functions?
- What "pats on the shoulders" do they get?
- How large is the compensation difference between front producers and excellent or even crucial support people who are so relevant for mitigating OpRisk and fostering reputation?



6.3.6 Compensation-System

Banks are regularly being criticised for the - Anglo-Saxon influenced - bonus systems according to "plain volume performance". While all banks are under massive competitive market pressure, it is a serious issue which is relevant for OpRisk management as well. Pure short-term orientation can be damaging for the shareholder, other stakeholders, the organisation and even the individual concerned. The assessment of a line manager has to include control and reputational performance. In my opinion - in the interest of a proper risk management in the medium term - a modern compensation scheme should take the following into account:
- Serious negative control and compliance performance is included in the overall performance judgement, including for "producers"
- Seriously negative audit issues - especially repeated weaknesses - are part of the yearly bonus fixing
- In case of doubt in regard to the clean-up of previous or real OpRisk performance issues, the bonus entitlement is suspended until full compliance has been achieved
- A meaningful portion of a bonus is in shares and/or options, effective after a few years and/or with a knock-in performance
- The higher the management level, the higher the longer-term component of compensation. That is the time when certain risks - including OpRisk - appear; that is when good management shows. For my personal taste, senior management should only get their bonuses in shares: either you have a medium-term commitment or you do not. The higher the seniority, the higher the number of years for the potential blocking of shares, with a longevity premium
- Some support functions, such as reducing OpRisk, increasing the operational quality and fostering the reputation, are as core as the contribution of "producers"

The more diverse management and staff are on a global scale, the more relevant the above suggestions become.

6.3.7 Modern IT-systems lead to New Processes

The pressure from everywhere to invest continuously and dramatically - including in the interest of risk reduction - in modern processes is immense. Integrated IT networks are central, especially for a global institution. Internet related technologies enable much higher and more sophisticated levels of co-ordination, globality, efficiency and flexibility. However, they open the door for chaos and risks if they are not consistent, structured, harmonised and stable over time. The new technologies lead to unique opportunities to modify and/or overhaul business processes as to workflow, service delivery and risk reduction. They first and foremost enable business development, e.g. 24h x 7 availability of e-commerce services with real-time execution of transactions. It is important to rethink or even reinvent processes. The new IT in conjunction with process re-architecture has many advantages related to the reduction of OpRisk, such as higher automation, quick storage and retrieval, instant communication, monitoring against given standards, support for quick decision making, actual work steps in processes, support of process work functions.


Without even trying to be technical, there are some basic rules in regard to OpRisk to consider:

Table 6.4: OpRisk-Systems: 12 IT related Basics

1. Many, even technically perfect, IT-solutions fail because the users are ill prepared and resist. Communication and training is the issue: high tech combined with high touch.
2. Reassess the existing process on a regular basis; especially recurring mistakes need re-examination of manager/supervisor/system/systems.
3. As little manual intervention as possible: great sources of mistakes are manual interventions; minimal reconciliation; more ideal is straight-through processing.
4. One source of data throughout - especially market data; data should have a single assigned owner; data can be audited.
5. Business line processes are separated from IT: no overreaching access of line functions to data and IT-systems.
6. Processes and systems are standardised across regions and product lines; avoid island solutions.
7. Future-oriented and fully compatible architecture for the operational demands of business. Not maximum performance, but the handling of bottlenecks mostly determines the quality and risk limitation potential.
8. Quality is parallel to reducing OpRisk. Quality will no longer be a differentiating factor but a precondition for a decent survival.
9. No core systems without backup; cost / benefit of a backup for the backup?
10. Systems - by their nature - are interdependent and complex, with potential conflicts between the interested parties: co-operation, consensus and compromise are management functions: follow the KISS-rule.
11. New systems/processes should eliminate many risk sources, but they most probably add new ones: any solution breeds new problems.
12. Security protection, firewalls and business continuity plans are key.


6.4 Safety and Speed

One of the most distinguishing elements of competitiveness of a bank is its safety and security. However, this can imply slowness, which in turn hampers competitiveness. Today, the fast beats the slow more often than the big beats the small. The challenges are great: managing heterogeneous systems, rapid IT changes, cost, e-commerce, Internet, restructurings and new products of all sorts. Whatever we do, we must make sure that we fulfil regulatory requirements and observe all laws, financial or other. A bank's reputation - its most valuable asset - is an issue of confidence and trust, for which aspects of safety and security play such a crucial role. Only confidence at large builds reputation - so hard to get, so easy to lose.

A general legal risk is the data protection problem. The EU directive of 1998 has 4 basic principles:20
- Individuals should be able to obtain and make corrections to information that is held about them by companies or institutions
- Companies must gain their customers' consent before storing or using information about them
- Companies must only use data for the original purpose that was expressed at the time of collection, unless the customer agrees otherwise
- Companies must not obtain more data on individuals than they need to carry out their stated purpose

There is a privacy gap between the USA and Europe which poses problems for global marketers: what is sacred in Europe generally is for sale in the USA, especially by web-commerce information plays. Is the planned US "safe harbour" approach the answer?

Table 6.5: Safety and Speed: 12 Principles

1. Confidence and credibility of a bank - besides capital strength, size, position - rely largely on its safety and security:
- Safety and security foster accident free quality
- Prevention is often cheaper in the long run than damage control - cost / benefit dependent
- Perception is as important as facts

2. Safety / security come ahead of speed:
- Safety is a precondition, not a differentiation factor for a bank
- A bank's appetite for safety risks has to be smaller than that of a non-bank
- Banks need safety in their speed: trust builds confidence
- "E-commerce-ready" management structure and system/s

3. The damage caused by serious security / safety failures of an Internet activity most probably has a negative effect on other activities of the same organisation.

20 See Randall, J. (2000): "Digital Buccaneers Caught in a Legal Web", Financial Times, May 30, 2000.


4. Proactive business continuity planning - as a business imperative - is as much a prevention as a cure. Logical system threat is perceived as more important than physical threat:
- Regular checks on the relevant safety / security issues
- Combine traditional disaster recovery and fault-tolerant computing
- Speed of crisis response is mostly more important than perfectionism
- Outsourcing is increasingly possible, but the outsourcer's responsibilities vis-à-vis clients remain

5. Any transformation project - restructuring, M&A, new systems, new process, new products - entails additional special and complex safety and security issues. Key success factors for projects:
- Strong senior management support and involvement
- Thinking before acting
- Good planning
- Convincing business case
- Good discipline and controlling

6.

7.

High systems availability and user friendliness are a crucial - factual and perceived - indicator for safety and security:
- 99.99% availability for mission-critical systems is becoming a priority
- Minimise downtime with review of hardware, software, systems compatibility, processes and staff training
- Proven systems normally are more secure and reliable
- Watch the cumulative effect of systems downtime

8. More security breaches - especially IT related - stem from inside the organisation than from outside - ignorance, carelessness, complexity, deliberately:
- Security starts with identifying and planning
- Identify own weak areas and the real assets to be protected
- Protection of intellectual property, client list, computer codes etc. is as important as protection of money
- Preventive controls (biometrics, passwords etc.)
- Documented detection and remedy controls
- Corporate style and culture
- Training
- Clear disclosure to employees that any and all communication they engage in on company time and equipment is subject to potential surveillance
- Watch also ex-employees


9. Safety management is - besides having the right infrastructure, technology, service level agreements, processes and recoverability - primarily a matter of OpRisk management applying discipline, e.g.:
- Rigorous password security and changes; cumulative barriers to overcome for access
- Rigorous Chinese walls
- Rigorous control mechanisms for new business activities, involving sign-offs by all concerned parties (including operations, L&C, tax, risk management)
- Continuously updated anti-virus software
- Immediate virus notification
- Regular checks and controls of logical security
- Backup
- Regular awareness management
- Rigorous discipline as to breaches

10. Piracy on privacy and denial of service scare away clients, anywhere: transactions and data must be safe, secure, private, verifiable, auditable and defensible. E-commerce especially allows transaction information to be tracked, collected, compiled and used, respectively misused. Protection of privacy and safety can be fostered by:
- Protection from "cookies" (software tracking what you do on the www)
- Regular checks on new processes, new technology
- Terrestrial links (with two or more access points, satellite as stand-by)
- Secure Sockets Layer (SSL)
- Home Banking Computer Interface Standard (HBCI) encryption plus chip card with digital signature
- Existing (challenge response logic) and upcoming encryption technology with unique codes
- Public Key Infrastructure (PKI) increasingly enables users of the Internet to securely and privately exchange data through the use of a public and a private cryptography key pair that is obtained and shared through a trusted authority. PKIs allow the use of digital certificates, which can identify individuals or organisations to authorise secured and private transactions across the Internet [21]

11. The legal ramifications of the virtual online world are in flux and need careful examination. The EU has started various initiatives with directives on electronic signatures, e-commerce, distance marketing of financial services, distance selling, data protection. The legal aspects are potentially also relevant in the context of comprehensive general liability insurance. Watch for: domain name infringement, sale of keywords, copyright infringements and patent infringements, invasion of privacy, defamation, unfair competition, contractual risks, jurisdictional risk, employment practice liability, health and safety of staff, local legal specifics.

[21] Norton, J. (no date): Security and Data Protection, FKM.


12. Every major financial institution has the task of supporting industry-wide efforts and organisations to standardise transactions and foster safety and security, such as the Global Straight-Through Processing Association (GSTPA), SWIFT, Continuous Linked Settlement (CLS), CHIPS, etc.

6.5 Staff and Skills

The value of a financial services institution increasingly lies in its intangibles: data, knowledge, skills, people, network, reputation and brand. These are bundled together in the organisation and can also be reflected in OpRisk. Worldwide, a battle for talent is going on. Human capital has become more important than financial capital. Human capital with its creativity will become THE core asset. The brainware is the issue, not the hardware! For financial institutions, employee selection, retention and development are at least on the same level as customer loyalty or shareholder support. As a matter of fact, the last two stakeholders' aspects very much depend on proper management and staff. Despite all the quantitative and analytical methods used in disciplined and structured organisations, people still base their decisions on personal inclination, ad-hoc influences, group dynamics, belief systems, cultural norms and values.

Table 6.6: Staff and Skills: 12 Principles

1. A person's personality is probably the most important core trait for a successful long-term survival in an organisation, followed by motivation and ability. If the above statement is correct, personality aspects should be the key selection and retention arguments. There is seldom a large difference between what a person is privately versus professionally. These aspects should never be forgotten, as the ultimate source of OpRisk is always human in nature. This is important for risk management in general, as risks are perceived subjectively: when a risk taker is in a relevant gain position, he/she becomes more conservative; in a position of loss, he/she normally becomes more risk seeking, having not much to lose (Prospect theory). A common bias is also the personal confirmation bias: more attention is given to information which confirms a personal hypothesis than to information which contradicts it. All this requires employees with character, integrity and the ability to be self-critical.


2. Never hire or keep anybody where there are question marks as to integrity and intellectual honesty; it only leads to additional OpRisk. This is easy to say, difficult to do. Intuition, experience and EQ remain important. "Integrity without knowledge is weak and useless, and knowledge without integrity is dangerous and dreadful" (S. Johnson, 1709 - 1784). Hire people who understand what they do and what they decide. For tasks of some importance, always hire somebody who is interested in developing him- or herself.

3. If the difference between very good and not so good employees is 2 to 1, then the selection, retention and development of people becomes even more crucial. The recruiting and nurturing skills of managers and HR will be challenged even more in regard to this OpRisk. Not only the responsibility, position, empowerment, outlook, compensation and colleagues attract excellent staff. More flexibility is needed, e.g. for job-sharing, part-time or term-time working, dress-downs, telecommuting, childcare, paternity leave, special leave, no-strings-attached sabbaticals, privileged early-stage investments, stock options, tax advice.

4. Be aware that different attitudes exist, especially among younger people:
- Be part of a fashionable job with positive vibrations, even if very demanding and hyperactive, or
- Ensure balance between private and professional lives

Both attitudes can lead to personal growth, but watch the drag factor of an 80% commitment only: another OpRisk issue.

5. Managers and staff in Operations and Support often are not in the limelight like front people. This does not imply that aspirations and expectations of support people can be kept low! Take into account the aspects shown under 3., but also include some limelight. Example: "Team of the month" as an official firmwide announcement. Make entrepreneurship and creativity an issue, also in operational or support areas.

6. Excellent performers in front functions or specialists are not necessarily good people managers - which can mean OpRisk. Some aspects of management can be learned, but not all. New skills needed in a competitive world include the management of change, of confrontation without hostility and of conflicts.


7. People's ability to change/learn is not primarily a function of capacity, but of choice. People with the most attractive personality and best skills are the most mobile. Management and staff of a global organisation need to demonstrate four key qualifications:
- Attitude
- Awareness
- Knowledge
- Skills

Without these, a global organisation is bound to have problems. It is probably correct that a proper culture of an organisation improves people's attitudes and strengths. Global markets require a mix of management skills, including sensitivity, multicultural perspective, technological literacy, IQ, EQ and leadership.

8. Continuous training and retraining becomes crucial for each employer and employee, given the new economic environment, diversity of staff, high turnover rates and the coming termination of loyalty and lifetime employment. The new technology of Inter- and Intranet makes a very efficient, continuous in-house education and training - Webucation - possible: B2E.

9. Knowledge management is an increasingly important and conscious corporate activity. It leverages existing intellectual information assets, corporate experience and best practice. This is even more crucial, given the growing diversity of staff and high turnover rates.

10. Organisations are being challenged to identify and separate the high-value, high-utility data from the low-value data. Staff is mostly over-newsed and often under-informed. Therefore, knowledge management is also information management: the right contents in proper form, at the right time to the right people becomes the key to success. This is another OpRisk mitigant. Acquiring knowledge ≠ applying knowledge. Therefore, from "know-how" to "feel-how" to "do-how".

11. Coming to other regions from the USA, management and staff issues in regard to discrimination, mobbing, bullying, harassment of all sorts and infrastructural environment aspects have to be a senior management's OpRisk concern today. Staff pressure, litigation and/or media pressure in those areas are becoming more prevalent in Europe. Tougher legislation will come up.


12. The engagement of outside consultants has become an important skill feature for almost any financial institution, including for OpRisk management matters. Such a temporary skill acquisition can be successful as long as the following conditions are met:
- Well formulated, specified mandate with time limit
- Right experience
- Your project must be a consultant's priority
- Qualification of team members with specific responsibilities
- Acceptable financial situation of the consulting firm
- No conflict of interest
- Credibility as ambassador for the institution
- Compliance with internal rules during the contract, including trading rules

The consulting heydays for the introduction of the Euro and for Year 2000 are over. New engagements must be found, among which OpRisk matters are most welcome. Some consultants are playing on fears about vulnerability rather than providing relevant and credible solutions; some of their representations vis-à-vis regulators do not make life easier for banks.

6.6 Style and Shared Values

Style and shared values are core issues for the risk management of a financial organisation, including for OpRisk management. The following guidelines address OpRisk at the root as they touch the individual's attitudes, actions and reactions.

Table 6.7: Style and Shared Values: 12 Guidelines

1. Culture is core for the identity of people. Traditionally, culture has been linked to common language, values, customs and beliefs on a local, national and perhaps regional level. New mass media and the Internet seem to be forging tomorrow's global culture with an internationalisation of activities and staff. Is the culture of global identification and cyber citizenship going to be enough of roots, values and beliefs? Corporate culture - an expression often used and misused - is this formal and informal, written and unwritten and often invisible totality of common norms, values, thinking and acting which determines the behaviours of management and staff. Each organisation has its very specific corporate culture. It is a qualitative expression of the organisation, internally and externally; such an expression can be difficult to describe.

2. Risk culture - besides people - is THE most crucial factor for successful risk management generally and for OpRisk management in particular. This aspect is - in my judgement - even more important than the most sophisticated quantitative risk models, which also need intellectual honesty. The control culture acts above all at the very place where risks are taken: at the level of the individual acting on behalf of the firm.


What is acceptable may differ from one individual or organisation to the next; "acceptability" needs formal and informal processes. Not every decision can have or should have written rules: managers and staff have to be able to make the majority of their decisions within a cultural framework, even if they act far away. Purely and formally ruled staff is an excellent recipe for getting mediocre quality only.

3. Top responsibility for the risk culture lies with senior management. Some components of a good risk culture:
- Honesty, intellectual honesty; integrity; fairness
- Flat structure; proper system and systems
- Properly formulated policies
- Clear guidelines and manuals
- Continuous risk oriented training
- Alert staff, supportive management
- Active and constructive communication
- Open agendas
- Acceptance of controls
- Natural, risk conscious behaviour; risk-adjusted compensation
- Elimination of undesirable managers and staff
- Prevention of risks ahead of correction
- Identification with the company; sense of belonging

4. Financial services is largely a judgement business. Therefore, mistakes happen daily as the future turns out differently than expected. It follows that a key factor in risk management and risk culture is discipline and perseverance as THE message of senior management. Discipline must be in place as to following structures, system and systems, but also as to admitting and learning from mistakes and correcting them properly.

5. The style of a company should be inspiring - according to my perhaps still idealistic taste - with the following parameters: the employee brings competitive performance short-term and continuous competence building long-term. At the same time, the employer cares for competitive employment terms and conditions short-term and commits sustained investment in employability long-term. Given the environment today and tomorrow, such a contract between employee and employer should be attractive for both partners. Important are the shared aspirations, openness and the ability to work in a team. "It is by acts, not by ideas that people live" (Anatole France).

6. The role of internal communication through informal processes and structures must not be underestimated. Such processes often are the sources of initiatives, creativity, innovation, energy and avoidance of risks.


7. One recipe for OpRisk management is the removal of a "blame culture". To sack or reprimand staff after an incident can lead to covering up future problems. Therefore, a performance appraisal process must be designed to pick up poor performance at an early stage. Staff must feel less concerned about admitting mistakes. [22]

8. Avoid "silo thinking and acting" in OpRisk management. All should know what others - relevant for their responsibilities - are doing and planning. A "full picture" environment, professionalism and motivation will be improved. Avoid the "knowledge is power" syndrome.

9. Risk management - in the context of corporate culture and specifically for risk / control culture - is a continuing, never-ending process, not a program. Compare the military experience in Chapter 5. You will never know how good a company's risk culture is until it is put to the test. Controlling and disaster simulation are good measures for judging the overall state of the organisation and for use as a base for improvements.

10. "To take care" of management and staff is not synonymous with "caring for people"; psychologically, there can be a very fine line between the two. Subordinates or staff fully realise this. Senior management's action and reaction should take this into account when working towards mitigating OpRisk.

11. Whether an organisation has a good or bad risk culture is a highly qualitative judgement. While it is the most crucial aspect of risk management, it cannot be mathematically quantified. The non-quantifiable characteristics of risk culture make regulators uneasy. To judge an organisation with maturity and experience must be highly challenging for an outside supervisor, certainly much more than "box-ticking".

12. Common denominators and shared values of an organisation are becoming much more relevant, given the "dilution" of other institutions' credibility, the rapid change, the diversity and fluctuation of staff and the globalisation of business. These are the reasons why CSG introduced an internal, global and self-imposed Code of Conduct for close to 80'000 staff as part of their employment contract. While the daily application of such a Code of Conduct is the issue - it will be part of the regular internal auditing - it should provide the individuals around the globe with a sense of focus and belonging. The 12 internal core values of the code, as one example, are shown in Table 6.8:

[22] See also Rachlin, C. (1998): "Operational Risk in Retail Banking" in Jameson, R. (1998): Operational Risk and Financial Institutions, Risk Books, London (1998), p. 125.


Table 6.8: 12 Core Values for Employees of Credit Suisse Group

6 Core Ethical Values

INTEGRITY: We realise that our global franchise is based on our core ethical values and our long-standing reputation for integrity, trust, confidentiality, fairness and professionalism.

RESPONSIBILITY: We respect the interests of our stakeholders (clients, employees, shareholders, service providers, government authorities, financial regulators, competitors, media) and of society as a whole. We honour our commitments and take personal responsibility for our actions. We promise only what we can deliver. We do not mislead our stakeholders.

FAIRNESS: We believe in courteous and respectful treatment of our stakeholders. We support equal opportunities and a work environment free of discrimination and harassment of any sort.

COMPLIANCE: We acknowledge the importance of all relevant laws, regulations, policies and standards, both internal and external, and comply with them. We are committed to exemplary management discipline and a first class control and compliance environment.

TRANSPARENCY: We seek constructive, transparent and open dialogue with our stakeholders based on fairness, mutual respect and professionalism.

CONFIDENTIALITY: We treat confidential information as such and do not disclose non-public information concerning the Credit Suisse Group companies, their clients and employees, unless required by law.

6 Core Performance Values

SERVICE: We are committed to providing superior service to our clients. We believe that knowing our clients and offering them value by combining good judgement, in-depth knowledge and prompt and courteous service leads to success.

EXCELLENCE: We are committed to excellence through continuous improvement of our management practices and know-how. Problems or mistakes are viewed as a chance to improve.

TEAMWORK: We believe in achieving more for our stakeholders by working together to draw upon our individual and collective strengths and abilities worldwide and across business lines.

COMMITMENT: We recognise individual contribution to the current and future success of our firm and reward it objectively, taking into account the personal contribution to targets, governance and teamwork. Every employee contributes her/his best to reach our common goals, by maintaining focus and intensity of effort.

RISK CULTURE: We base our business operations on conscious, disciplined and intelligent risk taking. We believe in independent risk management, compliance and audit processes with proper management accountability for the interests and concerns of our stakeholders.

PROFITABILITY: We are committed to sustained profitability which enables us to carry out our strategies, make long-term investments, fairly compensate our staff and achieve an attractive return for our shareholders. Legality, compliance and our core ethical values, however, come before profits.


6.7 Stakeholders and Symbol

This pair of the 12 S's is another "soft" area of an organisation and increasingly key for a successful survival. Influences and interdependencies between an organisation versus its stakeholders are manifold, often informal and hardly quantifiable. Stakeholders and other described factors influence the "symbol". The expression "symbol" stands for identity, reputation, brand.

Table 6.9: Stakeholders and Symbol: 12 Issues

1. The new environment is fast, mobile, innovative, anywhere-anytime connected, which leads to a world which is highly global, complex, IT-driven, interdependent, time-pressured and competitive. Every one of these characterisations entails challenges for OpRisk management. Corporate performance is increasingly judged by global standards.

2. There is a trend away from the sole shareholder towards a more integrated stakeholder orientation. Shareholders cannot be satisfied if other stakeholders - primarily customers, employees, partners, but also supervisors, government and non-government organisations - are not cared for. Managing for shareholders means managing for stakeholders; all stakeholders drive the financial success and the share price, which leads to sustainability.

3. With globalisation and a gradual demise of traditional states and politics, the corporation's responsibility as a "partner in society" increases. A proactive social responsibility will have a more pronounced advantage vis-à-vis stakeholders. Perhaps such social responsibility is a trade-off for more freedom to move. But the preconditions for a successful partnership in society remain: profitability and growth.

4. Creating value for financial institution customers is the greatest challenge. Customer "ownership" is probably still the key strategic barrier for competitors. OpRisk management is close to quality and operations management. Operational skills of an institution are crucial for nurturing customer loyalty: reliance, quality, access, speed, transparency, customer orientation and "risk-free" activities; risk-free means "reliable" for many clients; the client expects privacy for his/her personal financial transactions. Up to now, banks do not seem to have had any major problems with operational e-safety. Such a record will be a crucial differentiation argument vis-à-vis non-bank competitors.

5. The client or end-user is the final arbiter on a new service or process - not the enthusiastic internal project team. Early inclusion of potential clients, pilots and field tests can reduce the OpRisk involved. OpRisk management is especially challenged in restructuring and M&A situations. Most clients are primarily interested in the quality they receive during the transformation. The better and more "risk-free" the ongoing service, the better also the internal and external credibility of the transformation project itself.


6. Financial institutions also have to protect themselves from the customer. Good OpRisk management calls for proper disclosure and suitability checks on counterparties.

7. Satisfying its employees enables a company to satisfy its clients. Various staff aspects were discussed above. Key is a formal and informal mutually acceptable understanding between employer and employee, which should provide the needed identification.

8. A company's social, ethical, environmental and working practices can make or break the reputation and a brand and affect the share price. Social cohesion has become a component of success. Financial institutions are more and more challenged in regard to their environmental consciousness for their own infrastructure. Certification of the latter is a proof of the seriousness in OpRisk management. Environmentally conscious lending and investing - with commensurate internal processes - have an OpRisk content as well.

9. In the context of "symbol management" and of social cohesion, the activities of the non-governmental organisations become increasingly relevant. Such organisations have very different shapes and shades. Some of their aspirations have to be taken very seriously. "Activists rarely win against honourable organisations. There may be momentary damage, embarrassment and humiliation. Activists win when genuine problems are ignored, issues remain unexplained, or behaviours simply don't pass the smell test. Activists' success requires energetic, negative responses from their targets. Without it, they have little choice but to move on." [23]

10. Every organisation stands for something - whether in fact or perceived, internally and externally: every organisation is a symbol for something: it has a reputation, perception, an experience, an identity, a brand; all this creates expectations in regard to the "trusted bank" which also have to be managed. The 12 S's of an organisation - discussed in detail up to now - create "a symbol" and support a brand. The 12 S's are partly directly related to the symbol, often indirectly, mostly in unquantifiable and intangible ways. Effective corporate communication is the lifeblood of any financial institution, which is so heavily dependent on confidence and trust. Good communication can reinforce reputation, but good communication needs good facts, at least in the medium term. Good reputation is - simply put - the result of what a company says about itself, what it does - including in OpRisk areas - and what others say about it. Good reputation is the greatest intangible asset of a financial institution.

[23] Lukaszewski, J. (1998), White Plains, NYC, 1998.


11. Corporate communication - as an organisation in itself - is exposed to OpRisk. An ineffective communication organisation combined with a concrete risk or major OpRisk issue can lead to disaster: from cracks to crisis in extremis.

12. The most relevant singular factor for establishing an excellent reputation long-term is earnings stability combined with growth. This is the "compensation" for the consistency driving value. Operational skills combined with successful OpRisk management are an instrumental base for sustained earnings and the management of reputation and brand. Ideally, each employee takes some responsibility for risk management as well as for corporate reputation.

6.8 Synchronisation

The discussion of the 12 S's and the previous chapters show that OpRisk management is not an easily definable, measurable and quantifiable issue. OpRisk is rather different from one organisation to the next, each organisation having its own orientation and aggregate skills and expertise. The priorities must be different, given the specifics of tradition, strategy, global reach, distribution channels, structure, system and systems, stage of risk management, style, shared values etc. The art in financial services is not the perfect application of one of the 12 S's: the art of managing a bank or another business is the combination and synchronisation of the various S's: right strategy and priority, right structure, right people, right time, right form, right cost/price, right efforts and intensity. This is the reason why financial institutions have different results or different long-term success, different share price valuations and different expectations in the market. This makes up the "individualised corporation". A strategy or concept might well be perfect, but a bad synchronisation of all the efforts leads to a poor implementation. This is the reason why management - including OpRisk management - is less of a science and more of an art. We are dealing internally and externally with not only rational, but also emotional human beings who make efforts and mistakes every day. Good OpRisk management is largely good management.

"The difference between stumbling blocks and stepping-stones is how you use them" (Source unknown)


7. Managing Operational Risks: Practical Instruments and Tools

7.1 Introduction

Chapter 6 focused on OpRisk management from a high level point of view. Chapter 7 concentrates on a more bottom-up point of view with corresponding tools, some of which are still being developed and may be CSG specific. Management of operations has always used some sort of tools to identify, assess, control and manage OpRisk in its day-to-day specific area of activity. With the increased awareness of senior management for risks in general and for OpRisk in particular, these tools have received closer attention. No one tool on its own is sufficient; each has its limitations. "Synchronisation" of the tools combined with previously discussed, more high level approaches of general management - including audits and compliance measures - is the issue. Such an approach leads to integrated risk management.

7.2 Control and Risk Self-Assessment

According to a recent study, self-assessment is the most widely used tool among banks [24]. Control and Risk Self-Assessment (CRSA) is a workteam-based technique to help managers identify and measure OpRisk through estimates based on the consensus opinion of a group of knowledgeable managers and staff. The ultimate objective of this process is to foster the identification, assessment and mitigation of OpRisk. CRSA uses a formally documented process in which management and/or workteams review the effectiveness of the business controls to contain risks and to meet defined objectives. This is similar to the military approach as discussed in Chapter 5. A facilitator is designated to assist the workteam, whose members should be people who are key to the achievement of the specific business objective or are influencing the operation that has been selected for review. In many cases, a cross-functional workteam helps to develop the broadest possible coverage for the achievement of the business objective. Management must clarify the relationship between the organisation's primary corporate objectives and the specific business line objectives for each participating unit. These objectives can include diverse areas, as well as diverse practical applications for every department and every employee function.

[24] BBA (1999), pp. 55 ff. Response from 55 banks, 110 banks approached.


Workshops are conducted with employees from participating departments using a framework consisting of control categories, to review the controls in place to achieve each business objective under analysis. The framework's categories may include: purpose, commitment, planning, capability, direct controls, measurement, employee well-being and morale, process oversight and culture. The objectives are analysed in terms of:
- Threats - events that could prevent the achievement of an objective
- Controls - activities that provide additional assurance that objectives are met
- Agreed residual risk - the real or possible events or situations where a business/quality objective is not being met or may not be met given the controls in use/place.

The information on threats, controls and risks is captured for each business objective. The information is then documented, summarised and reported to senior management. Due to the dynamic nature of a firm's risk profile, CRSA findings should periodically be updated. It is obvious that CRSAs benefit the organisation, the employee by his/her involvement and management due to the bottom-up feedback provided. A simplified CRSA example of CSG's Asset Management Business Unit is presented in Chart 7.1.

Chart 7.1: Process Self-Assessment

[Bar chart: risk level (results, on average), scale 0% to 100%, per self-assessment check]

Self-Assessment Checks:
1. No procedure in place, audit remark
2. Procedure in place, possible audit remark
3. Level of external audit standard met
4. Local best practice
5. International best practice

This approach is used for different functions and locations.
Source: Credit Suisse Asset Management, 1999


7.3 Impact & Frequency Scorecard

It can also be useful to assess the impact and frequency of identified and relevant OpRisk events. This may be done using an impact and frequency scoring system quite similar to that presented in Chapter 5 for military purposes. In particular, OpRisk events that are identified as having potentially significant impact can be isolated for further analysis, which may include a frequency estimator and an investigative study. Based on the fact findings from these analytical tools, an appropriate management response can then be deployed.
Chart 7.2: Impact Scoring System (example)

Impact No. and alternatives & related words: 5 Very High; 4 High; 3 Medium; 2 Low; 1 Very Low.

Row shown for Impact No. 3 (Medium - tolerable/moderate):
- Questions: Does the occurrence of this risk event have a tolerable effect? Does it prevent you from operating efficiently?
- Impact, financial: High financial loss up to USD 25m
- Impact, reputational: Some negative press
- Impact, regulatory: Regulatory scrutiny / noticeable resource impact on normal activities
- Impact, human: Tolerable loss in terms of loss of key staff, loss of expertise, erosion of culture; noticeable resource impact on normal activities
- Impact, organisational: Tolerable loss in terms of loss of control, quality of systems/procedures, legal exposure, erosion of culture

Example: Irregular trading activities spotted by local controllers that may be classified as rogue trading. The impact of this event is assessed using the Impact Scoring tool.

Impact Score:
Impact Score Range: 5 Very High [Devastating/Catastrophic]; 4 High [Substantial/Major]; 3 Medium [Tolerable/Moderate]; 2 Low [Negligible/Minor]; 1 Very Low [No Impact/Insignificant]

Impact assessment, regulatory: Local regulator questioning the adequacy of the controls of traders' limits; early feedback indicates that the regulator is satisfied that all feasible controls are installed and followed.

Chart 7.3: Frequency Estimator (example)

Columns: Frequency alternatives & related words | Frequency score | Description | Questions
Row shown: Unlikely | 2 | Low - 1 in 50 years | Is this risk event unlikely to happen? Say 1 in 50 years?

Rogue trading incident: internal loss history indicates that this type of event, given the level of existing controls, has a frequency rating of Low, i.e. a likelihood of 1 in 50 years.

Frequency Score Range: 5 Very High [Almost Certain - a number of times a year]; 4 High [Likely - 1 in 2-5 years]; 3 Medium [Moderate - 1 in 10 years]; 2 Low [Unlikely - 1 in 50 years]; 1 Very Low [Rare - 1 in 100 years]


7.4 Risk Indicators and Escalation Triggers

OpRisk literature is full of fancy terms like KPI, KCI and KRI. These are nothing but abbreviations of the superlative of one and the same thing: all departments in a bank watch certain figures or trends related to their work. Sales people monitor performance, settlement staff monitor mistakes resulting from inaccuracies in their operation, etc. They all choose certain indicators which can be sensibly tracked over time. A selection of the most valuable of these indicators is then elevated to "key indicator" status. The market has coined three different names for such indicators which are relevant for OpRisk management:

- Key Performance Indicators (KPI) are normally used for monitoring operational efficiency; red flags are triggered if the indicators move outside the established range. Examples: failed trades, staff turnover, volume, systems downtime.
- Key Control Indicators (KCI) demonstrate the effectiveness of controls. Examples: number of audit exceptions, number of outstanding confirmations.
- Key Risk Indicators (KRI) are primarily a selection of KPIs and KCIs. This selection is made by risk managers from a pool of business data/indicators considered useful for the purpose of risk tracking. A KRI gives insight into the extent of stress of an activity. Examples include the number of failed trades, severity of errors and omissions, cancels and corrects, change management events, contract staff versus permanent staff, IT security breaches, breaches in Service Level Agreements, unfilled vacancies, absence levels and customer satisfaction surveys.

Typically, a business unit or department uses 10-15 different KRIs. KRIs must be used as a time series to monitor and foresee trends. If skilfully used, such trend analyses can serve as an early warning system and provide directional input for senior management involvement. A few important KRIs are more relevant for management tracking and escalation triggering than the unimportant many.
The example of chart 7.4 is based on the structure applied by CSG.


Chart 7.4: Group-wide KRI - Rolling up from Base Data to Group OpRisk Indicators

- Group OpRisk Indicators: OpRisk indicators used for OpRisk reporting to the Executive Board and BoD [Group-wide specific KRI + common BU KRIs]
- BU Composite KRIs: OpRisk indicators used for OpRisk reporting to the Executive Board [rolled-up/aggregated BU level, simple KRIs]
- BU Simple KRIs: simple KRIs used for local management at the Business Unit level
- BU Base Data: departmental/functional unit control and performance data and statistics (a.k.a. KCI/KPI)

Source: Credit Suisse Group / GRM, 2000

7.5 Risk and Process Mapping

OpRisk mapping is based on self-assessment / perception survey and is a qualitative technique to identify, categorise, analyse and assign:

- Specific risks against a standard template
- Controls or other tactics to manage identified risks
- Residual risks and desired levels of residual risks
- Responsibility for management of identified risks

Chart 7.5: Example of an OpRisk Mapping

- OpRisk Category: Technology
- OpRisk Subcategory: Software
- Specific OpRisk: Programming error
- Control & Residual OpRisk: Control: continual program of checking/updating of critical systems
- Residual OpRisk Rating: Medium
- Resp. / Action: IT department

Process or activity mapping is a technique employed to describe business processes in a clear, visible way. In the context of OpRisk, it is designed to provide a reflection of the diverse activities that take place within the departments, identifying risk drivers and controls. It can also help highlight issues such as:

- The time delay between the risk and the control that identifies it. This gives an indication of how long a risk may exist before its controls discover it.
- More than one control to prevent the same risk may indicate over-inspection and inefficiencies or lack of confidence in the process.
- Lack of control to prevent a risk may be a consequence of a process inadequacy.


7.6 OpRisk Dashboard

Risk versus process mapping is a detailed bottom-up tool and reflects the staff's skills and understanding; it is thus too detailed for senior management use. A more relevant presentation is the one attached and presently being introduced at CSG, as shown in Chart 7.6. CSG's OpRisk Dashboard is intended to provide senior management with a simple overview of operational risk levels and directional trends at the highest reporting aggregation level per business unit. The dashboard works on the traffic light principle, grading category-aggregated risk per BU by colour. Risk indicators, aggregated to categories as BU-specific composites or via group-wide sub-categories, are evaluated and given a weighting which contributes to the overall OpRisk category risk grade. For reporting of data aggregated below the category level, a similar dashboard is used. This version, however, makes use of the additional grading colour black, which denotes fields for which no data are being reported.

Chart 7.6: OpRisk: Risk Category by Business Unit (example)

[Traffic-light grid: rows Organisation, Process, Policy, Technology, Human, External; columns CSPB, CSFB, CSAM, BU 4, BU 5, BU 6; cell colours not reproduced here]

Legend: Safe - Acceptable / Caution - Marginally Acceptable / Danger - Unacceptable
Trend: Improving / Constant / Deteriorating

Source: Credit Suisse Group / GRM 2000
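As an added illustration of the roll-up in Chart 7.4 and the traffic-light grading in Chart 7.6 (example code, not CSG's GRM implementation), the following rolls constructed BU base data up to simple KRIs, weighted category composites, a colour grade including the black "no data" case, and a trend; indicator names, weights, tolerances, thresholds and the monthly figures are all assumptions.

```python
"""Roll-up of BU base data to simple KRIs, composite KRIs and a traffic-light
category grade with trend, in the spirit of Charts 7.4 and 7.6.

Added example, not CSG's GRM implementation: indicator names, weights,
tolerances, thresholds and the monthly base data are constructed.
"""
from statistics import mean

SAFE, CAUTION, DANGER = ("Safe - Acceptable",
                         "Caution - Marginally Acceptable",
                         "Danger - Unacceptable")
NO_DATA = "Black - no data reported"  # extra colour of the detailed dashboard

# Simple KRIs per OpRisk category, each a ratio of two base-data fields
# (a KCI/KPI-style count and its denominator):
#   (kri name, numerator field, denominator field, tolerance, weight)
# "tolerance" is the ratio at which the indicator is just acceptable; the
# weights inside a category sum to 1.0. All values are constructed.
KRI_DEFINITIONS = {
    "Technology": [
        ("it_security_breach_rate", "it_security_breaches", "systems_in_scope", 0.02, 0.5),
        ("failed_change_rate", "failed_changes", "changes", 0.05, 0.3),
        ("sla_breach_rate", "sla_breaches", "sla_obligations", 0.04, 0.2),
    ],
    "Human": [
        ("vacancy_rate", "unfilled_vacancies", "headcount", 0.05, 0.6),
        ("absence_rate", "absence_days", "working_days", 0.04, 0.4),
    ],
}


def simple_kris(base_data, category):
    """BU base data -> simple KRIs for one category; None if a field is missing."""
    kris = {}
    for name, num, den, _tol, _w in KRI_DEFINITIONS[category]:
        if num not in base_data or not base_data.get(den):
            return None  # missing field or zero denominator: nothing to report
        kris[name] = base_data[num] / base_data[den]
    return kris


def composite_kri(base_data, category):
    """Weighted stress of a category: KRI value / tolerance, so 1.0 = at tolerance."""
    kris = simple_kris(base_data, category)
    if kris is None:
        return None
    # Cap each KRI's contribution so a single outlier cannot swamp the grade.
    return sum(w * min(kris[name] / tol, 3.0)
               for name, _n, _d, tol, w in KRI_DEFINITIONS[category])


def grade(stress):
    """Traffic light for one category of one BU; black when nothing was reported."""
    if stress is None:
        return NO_DATA
    if stress <= 1.0:
        return SAFE
    return CAUTION if stress <= 1.5 else DANGER


def trend(history, tolerance=0.10):
    """Direction of the latest composite against the mean of the earlier months."""
    values = [v for v in history if v is not None]
    if len(values) < 2:
        return "Constant"
    latest, baseline = values[-1], mean(values[:-1])
    if latest > baseline * (1 + tolerance):
        return "Deteriorating"
    if latest < baseline * (1 - tolerance):
        return "Improving"
    return "Constant"


def dashboard(bu_series):
    """{bu: [monthly base data, oldest first]} -> {bu: {category: (grade, trend)}}."""
    board = {}
    for bu, months in bu_series.items():
        board[bu] = {}
        for category in KRI_DEFINITIONS:
            history = [composite_kri(m, category) for m in months]
            board[bu][category] = (grade(history[-1]), trend(history))
    return board


# Constructed base data: three months for two business units. BU_B reports no
# Human data at all, which the dashboard must show as black, not as green.
_BU_A_HUMAN = {"unfilled_vacancies": 5, "headcount": 200,
               "absence_days": 8, "working_days": 220}
SAMPLE_SERIES = {
    "BU_A": [
        {"it_security_breaches": 1, "systems_in_scope": 100, "failed_changes": 4,
         "changes": 100, "sla_breaches": 2, "sla_obligations": 50, **_BU_A_HUMAN},
        {"it_security_breaches": 1, "systems_in_scope": 100, "failed_changes": 5,
         "changes": 100, "sla_breaches": 2, "sla_obligations": 50, **_BU_A_HUMAN},
        {"it_security_breaches": 4, "systems_in_scope": 100, "failed_changes": 6,
         "changes": 100, "sla_breaches": 3, "sla_obligations": 50, **_BU_A_HUMAN},
    ],
    "BU_B": [
        {"it_security_breaches": 0, "systems_in_scope": 80, "failed_changes": 2,
         "changes": 40, "sla_breaches": 1, "sla_obligations": 25}
    ] * 3,
}

if __name__ == "__main__":
    for bu, cats in dashboard(SAMPLE_SERIES).items():
        for cat, (g, t) in cats.items():
            print(f"{bu:5} {cat:11} {g:32} trend: {t}")
```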

7.7 Loss Event Database

A loss event database captures and accumulates individual loss events across business units and risk types. A loss event database is the only tool which measures, quantifies and provides financial OpRisk data. An established and complete database can potentially be used for modelling purposes and be applied to external loss events - assuming apples and apples are compared!
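As an added example that is not part of the original presentation, the following scores one event type from a loss-event database the way Charts 7.2 and 7.3 describe, and asks the gross-versus-net and pure-OpRisk questions of Chapter 9 before counting: the frequency bands are those of Chart 7.3, while the financial impact bands beyond "up to USD 25m", the record layout and the loss history are constructed assumptions.

```python
"""Frequency and impact scoring of one OpRisk event type from a loss-event
database (Charts 7.2 and 7.3).

Added example, not Credit Suisse tooling. Frequency bands follow Chart 7.3;
the financial impact bands other than "up to USD 25m", the record layout and
the sample loss history are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Chart 7.3 frequency score range, as a lower bound on events per year.
FREQUENCY_BANDS = (
    (5, 2.0),     # Very High: almost certain, a number of times a year
    (4, 1 / 5),   # High: likely, 1 in 2-5 years
    (3, 1 / 10),  # Medium: moderate, 1 in 10 years
    (2, 1 / 50),  # Low: unlikely, 1 in 50 years
    (1, 0.0),     # Very Low: rare, 1 in 100 years
)

# Financial impact score bands in USD, upper bound inclusive (constructed;
# Chart 7.2 only states "up to USD 25m" for a score of 3).
FINANCIAL_IMPACT_BANDS = (
    (1, 1_000_000),     # Very Low: insignificant
    (2, 5_000_000),     # Low: minor
    (3, 25_000_000),    # Medium: tolerable, up to USD 25m
    (4, 250_000_000),   # High: major
    (5, float("inf")),  # Very High: catastrophic
)


@dataclass(frozen=True)
class LossEvent:
    """One record, tagged as Chapter 9 asks: time, organisation, category, basis."""
    event_date: date
    business_unit: str
    category: str         # one of the five OpRisk categories, e.g. "Human"
    subcategory: str      # e.g. "Rogue trading"
    gross_loss_usd: float
    net_loss_usd: float   # after recoveries and insurance
    pure_oprisk: bool     # False if the loss also carries market or credit risk


def matching(events, subcategory):
    """Apples with apples: same event type, pure OpRisk only."""
    return [e for e in events if e.subcategory == subcategory and e.pure_oprisk]


def frequency_score(events, subcategory, window_years):
    """Score 1-5 from the observed annual rate over the observation window."""
    if window_years <= 0:
        raise ValueError("observation window must be positive")
    rate = len(matching(events, subcategory)) / window_years
    for score, lower in FREQUENCY_BANDS:
        if rate >= lower:
            return score  # a rate between two bands falls into the lower score
    return 1


def impact_score(events, subcategory, basis="gross"):
    """Financial impact score 1-5 from the worst single loss of that type."""
    losses = [getattr(e, f"{basis}_loss_usd") for e in matching(events, subcategory)]
    if not losses:
        return None  # no history: impact must come from judgement, not data
    worst = max(losses)
    for score, upper in FINANCIAL_IMPACT_BANDS:
        if worst <= upper:
            return score
    return 5


def scorecard(events, subcategory, window_years, basis="gross"):
    """Both scores together; high-impact types are isolated for further analysis."""
    imp = impact_score(events, subcategory, basis)
    freq = frequency_score(events, subcategory, window_years)
    return {"subcategory": subcategory, "impact": imp, "frequency": freq,
            "basis": basis, "further_analysis": imp is not None and imp >= 4}


# Constructed loss history for a 25-year observation window (1976-2000).
SAMPLE_EVENTS = [
    LossEvent(date(1977, 4, 1), "BU_A", "Human", "Rogue trading", 40e6, 30e6, True),
    # Mixed with market-risk loss: excluded from pure-OpRisk scoring.
    LossEvent(date(1994, 9, 3), "BU_B", "Human", "Rogue trading", 12e6, 12e6, False),
] + [
    LossEvent(date(1980 + 2 * i, 1, 1), "BU_A", "Process", "Settlement error",
              0.3e6, 0.2e6, True)
    for i in range(10)
]

if __name__ == "__main__":
    for sub in ("Rogue trading", "Settlement error"):
        print(scorecard(SAMPLE_EVENTS, sub, window_years=25))
```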


7.8 Applications and Limitations of Tools

While each tool is valuable, they work best in concert. Combined they support a comprehensive OpRisk initiative. The applications and limitations of each tool are outlined in Chart 7.7.

Chart 7.7: Applications and limitations of each tool

Self- or risk assessment*
- Applications: Reinforce responsibility with business units; gain agreement on the operational risks and required next steps; bring together independent views
- Limitations: Depends on method employed - some are more robust than others and can provide greater insights and buy-in; some alternatives can be time consuming; primarily qualitative

Impact Scorecard
- Applications: Assess the impact of identified risks by examining their impact on finance, reputation, regulatory, human and organisation
- Limitations: Scoring consistency depends on correct interpretation of a well-defined scoring system

Frequency Scorecard
- Applications: Assess the frequency of identified risks by examining their likelihood of occurrence
- Limitations: Scoring consistency depends on correct interpretation of a well-defined scoring system; determination of frequency score may be validated by internal loss history, which may be incomplete

Risk maps / process flows*
- Applications: Detailed understanding of the operations and the specific operational risk
- Limitations: Tool for lower level staff use - too detailed for senior management; limited value to senior management; difficult to maintain current; primarily qualitative

Risk indicators
- Applications: Measure effectiveness of operational risk management; objective, quantitative; as often as daily updates
- Limitations: Risk/indicator correlations are unproven; some operational risks difficult to measure; uncertainty if the right measures are being used or just where data are available

Escalation triggers
- Applications: Predetermine decision or intervention point for management
- Limitations: Depends on the quality of the target setting and the risk indicators used

Loss event database
- Applications: Provides financial loss-based measures; tool for empirical analysis; tool for risk modelling and support for cost/benefit analysis
- Limitations: Data difficult to collect on a consistent basis

Note: * = BBA (1999), p. 71. Source: Credit Suisse Group / GRM, 2000.

"Act in the valley so that you need not fear those who stand on the hill." (Danish Proverb)


8. Operational Risk Transfer: Insurance and Finance

8.1 Insurance as Part of Risk Management

Risk avoidance, risk reduction and control were discussed previously. This chapter deals primarily with risk transfer through commercial insurance and also with risk financing through special purpose vehicles and other financing options. Some argue that insurance is a waste of money: "Buying a bank stock is implicitly buying an industry which is exposed to OpRisk fluctuations; losses disappear between the cracks as part of doing business and often disappear in the P&L." Insurance - in my opinion - is a valuable instrument to transfer risk and also to complement OpRisk management: it forces a bank to analyse its OpRisk and to differentiate between their impact and frequency; it avoids the high risk/low frequency situation; it helps to optimise economic risk capital and regulatory capital requirements - if the insurance coverage can be deducted; it smoothes earnings and provides liquidity, assuming a proper contract. Insurance is part of OpRisk management (see Chart 8.1).

Chart 8.1: Insurance - Part of the Risk Management Process

[Flow chart] Evaluation of the risk situation -> Risk strategy:
- Avoid
- Reduce
- Transfer: insurance options / financing options
- Bear: non-transferable risk / cash flow

Source: Credit Suisse Group / GFF, 1999

A bank should - if possible - hedge non-core risk areas that cannot be diversified within the bank itself as they most often represent low probability high impact risks. An insurance company per se is in the business of pricing and holding a portfolio of such risks; it can diversify these risks across many banks, corporations and non-correlated risk classes. Naturally, what should be insured depends on a bank's strategy, activity, size, stakeholders and risk appetite. In my opinion, it is only good OpRisk management to insure diligently against unexpected catastrophic losses.


8.2 Availability of Insurance

At this stage, various forms of insurance related to Organisational risks (see structure, system, IT etc.), Human risks and especially External risks are usually available, presently at reasonable prices. What the coverage - see Chart 8.2 - in reality represents, depends on the fine print, the historical relationship and the standing of the insurance company as well as the competitive situation in the insurance industry.

Chart 8.2: OpRisk Insurance: general Availability

Organisational Risks (Structure, System, IT)
- Loss to bank: Directors & Officers Liab.; Entity Liab. (organisational liab.: loss scenario to 3rd parties, customers etc.)
- 3rd party loss: Employment Practices Liab.; Bankers Profess. Liab.; Directors & Officers Liab.

Human Risks
- Loss to bank: Unauthorised acts (incl. trading); Crime Ins.
- 3rd party loss: General comprehensive Liab.; Employers' Liability; Employment Practices Liab.; Bankers Profess. Liability; Directors and Officers Liab.; Unauthorised acts; Crime Ins.

External Risks
- Property Insurance; Accident and Health; Criminal Acts: computer crime, hacking, cyber attacks; Bankers Blanket Bond; Theft; Kidnapping and Extortion; Business Interruption

Increasing coverage is available for the protection of information assets and e-business activities.
Source: Credit Suisse Group / GRM based on Kessler Consulting, Zurich, 2000

Innovative insurance companies are developing more integrated risk cover products for OpRisk. Swiss Re New Markets has recently created a product labelled FIORI (Financial Institutions Operational Risk Insurance) [25]. It adopts a rather broad-based OpRisk definition and - contrary to traditional contracts - provides a more preferable and timely reimbursement of loss. AON has come up with e-business risk insurance solutions.

25 Avery, R., Milton, R. (2000): "Insurers to the rescue?" in Operational Risk Management, p. 65.


8.3 Strategy and Structure for Insurance Coverage

The insurance strategy of any bank varies by nature: own cash-flow, self-insurance, captive insurance, finite insurance, reinsurance are solutions of varying degree. A possible model is presented in Chart 8.3.

Chart 8.3: Insurance Program Strategy: a possible Model
(amounts for illustrative purposes only)

Amount of loss (USD MM) | Impact
> 250                   | catastrophic
101 - 249               | major
51 - 100                | significant
11 - 50                 | small
< 10                    | low

Frequency runs from rare (largest losses) to frequent (smallest losses); the principle of risk management runs from avoid/prevent/reduce (largest losses) to observe/manage (smallest losses).

Possible insurance strategy, from the largest loss band downwards: reinsure at reasonable premium; captive insurance / self insurance; captive insurance / self insurance / cash flow; self insurance / cash flow.

Source: Credit Suisse Group / GFF, 1998

At CSG, the insurance set-up is structured the following way:

Group responsibility
- Focus on strategy
- Provide protection for catastrophic and large sized losses
- Set uniform insurance framework for all BUs, including minimum retention levels
- Management of captive
- Claims handling and administration outsourced, but monitored by CSG
- Assist in loss prevention initiatives at BUs
- Receive potential claim notifications and losses exceeding a certain amount
- Place cumulative/aggregate risks

Business Unit responsibility
- Analysis of BU's needs
- Implementation of strategy
- Responsibility for first losses remains entirely with the BU, which strengthens loss prevention discipline at the BU

The allocation of the insurance activities by the Group is based on a %-weighting along the following components: loss history, allocated capital, number of employees, trading activities, US/UK activities (see greater litigation risks), common basis.


8.4 Funded Captives

Captives today enjoy an important integrated role in many companies' risk and financial strategy. It is estimated that there are around 5000 captives worldwide today. Occasional limitation in the supply of certain contracts and insurance pricing in the market have fostered this growth. McKinsey [26] estimated in 1998 that more than a 20% share of insurance coverage is taken up by self-insurance and captives, increasing to more than 40% within a few years. Centralised buying of insurance and greater flexibility vis-à-vis reinsurance and for loss settlements are the most relevant justifications for captives. While the financial justification remains essential, captives enter the mainstream of corporate financial strategy with a focus on shareholder value. We estimate that some firms will even diversify by writing more of their own risks including "non-traditional" risk, writing unrelated business insurance, funding employee benefits and purchasing reinsurance on a direct basis. Captives will be used to manage more OpRisk, not just hazard type risk. Some are transforming captives into profit centres by writing policies for 3rd parties. It is important that captives regularly prove their value relative to market alternatives.

8.5 Alternative Risk Transfer

Over the last few years, we have observed a complementary shift from Traditional Risk Transfer (TRT) to Alternative Risk Transfer (ART). Three types of ART solutions [27] can be differentiated:

1. Finite risk insurance is an extension of traditional insurance with 3 - 5 year contracts, involving a tailor-made packaging of different types of insurance, including some risks normally difficult to place. Finite insurance - the naming implies limits - can be layered between traditional insurance programs and self-insurance.

2. Insurance derivatives have their limitations as there are no suitable indices to track, the underlying economic variables being rather heterogeneous. Therefore, it is not surprising that the only really active insurance derivatives market is the property catastrophe options market at the CBOT.

3. Securitization or "Insuritisation" based on bond products models the underlying loss experience of an insurance risk portfolio, offering the investor an uncertain return, but a low systematic risk. The underlying insurance losses are largely random, which is attractive for portfolio diversification. Equity based securitization takes the form of a contingent claim on equity markets; capital is only raised when a large loss takes place.

The move from risk transfer to risk finance equals the move from standard "off the shelf" products to "structured product solutions", for which the number of specialist providers decreases substantially.

26 Weczel, R., de Perregaux, O. (1998) - McKinsey Quarterly, N (1998), pp. 95-109.
27 See also Gerry Dickinson: Insurance finds a blend of innovation and tradition, FT 6/6/2000.


8.6 Risk Transfer: 12 Guiding Principles

1. The need for risk transfer solutions will increase, arising from factors like complexity, globalisation, new technology types of risks, regulators' requirements and pressure for rational capital allocation. In a more litigious society, there will be a growing scope for liability insurance.

2. Up to recently, insurance buying was an independent function among others, reporting to the firm's secretary or chief accountant. There was a limited choice of coverage offered, often dictated by insurers. Today, management is recognising that insurance is a risk transfer tool and has an impact on the firm's value. Insurance has become a more integral part of the risk and financial framework and can replace capital or represent "contingent capital". Therefore, direct access and/or reporting to senior management has become best practice.

3. Insurance must not be a safety net for management failures. Insurance can help to mitigate economic and reputational consequences. It is not a substitute for sound OpRisk management. Insurance complements risk management and is part of an integrated approach.

4. Actuarial analyses on financial institutions since 1985 [28] suggest:
- Known claims/losses in the market can potentially rise beyond USD 2bn (very rare)
- The database suggests that larger companies are more exposed to large claims
- Risk does not increase proportionally to the assets - thus implying that an OpRisk regulatory capital charge should not be based on volume/size
- Claims tend to grow in terms of number of claims as well as size of institution
- Any large losses of financial institutions can have a negative impact on competitors due to the cross-linking among the banks, resulting in temporary stock market reactions, increased pricing, etc.

5. Confidentiality of the existence and/or terms of insurance coverage is key due to the following:
- "Moral hazard" - there may be a tendency for insured parties to exercise less care and control and potentially experience greater losses than the uninsured
- "Adverse selection" - the likelihood that insurers will get a riskier-than-average sample, given the current tendency of the majority to self-insure
- CAT exposures - can discourage the purchase of insurance by those potential policyholders that are of perceived lower risk profile in comparison to their peers

28 Based on internal, AON and Milliman & Roberts assessment, 1999.


6. Insurers - with 300 years' experience - cover the risk they can measure, diversify and comfortably assess. This is the reason why they are good in statistically proven areas. Some of the banks' OpRisk areas seem to be difficult to assess; statistics / figures are not as readily available as in credit and market risks. OpRisk losses are mostly kept confidential or are part of doing business. Comparable pooled OpRisk statistics are rare or under construction. An improved base of mutual trust between bank and insurance company, and of confidentiality assurance, is needed.

7. Third party insurance is a complementary OpRisk management instrument. This is especially the case when it also includes an insurance consulting service by a knowledgeable 3rd party as to:
- Risk assessment
- Risk monitoring
- On site inspection
- Risk statistics
- Requirements on risk management systems
- Senior management contacts

8. A risk categorisation by insurance companies along an "all banks carry the same risk" methodology may lead to unfair pricing of the risk. Such a situation is also a function of the insurance cycle and/or availability of coverage through alternative risk transfers, including capital markets. Insurance has been, and to some extent still is, a largely ring-fenced, highly conditional and often illiquid instrument. There is limited data exchange between insurance companies. What is known to one is not known to the other insurance company; risk transfer pricing remains somewhat opaque. Some insurance companies, however, have come up with rather extended coverage for new risks, and some have also improved on more accommodating payout solutions.

9. The increasing "insurability of OpRisk" and a firm effectively being able to get coverage and integrated seamless cover of new types of risks should be a very positive indicator for supervisors as well: another 3rd-party specialist has seriously screened an operation and considers the respective bank as an attractive professional partner. Regulators should give credit against any potentially upcoming capital charge, especially for integrated seamless cover.

10. Risk transfer by third party insurance and risk financing through special purpose vehicles and other financing options have to be carefully structured, particularly in view of:
- Tax aspects, e.g. deductibility in the USA
- US GAAP, SEC reporting
- Regulatory requirements
- Perception in the market


11. Banks traditionally have spread risk coverage among various insurers in order to spread their counterparty risks. With increased insurance coverage, the reinsurance aspect becomes more important. In addition, all the other counterparty exposures to insurance companies have to be judged on a consolidated basis (e.g. lending, trading exposures). Insurance company quality, capital availability and the anticipated consolidation of the industry become an issue. Increased insurance demand might lead to major insurers becoming market-makers for capital market transactions, thereby spreading the risks on a global scale.

12. OpRisk transfers into "Alternative Risk Transfer" solutions have been limited up to now because of:
- The absence of credible banking OpRisk statistics
- The low number of catastrophic events in banking - low probability / high impact events - given the 35'000 banks worldwide with over USD 35 trillion assets
- The differing "individual" causes, mostly being management issues
- The confidentiality aspects
- The difficulty of standardising OpRisk accordingly

Few new inventions for the financial industry have actually been completed; there are concepts, but only rare solutions. There is little transparency on the track record of executed transactions. In addition, the transactions are complex and time-consuming. A stronger insurance market, combined with lots of effort and creativity, might change the situation. The market is working on OpRisk bonds with embedded options: the option would allow the principal to be retained if an OpRisk loss of a predetermined size takes place. Perhaps one can compare the situation with the one 10 years ago when the banks started developing modern credit risk management systems. They all knew that available data were far from perfect, but would improve over time. OpRisk issues are somewhat in the same situation today, if banks, supervisors and consultants concentrate on the relevant issues. With data improvements, insurance companies could provide improved capital and liquidity protection. However, there remains the crucial major difference between market/credit risks and OpRisk: the individual bank itself is the major OpRisk, whereas external risks are largely insurable.

"Call on God, but row away from the rocks" (Indian Proverb)


9. The Data Challenge

Models and quantifications are only as good as the data they build on. In fact, the rule "garbage in, garbage out" is of extreme importance when quantifying OpRisk.

9.1 Risk Data Methodology: 12 Issues

1. Data availability is a precondition. Activities only turn into data if they are recorded in a form which can be retrieved at a later stage. Basically, it is like taking a photograph. Clearly, while recording many of their actions, financial institutions cannot record everything in permanence. In OpRisk particularly, most banks have "photographed" only bits and pieces of the big OpRisk picture in the past. The question for OpRisk data is: what do we have already, what do we still need and by which means do we get it? In particular, we will have to establish clarity on two aspects:
- The frequency in which OpRisk data are available or should be available. Do we have and do we need daily, monthly, quarterly, annual, century based data? There is a tendency to argue, the more frequent the better, which would call for daily data. I would say this is neither realistic nor relevant.
- The level of detail at which OpRisk data are or should be available. Probably, many banks can already find OpRisk data at the overall level (such as litigation costs) of their organisation or for very specific areas (such as transactions or IT). However, we can also think of having OpRisk data systematically collected for all departments, business lines or clusters.

Presently, useful data with information content is limited. More OpRisk data are now being collected on a regular basis, sometimes even down to the business line level. I believe, however, that it will still take some years until OpRisk data availability is such that it provides credible, transparent and relevant databases.

2. Many risk areas just cannot be measured. They require judgement. Accordingly, two types of data, qualitative data and quantitative data, must be distinguished. These data types are just like pictures taken by two totally different instruments - say a camera and a tape recorder. They therefore also require different treatment, interpretation and analysis. In this context it is extremely important that the information to be captured in the data is clearly defined, in terms of content, feature and unit. This is a precondition for standardisation and for tracking possible failures of reporting, formats, etc.

3. Structured data is a key rule to success: discipline is required in allocating tags to OpRisk data such as definition, time, source, organisation and frequency references, etc. to be able to make use of them. Only with this discipline is it possible for data points to be combined in a reliable and credible database system and turned into real information.


The financial industry has experienced restructurings and M&A, and will continue to do so. In the data structure, significant challenges arise when transforming an organisation or putting two different firms together. In such situations, data structures which are flexible and dynamic in terms of the "sorting" angle from which they can be looked at help prevent us from comparing apples and oranges, or the loss of information. Disciplined tagging enables comparability across structure and consistency over time. It is a prerequisite of fully integrated risk management and risk aggregation.

4. Data quality and its consistency over time is the issue. Any decent analysis is useless without it. See the "garbage in, garbage out" effect. Cumbersome data collection can significantly distract from important risk management tasks. Consistency of statistics is core; be inquisitive if line people want to change the format; run and compare the old and the new approach in parallel for some time. The lack of data credibility results in scepticism and cynicism and undermines any risk management framework.

5. Filtering data into useful decision-supporting information is like extracting a diamond out of tons of mud. OpRisk data of an entity is unique as to e.g. availability, characteristics, causality, subjectivity, transactions and portfolio types. External loss and pooled data known in the market have to be carefully interpreted. Are the OpRisk figures pure OpRisk or are they combined with an element of market, credit or other risks? Are they insurance claims or estimated losses? Are the figures gross or net figures? Do they include the cost to fix the damage? Are the known OpRisk losses relating to banks or to insurance companies or to corporations in general? What are the specific losses compared with revenues, turnover, earnings and equity of the respective company? A USD 25 Mio. loss is not the same for a large and a small entity.

The third party data providers normally do not explicitly publish statistics on OpRisk along industry segments, size of companies, evaluation of causes of losses, definition of losses, geography. Caveat vendor?


"Ten crates of data and one little envelope of information. Sign here."
Ted Goff, 1999

6. Relevance has to be ensured. Times do change. New environments, new products are put in place. Constant surveys and checks of the type of data being used must be performed to avoid "white noise" or unrealistic indicators. New data content needs have to be assessed and old, less trustworthy and nonsense data must be weeded out. This is an ongoing process.

7. Banks have very different activities, sizes, management styles, structures and processes. Such fundamentally different risk drivers can make the credibility of data comparisons and transfers between the banks highly suspect. How can you measure and compare, if you are not sure what to measure and to compare? How can you have confidence in answers to questionnaires of all sorts and even use such for modelling? Assuming a bank collects all operational losses diligently, is there a credible benchmark as a guideline? The only really reliable benchmark is most probably the relative stock market valuation - which naturally also includes various performance indicators and other factors. Once more, OpRisk data of an entity is unique as to e.g. availability, characteristics, causes, subjectivity, transactions and portfolio types.

8. Pollution of databases happens. Polluted and fake data produce not only incorrect or incomplete but also misleading indicators. Moreover, in any database development, adjustments are normal practice. These adjustments can provide data users with non-transparent or undocumented indicators. It is important that we remain aware of these issues if we do not want the "figure-evidence" to mislead us!

9. Without maintenance, a database engine cannot run. Data must consistently be reported, loaded and updated. This process has to include quality checks within a predefined structure. Set procedures and automation help to minimise the error potential of loading wrong data and the time resources necessary to perform the data maintenance. Awareness of IT issues for automated loading could avoid many "operational risks of operational risks".


10. The diffusion and spreading of data are essential for a properly functioning management process and to ensure control of OpRisks: get the right data to the right person at the right time in the proper form. Some of the data are and have to be highly confidential, especially legal / court disputes, which are mostly under client-attorney privilege; the respective built-up provisions could be interpreted as evidence of a liability admission by the adversary. Legal disputes may take long until settlement. These aspects should be fully appreciated for the transfer of data and by the regulators. Legal disputes and their OpRisk losses are not ideal candidates for data pooling.

11. Data access issues have to be settled. Sources of OpRisk data can be created through data sharing agreements or consortiums. Many shy away from such an approach - understandably so given specific circumstances such as confidentiality aspects, media, and plain embarrassment. Assuming that ways and means for guaranteeing anonymity and confidentiality are found, a data sharing pool for hopefully only relevant figures could become one way for better OpRisk management and benchmarking, assuming apples are compared with apples. There are various market initiatives for risk data sharing, including the Multinational OpRisk Exchange (MORE), PWC's Op VaR Consortium, and the BBA's Global Operational Loss Database (GOLD). These initiatives encountered various obstacles to building a credible and efficient consortium structure.

12. User transparent data are essential to have control of OpRisk. Statistics can be irritating, confusing and misleading, especially when apples are compared with oranges. What is the rationale for a statistic? Who is the provider of data? How trustworthy is the source? Is there a mismatch between intention and interpretation? H. Truman's word: "If you cannot convince them, confuse them" is dangerous in a serious risk management framework! Serious data and statistics show the following characteristics: relevant, complete, objective, consistent, transparent, comparable across the institution, interpretable, auditable, replicable, teachable and, above all, credible by facts and perceptions. In addition, the data collection must stand in a reasonable cost/benefit or cost/risk mitigation relationship. For senior management purposes, OpRisk statistics should enable a business view on future potential risks and allow corresponding action to be taken.

9.2 Using Data: 12 Issues

1. Never forget the purpose for which you require data! "Not every thing that can be counted, counts. And not every thing that counts, can be counted" (A. Einstein, 1879-1955). For example, specific individual OpRisk exposures - which might potentially even be modelled with great pains - should be judged in the overall context vis-à-vis total revenues, earnings and capital. How relevant and value adding is such an approach if the relevance amounts to 0.03%?


I personally have reservations about attempts to collect loss data below USD 50000 or USD 25000 in the case of transaction processing events, even if they are frequent. Is such a minimal data collection exercise setting the right priorities? How about the relevance vis-à-vis total revenues, capital, turnover, expenses? Can the collection cost involved be justified? Are the data complete (if not, the model might prove wrong)?

2. Measurement encompasses a wide variety of concepts, transformations, tools and information bases. Most organisations have worked on this internally and often in a vacuum. Connections between cause and effect of losses have often not been proven statistically. You cannot manage risks if you do not have information about them. Chapter 7 presented some of the tools, primarily oriented towards control and measurement of performance and past developments. With the exception of the collection of loss data, the existing tools do not usually produce results in financial terms. Only the "hard hits" in the overall context are relevant. At CSG, a renewed attempt has started to collect loss data along the 5 major categories: organisation, policy and process, technology, human and external.

3. In spite of my critical observations on data and statistics, I am a proponent of a credible and relevant internal database system, which is structured, cost efficient, systematic and consistent - along the suggested 5 major categories: organisation, policy and process, technology, human and external. It fosters transparency and is good modern management. Today, there is also a better IT-connectivity potential. Good management is a bargaining position vis-à-vis insurance companies and potentially capital markets, rating agencies, analysts' requirements and regulators' concerns. At the minimum we can say: "What gets measured and observed gets done." Identifying and measuring relevant data and even quantifying risks is good discipline and can be an opportunity. "Life leaps like a geyser for those who drill through the rock of inertia." (A. Carrel) A credible internal OpRisk data set should be part of the risk management strategy and framework. At least within the organisation, identical definitions, standards, accounting codes and relevant key data sets, including those for senior management reporting, have to be agreed. This must happen along the lines suggested in previous chapters. The internal set-up should ideally be structured so that it can be an adjunct to external databases.

4. Data collection can help enhance transparency. Data information extraction tools, as well as data measurement systems, have to be efficient and avoid errors. The tools - just by the effort of collecting data - raise OpRisk awareness and widen the scope of reference points for decision-making.


5. Credible data based risk aggregation measures are more easily accepted. They result from a mix of top-down co-ordination and focussing and bottom-up information collection. Their background is more easily understood, because it is reproducible and the result of clear criteria. Data based aggregation provides the structure and system for treating business lines equally. This is particularly important when OpRisk capital is allocated to specific business lines. A more judgementally driven capital allocation could be perceived as a "dicing-out", particularly when data exist and could be used to perform this exercise at reasonable cost.

6. Compliance with documentation duties requires data. Diligent data collection, reporting and maintenance is an important part of good OpRisk management. The possibility of destroying or not reporting material data has to be kept to a minimum. Automated data loading, the limitation of access to records and the creation of data backups are key to controlling OpRisk resulting from staff fraud.

7. Collecting data constitutes an important step for fostering a learning knowledge organisation, particularly if this exercise also includes more qualitative elements, such as best procedures to handle customer complaints. It allows the know-how of individuals to be internalised into the firm, thereby ensuring that it is not lost once these individuals leave the company, and makes it accessible to other staff.

8. A "common language" among banks is difficult, particularly for OpRisk data. Even if regulators were to require a specific approach for "measurement", its application and interpretation could still vary widely.

9. Communication of data to outsiders requires credibility. How can we convince our shareholders that we know our risks, if we provide them with contradicting, irrelevant or no data at all?

10. How can we expect to perform a risk transfer, particularly for OpRisk, if we do not have a credible framework for the relevant data and information extraction to help the insurer assess these risks? Insurance providers and capital markets are more reluctant to take on the OpRisk of a bank as long as there is neither:
- a serious internal data or information base of an individual bank, nor
- a pooled and credible industry-wide, relevant database for a major push of insurability.

11. Data and information collection and maintenance is expensive. It requires devoted personnel resources and extended IT-support tools. A cost / benefit analysis is imperative and bound to set priorities and focus. The latter must primarily reflect the firm's specific needs, before including other stakeholders' concerns. Nevertheless I am convinced that the gaps, which are presently experienced in such areas as OpRisk, will be filled in small but realistic steps. As time goes by, more and more data and relevant information on financial institutions' actions will be readily available.


12. Data should never prevent us from relying on good judgement. Data assists us in gaining transparency and making founded decisions. However, data and information cannot and should not substitute for using judgement. Relevant losses should always be the subject of senior management discussion and have a post mortem and conclusions for the future; otherwise your organisation is not a learning organisation.

"Risk without knowledge is dangerous. Knowledge without risk is rather useless." (P. Jennings, ABC)

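The tagging, gross/net, pure-OpRisk and threshold rules of the data issues above, applied to a constructed set of loss events. This is an added example, not code from the original paper or from CSG; the record schema, tag names, sample values and the business-line labels are assumptions.

```python
"""Loading and checking OpRisk loss-event records (added illustration, not CSG code).

Each record must carry the tags the text calls for: definition (category and
sub-category along the five CSG categories of Table 10.1), time, source,
organisation (business line), gross and net amounts, and whether the loss is pure
OpRisk or mixed with market/credit risk. Sample events and names are constructed."""
from collections import defaultdict
from datetime import date

# Five major categories and their sub-categories (Table 10.1 of the page).
CATEGORIES = {
    "organisation": {"governance/structure", "culture", "communication",
                     "project management", "outsourcing",
                     "business continuity", "security"},
    "policy and process": {"policy and process", "compliance", "product", "client"},
    "technology": {"technology infrastructure", "software and hardware", "it security"},
    "human": {"employee", "employer", "conflict of interest"},
    "external": {"physical", "litigation", "fraud"},
}

# Tags every record must carry before it may enter the database.
REQUIRED_TAGS = ("event_id", "category", "sub_category", "event_date", "source",
                 "business_line", "gross_loss", "net_loss", "pure_oprisk")

def validate_record(rec):
    """Return the list of problems found; an empty list means the record is usable."""
    problems = [f"missing tag {tag}" for tag in REQUIRED_TAGS if tag not in rec]
    if problems:
        return problems
    cat, sub = rec["category"], rec["sub_category"]
    if cat not in CATEGORIES:
        problems.append(f"unknown category {cat!r}")
    elif sub not in CATEGORIES[cat]:
        problems.append(f"sub-category {sub!r} not defined under {cat!r}")
    if not isinstance(rec["event_date"], date):
        problems.append("event_date must be a date")
    if rec["net_loss"] > rec["gross_loss"]:
        # Net (after insurance or other recoveries) can never exceed gross.
        problems.append("net loss exceeds gross loss")
    if not rec["pure_oprisk"]:
        # Losses mixed with market or credit risk distort pure OpRisk statistics.
        problems.append("loss not pure OpRisk; keep out of OpRisk statistics")
    return problems

def load_events(records, threshold):
    """Split records into accepted, rejected (with reasons) and below-threshold."""
    accepted, rejected, below_threshold = [], [], []
    seen_ids = set()
    for rec in records:
        problems = validate_record(rec)
        if rec.get("event_id") in seen_ids:
            problems.append("duplicate event_id")
        if problems:
            rejected.append((rec.get("event_id"), problems))
            continue
        seen_ids.add(rec["event_id"])
        if rec["gross_loss"] < threshold:
            below_threshold.append(rec)   # parked, not silently dropped
        else:
            accepted.append(rec)
    return accepted, rejected, below_threshold

def aggregate(accepted):
    """Count and sum gross/net losses per (category, business line)."""
    totals = defaultdict(lambda: {"count": 0, "gross": 0.0, "net": 0.0})
    for rec in accepted:
        bucket = totals[(rec["category"], rec["business_line"])]
        bucket["count"] += 1
        bucket["gross"] += rec["gross_loss"]
        bucket["net"] += rec["net_loss"]
    return dict(totals)

def _event(event_id, category, sub_category, event_date, source, business_line,
           gross_loss, net_loss, pure_oprisk=True):
    return dict(event_id=event_id, category=category, sub_category=sub_category,
                event_date=event_date, source=source, business_line=business_line,
                gross_loss=gross_loss, net_loss=net_loss, pure_oprisk=pure_oprisk)

# Constructed sample events (not real losses); the comment gives the expected outcome.
SAMPLE_EVENTS = [
    _event("E001", "technology", "software and hardware", date(2000, 3, 14),
           "incident system", "private banking", 120_000, 90_000),           # accepted
    _event("E002", "external", "fraud", date(2000, 7, 2),
           "legal", "investment banking", 2_000_000, 1_500_000),             # accepted
    _event("E003", "policy and process", "policy and process", date(2000, 9, 20),
           "back office", "private banking", 12_000, 12_000),                # below threshold
    _event("E004", "technology", "mainframe", date(2000, 10, 5),
           "incident system", "private banking", 75_000, 75_000),            # unknown sub-category
    _event("E005", "external", "litigation", date(2000, 11, 1),
           "legal", "asset management", 300_000, 450_000),                   # net > gross
    _event("E006", "human", "employee", date(2000, 11, 9),
           "credit review", "investment banking", 80_000, 80_000, False),    # mixed with credit risk
    _event("E001", "technology", "it security", date(2000, 12, 1),
           "incident system", "private banking", 60_000, 60_000),            # duplicate id
]
COLLECTION_THRESHOLD = 50_000  # USD; the ordinary-event figure the text mentions

if __name__ == "__main__":
    ok, bad, small = load_events(SAMPLE_EVENTS, COLLECTION_THRESHOLD)
    print(f"accepted {len(ok)}, rejected {len(bad)}, below threshold {len(small)}")
    for event_id, reasons in bad:
        print(event_id, "->", "; ".join(reasons))
    print(aggregate(ok))
```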

10. Quantification of Operational Risks


10.1 Introduction
Quantification is a powerful tool for enhancing transparency, as long as it is credible. Since the 16th-17th century, with the Scientific Revolution in Western Europe, the quest for knowledge has focused on the quantifiable aspects of phenomena or events.29 This has allowed significant progress in science and technology as well as in management techniques. It is thus not surprising that in the financial industry managers and regulators have an increasing interest in quantifying OpRisk. Critiques, however, have also been raised about the limitations and less desirable consequences of blind quantification.30 In addition, despite the numerous conferences convened on quantifying OpRisk and involving the top specialists, little of substance has emerged.31

Chart 10.1: Issues in quantifying OpRisk

1. Object (what is quantified?)
Dimensions: qualitative vs. quantitative; cause/effect vs. causal link; direct observability. Depends on purpose: for management control, a bottom-up approach with qualitative risk change monitoring; for risk level quantification, a top-down approach with modelling. The multidimensional and qualitative features of OpRisk make it exponentially more difficult to quantify than, say, market or credit risk.

2. Purpose (why quantify?)
Management control; prevention vs. mitigation; economic capital loss buffer; capital allocation; efficiency optimisation; regulatory pressure. OpRisk features suggest potential for improving management control; the necessity for untested assumptions on OpRisk limits application to capital allocation.

3. Method (how to quantify?)
Expert inputs (qualitative assessment); data analysis (statistical distributions, etc.); modelling (EVT, scenarios, etc.).

Source: Credit Suisse Group / GRM, 2000

29 See Young, R. M. (1979), "Why Are Figures so Significant? The Role and the Critique of Quantification", in Irvine, J. et al., eds., Demystifying Social Statistics, Pluto, 1979, pp. 63-75.
30 See Young, R. M. (1979).
31 See Ong, M. K. (1998), "On the Quantification of Operational Risk, A Short Polemic", in Jameson, R. (1998), Operational Risk and Financial Institutions, Risk Books, London 1998, pp. 182-184.


This chapter investigates the three major questions to be answered when proceeding to quantification, as shown in Chart 10.1: what object, why, and how is it to be quantified? This will help us to identify 1) OpRisk quantification possibilities and limitations, 2) the areas of OpRisk where a measurement could be performed and 3) the most appropriate methods for this measurement, in order to strive for:
- The relevance of OpRisk vis-à-vis the total risks
- Acceptable costs of gathering OpRisk information
- The credibility of the OpRisk quantification outcome

10.2 What is Quantified in OpRisk ?


Chapters 3 and 9 show that OpRisk includes a vast variety of different elements. To ensure a credible outcome of the quantification, it is thus necessary to look at each element of OpRisk one by one, as each might require a specific quantification method, before considering an aggregate OpRisk. In this exercise, we will look at whether it is possible to measure each element of OpRisk separately or whether only a qualitative assessment can be performed. Quantification / measurement generally involves looking at four aspects of a phenomenon within an organisation:32
- Its size, severity or intensity
- Its frequency
- Its context dependency: different in different situations
- Its interaction - contagion/correlation - with other events

The size describes the observed extent of a move. The frequency describes the number of times a move of a given size occurs within say a given time period or a given organisational unit. Both require the ability to observe the phenomenon. These aspects are at the core of the quantification of market and credit risk. For OpRisk, as shown in Table 10.1, fewer elements are effectively observable. The context dependency describes whether the move size is different in different situations or not. This tells whether every OpRisk event is unique in itself or shows regularities in occurrence as drivers do not alter. Context dependency - in contrast to market and credit risk - is generally high for OpRisk as its major drivers - people and organisation - are unique and change permanently. This is why the use of databases of industry OpRisk events has limited relevance for the specific firm. Also, the higher the context dependency, the less the past will be a good indicator for the future. The interaction describes the interlinkages between moves. In the area of OpRisk - as for market risks - this aspect is very important as several OpRisk elements are highly interrelated.

32

See also for example Boose, A. (1996), "Characterisation of Tremor", University of Tübingen 1996.


Table 10.1 provides a crude, rather judgemental assessment of the observability of the size and frequency of moves as well as of the relevance of context dependency and interaction for each OpRisk sub-category. The lower the observability of moves in terms of size and frequency and the higher their context dependency and interaction, the more difficult it will be to measure the OpRisk sub-category. In such cases a qualitative assessment offers the best alternative for quantification. You should not make a rule of something unique, as presented in chapter 4 in the case of BCCI, Barings, CS Chiasso, etc. Table 10.1 shows that, while some elements should be measurable, most are difficult to measure. "Technology" and "external risks" should allow for a database based quantification, similar to the one performed for market or credit risk. Fields marked in green indicate a somewhat credible data based measurement. "Organisation, policy and process", however, only permit a quantification based on qualitative assessments. For these elements of OpRisk, quantification would allow identifying and tracking changes of the risk level over many years, but not determine the absolute level of this risk.


Table 10.1: Features of the 20 CSG Operational Risk Sub-categories33

Columns: OpRisk sub-category; observability of size; observability of frequency; relevance of context dependency (different in different situations); relevance of interaction (correlation with other sub-categories). Each cell is rated Low or High.

Sub-categories by major category:
Organisation: Governance/Structure, Culture, Communication, Project Management, Outsourcing, Business Continuity, Security
Policy/Process: Policy and Process, Compliance, Product, Client
Technology: Technology Infrastructure, Software and Hardware, IT Security
Human: Employee, Employer, Conflict of interest
External: Physical, Litigation, Fraud

Cell ratings (20 rows by 4 columns): High High Low High High Low Low Low High Low Low High High High Low High High Low Low High Low Low High Low High High High High High High Low Low Low High Low Low Low High Low Low Low High Low Low High High High High High High High High Low Low Low Low Low Low Low Low Low Low Low Low Low Low High High High High High High High High High High Low High High High

Source: Credit Suisse Group / GRM (2000)

33

The assessment of the various dimensions in the table is based on a crude - Low/High - intuitive scale to allow simple preliminary understanding. The scaling is not absolute but relative. Each individual line assessment is made relative to all the other lines (sub-categories) of the table: e.g. context dependency is high for Governance as compared to say for Software. Clearly the quality of the assessment highly depends on the number and degree of refinement of the individual OpRisk sub-categories. The subjectivity implied by the coarseness of the assessment forbids generalisation and founding quantification decisions on it. Refinements of the scale should be made within the particular context of each institution - particularly in assessing the relevance of context dependency and interaction.


Given the challenge that only relatively few elements in OpRisk are credibly measurable and quantifiable, it is essential on the management level not to make the measurable important, but the important measurable.34 Chart 10.2 summarises the major issues involved in this managerial challenge.

Chart 10.2: Major Challenge in OpRisk Quantification resides in Low Probability High Impact Events
Axes: Probability of Event against Severity of Impact; the four boxes read as follows.

High probability, low impact (Medium Risk) - OpRisk evidence shows that this option is common: high probability low impact events are a feature of some OpRisk sub-categories. Measured data exist => Potential for quantification => Measurement of risk level is possible, but is it relevant in overall context?

High probability, high impact (High Risk) - OpRisk evidence shows that this option is highly unlikely: extreme events are very rare and not comparable across firms or over time.

Low probability, low impact (Low Risk) - Risk-return considerations question the building up of databases => No relevance in overall context => No priority for data search and quantification.

Low probability, high impact (Medium Risk) - OpRisk evidence shows that this option is the most common: low probability high impact events are a feature of several OpRisk sub-categories. Problem of few measured data => Priority for quantification => Scenario based risk level quantification => Measurement of the change in risk level possible, based on qualitative OpRisk assessment.

Source: Credit Suisse Group / GRM, 2000

Limitations of databases of past losses from numerous sources to quantitatively fill a hypothetical "high probability, high impact" OpRisk box are twofold. Such databases consider different definitions and causal environments of OpRisk and are thus difficult to apply to a specific firm environment. Also, significant changes have occurred in the area of OpRisk making the past a bad indicator of the future in OpRisk. These changes include:
- Restructured - merged entities
- Increased transaction volume and interdependencies
- Changes in delivery channels and underlying business processes
- Greater distribution of control responsibilities
- New technology
- Organisation and cultural changes

Therefore, focusing on the more realistic "high probability low impact" and "low probability high impact" events offers better prospects for progress in the quantification of OpRisk. However, the quantification of the overall level of OpRisk will be subjective, as only HIGH PROBABILITY LOW IMPACT OPRISK EVENTS provide enough observable data to allow the measurement of the OpRisk LEVEL. THE LOW PROBABILITY HIGH IMPACT OPRISK EVENTS merely allow the tracking of the CHANGE of the risk level over time. Using external data to populate the internal database on such events is of limited help: often, it would boil down to attempting to make a rule out of something unique - e.g. BCCI, Barings, etc.
34 McNamara.


10.3 Purpose of OpRisk Quantification


Before starting to quantify OpRisk, one has to be clear about the purpose it should serve. Here we have to make sure that the quantification of OpRisk - whether via modelling or another method - is focused on and compatible with the business needs of the firm. In other words, we have to ensure that:
- Quantification output is geared for management needs
- Quantification makes the most efficient use of existing resources and is relevant and credible

As discussed in chapters 6 to 8 and summarised in Chart 10.1, several management needs can be distinguished. Each has a different requirement on the approach to and output of an OpRisk quantification. These are loosely summarised in Chart 10.3. The decision of which purpose OpRisk quantification should primarily serve will determine its output and, by the same token, the input - in terms of data or qualitative assessments - it requires. However, it also helps to avoid trying to crack a walnut with an air drill!

Chart 10.3: Focusing OpRisk Quantification on Management Needs (Note: OpR = OpRisk)

Control
Minimum output requirement: Qualitative OpR assessment; OpR change over time; Accountability allocation
Coverage & approach: Selected mgt units; Bottom-up / line mgt

Mitigation
Minimum output requirement: OpR driver identification; Qualitative assessment of OpR drivers; OpR mapping & contingency plans
Coverage & approach: Selected mgt units; Bottom-up / line mgt

Prevention
Minimum output requirement: OpR driver identification; Qualitative assessment of OpR drivers; OpR mapping & early action triggers
Coverage & approach: Selected mgt units; Bottom-up / line mgt

Capital loss buffer
Minimum output requirement: Quantitative OpR level assessment; Identification of overall OpR risk appetite
Coverage & approach: Overall firm; Top-down

Regulatory demand
Minimum output requirement: Quantitative OpR level indicator; Credible or industry standard method; Link of OpR indicator to economic capital
Coverage & approach: Overall firm; Top-down

Efficiency optimisation
Minimum output requirement: Quantitative time-mapping of work flow; 80/20 focus on core processes; Cost allocation on work flow elements
Coverage & approach: Selected mgt units; Bottom-up / Top-down

Capital allocation
Minimum output requirement: Quantitative OpR level for each mgt unit; Units OpR level correlation matrix; Allocation rule based on units risk level
Coverage & approach: Overall firm, all mgt units; Initially top-down, advancing to bottom-up

Source: Credit Suisse Group / GRM, 2000

Chart 10.3 (footnote 35) indicates that for OpRisk control, mitigation and prevention purposes, only a coarse assessment of the CHANGE OF OPRISK OVER TIME is required. Qualitative assessments - such as periodic checklist-based reviews requiring relatively simple input - are sufficient to perform such tasks. Their output could be a scaling or rating of the OpRisk level to monitor its development over time. Such assessments can be implemented on a stand-alone basis by a management unit. Using elaborate database-based OpRisk systems for such purposes would at best be overdoing the job and most likely wasting precious time and human resources.
35

In the column on "output requirements", the simpler requirements - qualitative and overall OpRisk assessments - are shaded lighter than the more difficult requirements - quantitative and level OpRisk assessments. In the "coverage & approach" column, the less resource intensive coverages / approaches are shaded in green, while the more resource intensive ones are shaded in pink.


The improvement of operational efficiency and the generation of a capital allocation taking OpRisk into account require the assessment of the OpRisk level ideally for each individual organisation unit - and an OpRisk correlation-based capital or cost allocation mechanism. This requires many data points and thus a more complex input, generally relying on large databases of KPIs and KRIs. The output that would have to be produced for such purposes can range from a precise overall level of OpRisk to a risk adjusted return on capital (Raroc) or an OpRisk-VaR. The methods used to perform these tasks have to allow for integration in the market and credit risk quantification and cover a large part of the firm activities. They offer the advantage of providing a firm-wide, standard and systematic framework to OpRisk. As indicated in Chart 10.3, the most suited approaches to and extent of coverage of OpRisk quantification differ, depending on the management need. All encompassing bottom-up approaches - covering the entire organisation of a firm are resource intensive and costly. In contrast, focused bottom-up approaches limited to key parts of the firm - and top-down approaches mobilise much less resources. This is because bottom-up information gathering is time intensive and cumbersome as long as no automatically loaded OpRisk database exists.36 Very often therefore, top-down approaches offer a more pragmatic and adequate alternative to quantify OpRisk. They also allow a coarse quantification of the overall OpRisk capital.

10.4 How to Quantify/Model OpRisk


Once the questions of what and for which purpose OpRisk is to be quantified are solved, the most suitable quantification or modelling method can be chosen. Chart 10.1 shows that there are a number of choices, including:
- A qualitative assessment
- A process mapping
- A quantitative modelling

36

Because of this, Bankers Trust abandoned quantifying OpRisk based on a bottom-up information gathering. See Hoffman, D (1998a), " Getting the measure of the beast", Risk, Nov. 1998, p. 40.


Chart 10.4 provides an overview of the methods at disposal - at least theoretically - to quantify and model OpRisk.

Chart 10.4: Modelling Methods of OpRisk (Note: OpR = OpRisk)

Data Analysis
Best suited when: Low context dependency; High frequency events; Many observable data
Methods: Statistical / Actuarial / Empirical distribution; Stochastic Simulation; Fit parameter / Regressions
Possible OpR application: Technology risk; Employee risk; External risk => Using quantitative OpR data

Modelling
Best suited when: High context dependency; All types of events; Observable & qualitative data
Methods: Stochastic processes; Extreme value theory (EVT); Factor / Indicator-based / Causal theories; Decision/Event/Fault trees; Scenarios / Influence diagrams
Possible OpR application: Organisation risk; Policy / Process risk; All other categories of OpR => Using qualitative & quantitative data

Expert Input
Best suited when: High context dependency; Low frequency events; Few observable data
Methods: Delphi method; Relative fractiles assessment; Preference among bets; Log of odds assessment; Bayesian approach
Possible OpR application: Organisation risk; Policy / Process risk; Conflicts of interest risk => Producing qualitative OpR data

Source: Credit Suisse Group / GRM, 2000

The techniques depicted in Chart 10.4 under "Expert Input" - such as for example the "Delphi method" or the "Log of odds assessment" - as well as the simplest forms of "decision trees" and "influence diagrams" are essentially qualitative assessments and process mappings. These have been discussed under the US Army experience in chapter 5 and also in chapter 7. In this section we concentrate, therefore, on the techniques depicted in Chart 10.4 under "Modelling" and "Data Analysis", as they are more quantitative by nature. We will focus on three of the most discussed methods in the OpRisk debate:37
- The factor-derived or indicator-based quantification models
- The statistical/actuarial or simulation based quantification models
- The scenario models, which range from quantitative sensitivity analysis to - in their simplest form - qualitative assessments

Note that the trend is not to use particular models and techniques on a standalone basis but increasingly in combination with each other, to do justice to the complexity of OpRisk. This trend of combining various quantification approaches allows firms to tailor-make quantification approaches to their own specific OpRisk environment.38

37 Underlined in chart 10.4. See also Hoffman, D. (1998), "New Trends in Operational Risk Measurement and Management", in Operational Risk and Financial Institutions, Risk Books, 1998, p. 34 ff.
38 In such cases, aggregating various components of OpRisk - if their calculation is based on different models - could be questionable. The consistency of the assumptions underlying the various models used should then be ensured - e.g. one should not aggregate the results of say an extreme value theory inspired model with the results of a normal distribution inspired model, otherwise one might end up comparing apples with oranges.


10.4.1 Factor-derived / Indicator based Models

These models apply causal factors to build a prediction of the LEVEL of RISK. For example, they would use a combination of error rates, failed reconciliations, employee training expenditure, staff turnover, indicators of the IT system complexity, indicators for the quality of governance, etc. to project a level of OpRisk. They tend to produce a figure for the relative future value of the causal factors on OpRisk, but not necessarily of the operational LOSS amount. They are also considered to be only partially representative of OpRisk root causes.39 Along these lines, the BIS has suggested an indicator-based quantification as a possible method for the quantification of OpRisk and the corresponding regulatory capital allocation.40 The level of OpRisk is identified by a multiple of a simple observable indicator or a combination thereof. Suggested indicators include: gross revenues, fee income, operating costs, managed assets or total assets adjusted for off-balance sheet exposures. The BIS method is a factor / causal theory model simplified to its extreme. It assumes a linear link between the level of OpRisk and business activity, thereby offering the advantage of being easily implementable. Empirical tests show that this assumption does not hold.41 But the most important drawback of the BIS causal theory model is that an OpRisk quantification based exclusively on measurable indicators is bound to produce incorrect and misleading approximations of OpRisk. This is because the high context dependency of most OpRisk elements makes qualitative, non-measurable OpRisk aspects critical in determining its level. The BIS method also bears the danger of creating perverse incentives.42 For example, lowering control related costs would save capital, but also raise the OpRisk. Lowering fee income would save capital, but also crowd out the regulated fee-income banking activities in favour of unregulated financial actors and thereby increase the systemic risk within the financial markets. The drawback of relying exclusively on measurable indicators in factor / causal methods can be overcome by integrating qualitative aspects of OpRisk. These methods could be particularly useful in top-down frameworks to gain insights into both low and high frequency events. However, there is still a long way to go. Up to present times, the OpRisk literature has remained nebulous about OpRisk explanatory variables.43

39 See Hoffman, D. (1998), p. 35.
40 See Basle Committee on Banking Supervision (1999), A new capital adequacy framework, BIS, Basle, June 1999, p. 50f.
41 See Shih J., Samad-Khan A., Medapa P. (2000), "Is the Size of an Operational Loss Related to Firm Size", in: Operational Risk, Feb. 2000.
42 See for example Swiss Bankers Association (2000), Comments on the Paper "A New Capital Adequacy Framework" of the Basle Committee on Banking Supervision, Preliminary Draft, Mimeo, Jan. 2000, p. 13.
43 See Ong (1999), p. 181.


10.4.2 Statistical / Actuarial / Simulation-based Models

These models use actual loss data to construct representations of operational loss frequencies and severities in the form of statistical probability distributions. To do this, they require many data points and have to rely on the existence of complete OpRisk databases.

Simulation-based quantification models are very popular in the literature on OpRisk, particularly the actuarially inspired Monte Carlo simulation technique.44 The prime reason for this is that they allow the data gap prevailing in OpRisk for low probability events to be filled. For each OpRisk category or sub-category these models generate a loss distribution. To do this, thousands of hypothetical years are simulated - applying randomly generated inputs to the underlying risk distribution of an OpRisk sub-category - until a stable "empirical" loss distribution is produced. The process can also be scaled down to individual business lines; loss distributions for each of their relevant OpRisk sub-sub-categories can be generated. Interdependencies among OpRisk elements can also be taken into account.

The outcome of this exercise (see Chart 10.5) is familiar to market and credit risk specialists. The flaw is that the present state of OpRisk data does not allow any backtesting of the correctness of the generated distribution. In addition, slight changes in the environment, due to the high context dependency of OpRisk, will have a significant impact on the generated distribution. These would require reviewing the entire underlying simulation setting.

Chart 10.5: Possible Monte Carlo Simulated OpRisk Loss Distribution for a given OpRisk Sub-Category

[Chart: probability of loss (vertical axis) plotted against severity of loss (horizontal axis). The region up to the expected loss is to be covered by pricing; the unexpected loss, up to the loss level at the given confidence level (which might be a function of OpRisk appetite), is to be covered by OpRisk capital; the severe and catastrophic region lies beyond that level.]

Source: Credit Suisse Group / GRM, 2000

44 See for example: Austega, "Banking and Risk Management", Jan. 2000, or Samad-Khan A., Gittleson D. (1998), "Measuring Operational Risk", in: Global Trading, Q4 1998, p. 34f.
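As an added illustration, not part of the original presentation nor of any CSG model, the following Python script builds the loss distribution of Chart 10.5 for one OpRisk sub-category in the way described above: a Poisson number of events per year combined with a lognormal severity per event, simulated over thousands of hypothetical years and then split into expected loss (to be covered by pricing) and unexpected loss up to a confidence level (to be covered by OpRisk capital). The distribution choices, the seed and the parameters (about 20 events per year, median severity USD 50'000) are assumptions of the example. The last function demonstrates the context dependency point: shifting only the severity dispersion moves the tail far more than it moves the mean.

```python
import math
import random
import statistics

# Assumed parameters for the illustration: ~20 events per year, median severity USD 50'000.
DEFAULT_PARAMS = {"freq_lambda": 20.0, "sev_mu": math.log(50_000), "sev_sigma": 1.0}


def poisson_sample(rng, lam):
    """Draw one Poisson(lam) variate (Knuth's multiplication method; adequate for lam below ~100)."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(freq_lambda, sev_mu, sev_sigma, years, seed=2001):
    """Simulate `years` hypothetical years of aggregate loss for one OpRisk sub-category.

    Frequency per year ~ Poisson(freq_lambda); severity per event ~ lognormal(sev_mu, sev_sigma).
    Both distribution choices are assumptions of this example, not a statement about real loss data.
    """
    rng = random.Random(seed)  # fixed seed: the same "empirical" distribution is produced on every run
    annual = []
    for _ in range(years):
        events = poisson_sample(rng, freq_lambda)
        annual.append(sum(rng.lognormvariate(sev_mu, sev_sigma) for _ in range(events)))
    return annual


def quantile(sorted_values, q):
    """Empirical q-quantile: the smallest simulated value that at least a fraction q of years do not exceed."""
    index = math.ceil(q * len(sorted_values)) - 1
    return sorted_values[min(max(index, 0), len(sorted_values) - 1)]


def loss_distribution_summary(annual_losses, confidence=0.99):
    """Split the simulated distribution into the regions of Chart 10.5."""
    ordered = sorted(annual_losses)
    expected = statistics.fmean(ordered)            # expected loss: to be covered by pricing
    at_confidence = quantile(ordered, confidence)   # loss level at the chosen confidence (OpRisk appetite)
    return {
        "expected_loss": expected,
        "loss_at_confidence": at_confidence,
        "unexpected_loss": max(0.0, at_confidence - expected),  # to be covered by OpRisk capital
        "worst_simulated_year": ordered[-1],                    # severe / catastrophic region beyond the capital
    }


def analytic_expected_loss(freq_lambda, sev_mu, sev_sigma):
    """Closed-form mean of the compound Poisson-lognormal model: lambda * E[severity]."""
    return freq_lambda * math.exp(sev_mu + sev_sigma ** 2 / 2)


def tail_sensitivity(freq_lambda, sev_mu, sigma_base, sigma_shifted, years=20_000, confidence=0.99):
    """Ratios by which the mean and the tail move when only the severity dispersion changes."""
    base = loss_distribution_summary(simulate_annual_losses(freq_lambda, sev_mu, sigma_base, years, seed=1), confidence)
    shifted = loss_distribution_summary(simulate_annual_losses(freq_lambda, sev_mu, sigma_shifted, years, seed=2), confidence)
    return {
        "expected_loss_ratio": shifted["expected_loss"] / base["expected_loss"],
        "tail_ratio": shifted["loss_at_confidence"] / base["loss_at_confidence"],
    }


if __name__ == "__main__":
    summary = loss_distribution_summary(simulate_annual_losses(**DEFAULT_PARAMS, years=20_000))
    for key, value in summary.items():
        print(f"{key:>22}: USD {value:>15,.0f}")
    print(f"{'analytic expected loss':>22}: USD {analytic_expected_loss(**DEFAULT_PARAMS):>15,.0f}")
    print("severity sigma 1.0 -> 2.0:", tail_sensitivity(DEFAULT_PARAMS["freq_lambda"], DEFAULT_PARAMS["sev_mu"], 1.0, 2.0))
```

The closed-form expected loss is the only cheap sanity check available for the simulated mean; there is no equivalent for the tail, which is exactly the backtesting gap discussed above, and the sensitivity run shows why a small re-parameterisation after a change in the environment forces the whole simulation setting to be reviewed.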


The simulation method offers four advantages:
- Strong quantitative support, once validated with sufficient firm specific data
- Methodology parameters (distribution, confidence interval, holding period) consistent with those employed for market and credit risk
- A specification which would allow the model to generate OpRisk Raroc or VaR measures
- A high degree of integration in the overall risk framework, allowing bottom-up capital allocation mechanisms for OpRisk to be derived

However, the simulation method also has the drawbacks of a high degree of complexity and intransparent assumptions, and its implementation will require substantial resources.45 Also, the present state of data means that several years will pass before backtesting or validation is possible.

10.4.3 Loss-Scenario / Qualitative Assessment Models

These models produce a subjective loss estimate for a given time horizon (say one year) and confidence level (say 99%), based on the experience and expertise of key managers. Weaker assessment forms could just require a ranking of the OpRisk level for each element of a risk map or checklist. Qualitative assessment models have been put forward because they are particularly well suited to tackling both the frequent unobservability of OpRisk and its high context dependency.

A purely qualitative assessment can also be turned into a quantification method. This could involve four core elements:46
- A checklist for a periodic and systematic qualitative assessment of each element of OpRisk
- A grading scale-based assessment considering criteria such as severity, probability and time horizon of occurrence
- Grading dependent management escalation procedures, action triggers, compensation rules and reports, as shown in Chapters 6 and 7
- A transformation of the grading into an OpRisk level expressed in, say, USD

Such methods have the advantage of enhancing transparency of the CHANGE of OpRisk. They also allow a proactive management of the level of OpRisk. However, as they rely on the subjective judgement of experts, they are only appropriate for a crude quantification of the OpRisk economic capital level and OpRisk capital allocation.
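An added example, not part of the original presentation, of how the four core elements above can be wired together in Python: a checklist of graded items, a severity and probability grading scale, grade-dependent escalation triggers and a transformation of the grades into an annualised USD figure per major OpRisk category. The scales, the USD bands, the escalation thresholds and the sample risk map are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass

# Assumed grading scales for the illustration (1 = lowest, 5 = highest).
SEVERITY_BAND_USD = {1: 50_000, 2: 250_000, 3: 1_000_000, 4: 5_000_000, 5: 25_000_000}  # loss if the event occurs
PROBABILITY_WITHIN_HORIZON = {1: 0.01, 2: 0.05, 3: 0.20, 4: 0.50, 5: 0.90}              # chance of occurrence within the stated horizon

# Assumed escalation triggers, checked in order: score = severity grade x probability grade;
# a severity-5 item (high impact, however low its frequency) always reaches the top.
ESCALATION_RULES = (
    (lambda item, score: item.severity == 5 or score >= 15, "Group CRO / Board"),
    (lambda item, score: score >= 8, "Business unit head"),
    (lambda item, score: True, "Line management"),
)


@dataclass(frozen=True)
class RiskItem:
    category: str        # one of the five major OpRisk categories
    element: str         # checklist element being graded
    severity: int
    probability: int
    horizon_months: int  # time horizon within which the graded probability applies

    def __post_init__(self):
        if self.severity not in SEVERITY_BAND_USD or self.probability not in PROBABILITY_WITHIN_HORIZON:
            raise ValueError(f"grades must be between 1 and 5: {self}")
        if self.horizon_months <= 0:
            raise ValueError(f"horizon must be positive: {self}")


def score(item):
    return item.severity * item.probability


def escalation_level(item):
    s = score(item)
    for triggered, level in ESCALATION_RULES:
        if triggered(item, s):
            return level
    raise AssertionError("unreachable: the last rule always matches")


def annualised_loss_usd(item):
    """Grade -> USD: band loss x probability, scaled to one year (assumed linear in the horizon)."""
    return SEVERITY_BAND_USD[item.severity] * PROBABILITY_WITHIN_HORIZON[item.probability] / (item.horizon_months / 12)


def oprisk_level_by_category(items):
    """OpRisk level in USD per major category, the figure a top-down review would look at."""
    totals = {}
    for item in items:
        totals[item.category] = totals.get(item.category, 0.0) + annualised_loss_usd(item)
    return totals


def escalation_report(items):
    """Which graded elements land on whose desk."""
    report = {}
    for item in items:
        report.setdefault(escalation_level(item), []).append(item.element)
    return report


# Constructed sample risk map (not real CSG gradings).
SAMPLE_RISK_MAP = (
    RiskItem("Technology", "Settlement system single point of failure", 4, 2, 12),
    RiskItem("External", "Physical disaster at main data centre", 5, 1, 24),
    RiskItem("Policy and processes", "Manual reconciliation backlog", 2, 4, 6),
    RiskItem("Human", "Key-person dependency in trade support", 1, 3, 12),
)

if __name__ == "__main__":
    for category, level in oprisk_level_by_category(SAMPLE_RISK_MAP).items():
        print(f"{category:<22} USD {level:>12,.0f} per year")
    for level, elements in escalation_report(SAMPLE_RISK_MAP).items():
        print(f"{level:<20} <- {elements}")
```

The severity-5 override is the deliberate design choice: a low probability high impact item scores low on the product of the two grades, which is precisely why a pure score threshold would leave it with line management.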

45 An interesting discussion of the features and weaknesses of a distribution function based risk measurement can be found in Kimball, R. (2000), "Failures in Risk Management", New England Economic Review, Jan./Feb. 2000, pp. 3-12. Kimball notes that two major advances in risk management have been to: 1) describe risk in terms of the distribution of potential outcomes and, 2) recognise that, while individual outcomes are not predictable, their distribution is. However, Kimball also points to the three major challenges this approach to risk faces: orienting capital on the tail or the "hundred-year storms" of a correctly estimated distribution; getting a correct estimation of the distribution of outcomes, i.e. measuring correctly; recognising that a risk exposure exists, i.e. not ignoring risks, particularly in new business lines.
46 For more details see also chapter 5, the section on the US army experience.


10.5 Capital Allocation


As yet, few financial institutions have used modelling techniques to derive - or aimed at deriving - an OpRisk economic capital or to establish an OpRisk capital allocation mechanism. Very few are really happy with their approach. However, more plan to do so in the years to come.

10.5.1 Bankers Trust Approach: Combining Methods47

Bankers Trust is seen by many as the leading thinker in quantifying OpRisk. This, however, did not prevent it from incurring other problems! BT has been building and expanding an operational loss database since 1993. It has applied Raroc since the 1970s, the characteristics of which - a one-year time horizon and a 99% confidence level - are particularly well suited to an integration of OpRisk in the general risk framework. BT's approach is most suited to financial firms in possession of a sophisticated OpRisk MIS. A top-down approach is followed for the attribution of OpRisk capital to business lines. It involves two steps:
- The risk measurement
- The capital attribution

In the risk measurement process, an actuarial model and Monte Carlo simulation are applied to the loss database, combined with loss scenario modelling. A loss potential is generated for each OpRisk class and for the overall firm.

The capital attribution process builds on factor-based modelling using a broad array of risk factors. These risk factors are detailed at the individual business line and profit centre level, e.g. the training expenses of a given business line or the settlement error rate. The factor-based model produces OpRisk weights for each business line. Based on these weights, the overall firm OpRisk capital is then allocated / distributed to the individual business lines.

To perform both these steps, the firm relies on its well-populated OpRisk database covering the whole range of the loss distribution, including the long-tail losses. The database consists of two sections: internal losses and losses from other firms. Significant efforts have been devoted to developing ways of making the external loss information relevant to the firm's features in order to combine both sections and make them complementary. The loss events are classified in the database within one of the firm's OpRisk classes. These classes have been kept to a minimum - given that operational loss events are relatively sparse - and defined based on causation sources such as resource, asset, etc. This has led to the creation of five classes: relationships, people, physical assets, technology resources, and external issues. These classes are geared more to risk management purposes than to control purposes.

47 This section is based on Hoffman, D. (1998) and (1998a).


10.5.2 Credit Suisse Group's Approach: Scenario Based

In the process of allocating Economic Risk Capital (ERC) for OpRisk, CSG went through an interesting bottom-up and top-down exercise. While market, credit and business volume risks are based on an ever improving and accepted model for all the various business units, the OpRisk ERC - with all the complexity and limitations of such an approach described above - has been and will continue to be an issue of discussion.

We asked OpRisk specialists of the business units to come up with a 99% confidence figure for each business unit's estimate of its OpRisk - including restoring normal operational conditions, but excluding market and credit losses. Not surprisingly, these specialists could not agree even after heated deliberations. Therefore, the CFO and the CRO of the Group were asked to come up with a figure based on past experience, market and literature observation. Both CFO and CRO, with different backgrounds, came up with a very similar overall figure X. This figure X was then allocated to the business units based on a mix of size of assets and staff, past experience and allocated activity. The figure X and its allocation to business units are subject to regular review, based on practicability and experience over time.
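An added example, not part of the original presentation and not either bank's actual model, of the allocation step common to 10.5.1 and 10.5.2 in Python: a top-down firm-level OpRisk capital figure X is distributed to business lines by weights derived from risk factors of the kind mentioned above (size of assets and staff, as in the CSG allocation, plus settlement error rate, staff turnover and training spend as in the Bankers Trust factor model). The business line figures, the factor weights and directions, the exposure floor and the USD 1.2bn figure X are constructed assumptions. The what-if function makes the incentive point of 10.4.1 concrete: with training spend treated as a risk-reducing factor, cutting it raises rather than lowers the capital attributed to the line.

```python
# Constructed sample: one row per business line; all figures are assumptions, not CSG data.
BUSINESS_LINES = {
    "Private Banking":    {"assets_usd_bn": 400, "staff": 10_000, "settlement_error_rate": 0.0010, "staff_turnover": 0.06, "training_spend_per_head": 1_800},
    "Investment Banking": {"assets_usd_bn": 250, "staff": 12_000, "settlement_error_rate": 0.0040, "staff_turnover": 0.15, "training_spend_per_head": 2_500},
    "Asset Management":   {"assets_usd_bn": 150, "staff":  2_500, "settlement_error_rate": 0.0020, "staff_turnover": 0.10, "training_spend_per_head": 1_200},
}

# Assumed factor weights (sum to 1) and directions: +1 = a higher value means more OpRisk, -1 = less.
FACTOR_SPEC = {
    "assets_usd_bn":           (0.25, +1),
    "staff":                   (0.25, +1),
    "settlement_error_rate":   (0.20, +1),
    "staff_turnover":          (0.15, +1),
    "training_spend_per_head": (0.15, -1),
}
EXPOSURE_FLOOR = 0.10  # assumed: no line scores below this, so no line is attributed zero capital


def scaled_factor(lines, factor):
    """Min-max scale one factor across business lines to [0, 1]."""
    values = {name: row[factor] for name, row in lines.items()}
    lo, hi = min(values.values()), max(values.values())
    if hi == lo:
        return {name: 0.5 for name in values}
    return {name: (v - lo) / (hi - lo) for name, v in values.items()}


def risk_weights(lines, spec=FACTOR_SPEC, floor=EXPOSURE_FLOOR):
    """Composite OpRisk weight per business line, normalised to sum to 1."""
    if abs(sum(w for w, _ in spec.values()) - 1.0) > 1e-9:
        raise ValueError("factor weights must sum to 1")
    composite = {name: 0.0 for name in lines}
    for factor, (weight, direction) in spec.items():
        for name, s in scaled_factor(lines, factor).items():
            composite[name] += weight * (s if direction > 0 else 1.0 - s)
    adjusted = {name: floor + (1.0 - floor) * c for name, c in composite.items()}
    total = sum(adjusted.values())
    return {name: a / total for name, a in adjusted.items()}


def allocate_capital(total_capital, weights, unit=1_000_000):
    """Distribute the firm-level figure X pro rata, rounded to `unit`; the rounding residual goes to the largest line."""
    allocation = {name: int(round(total_capital * w / unit)) * unit for name, w in weights.items()}
    residual = total_capital - sum(allocation.values())
    allocation[max(weights, key=weights.get)] += residual
    return allocation


def what_if(lines, line, factor, new_value):
    """Copy of the business line data with one factor changed, for an incentive check."""
    changed = {name: dict(row) for name, row in lines.items()}
    changed[line][factor] = new_value
    return changed


if __name__ == "__main__":
    FIRM_OPRISK_CAPITAL = 1_200_000_000  # assumed top-down figure X in USD
    base = allocate_capital(FIRM_OPRISK_CAPITAL, risk_weights(BUSINESS_LINES))
    cut = allocate_capital(FIRM_OPRISK_CAPITAL, risk_weights(what_if(BUSINESS_LINES, "Investment Banking", "training_spend_per_head", 1_000)))
    for name in BUSINESS_LINES:
        print(f"{name:<20} base USD {base[name]:>15,}   after training cut USD {cut[name]:>15,}")
```

Rounding to whole millions with the residual assigned to the largest line keeps the attributed amounts summing exactly to X, which matters once the figures feed a Raroc calculation per business unit.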

10.6 OpRisk Quantification: 12 Conclusions


1. Make the important measurable, not the measurable important (McNamara).

2. OpRisk is very different in nature from market or credit risk.

3. OpRisk is extremely multifaceted; compressing it into one simple figure requires a significant number of unstable assumptions. An overall quantification of OpRisk is exponentially more complex than the quantification of market or credit risk.

4. OpRisk quantification faces two major challenges:
- The high context dependency - different in different situations - of many OpRisk categories / sub-categories
- The priority to deal with low probability high impact events, for which only very few internal data are available, thereby requiring a credible scenario analysis. For many such risks, insurance coverage is increasingly available

5. Each element of OpRisk has a preferred method for its measurement, so when bringing it back to the whole of OpRisk, securing consistency is almost impossible.

6. Quantitative OpRisk models have a long way to go before they can be backtested or validated: until then they suffer from the garbage-in, garbage-out syndrome. Model outputs can not only be wrong but also misleading.

7. Monte Carlo simulation models can be useful in tackling low probability high impact events. They also require substantial resources (staff, time, IT).


8. OpRisk management tends to benefit more from the use of risk control indicators (RCIs) than from complex models which would compute and/or allocate an OpRisk amount. RCIs dive into the business process and help to effectively control, cap or reduce OpRisk. Models, on the other hand, would only provide a more or less precise estimate of the overall level of OpRisk and thereby an ex-post measurement, but not an active management of OpRisk.

9. In the near future, it is more realistic / relevant / credible to rely on measures capturing the CHANGE of OpRisk than on measures capturing its doubtful absolute level. An OpRisk management based on relevant and credible OpRisk CHANGE measures is more effective than one relying on partial OpRisk LEVEL measures.

10. A combination of qualitative and quantitative approaches offers the most promising avenue to get a grip on OpRisk.

11. A benchmark based capital charge, e.g. based on fee income, is counterproductive to the control of OpRisk.

12. The pragmatic good judgement approach generally provides a valid base for good OpRisk management - as long as there are no credible, relevant and validated models.

" . ." Give me a place to stand on, and I will move the earth. (Archimedes)


11. Concerns of Supervisors


11.1 The Three Pillar Approach by the BIS

The Basle Committee on Banking Supervision48 has taken a bold step towards updating the international capital framework for banks. In general terms, the role of regulators is the protection of the saver / creditor and the assurance of well functioning banking and financial systems, which includes the avoidance of systemic risks. The BIS Proposal targets four main goals:
- Promote safety and soundness in the financial system; the new framework should at least maintain the current overall level of capital in the system
- Enhance competitive equality
- Establish a more comprehensive approach to addressing risks
- Refocus orientation towards internationally active banks; underlying principles take into account the varying levels of complexity and sophistication

The BIS is moving from the single pillar of minimum capital requirement to a three-pillar approach. Consultations with market participants are still going on. I do not wish to prejudge any conclusions or predict the outcome of the final version. In the following pages, I want to describe the original intentions of the Basel proposal as to the treatment of Other Risks, and add some of my own concerns and ideas.

Pillar 1: Minimum capital requirement

Two alternatives are being studied for credit and other risks:
- A "standardised" approach to be used by a large number of banks
- Internal risk ratings to be used by major international banks

Pillar 2: Supervisory discretion
- A strong national supervisory and regulatory process ensures the maintenance of adequate capital. Supervisors expect that banks will exceed the regulatory minimum requirements. They have the authority to require banks to hold more than the minimum capital.
- Banks must have internal procedures and tools to determine their own risk profile with corresponding capital; they must have a strategy for the maintenance of a proper capital level.
- Supervisors must examine the internal capital measurements and the strategy of the banks. They must examine compliance with the regulatory capital requirements. Supervisors should intervene early if there is a threat of capital inadequacy and require prompt remedial action.

48 BIS (1999).


The Pillar 2 principles effectively extend the current capital ratio approach to a more active and comprehensive framework for managing capital standards. Simplified, regulators move from primarily macro-regulation to micro-management of a bank. Back to the traditional, but intensified, CAMEL approach: Capital, Asset, Management, Earnings, Liquidity. This approach puts a heavy burden on the supervisors' judgemental capability. Supervisors may become - directly or indirectly - part of a bank's risk management.

Pillar 3: Market discipline
- Greater disclosure of timely and reliable information relating to capital structure and risk exposures by banks is proposed; there is a risk of confusing greater transparency with huge data quantity.
- Increased market pressures should encourage banks to manage risks and capital more effectively.

Pillar 4: My suggestion

From a practitioner's perspective, it is interesting that a lot of effort is devoted to Pillar 1. I would argue that a clearly stated Pillar 4 is needed. A bank can comply with all existing and future capital changes, have an outstanding qualitative risk approach with the most sophisticated quantitative models and still represent a supervisory problem: lack of profitability. Sustained, sound and diversified profitability is THE precondition for protecting creditors and avoiding systemic risks. EARNINGS CAPACITY IS MORE IMPORTANT THAN CAPITAL. Such a Pillar 4 - I would have preferred calling it Pillar 1 - should always be in the minds of the supervisors for the overall judgement of a bank and its risks, including OpRisk.

While supervisors cannot and should not be directly responsible for profitability, the level playing field issue needs serious attention, not only among banks, but also vis-à-vis non-banks. Supervisors are concerned about systemic risks and the role of the banks in the e-commerce environment. They are concerned that services are offered by respectable, well trained people with appropriate standards of probity. At the same time, there is convergence of almost all aspects of financial activities. In addition, market participants have become emancipated; savers save less, they increasingly invest in non-traditional savings products; money is actively managed through other vehicles than "savings". Why do regulators not apply the same requirements to converged and changed activities? Is there not a unique chance to level the field for banks and non-banks? A meaningful contribution would support the credibility of the new three-pillar requirements, which are targeted at banks only.


11.2 The OpRisk Regulatory Solution: 12 Points from a Banker's Point of View

1. A prime concern for supervisors should be my Pillar 4: sustained, sound and diversified earnings and profits, which are based among other things on good OpRisk management. Survival is not only about capital, compliance and controls, it is also about performance: revenue growth and its diversification, geographic distribution, client distribution, major clients gained or lost, provisions, new activities, efficiency ratios, years of uninterrupted dividend record, etc. There are at least 10 different analysts' reports on any major bank per year, with cross comparisons of strategies and industry development. They can be quite revealing for supervisors' concerns. There is a lot of information to digest for 50 major banks worldwide: 500 reports, sometimes twice or more often per year. To complete the picture, rating agency reports could also be a major source for a supervisor's judgement. In addition, Pillar 3 should improve risk transparency even more.

2. It takes quite an irrational attitude to take risks with the aim of failing. There has to be a reasonable amount of trust in the checks and balances of a market, also by supervisors. Markets judge and discipline every working minute, much more than 10 years ago. While stock markets can temporarily overshoot both ways, the relative share price performance should be revealing also for supervisors. For argument's sake, there are 50 major quoted banks with an assumed 20'000 shareholders each: 1'000'000 professionals and other intelligent individuals, many of them clients, opine every trading day on these banks' total risks. One million judgements cannot be that wrong, at least not all the time. One million investors buy or hold a favourite stock, fully knowing that a major portion of banking is taking and incurring daily risks, including OpRisk. How important is confidence in market signals for supervisors?

3. Supervisors seem to have an increasing interest in exercising their power under Pillar 2, even though Pillar 2 may not become that relevant for regulatory capital purposes. Such new judgemental capability, management know-how and industry knowledge will be a unique challenge. Such power should be exercised in a transparent, proportionate and consistent manner. With their requirements and interventions, supervisors can replace a firm's business judgement, for which banks have no option but to "agree". Supervisors pursue disciplinary and other actions with the benefit of hindsight, potentially even applying new standards to old frameworks. How predictable will future supervisors' actions become for banks? In reality, what mechanisms are there for banks to fall back upon if there is a misjudgement by supervisors? Will this result in banks not establishing official policies because supervisors might not agree with them? Unfairly treated staff can leave the bank for better shores; should banks have a choice to select their supervisors?


Audits and regulatory requirements by one established supervisor have to be acceptable to other regulators; they have to be taken into account, whether positive or negative. Doubling up efforts is unacceptable. Senior management should be able to concentrate on managing the organisation and on controlling and preventing undue risk taking, for which it needs the necessary time. A material, "real crisis" cannot be managed by regulators, only by management. If management is not "fit and proper", the supervisors have the power to oust them, if the Board of Directors and/or the shareholders have not done so before. Cumbersome issues that are irrelevant in the overall context, uncoordinated requirements, supervision based on media gossip, publicly choosing one bank to set a new industry standard, numerous questionnaires, calls on branches around the world are increasingly becoming a burden for banks. Materiality is the issue. Good regulators and supervisors know when to start and when to stop. Supervisors should be positively motivating, e.g. the timely resolution of a deficiency and how it was handled by management should be recognised, without constantly bringing up past or insignificant deficiencies. Treat the past handling of a deficiency as a lesson from which management has learnt and as a new base for handling future deficiencies. No bank can avoid deficiencies: the issue is how they are handled.

4. It is a truism that misjudgements by banks will happen in the future. It is equally true that banks are still around. Banks have so far managed the more recent OpRisk challenges such as the introduction of the Euro, the Year 2000 transition and the e-commerce security design rather well. It may also be worth mentioning that LTCM was not a bank, but was saved by banks under FED leadership - any bank with a major LTCM exposure would have survived its direct LTCM exposure in case of an LTCM collapse. To be fair, the FED initiative was appropriate, given the circumstances.

You can stress any bank to death with all its capital. It only depends on your perspective of life, your assumptions and your model. Doomsayers find doom anyhow, anywhere, anytime. But this is not how successful business is orchestrated. Banking and its supervision are no exception. Capital serves as a cushion for unexpected market situations or an immediate buffer against a bank's quality deterioration. However, capital does not ensure that banks are immune from any failure or a global nuclear war. Regulators are aware that OpRisk measurement and its quantification is somewhat questionable, but they want it for regulatory charge purposes anyway. Regulators and supervisors should re-examine this simple "fixation" on capital. Good regulators intervene before the "capital" is called upon. External shocks can increasingly be mitigated with risk transfer.

5. Regulators and supervisors should concentrate on the real issues: what-if analyses, with reasonable assumptions. What kind of hits can the firm sustain with regard to revenues, net income before tax, capital? What could such a hit imply for the rating? How is it insured against OpRisk? What kind of insurance does it get compared with others?


6. Various supervisors prefer - generally and simplified - "objective box-ticking" for capital requirements based on the formula: Total Risk = Market Risk + Credit Risk + Other Risks. "Other Risks" should include - according to some supervisors - primarily risks as to strategy, reputation, business volume, interest rate, legal and operations. Ideally for some, models would produce one regulatory capital figure for all "Other Risks". But life is more complicated: risks as to strategy, reputation and business volume should be handled separately. They should be of prime concern for the shareholders, expressed in the share price.

7. The 9 major mishap cases presented in chapter 4 and others were cases unfit for a modelling approach. In today's context, they all should be typical cases for the proposed Pillar 2, assuming non-banks are equally supervised. To "punish" the banks today for major mishap cases in the past - including those incurred by non-banks - with "corresponding" regulatory capital requirements in the future would erase banks' competitiveness. To ask them for only a "pro memoria" capital charge might revive the memory, but would certainly not solve the problem: the issue is good OpRisk management or good management in general. One of the justifications for the planned Pillar 2 must be to react to insufficient OpRisk management.

8. Why is it that - with the potential introduction of Pillar 2 and its close monitoring, intervening and additional capital requirement power for sub-standard banks - there should be at least as much capital in the banking system as at present? Let us assume the BIS proposal had been introduced already in 1988 instead of the BIS 1988 scheme; also assume there had been no Pillar 1 charge for OpRisk since 1988. Would any of the mishaps in chapter 4 have been greater than was actually the case? No. Would the mishaps have been avoided or would they at least have been smaller? Yes or maybe, as Pillar 2 with its supervisory intervention should have worked. Pillar 2 is - simplified - an additional risk management layer provided by an official outside third party.

9. Market risk management models have, at least theoretically, access to a history of daily prices of tens of thousands of stocks, bonds and derivatives, and this over many years; worldwide, there are close to USD 40 trillion of bonds and notes outstanding. Credit risk models combine, theoretically speaking, the experience of more than 30'000 banks around the world with assets over USD 35 trillion. In addition, third party ratings allow cross-checks. With all this background, regulators require the following for internal credit risk models: a model must be well integrated with the bank's day-to-day credit risk management, conceptually sound, empirically validated and produce capital requirements that are comparable across institutions. Can a similar framework also be applied to OpRisk, an area which is so much more in-house oriented? There is no credible model for multidimensional, context dependent OpRisks as a whole identified (yet).


10. The characteristics of OpRisk are markedly different from other risks:
- Market and credit risks are - with relatively objective market prices or ratings - willingly taken for revenue's sake. OpRisks are usually not willingly incurred and not priced in the market. Reasonable tolerance of defaults or mistakes should not be risks burdened with capital requirements; this is part and cost of doing business. Checks and controls of the market and reputation aspects entice every bank NOT to incur operational losses, as they increase expenses and/or affect the share price.
- OpRisks are primarily internal risks or "bank made". External risks have to be handled differently and are largely insurable, or increasingly will be.
- Data on OpRisk are often vaguely defined, unreliable, incomplete, and of limited comparability over time for benchmarking purposes. If a common definition of "other risk" or OpRisk already presents a problem, what about measuring, quantifying and modelling, even if only internally? What about industry commonality?
- OpRisks are incredibly multifaceted; a major portion is qualitative / judgemental, interdependent, often not clearly discernible from other risks like market or credit. OpRisks are unique in terms of context dependency. Therefore, modelling is highly complex or not credible, and often not relevant in the overall context of risk exposure.
- The value of loss distribution based modelling with proper data for a sub-OpRisk or a sub-sub-OpRisk might be limited if the modelling approach of another sub-group is completely different. The value is certainly limited if the risk figure is not relevant in the overall context.
- OpRisk management is largely good general management with quantitative and qualitative targets and is - in parallel with other factors - expressed in the share price and its level above book value.

11. Arguments against an OpRisk Pillar 1 regulatory charge:
- The completely differing characteristics of OpRisk vis-à-vis other risks are described above.
- Risk awareness in general, and for OpRisk specifically, is much higher today than 5 years ago. Attention to a more analytical approach is increasing.
- OpRisk methodology is in its infancy; rapid industry efforts might be hampered by a regulatory charge. The latter could actually create perverse incentives, if based on some of the suggested indicators and statistical methods.


- A minimum charge might provide a false sense of security and not foster adequate controls, especially if the charge bears no relation to the underlying risk.
- If regulatory market risk capital has a "safety multiplier", why not reduce this multiplier - which includes OpRisk issues - with the introduction of an OpRisk Pillar 1 charge?
- One-size-fits-all is basically an unsatisfactory approach, as proven in the past. Use Pillar 2 for "outliers": serious deficiencies - serious in an overall context - can be "penalised" with a regulatory charge.
- Any "unreasonable" charge makes banks uncompetitive. Pillar 2 is the vehicle that disciplines a bank which represents a serious threat to the system.

There should be no charge under Pillar 1 until:
- Sensible definitions for OpRisk are agreed (including clear boundaries to Market and Credit Risks)
- Relevant risks have been determined
- It is ensured that there is no double counting
- Existing multipliers for Market Risk are reduced
- Assurances have been given that less capital will be needed for lending
- Risk transfer is made deductible
- Only quantifiable risk - credible and relevant in the overall context - is selected
- Only credible unexpected losses are charged for
- A credible attempt is made to create a level playing field with non-banks

OpRisk management is much more than a capital charge; it is about good management. Allocating regulatory capital is not the most effective way to improve OpRisk management. The 9 mishaps in chapter 4 were not "cases for capital", they were about good management, structural and control issues. In case of a "reasonable" OpRisk disaster of a firm, it is the shareholders who suffer first. Then comes earnings power, and only after that is the "capital" affected. The real issue is liquidity and funding. Assuming a reasonable position of such an affected bank excluding the OpRisk mishap, what an acquisition opportunity for third parties! Such a reasonable position should prevail, assuming the supervisors have done their job before. An OpRisk Pillar 1 charge could be interpreted to mean that the supervisors are not convinced about their successful implementation of Pillar 2.

12. My concerns about the feasibility of OpRisk models and Pillar 1 do not imply that OpRisk management is not a serious issue. It is very much so. If I were a supervisor, I would proceed the following way, considering the previous points raised:

- What is more important: a regulatory charge or good management?
- What does the stock price of a financial institution - also in relative terms - indicate?
- What is the opinion of rating agencies / analysts?
- How often are interbank premiums of an institution checked?

- Above all and of prime concern: What is the loss absorption capacity of an institution? Apply simple models and stress testing such as "hit absorption capacity" versus earnings and capital. Effect on ratings, clients, capital raising? This way, a majority of potential OpRisk issues can be judged and ticked off quickly and easily.
- Agree with the industry on a definition of OpRisk and its categories, along the lines described in chapter 3. Forget the broad "other risk" definition and concentrate on what OpRisk really is.
- What are the really relevant OpRisks in the overall context of an organisation? Concentrate on high impact low frequency risks. This is the real issue, not the modelling of a sub-group risk, or losses irrelevant in the overall context (even if convincing as to calculation). What is the organisation doing about high impact low frequency risks?
- Become knowledgeable on OpRisk insurance. What is the high impact low frequency risks exposure of the organisation after having transferred risk to third parties?


- Check regularly on business continuity plans, including IT aspects: this is crucial risk awareness and disaster preparation management.
- Check regularly on the 5 major OpRisk-categories: organisation, policy and processes, technology, human and external risks and their subcategories. Are there significant problems, issues, plans, solutions?
- Ask for over-budget projects, including IT. Ask for major legal disputes on a confidential, unnamed basis.

- Go through the 12 S's of an organisation as presented: Supervisors should be concentrating on structures, system, systems and safety measures, not on specific judgements on counterparties and personalities. I would suggest that some of the S's could be used for simple weighting of deductions or add-ons for Pillar 1 - "if there has to be one" - or of a potential Pillar 2 charge for outliers. Example:
  Structure: 20%
  System, systems: 20%
  Safety: 20%
  Staff, skills, style: 20%
  Synchronisation: 20%


- Check regularly on the status of data collection and modelling efforts.
- Ask regularly for the 3-5 major, self-assessed concerns in the OpRisk area. Check on ongoing or planned efforts handling them. Re-check and supervise closely if the firm has missed a major one ex-ante.
- Check on netting arrangements of all sorts.
- Major restructuring cases, major IT-projects, new activities, mergers etc. deserve special attention.
- The capital charge under Pillar 1 seems to be a foregone conclusion for the supervisors. They will calibrate according to their idea of the charge desired. If "there has to be a minimum OpRisk capital charge, because regulators - for lack of better arguments - simply decide so", then it has to be low in amount, simple to manage and cost efficient. I personally argue against it, because the issue is not capital, but management. Pillar 2 provides the supervisors with enough power to correct a situation.
- There are various ways to calculate a simple charge for Pillar 1: a simple low percentage of the "other regulatory capital" for lenders and traders; a low percentage on assets managed for asset gatherers. If the percentage becomes too high, the level playing field becomes even more rocky. Again, as there are no correlations between size and risk, this is an unfair approach for larger entities; a decreasing scale would reduce unfairness.
- Credible insurance contracts, credible models for OpRisk with credible statistical evidence have to result in lower capital requirements.


- Add-ons based on Pillar 2 assessments would be eliminated in a timely fashion after the clean-up of a deficiency.
- Pillar 2 concerns with a regulatory charge should primarily be oriented towards a reasonable probability of systemic risk or towards failure of the respective firm.
- Check on the contribution of each firm regarding OpRisk industry efforts, teach-ins, etc.
- Support and recognise each bank's contribution to improved settlement mechanisms: these are the real issues for avoiding systemic risks, not capital charges for OpRisk or semi-credible OpRisk models.
- Establish a rapid deployment force in case of crisis. Have accessibility to all major counterparties.


- Become more flexible and market oriented: if the parameters of the industry and the industry itself have changed, they have changed.
- Co-ordinate with other supervisors. Do not double up.
- Be more credible with level playing field efforts. Make it attractive for banks to remain supervised as a BANK. Life is not only sticks, it is also carrots!
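The first point in the list above asks for a simple "hit absorption capacity" model: how much of a high impact / low frequency loss is absorbed by earnings, how much eats into capital, and whether the capital ratio survives, before and after risk transfer to an insurer. The following is an added illustration, not a model from this paper or from Credit Suisse; the bank figures, the loss scenarios and the insurance cover (a deductible and a limit per event) are constructed assumptions, and the ordering "earnings first, then capital" is the one the text describes.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Institution:
    """Loss absorbers of a bank, in CHF m (constructed figures, not a real bank)."""
    name: str
    annual_earnings: float       # pre-tax earnings available to absorb a hit
    capital: float               # regulatory capital
    risk_weighted_assets: float  # denominator of the capital ratio
    min_capital_ratio: float     # regulatory minimum, e.g. 0.08


@dataclass(frozen=True)
class InsuranceCover:
    """Risk transfer to a third party: pays losses above the deductible up to the limit."""
    deductible: float
    limit: float


def insurance_recovery(gross_loss: float, cover: Optional[InsuranceCover]) -> float:
    """Amount a credible insurance contract would reimburse for a single event."""
    if cover is None:
        return 0.0
    return min(max(gross_loss - cover.deductible, 0.0), cover.limit)


def absorb_hit(inst: Institution, gross_loss: float,
               cover: Optional[InsuranceCover] = None) -> Dict[str, object]:
    """One 'hit absorption' scenario: net the loss against insurance, charge it to
    earnings first and only afterwards to capital, then classify the outcome."""
    recovery = insurance_recovery(gross_loss, cover)
    net_loss = gross_loss - recovery
    from_earnings = min(net_loss, inst.annual_earnings)
    from_capital = net_loss - from_earnings
    capital_after = inst.capital - from_capital
    ratio_after = capital_after / inst.risk_weighted_assets

    if from_capital == 0.0:
        verdict = "absorbed by earnings"
    elif capital_after <= 0.0:
        verdict = "capital exhausted"
    elif ratio_after < inst.min_capital_ratio:
        verdict = "breaches minimum capital ratio"
    else:
        verdict = "erodes capital, ratio still above minimum"

    return {
        "gross_loss": gross_loss,
        "insurance_recovery": recovery,
        "net_loss": net_loss,
        "charged_to_earnings": from_earnings,
        "charged_to_capital": from_capital,
        "capital_after": capital_after,
        "capital_ratio_after": ratio_after,
        "verdict": verdict,
    }


def stress_test(inst: Institution, scenarios: Dict[str, float],
                cover: Optional[InsuranceCover] = None) -> Dict[str, Dict[str, object]]:
    """Run every scenario against the institution and return the results by name."""
    return {name: absorb_hit(inst, loss, cover) for name, loss in scenarios.items()}


# Constructed sample bank, scenarios and cover (hypothetical, amounts in CHF m).
SAMPLE_BANK = Institution("Sample Bank", annual_earnings=600.0, capital=3000.0,
                          risk_weighted_assets=30000.0, min_capital_ratio=0.08)
SAMPLE_SCENARIOS = {
    "processing outage": 150.0,
    "legal settlement": 400.0,
    "unauthorised trading": 1500.0,
    "large-scale fraud": 5000.0,
}
SAMPLE_COVER = InsuranceCover(deductible=100.0, limit=500.0)

if __name__ == "__main__":
    for label, cover in (("gross, no risk transfer", None), ("net of insurance", SAMPLE_COVER)):
        print(f"--- {label} ---")
        for name, r in stress_test(SAMPLE_BANK, SAMPLE_SCENARIOS, cover).items():
            print(f"{name:22s} net {r['net_loss']:7.1f}  "
                  f"ratio after {r['capital_ratio_after']:.2%}  {r['verdict']}")
```

Running the two passes side by side shows the point made later in the list: a credible insurance contract changes the verdict for the mid-sized scenario, while the largest scenario exhausts capital either way, which is where the real supervisory attention belongs.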

"Half the failures of this world arise from pulling in one's horse as he is leaping" (August Hare)


12. Selected Areas of Future Concern


As mentioned in the introduction, almost anything in daily banking life has an OpRisk touch. In this final chapter, I have selected - there are more - some areas of future concern. These are concerns for any financial institution, irrespective of size and scope.
1. Business Continuity Planning
2. Customer Complaints
3. IT Migration
4. IT Security
5. Outsourcing
6. Money Laundering
7. Fraud
8. Settlement
9. Communication

12.1 Business Continuity Planning

Business Continuity Planning (BCP) is defined as disaster prevention and disaster recovery planning: the goal of disaster prevention is to reduce the threat of a disaster before it takes place. In contrast, disaster recovery seeks to re-establish the critical functions after an interruption or disaster. BCP depends mainly on 4 resources: people, location, IT and external services. Effective and efficient management of such a situation is overall probably more important for the stakeholders than the economic contribution of insurance. Good OpRisk management - also for low probability / high impact situations - is essential for perception and reputation.

Business Continuity Planning: 12 Basic Checks
1. Does the BCP fit the activity? What are the core activities to prioritise? What are the non-core activities?
2. How much and what information can a core activity afford to lose? How much time can be allowed to restore a core activity to normal activity? What activity needs to be fully mirrored with a backup facility?
3. Does the BCP cover all essential business processes and locations and not only IT and communication infrastructure? Clear responsibilities for shared facilities?
4. Does the BCP include not only electronic data, but also paper archives?
5. How often a year are backup procedures tested for IT-modules and IT-production? How about connectivity, application and user awareness testing?
6. Does the BCP include all IT platforms, including e-commerce? Is the market for emergency procurements large enough or is a two-vendor-policy more advisable?


7. In case of building outages: what percentage of normal business volume has to be functioning e.g. within 1 day and within 2 weeks?
8. How often and thoroughly is the BCP tested and rehearsed with disaster simulation? Is the BCP user awareness sufficient? Does staff understand that a rehearsal is not a performance evaluation, but an evaluation of a plan? Are outsourced activities included in rehearsals? Is the PR department included?
9. Is the BCP regularly updated, especially concurrent to transformation projects? Is it checked at least once a year?
10. Is a backup of a backup needed?
11. Is the BCP consistently a subject for internal audit for all relevant activities and locations?
12. Are the reporting lines in a crisis clear? Is an emergency call list at hand?

A proper OpRisk management requires these questions to be addressed periodically.

12.2 Customer Complaints

Every financial institution pledges customer service and customer satisfaction. But how many really have a proper set-up to live up to this promise? Good customer complaints' handling is good quality and retention management. It can be an OpRisk mitigation tool, which again helps to maintain a good reputation. Only a very small percentage of unhappy customers actually complain, but they tend to tell many others.

Customer Complaints: 12 Basic Checks
1. Do you have a clearly communicated customer complaints organisation with corresponding service lines? Is the service line available 24 hours and accessible in reasonable time? Toll free?
2. Do you have appropriate communication channels to third parties to speedily investigate and respond to a client's complaint that concerns a third party mistake?
3. Is your staff properly trained to counsel irate and even unreasonable customers? Is personnel trained to not trivialise the client's account?
4. Is your staff empowered to make on the spot decisions and gestures?
5. How long does the customer have to wait? How are the complaints referred to specialists or specifically responsible management and staff? How long does the customer have to wait for an answer?
6. Are written complaints answered in writing? In a positive tone?
7. When the bank makes a mistake, is it corrected to the customer's satisfaction?


8. Does your staff handle the situation correctly in case the client made the mistake?
9. Do you keep a complaints log? Does management look at the complaints log?
10. Do recurring complaints lead to action? Do they indicate a faulty organisation, system, systems or unqualified staff? Do they suggest an operational risk? Are customer complaints a KRI?
11. Do you have an institutionalised control mechanism for follow-ups?
12. Even if only a very small percentage actually complains, do you use customer satisfaction surveys? Do the surveys lead to action?

12.3 IT Migration

IT migration is the process of shifting or adapting an organisation's current IT platform in order to accommodate new products/services or regulatory conditions. In doing so, it may be layering existing software with updates, or brand new software may be employed altogether. As IT migration involves the inception of new methods and systems, the OpRisk potential is vast.49 A poorly performed IT migration can have long lasting effects on the operation of a business unit, as well as regulatory repercussions. Once it has been decided that an existing IT infrastructure is no longer suited to a product line or fails to meet regulatory requirements, the attributes of the new system need to be agreed upon.

IT migration: 12 features for success
1. Strong top management support for the project is required. The business strategy and product list should be kept constant throughout the development of the software, as changes after the design has begun may cause expensive delays.
2. A "project building culture" should be fostered in order to create an open and collaborative environment in which a successful IT migration can occur. It should ensure that the common involvement of software specialists, team leaders, staff and end users remains open and viable. Users have to be involved early with their buy-ins.
3. Good project management skills for non-IT related areas are key: leadership is required to complete a successful IT migration.
4. Planning and scheduling of the project and line activities across the Back Office need to be transparent. While accountability cannot be delegated, tasks can. Managers need to prioritise their functions and sign up to a 1 year business plan to ensure that the business remains stable.
5. Projects must plan and budget to keep the core project team in place through the implementation and beyond to manage post-migration issues.

49 Meridien Research Inc., Time for a New Look at Operational Risk, February 2000, p. 3.


6. Standard controls on new processes need to be enforced, along with the associated MIS. If an interim scenario exists where the old and new IT platforms run simultaneously, controls need to facilitate the take-over of the new system as smoothly as possible.
7. Laws can change regardless of a firm's preparedness: expedient completion of a project becomes even more important.
8. Project teams and their management need to be located appropriately in order to ensure better resource-utilisation.
9. Implementation ownership should be given to those who will be responsible for the new processes.
10. Testing of the new system should occur across a set number of days, with production data and in a "parallel run" against the old system.
11. After delivery and thorough testing of the new system, staff and user training and preparedness is key.
12. All significant projects should go through a formal review against project objectives. Accountability of all individuals is key.

12.4 IT Security

The central concept that unites all security related issues is that of a "security-awareness culture". Be it the availability of safe networks, adequate staff training or data storage and backup, the absence of a focused security work ethic will undermine protection efforts. From the perspective of OpRisk, failure to provide sufficient security is perhaps the greatest worry, as networks virtually define the operations of the business.50 As IT continues to develop at a rapid pace, firms come under pressure to understand the security implications of these advances. For competitors, the incentive to take advantage of this time lag is great. A weak security infrastructure matters all the more as the number of people with access to the skills required to attack a network or data keeps increasing. As networks become ubiquitous, access to infrastructure and data becomes a primary concern.

50 For example, the cost measured in lost productivity due to denial-of-service attacks on the US economy last year was estimated at USD 10 billion. This figure will rise in the foreseeable future, and therefore firms which fail to recognise the urgency of a security culture will bear the brunt of those costs. Furthermore, the loss of public goodwill and client confidence will vastly outweigh the costs of installing and maintaining satisfactory security.


IT security: 12 issues
1. IT security begins with the front line user on a day-to-day basis. Users can be changing, erratic, capricious and unreliable. An organisation must have a security culture approach to protect its data and IT.
2. Do we have a culture that minimises reaction times and the frequency of lapses and errors? Can data and files become lost or vulnerable because of unclear storage habits in shared drive networks? Are there clear and systematic rules for data access and storage? It is the responsibility of management to create a security culture that is equipped to handle the pace of change, and remain motivated to further improve systems.
3. The password is the first mode of data and network protection. Is staff, although asked to change network or software passwords frequently, effectively doing so? Are passwords shared just for convenience sake? Are the passwords complicated enough to be "safe"?
4. Networks of networks have to be protected by firewalls which monitor the flow of information from the outside world. Most typically, this will include traffic from the Internet, contact from travelling employees or communication via e-commerce platforms. A breach at any one of these points could cause damage or theft.
5. The system in place is only as good as the training provided to users. Are training manuals, support focal points, documented user rules available? Is regular awareness training assured?
6. E-mail technology, while common, is one of the least secure methods of communicating. An e-mail may be intercepted, and since multiple copies are usually generated, deletion is more complex than usually imagined. E-mails that are sent to external addresses pose further risk, as the messages leave the closed network of the firm. Users need to be made aware of these and similar facts before a casual error results in damage. Virus authors and hackers are creative; a false sense of security should never be allowed to blossom.
7. E-mail security also involves the sender information. E-mail encryption is one part of data transmission security. However, there are commonly used tools which allow the sender of e-mails to change his/her identity and claim to be someone else. Proper IT security will, therefore, have to verify additional sender information, which is harder to fake.
8. None of the present precautionary measures and future variations of them will ever ensure a system that is 100% secure. Some infiltrators will always be able to break firewalls, ID cards, signature files and encryption codes.
9. Computer security is about minimising risk, detecting intrusions and tracking down perpetrators. Protections significantly reduce the number of infiltrators who can break in.
10. Use specialists who are engaged to try to infiltrate your systems.


11. Computer virus attacks are not going to disappear. Once a virus has infiltrated the network, damage in some form is highly probable, irrespective of the duration and scope of the attack. With this in mind, the first step in preventive measures is following common sense rules of conduct. User awareness promotion and training is the answer.
12. A clear and efficient contingency planning is necessary. Backing up crucial information is the most obvious (and simplest) form of a contingency plan; however, this too requires a clear structure. Broader IT contingency planning should be done by each separate business unit by the respective IT Security Officer.

12.5 Outsourcing

Outsourcing remains an avenue by which a firm can attain a competitive edge. Nevertheless, outsourcing is not free of operational risk issues, which must be considered in turn. Primarily, while an operation or service may become outsourced, the ultimate responsibility for it is not. This principle is firmly enshrined in law.51

Outsourcing: 12 issues
1. The final responsibility for the outsourced service remains with the firm. It retains the obligation towards its customers and supervisors to ensure that quality, security, transparency and management reporting of the service(s) are sufficient.
2. Outsourcing an operation allows a firm to focus on core activities, gain efficiency and save costs. These advantages have to outweigh the loss of direct control over the service, particularly as the firm retains the inherent risk.
3. As outsourcing generally extends over long periods of time, the selection of the provider has to include an assessment of the sustainability of his/her financial health and the extent of the mutual dependence.
4. Know-how, information and some infrastructures are lost when activities are outsourced. These cannot be recalled at short notice. Therefore, the institution loses some flexibility and potentially its ability to judge whether the provider remains at the cutting edge in the service it provides.
5. Key processes and core competences should not be outsourced. Too much is at risk. Managers should establish clear Service Level Agreements in order to mitigate the risks. This involves communicating precise minimum quality and reliability expectations.

51 For example the UK Banking Act of 1987. The Act states, "The FSA continues to hold a bank's management accountable for the adequacy of systems and controls for the outsourced activity". The FSA also requires that banks inform them if outsourcing an operation may have a "material" effect on the risk profile. The FSA then must consider the proposal at hand and may object to it. See: FSA, Guide to Banking Supervisory Policy, January 2000.


6. According to FSA rules, Service Level Agreements must exist even if the outsourcing takes place between units of the same firm.
7. Data that is used by the outsourcing firm may include proprietary information, over which managers will lose direct control. It is, therefore, vital that a Service Level Agreement includes provisions for securing confidentiality.
8. An outsourcer must be convinced that the insourcer has adequate safeguards in place.
9. The transparent segregation of duties to be performed has to be made clear to both sides. Confusion in this regard will hamper both the operation of the contracted service, as well as recovery efforts should they be required.
10. The dependence on external entities may pose hidden risks which could only become apparent at a much later time. These can involve a wide ranging number of issues, such as the supply and/or software failure that the service provider relies upon.
11. Open channels of communication must exist between the outsourcer and the contracted firm in order to make contingency plans realistic.
12. Without satisfactory management reporting structures in place by both parties, outsourcing can become inefficient and ineffective.

12.6 Money Laundering

Financial Service institutions are - factually and by perception - exposed to money launderers using and abusing the financial system. This is yet another management concern which every financial organisation has to take very seriously.

Money Laundering: 12 Techniques and Schemes
1. Alternative remittance scheme: involves shifting value from location to location, sometimes using elements of the legitimate economy, including the services of regulated institutions (layering).
2. Physical disposal of cash (art, precious stones etc.).
3. Trade Related Money Laundering: trade in international goods and services, as well as other commercial transactions, are used as a cover.
4. Exploitation of varying VAT rates in different countries facilitated by the legal import/export of goods.
5. Profiting from commission-driven brokerage or securities firms willing to invest huge sums on behalf of money launderers, or even controlled by criminal elements specifically for that purpose (e.g. BCCI).
6. Placement of funds into real estate.
7. Structured cash transactions through currency exchange bureaux and ATMs (automated teller machines).


8. Smuggling of cash, especially from one country to a less vigilant one.
9. Placing large scale regular bets through casinos.
10. Cash purchase and early encashment of life insurance policies.
11. Company Formation Agent: Such agents - individuals or entities - create juridical persons or legal entities, specifically "shell companies", or companies with no registered assets or operations where they are registered. These activities are used to layer and integrate illegitimate funds.
12. A major new issue is Internet - Online Banking: Opening and transacting through an online account can remove the face-to-face contact between customer and institution which often is the point at which suspicion initially arises. Internet banking allows for a single individual to simultaneously control several accounts with different institutions without attracting attention from those institutions with whom the accounts are maintained. The identity and location of persons accessing the online account (via the ISP) are often unverifiable, allowing unrestricted access to and control of accounts from any location.

Counter Measures for Financial Services: The UK FSA - as one example - will have an explicit and adequately empowered role in setting and enforcing standards in regard to money laundering.52 The role is no longer implicit as to ensuring firms' "fitness and properness". The proposed rule on compliance: "A firm must take reasonable care to establish and maintain adequate systems and controls for compliance with its regulatory obligations and for countering the risk that it might be used for further financial crime." The essence of counter measures and controls is:
- To exercise care when commencing business with a new customer
- At that stage, and subsequently, to give alert and informed consideration to the possibility of money laundering by a customer or prospective customer
- Where suspicions of money laundering arise, to communicate them to the authorities
- To ensure senior management oversight and control (without impeding the communication of individual suspicions to the criminal investigation authorities)
- To secure and maintain the informed participation in these systems of all relevant employees of the business
- To keep records which may prove significant for subsequent criminal investigations and prosecutions
- Traditional money laundering methods pose serious problems for the financial industry already; the e-money technology widens the scope of criminal activities available for the laundering of money today: establish systems which follow unusual transactions

Governments, law enforcement agencies, financial services and supervisors worldwide are faced with an enormous challenge. It is, however, financial institutions which arguably bear the lion's share of responsibility in limiting the spread of illicit money via e-commerce. This must happen by adherence to a policy as suggested above and development of IT solutions that resist the trend towards unrestricted size, movement of value and anonymity of users of e-commerce technology.
52 FSA Consultation Paper 46: "Money Laundering: the FSA's new role", London, 4/2000.


To put it simply: reinforcement of the KYC - Know Your Client - policy is a core OpRisk issue.
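The last counter measure above asks for "systems which follow unusual transactions", and technique 7 in the list names the pattern such a system most commonly looks for: cash split into amounts just under a reporting threshold and placed through several channels. The following is an added illustration of that detection logic from the monitoring side; it is not the paper's or any bank's system. The reporting threshold, the "just under" band, the look-back window, the minimum count and the whole deposit log are constructed assumptions (the threshold is a placeholder, not a statutory figure).

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed monitoring parameters (placeholders, not taken from the paper).
REPORTING_THRESHOLD = 10_000.0   # cash amount at or above which a report is filed
NEAR_THRESHOLD_BAND = 0.75       # deposits at >= 75% of the threshold count as "just under"
LOOKBACK = timedelta(days=7)     # window over which near-threshold deposits are added up
MIN_DEPOSITS = 3                 # minimum number of such deposits to raise an alert

Transaction = Tuple[str, str, float, str]   # customer id, timestamp, cash amount, channel

# Constructed sample cash-deposit log (no real customers or transactions).
SAMPLE_LOG: List[Transaction] = [
    ("C001", "2001-03-01 09:15", 9_500.0, "branch"),
    ("C001", "2001-03-02 18:40", 9_800.0, "ATM"),
    ("C001", "2001-03-04 12:05", 9_200.0, "exchange bureau"),
    ("C001", "2001-03-20 10:00", 9_900.0, "ATM"),           # isolated, outside the window
    ("C002", "2001-03-01 11:00", 25_000.0, "branch"),        # above threshold: reported normally
    ("C003", "2001-03-03 14:30", 2_000.0, "ATM"),
    ("C003", "2001-03-03 15:00", 1_500.0, "ATM"),
    ("C004", "2001-03-05 09:00", 6_500.0, "branch"),         # below the band: ordinary activity
    ("C004", "2001-03-06 09:00", 6_000.0, "branch"),
    ("C004", "2001-03-07 09:00", 5_500.0, "exchange bureau"),
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def is_near_threshold(amount: float, threshold: float = REPORTING_THRESHOLD,
                      band: float = NEAR_THRESHOLD_BAND) -> bool:
    """True for a cash amount that sits just under the reporting threshold."""
    return band * threshold <= amount < threshold


def find_structuring(log: List[Transaction], threshold: float = REPORTING_THRESHOLD,
                     band: float = NEAR_THRESHOLD_BAND, lookback: timedelta = LOOKBACK,
                     min_deposits: int = MIN_DEPOSITS) -> List[Dict[str, object]]:
    """Flag customers whose near-threshold cash deposits, taken together within the
    look-back window, reach the threshold they individually stay under.
    One alert per customer, describing the first qualifying cluster."""
    per_customer: Dict[str, List[Tuple[datetime, float, str]]] = defaultdict(list)
    for customer, ts, amount, channel in log:
        if is_near_threshold(amount, threshold, band):
            per_customer[customer].append((_parse(ts), amount, channel))

    alerts: List[Dict[str, object]] = []
    for customer in sorted(per_customer):
        deposits = sorted(per_customer[customer])
        for i, (start, _, _) in enumerate(deposits):
            cluster = [d for d in deposits[i:] if d[0] - start <= lookback]
            total = sum(amount for _, amount, _ in cluster)
            if len(cluster) >= min_deposits and total >= threshold:
                alerts.append({
                    "customer": customer,
                    "deposits": len(cluster),
                    "total": total,
                    "from": cluster[0][0].date().isoformat(),
                    "to": cluster[-1][0].date().isoformat(),
                    "channels": sorted({channel for _, _, channel in cluster}),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_structuring(SAMPLE_LOG):
        print(alert)
```

An alert is a prompt for the informed consideration the FSA text calls for, not a conclusion: the analyst still reviews the customer's profile and the record of the review is kept, which is the "keep records" point above.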

12.7 Fraud53

Fraud: 12 Issues
1. It is people, not businesses or systems, that commit fraud. In today's "connected economy" fraud is increasing. Fraud permeates every area of business. Almost one third of all frauds are committed by management. Since management usually makes up a much smaller portion of the workforce, this finding suggests that managers are more likely to commit fraud than other staff. Frauds are "disasters waiting to happen". They often start with a small incident, followed by some sort of a "spiral".
2. What makes people commit fraud? In simple terms, fraud is committed when a motive coincides with an opportunity. Among the main initiating factors are:
- Pressure to perform: a key factor
- Personal pressure: debt, excessive lifestyle, gambling, etc.
- Other triggers can be: beating the system, greed, revenge, boredom

3. Watch for the unusual as well as for some common fraud indicators:
- Autocratic management style; mismatch of personality and status; unquestioning obedience of staff
- Unusual behaviour; expensive lifestyle; untaken holidays
- Illegal acts of any sort
- Poor quality staff; low perceived status
- Low morale; high staff turnover; lack of intellectual challenge
- Results at any cost; compensation tied to nominal performance
- Poor commitment to control; poor reputation
- Remote locations poorly supervised; several firms of auditors
- Poorly defined business strategy; no "buy-in" by managers and staff
- Continuous profitability in excess of firm and industry norms
- Mismatch between growth and systems development
- Complex structures

The following points illustrate some means and tools to combat fraud:
4. Management and staff being alert to fraud and to its warning signs helps to stop fraud at an early stage.

53 Partly based on Fraud Watch, 2nd Edition, Davies, D., KPMG, ISBN 185355 958 X, abg professional information, London.


5. Management structures and systems: Structures are the foundation of internal control. Problems with structure and system may therefore completely undermine good controls. The following issues should therefore be given particular consideration:
- Degree of collective responsibility
- Role of the chief executive
- Dominant personalities on board and management level
- Interaction between top management
- Relationship between head of division and division staff
- Status of support functions, including risk management
- Remoteness of the reporting lines
- Business unit defensiveness: "them and us"
- Status of front office, i.e. "front office heroes"
- Reward structure undermining the management structure
- Risk alertness

6. Matrix management structures, while not inherently more risky, simply involve different kinds of risk which are not always easily recognised. Possible points of friction can be:
- Loyalty to a local business head rather than the functional head
- Incentives not aligned with structural responsibilities
- Special arrangements outside the normal management structure
- Lack of relevant expertise to operate a new structure
- Structure impedes implementation of risk management procedures
- Conflicting business objectives
- Culture and ethics

7. Style and shared values: There are many ways of expressing what is an accepted standard and what is not. Essential is that all staff at all levels in a company are bound to work under a set of rules which everyone has to accept. Disciplined action by management according to what is not acceptable is essential. A good means to identify the hallmarks of a company's culture is to ask employees which adjectives best describe what it is like to work there. Where there is excessive pressure, risk increases. Problems can also occur where staff or a local entity is not assimilated into a group culture.

8. Communication: Effective communication contributes to a successful operating environment by securing staff buy-in to strategies and policies and giving management early warning signs of issues.


9. People and technology: In more recent times computer fraud has become a global issue. The Internet age has removed the traditional safety previously provided by physical boundaries and can potentially replace it with an information and communication "free for all" environment. The attitude of need-to-know is being replaced with need-to-share. The "job for life" ethos has disappeared and - along with it - the traditional loyalty to the firm. IT departments are increasingly staffed with high levels of contractors or are outsourced altogether, which poses risk culture issues. Technology cannot provide all the controls necessary. There remains a high reliance on staff and the application of manual controls. Organisations with loyalty are hard to develop and to retain. The "modern" culture can quickly move toward the "something for nothing" attitude. In such an environment, an increasing number of employees - given the opportunity - will commit fraud.

10. IT Security: The growing reliance on the Internet for communication makes the issue of IT security more critical. The days are gone when security could be viewed as an IT activity delegated to the IT department. Today, security practices need to be an integral part of the way in which every employee carries out his or her job. To test one's own IT security, the same tools are employed as those used by the hackers. An example is the program SATAN, which was developed in the USA and can be downloaded for free from the Internet. Penetration testing has become another major tool for organisations looking for assurance over their security arrangements. The testing is normally carried out by an "independent" who will attempt to intrude into the system in one or more scenarios such as "an unknowledgeable outsider" or "a knowledgeable outsider", etc. Good testers will use a variety of technical and social engineering techniques to break into the system, only in order to derive corrective measures. Digital signatures are likely to become the most common method of verifying a user's identity in the electronic environment.

11.

For each category of business risk there is in principle always an equivalent fraud risk. A "fraud shadow profile" can visualise fraud risks more clearly.

12.

12 Rules for limiting hackers' attacks: S S S S S S S S S S Use regularly up-dated virus software Do not allow online merchants to store your credit card information purchases Use hard-to-guess passwords and change frequently Use different passwords for different Web sites and applications Use the most up-to-date version of your Web browser Send credit card information only to secure sites Install firewall software to screen traffic if you use DSL or a cable modem to connect to the net Do not open e-mail attachments unless you know the source of the incoming message Have an regular awareness and training program Act fast to attacks and coordinate the virus control mechanism worldwide
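The two password rules above (hard-to-guess passwords, and a different password for every site and application) and the remark in item 10 that security is every employee's job can be turned into a mechanical check. The following Python script is an added example written for this edition; it is neither code from the original presentation nor a Credit Suisse tool. The policy thresholds (12 characters, three character classes), the short common-password list and the sample credential vault are constructed for the illustration. Reuse is detected on keyed fingerprints (HMAC under a per-user key) so the comparison never has to retain the plaintext passwords.

```python
import hashlib
import hmac
import re

# Constructed list of commonly chosen passwords (illustration only, not a real breach list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "admin"}


def password_weaknesses(password: str, min_length: int = 12) -> list:
    """Return the policy rules a password violates; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Count how many of the four classes (lower, upper, digit, symbol) are present.
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if password.isdigit() or re.fullmatch(r"(.)\1*", password):
        problems.append("trivial pattern (all digits or one repeated character)")
    return problems


def find_reused_passwords(credentials, user_key: bytes) -> list:
    """Group the sites that share a password, comparing keyed fingerprints only.

    credentials: iterable of (site, password) pairs. The fingerprint is an HMAC
    under a per-user key, so equal passwords are recognised without the
    fingerprints revealing the passwords themselves.
    """
    sites_by_fingerprint = {}
    for site, password in credentials:
        fp = hmac.new(user_key, password.encode(), hashlib.sha256).hexdigest()
        sites_by_fingerprint.setdefault(fp, []).append(site)
    return sorted(sorted(sites) for sites in sites_by_fingerprint.values() if len(sites) > 1)


def audit(credentials, user_key: bytes) -> dict:
    """Apply both checks: per-site policy violations and groups of reused passwords."""
    weak = {}
    for site, password in credentials:
        problems = password_weaknesses(password)
        if problems:
            weak[site] = problems
    return {"weak": weak, "reused": find_reused_passwords(credentials, user_key)}


if __name__ == "__main__":
    # Constructed sample vault for one user (hypothetical sites, not real accounts).
    vault = [
        ("bank", "Tr0ub4dor&3-Meridian"),
        ("shop", "Tr0ub4dor&3-Meridian"),   # same password as the bank: rule 4 violated
        ("mail", "password"),               # weak on three counts: rule 3 violated
        ("forum", "x9!Lq2#vB7$wK1pR"),
    ]
    print(audit(vault, user_key=b"per-user-secret-example"))
```

The policy check reports every rule a password breaks rather than stopping at the first, which is what an awareness program needs to explain to the user what to change.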


12.8 Settlement

The concept of settlement risk is nothing new to the financial community. Most famously, the Bankhaus Herstatt was rendered insolvent in 1974 due to settlement problems [54]. The term "Herstatt risk" has since been used to describe the risk arising from banks making and receiving payments at different times. The degree to which a bank is at risk depends on the trade and settlement window size. While it would be possible to mitigate Herstatt risk by speeding up reconciliation across settlement systems, a live-feed system that settles transactions simultaneously is the obvious preferred solution. That solution will come with the Continuous Linked Settlement (CLS) system in the form of the CLS Bank, which received regulatory approval in the United States. The CLS settlement process itself will follow three steps: a) the matching of trades, b) the debiting and crediting of accounts held at CLS and finally c) the liquidity movement between users. The CLS Bank will not allow counterparty substitution, and strict adherence to paying-in times and limit checks is crucial. At present, intra-day trades will not be accommodated, but these may be feasible later. As discussed in the KPMG survey of the CLS Bank, the basic structure involves three types of users. The first, "Settlement Members", are shareholders of the Bank and settle trades using their own accounts held at the Bank. A "User Member" also inputs trades directly into the CLS books, but is not a shareholder or involved in liquidity management. The final user type is the "Third Parties", which conduct settlement via the previous two member types [55]. Without going into any further detail of the settlement risk complexity, I am listing key issues that can be used as a check list.
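The three CLS steps named above (matching, debiting and crediting of accounts at the settlement institution, liquidity movement) and the two rules attached to them (no counterparty substitution, paying-in and limit checks) can be illustrated with a small payment-versus-payment model. The Python model below is an added example for this edition; it is not CLS Bank's actual processing logic and not code from the original presentation. The member names ALPHA and BETA, the short-position limits, the amounts and the value date are constructed. The point it shows is why atomic booking of both legs removes the Herstatt exposure: instructions that do not mirror each other are never settled, and a trade that would breach a member's limit is rejected as a whole instead of leaving one leg paid away.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Instruction:
    """One member's instruction for an FX trade. Amounts are in minor units (cents)."""
    trade_id: str
    member: str         # the member submitting this instruction
    counterparty: str   # the member it expects on the other side
    pay_ccy: str
    pay_amount: int
    recv_ccy: str
    recv_amount: int
    value_date: str


class PvPSettlementBank:
    """Toy payment-versus-payment model (constructed for this example).

    Both legs of a matched trade are booked in one atomic step or not at all,
    so no member pays away one currency while still waiting for the other:
    that waiting period is exactly the Herstatt exposure.
    """

    def __init__(self, short_limits: dict):
        # short_limits[member]: most negative balance tolerated in any currency.
        # 0 means no overdraft, i.e. the member must have paid in beforehand.
        self.short_limits = short_limits
        self.balances = {}       # (member, ccy) -> amount in minor units
        self.instructions = {}   # trade_id -> {member: Instruction}

    def balance(self, member: str, ccy: str) -> int:
        return self.balances.get((member, ccy), 0)

    def pay_in(self, member: str, ccy: str, amount: int) -> None:
        """Fund the account ahead of settlement (the paying-in time the text mentions)."""
        self.balances[(member, ccy)] = self.balance(member, ccy) + amount

    def submit(self, instr: Instruction) -> None:
        self.instructions.setdefault(instr.trade_id, {})[instr.member] = instr

    def match(self, trade_id: str):
        """Step a): return the two instructions if they mirror each other, else None.

        Each side must name the other (no counterparty substitution) and the
        currencies, amounts and value date must agree exactly.
        """
        sides = self.instructions.get(trade_id, {})
        if len(sides) != 2:
            return None
        a, b = sides.values()
        mirror = (a.counterparty == b.member and b.counterparty == a.member
                  and a.pay_ccy == b.recv_ccy and a.pay_amount == b.recv_amount
                  and a.recv_ccy == b.pay_ccy and a.recv_amount == b.pay_amount
                  and a.value_date == b.value_date)
        return (a, b) if mirror else None

    def settle(self, trade_id: str) -> str:
        """Step b): debit and credit both members' accounts atomically, after a limit check."""
        pair = self.match(trade_id)
        if pair is None:
            return "unmatched"
        a, b = pair
        entries = [(a.member, a.pay_ccy, -a.pay_amount), (b.member, a.pay_ccy, +a.pay_amount),
                   (b.member, b.pay_ccy, -b.pay_amount), (a.member, b.pay_ccy, +b.pay_amount)]
        # Project all four entries first; nothing is booked until every balance passes.
        projected = dict(self.balances)
        for member, ccy, delta in entries:
            projected[(member, ccy)] = projected.get((member, ccy), 0) + delta
        for (member, ccy), amount in projected.items():
            if amount < self.short_limits.get(member, 0):
                return f"rejected: limit breach for {member} in {ccy}"
        self.balances = projected      # commit: both legs at once
        del self.instructions[trade_id]
        return "settled"


def run_demo() -> dict:
    """Constructed scenario with hypothetical members ALPHA and BETA."""
    bank = PvPSettlementBank(short_limits={"ALPHA": 0, "BETA": 0})
    bank.pay_in("ALPHA", "USD", 1_000_000_00)
    bank.pay_in("BETA", "EUR", 900_000_00)
    vd = "2003-04-02"
    # T1: ALPHA sells USD 1,000,000 for EUR 900,000; both sides agree.
    bank.submit(Instruction("T1", "ALPHA", "BETA", "USD", 1_000_000_00, "EUR", 900_000_00, vd))
    bank.submit(Instruction("T1", "BETA", "ALPHA", "EUR", 900_000_00, "USD", 1_000_000_00, vd))
    # T2: BETA keyed a different EUR amount, so the instructions do not match.
    bank.submit(Instruction("T2", "ALPHA", "BETA", "USD", 500_000_00, "EUR", 450_000_00, vd))
    bank.submit(Instruction("T2", "BETA", "ALPHA", "EUR", 455_000_00, "USD", 500_000_00, vd))
    # T3: matched, but after T1 ALPHA has no USD left to pay.
    bank.submit(Instruction("T3", "ALPHA", "BETA", "USD", 200_000_00, "EUR", 180_000_00, vd))
    bank.submit(Instruction("T3", "BETA", "ALPHA", "EUR", 180_000_00, "USD", 200_000_00, vd))
    results = {tid: bank.settle(tid) for tid in ("T1", "T2", "T3")}
    for member, ccy in (("ALPHA", "USD"), ("ALPHA", "EUR"), ("BETA", "USD"), ("BETA", "EUR")):
        results[f"{member}_{ccy}"] = bank.balance(member, ccy)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The design choice worth noting is that the limit check runs on a projected copy of the ledger and the real ledger is replaced only once all balances pass; a bank that debited the paying leg first and checked afterwards would have recreated the Herstatt window inside its own books.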

54 BIS (1996), Report, p. 6.
55 KPMG Continuous Linked Settlement Survey, January 2000, p. 32.


Settlements: 12 Checks

1. Data on trade volumes have to be collected: Statistics should be available to provide daily evidence of trade volumes for both securities and monies transacted. Time series of trade volumes show changes in volume (expressed in percent or units), allowing management to allocate resources and recognise potentially critical issues. This is especially relevant when comparing these statistics to a third-party benchmark, e.g. cash trading volume on a selected number of stock exchanges.

2. Know your failed trades: It is imperative that a financial institution knows quickly whether trades have been successfully concluded or have failed, for whatever reason.

3. Ageing of failed trades is critical: The ageing of failed trades has to be monitored. The tolerated age of a failed trade varies from institution to institution, but delays longer than 30 days raise serious questions.

4. Drill-down reviews should be performed: Statistical evidence should be reviewed regularly at the lowest level of operations management, reflecting their respective action / influence parameters. As the seniority of operations management increases, the frequency of reviews should decrease.

5. Monitoring and analysis is necessary: Detailed daily analysis should be monitored at the lowest operations management level. The monitoring and analysis should, if required, lead to the identification of concrete remedial actions.

6. Benchmarking emulates excellence: Establish benchmarks for each division, sub-division or any group / entity within the organisation. Monitor the discrepancies versus the benchmark and allocate a rating, e.g. acceptable, warning zone, unacceptable. Make the report more easily readable by applying a different colour to each level.

7. Risk rating reports: Senior operations management should be made aware of the development of settlement risks, at least on a monthly basis.

8. Accountability drives the implementation of control actions: Senior operations management must be accountable for actions after warning signs have been analysed.

9. Management plans should be drawn up: Action plans for cleaning up the ongoing business issues should be produced, including their monitoring by management.

10. Speak to operations staff: All statistics should only be seen as a means of control; they cannot always tell "the whole story". To be an informed manager it is necessary to speak to staff at regular intervals.

12. Co-ordinate business plans with front offices: To avoid unforeseen settlement problems (e.g. unexpected significantly higher and unmanageable volumes, processing of new instruments, entering new markets) it is imperative that senior operations management is well connected with the front office business drivers (see synchronisation).
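Checks 1, 2, 3 and 6 describe statistics that a settlement function can compute from its own trade records. The Python script below is an added example for this edition, not code from the original presentation: it computes daily volumes and their day-on-day percentage change (check 1), ages every failed trade as of a report date (checks 2 and 3), buckets those ages with the 30-day threshold the text names, and rates the failure rate against a benchmark on the acceptable / warning zone / unacceptable scale of check 6. The eight trade records, the report date and the 10 % and 25 % deviation thresholds are constructed for the illustration.

```python
from datetime import date

# Constructed settlement records for the example (not real trades).
TRADES = [
    {"id": "T1", "trade_date": "2003-02-20", "status": "settled"},
    {"id": "T2", "trade_date": "2003-02-20", "status": "failed"},    # open for weeks
    {"id": "T3", "trade_date": "2003-03-03", "status": "settled"},
    {"id": "T4", "trade_date": "2003-03-04", "status": "settled"},
    {"id": "T5", "trade_date": "2003-03-04", "status": "settled"},
    {"id": "T6", "trade_date": "2003-03-20", "status": "failed"},
    {"id": "T7", "trade_date": "2003-03-20", "status": "settled"},
    {"id": "T8", "trade_date": "2003-03-28", "status": "failed"},
]
AS_OF = date(2003, 4, 1)   # constructed report date


def daily_volumes(trades) -> dict:
    """Check 1: number of trades per trade date, the raw series behind the statistics."""
    counts = {}
    for t in trades:
        counts[t["trade_date"]] = counts.get(t["trade_date"], 0) + 1
    return counts


def volume_changes(volumes: dict) -> dict:
    """Check 1: day-on-day change in percent, keyed by the later date."""
    days = sorted(volumes)
    return {d: round(100.0 * (volumes[d] - volumes[p]) / volumes[p], 1)
            for p, d in zip(days, days[1:])}


def failed_trade_ages(trades, as_of: date) -> dict:
    """Checks 2 and 3: age in days of every failed trade as of the report date."""
    return {t["id"]: (as_of - date.fromisoformat(t["trade_date"])).days
            for t in trades if t["status"] == "failed"}


def ageing_buckets(ages: dict) -> dict:
    """Check 3: bucket failed trades by age; over 30 days is the serious case."""
    buckets = {"0-7": 0, "8-30": 0, ">30": 0}
    for age in ages.values():
        if age <= 7:
            buckets["0-7"] += 1
        elif age <= 30:
            buckets["8-30"] += 1
        else:
            buckets[">30"] += 1
    return buckets


def benchmark_rating(actual: float, benchmark: float,
                     warning: float = 0.10, unacceptable: float = 0.25) -> str:
    """Check 6: rate a metric by its relative deviation from the benchmark.
    The 10 % and 25 % thresholds are constructed for this example."""
    deviation = abs(actual - benchmark) / benchmark
    if deviation >= unacceptable:
        return "unacceptable"
    if deviation >= warning:
        return "warning zone"
    return "acceptable"


def settlement_report(trades, as_of: date, benchmark_fail_rate: float) -> dict:
    """Assemble the figures a lowest-level operations manager would review daily."""
    volumes = daily_volumes(trades)
    ages = failed_trade_ages(trades, as_of)
    fail_rate = len(ages) / len(trades)
    return {
        "volumes": volumes,
        "volume_change_pct": volume_changes(volumes),
        "failed_ages": ages,
        "ageing": ageing_buckets(ages),
        "overdue": sorted(tid for tid, age in ages.items() if age > 30),
        "fail_rate": fail_rate,
        "fail_rate_rating": benchmark_rating(fail_rate, benchmark_fail_rate),
    }


if __name__ == "__main__":
    for key, value in settlement_report(TRADES, AS_OF, benchmark_fail_rate=0.05).items():
        print(f"{key}: {value}")
```

The "overdue" list is the item that check 8 holds senior operations management accountable for: each trade in it has a name and an age, so the report can be turned into the action plan of check 9.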

12.9 Communication

Communication is the lifeline of any financial institution. The structure, systems, processes and organisation of communication are an OpRisk in themselves. In addition, an ineffective communication set-up can escalate any other loss or risk situation, whether factual or perceived: from cracks to crisis. Communication in a loss, risk or crisis situation needs careful judgement of external risk concerns versus external confidence and trust. In a situation of high external risk concern, communication is a must, regardless of whether external confidence in the institution is low or high. Below is a short description of a framework of risk mitigants for communication risks. It is basically a demanding task in regard to all of the 12 S's of an organisation: easy in wording, sometimes awesome in implementation. Each of the following 12 priorities or mitigants has OpRisk inherent in it [56].

Corporate Communication: 12 Priorities

1. Listen to the internal and external world: "Machine room visits", media clippings and discussions with constructive but critical inside and outside sources can reveal real concerns significantly.

2. Understand the context: Get the right information on a problem, determine the risk communication type, develop the objective. Listen to communication specialists, but senior management determines the message and the audience.

3. Build the communication team: Turn to the specialist for specific problems, internally and externally. Ideally, a core group has practised before and knows each other well from experience. Credible specialists provide details or background information.

4. Design the message: Assess the consequences of releasing information earlier or later. Too early an announcement might endanger accuracy; waiting too long is an invitation for third-party speculation. Companies should identify the risk proactively in order to gain the trust of the internal and external world that everything in their power is being done to manage the risk. It is not easy to separate internal and external communication in crisis situations. Important, however: internal communication has to take place at least at the same time as external announcements. Be honest, open and frank, or your credibility will suffer; it is only a question of time. The media has an immense influence on many employees of the company concerned, so that the outside message / media is also relevant for internal people management.

5. Co-ordinate and co-operate with other credible sources: Examples include regulators, auditors, consultants, administration, politicians, etc.

6. Align the message with the target audience: Where does the audience live? Profile? Concerns? Opinions? Perceptions? Specific issues for specific "high interest" groups? Spokespersons of stakeholders? NGOs, experts, special interest groups in the audience?

7. Complete the "four R's" in crisis situations: Should a loss or risk situation develop into a crisis, the following four "R's" apply: regret, reform, restitution and responsibilities have to be covered.

8. Always consider the "12 Priorities for media: Complexity-reduction criteria in a complex world":
- Bank activities are complex and difficult to understand: dealing with large sums makes them ideal media targets.
- Circumstances are less important than loss quantification, personalities involved and "victims".
- The headlines these days: money, sex, crime, sports plus envy, fear, despair, hate and hope.
- New is what is new to media. What might be old for a bank might well be new for media.
- Quotes used imply seriousness of research: selection along newness value, conflicts, emotions, drama, money. Quotes are often taken out of context. Therefore, repeat your real message over and over.
- Conflicts always help to dramatise: Chairman, CEO and ExB Members are prime targets.
- Quantification implies preciseness of research. Banks with their losses and risks are especially interesting: it is so easy to put up a headline - myth of money and size at work.
- Localisation gives a sense of identification: the closer, the more visible, touchable, emotional.
- Deviations from factual and normative expectation make the news, e.g. a large fraud in a trusted bank.
- Moralisation along "good" and "bad": moralisation is always personification.
- Personification reduces the factual issue complexity: "bad guy" in a complex loss situation.
- "Telling a story" is more "attractive" than factual description.
Simplification of all the above is a means to differentiate in the ever increasing "Information-Gau". We have to live with it.

9. Review the communications program prior to implementation: Communication has to be integral and consistent: "use the same language". Test and practise the program internally and externally with a trusted, but critical group. Depending on the situation, communicate with supervisors ahead of public statements.

10. Delivery is at least as important as the content: Depending on the situation, empathy rates higher than competency. Be brief, clear and concise. Avoid negativisms: it takes four positive words to erase the meaning of one negative word. Use statistics and research, but only in lay terms.

11. Evaluate the communication program after implementation: An evaluation should be the basis for the next, improved, program. Risk communication programs deserve at least the same attention as the usual corporate programs.

12. Be credible: Professionalism and credibility are preconditions for effective risk and loss communication.

56 Some suggestions for the 12 Priorities are based on Thiessen, K.: "Don't gamble with Goodwill", The Conference Board of Canada, 284-00 Report.

12.10 Transformation Management

Common denominators for major restructurings, mergers and acquisitions: 12 Imperatives

1. Self-critical SWOT analysis:
- Challenge core assumptions: intellectual and emotional honesty is the issue
- If environment / parameters change:
  * transform even if still successful
  * ideally: be ahead of change or force change
- Focus on opportunity, not on problem
- Look hard at how organisation / target / project really function

2. WILLINGNESS to change and COMMITMENT to the transformation process:
- Hope = engine for achievements: perpetual triumph of hope over experience
- Have a clear mission and a clear purpose
- Have a common vision and a "clear and simple" strategy
- Capitalise on sense of urgency: "burning platform"
- Never forget human emotions
- Absolute priority: desire and ability to change and commitment to lead by example
- Earn the trust of the audience: credibility throughout the process is the issue

3. Goals and activities must generate ADDED VALUE and be perceived as such:
- Focus on what the mission really is in its environment
- Use power of argument, not order
- Top projects are top tasks for top management
- Get advocacy through "committed champions"

4. Mobilise a FORWARD-LOOKING corporate culture:
- New mission sent to everybody
- Key to success: work WITH and not AGAINST the organisation
- "Stretching and pain for everybody" as policy

5. The CUSTOMER / END-USER is the final arbiter:
- Limit internally generated enthusiasm for projects: include customer / end-user early

6. The client is only interested in the QUALITY he / she receives during transformation:
- View the world through your customers' eyes
- The better the ongoing service, the better the internal and external credibility of the project
- Continuously adjust Business Continuity Plans

7. CREDIBLE ORGANISATION and CREDIBLE TOOLS:
- Source, share, synthesise and store knowledge of past projects
- Both rational and emotional reactions are to be taken seriously
- Avoid the "not-invented-here" syndrome
- Get and keep key talents: money and opportunities
- Have a retention program for key players, incl. the transformation team
- Be careful with early retirements: watch the need for organisational knowledge
- Implement with a "high-performance" team: those who cannot follow are not part of the team

8. TIMING and TEMPO are key success factors:
- Trade-off between speed of execution (short-term) and building a common culture (long-term)
- Fight of the large global Goliath against flexible, local e-Davids
- Allow for "productive impatience": allow for mistakes
- Cut through the "permafrost" of people's attitudes: people generally do not welcome the consequences of transformation

9. Recognise the "NEW VALUES":
- Transform the whole organisation, not just the "bottom"
- Promote a culture of success, with lifetime learning: create a winner mentality
- Detect and support new talents
- Foster the brand as an HR tool

10. Avoid RESIDUAL COST BURDENS:
- Examine old structures and processes
- Outsource non-core activities

11. Manage INTERNAL AND EXTERNAL EXPECTATIONS:
- Use open, simple and ongoing communication
- Use surveys, "town hall meetings" with global reach, Intranet responses by top management
- "Over-communication" is mostly better than "under-communication"

12. Major transformation projects only have ONE CHANCE:
- Execute the decisions in the spirit of the mission
- If environment / parameters change during the transformation project: change the shift
- Continuously monitor, control and supervise: the guarantee for early corrections and an objective final assessment

"People may doubt what you say, but they believe what you do" (Lauris Cass)


List of Abbreviations

ART - Alternative Risk Transfer
ATM - Automated Teller Machine
BBA - British Bankers Association
BCCI - Bank of Credit and Commerce International
BCP - Business Continuity Planning
BIS - Bank for International Settlements
BoD - Board of Directors
BT - Bankers' Trust
C&F - Commission and Fee
CAMEL - Capital, Asset, Management, Earnings, Liquidity
CBOT - Chicago Board of Trade
CEO - Chief Executive Officer
CFO - Chief Financial Officer
CLS - Continuous Linked Settlements
COO - Chief Operations Officer
CORE - Compendium of Operational Risk Events
CR - Credit Risk
CRO - Chief Risk Officer
CRSA - Control and Risk Self-Assessment
CS - Credit Suisse
CSFB - Credit Suisse First Boston
CSG - Credit Suisse Group
CSPB - Credit Suisse Private Banking
DSL - Digital Subscriber Line
ECB - European Central Bank
EMI - European Monetary Institute
EQ - Emotional Quotient
ERC - Economic Risk Capital
EU - European Union
EVT - Extreme Value Theory
FED - Federal Reserve
FIORI - Financial Institutions Operational Risk Insurance
FOBO - Front Office Back Office
FT - Financial Times
FSA - Financial Services Authority UK
GFF - Group Corporate Development / Finance
GIGO - Garbage In Garbage Out
GOLD - Global Operational Loss Database
GRM - Group Risk Management
GSTPA - Global Straight-Through Processing Association
HBCI - Home Banking Computer Interface Standard
HO - Head Office
IQ - Intelligence Quotient
IRT - Internet Related Technologies
ISDA - International Swaps and Derivatives Association
ISP - Internet Service Provider
IT - Information Technology
KCI - Key Control Indicators
KISS - Keep It Short and Simple
KPI - Key Performance Indicators
KRI - Key Risk Indicators
KYC - Know Your Client
L&C - Legal and Compliance
LTCM - Long Term Capital Management
M&A - Mergers and Acquisitions
MIS - Management Information System
MGT - Management
MORE - Multinational Operational Risk Exchange
MR - Market Risk
NGO - Non Governmental Organisation
NIAT - Net Income After Tax
OECD - Organisation of Economic Cooperation and Development
OpRisk - Operational Risk / Risks
PKI - Public Key Infrastructure
PR - Public Relations
PwC - PriceWaterhouseCoopers
RAROC - Risk Adjusted Return on Capital
RMA - Robert Morris Associates
RMG - Risk Management Group
SEC - Securities and Exchange Commission
SSL - Secure Sockets Layer
SWIFT - Society for Worldwide Interbank Financial Telecommunications
TQM - Total Quality Management
TRT - Traditional Risk Transfer
USAF - US Air Force
USGAAP - US Generally Accepted Accounting Principles
VAR - Value at Risk
VAT - Value Added Tax
WGR - Winterthur Group

Bibliography

Aichele, C., H. Hanebeck, A. Kiang (no date), "A short Course on Business Process Re-Engineering with ARIS", IDS-Gintic Pte. Ltd.
Airtevron one, VX.1 Safety/Naptobs Dept. (no date), "Introduction to Operational Risk Management".
Austega (2000), "Banking and Risk Management", Jan. 2000.
Avery, R., P. Milton (2000), "Insurers to the Rescue?", RiskProfessional, Special Issue on Operational Risk, Spring 2000, pp. 61-69.
Basel Committee on Banking Supervision, Risk Management Group (2000), "Other Risks (OR) Discussion Paper", BS/00/27, BIS, Basel, Apr. 2000. Quoted as BIS (2000).
Basel Committee on Banking Supervision (1998), "Framework for the Internal Controls Systems in Banking Organisations", BIS, Basel, Sept. 1998.
Basel Committee on Banking Supervision (1999), "A New Capital Adequacy Framework", BIS, Basel, Jun. 1999. Quoted as BIS (1999).
Basel Committee on Banking Supervision (1999a), "Enhancing Corporate Governance for Banking Organisations", BIS, Basel, Sept. 1999. Quoted as BIS (1999a).
Basel Committee on Payment and Settlement Systems (1996), "Settlement Risk in Foreign Exchange Transactions", BIS, Basel, March 1996. Quoted as BIS (1996).
Bieberdorf, W.J. (1997), "Operational Risk Management", MCO 3500.27, Naval Safety Centre, Norfolk, Va, Apr. 1997.
Boose, A. (1996), "Characterisation of Tremor", University of Tübingen, 1996.
British Bankers Association, ISDA, RMA, PricewaterhouseCoopers (1999), Operational Risk, the Next Frontier, RMA, Philadelphia, 1999. Quoted as BBA (1999).
CMG (no date), "Operational Risk - Can it be Quantified?".
CORE (1999), CORE Database.
Davies, P. (2000), Fraud Watch, 2nd Edition, KPMG, London, 2000.
Dickinson, G. (2000), "Insurance Finds a Blend of Innovation and Tradition", Financial Times, Jun. 6, 2000.
FSA (2000), "Money Laundering: the FSA's new role", FSA Consultation Paper 46, London, Apr. 2000.
FSA (2000), Guide to Banking Supervisory Policy, London, Jan. 2000.
Gapper, J., N. Denton (1997), All that Glitters - The Fall of Barings, Penguin Books, 1997.
Hoffman, D. (1998), "Getting the Measure of the Beast", Risk, Nov. 1998, pp. 38-41.
Hoffman, D. (1998a), "New Trends in Operational Risk Measurement and Management", in Jameson, R. (1998), Operational Risk and Financial Institutions, Risk Books, Arthur Andersen, 1998.
Irvine, J. et al. (1979), Demystifying Social Statistics, Pluto, 1979.
Jameson, R., ed. (1998), Operational Risk and Financial Institutions, Risk Books, Arthur Andersen, UK, 1998.
Jewell, C. (2000), "Lies, Damned Lies and Usable Statistics", Operational Risk Manager, Jun. 2000, pp. 7-8.
Jung, J. (2000), From the Schweizerische Kreditanstalt to Credit Suisse Group, NZZ Verlag, Zurich, 2000.
Kessler & Co. (2000), "Protecting Your Information Assets and e-Business Activities", Net Secure™, Zurich, 2000.
Kimball, R. (2000), "Failures in Risk Management", New England Economic Review, Jan./Feb. 2000, pp. 3-12.
Kimber, M. (2000), "Finding Value in a Collection of Losses", Operational Risk Manager, Jun. 2000, pp. 11-13.
KPMG (2000), Continuous Linked Settlement Survey, Jan. 2000.
Lukaszewski, J. (1988), (no title), White Plains, NYC, 1998.
Meridien Research Inc. (2000), Time for a New Look at Operational Risk, New York, Feb. 2000.
Morris, S. (2000), Operational Risk Control, What FSA Expects... and You Must Do, CMS, London, Jun. 2000.
Norris, F. (1994), "Orange County Crisis Jolts Bond Market", The New York Times, Dec. 8, 1994.
Norton, J. (no date), Security and Data Protection, FKM.
Ong, M. K. (1998), "On the Quantification of Operational Risk, A Short Polemic", in Jameson, R. (1998), Operational Risk and Financial Institutions, Risk Books, London, 1998.
Rachlin, C. (1998), "Operational Risk in Retail Banking", in Jameson, R. (1998), Operational Risk and Financial Institutions, Risk Books, London, 1998.
Randall, J. (2000), "Digital Buccaneers Caught in a Legal Web", Financial Times, May 30, 2000.
Samad-Khan, A., D. Gittleson (1998), "Measuring Operational Risk", Global Trading, Q4 1998, pp. 34-35.
Saunderson, E. (2000), "Operating the Learning Curve", Banking Technology, Feb. 2000, pp. 36-40.
Senior, A. (1999), "A Modern Approach to Operational Risk", RiskProfessional, Issue 1/3, May 1999, pp. 24-27.
Shih, J., A. Samad-Khan, P. Medapa (2000), "Is the Size of an Operational Loss Related to Firm Size?", reprint of Operational Risk, Feb. 2000.
Sommer, D. (2000), Global Council on Risk Management, The Conference Board of Canada, 2000.
"Sumitomo Losses Show Up Poor Links", Computing, Jun. 20, 1996.
Swiss Bankers Association (2000), Comments on the Paper "A New Capital Adequacy Framework" of the Basel Committee on Banking Supervision, Preliminary Draft, Mimeo, Jan. 2000.
Thiessen, K. (2000), Don't Gamble with Goodwill, The Conference Board of Canada, 284-00 Report, 2000.
US Air Force (no date), Operational Risk Training.
US Navy 27th Fighter Wing (no date), Air Combat Command.
US Navy (1997), "OPNAVINST 3500.39", Submarine on Board Training, Apr. 1997.
Weczel, P., O. de Perregaux (1998), "Must It Always Be Risky Business?", McKinsey Quarterly, N1, 1998, pp. 95-103.
Young, B. (2000), Quantification of Operational Risk, Centre for Operational Risk Research & Education, 2000.
Young, R. M. (1979), "Why Are Figures so Significant? The Role and the Critique of Quantification", in Irvine, J. et al., eds., Demystifying Social Statistics, Pluto, 1979.