Exchange Ideas

Causal Capital

RMB - Risk, Markets & Banking

 

March 28, 2006

Business Continuity and Outsourcing

The noise over Pillar I of CP3 has subsided somewhat since its final release in 2004. Many organizations are still in the thick of their capital adequacy programs, and whole regions such as the US actually lag behind the agenda; nonetheless, the Bank for International Settlements (BIS) is now onto the next urgent topic of debate: business continuity and financial sector stability.

Late last year a joint forum of regulatory bodies pioneered by BIS released a high-level principles consultative document for business continuity; however, they are far from alone in this level of tenacity towards Business Continuity Management. The International Association of Insurance Supervisors, the International Organisation of Securities Commissions and the Financial Services Authority in the UK have all been releasing material over the last twelve months that pertains to various programs which address Business Continuity.

BIS Joint Forum 14

The Monetary Authority of Singapore defines Business Continuity Management as:

Business Continuity Management (BCM) is an over-arching framework that includes policies, standards, and procedures. It not only addresses the restoration of information technology infrastructure but also focuses on the rapid recovery and resumption of MAS' critical functions during disruptions. One important aspect of the framework is the formulation of BCM policies and exercise strategies.

This is also echoed in the BIS document as `A whole-of-business approach` that includes policies, standards, and procedures; however, many institutions have simply focused on central facility centres rather than the full value chain approach, which considers a dependency analysis describing the interaction of each business layer, from human roles to third parties and outsourced functions.

+ Outsourced Functions
What about outsourcing in Financial Services?

Well, ten months earlier BIS also released a white paper discussing the transference of this risk to third party services (TPS); however, not all banks are actually measuring the dependencies they have with these other entities.

BIS Joint Forum 12
With many of these third parties not regulated, there is concern among regulators as to how outsourcing could possibly `impede the ability of regulated entities to demonstrate to regulators (e.g., through examinations) that they are taking appropriate steps to manage their risks and comply with applicable regulations.` Business Continuity aside, banks are in most cases unable to control some of the more basic security exposures that are present in outsourcers, and this has been identified as a contributing factor to the increasing theft and distribution of account numbers, credit card details and other client personal information, the protection of which forms the basic compliance agenda of a regulated entity.

The joint forum does however outline nine principles it expects financial institutions to have in place to ensure their relationship with third parties doesn’t impede the second party; that being the customer and the bank-to-bank relationship. It is a concise read describing clearly the types of risks that might be present and the hurdles that could be encountered reaching the nine principles, and it also has several case studies from Australia, Germany and the US, showing where each regulator is drawing the line on what it considers a bank's responsibility.

It's not all bad news though: some third party providers of services are starting to ask questions on what they need to do to help banks have a transparent reporting process of risk profiles available for their regulator, and some are looking at offering ‘a measure of capital’ that the bank might be able to include in its modeling.

One of the largest concerns remaining of course is that many of these third party providers are servicing several institutions from the same jurisdiction, and hence a systemic fault or outage would potentially impact multiple banks simultaneously; that presents the largest of all fears for regulators. An example of this occurred a couple of years ago in Australia, where a cash carrier servicing four banks had an industrial dispute that resulted in staff departing their obligations of servicing the ATM network. Like most union focused agendas the strike action targeted one of the busiest times of the year, when any service is required most, and many customers were unable to access cash over the Christmas period. Literally, ATMs were emptied in hours not to be replenished for days, and some branches had to close because they were unable to distribute notes.

+ Back to Business Continuity and Capital
The BIS paper also focuses on 'the tension' between resilience and 'the costs'. In institutional terms that is a focus on returns versus costs, while the regulators are striving towards a broader public interest of financial sector stability. All very similar agendas but all with a different emphasis.

Fortunately there are always compromises to be had, particularly for those banks that have selected the Advanced Measurement Approach to operational risk, and even more so if they are using the sbAMA methodology for estimating capital. Theoretically, under such methods the bank is able to add a set of scenarios that clearly describe a potential impact from an event (with these third parties) in combination with its discrete likelihood. Now we know business continuity can’t always prevent the likelihood component of the event, particularly with environmental disasters; however, the bank can often control the extent of how far these impacts draw out, and that is easier to translate into a capital exercise. Good models will have the ability to append such scenarios against the loss curve and then reduce their scale of magnitude through corrective actions, which has the positive effect of pushing the tail of this loss curve left along the axis, translating to a lower capital number.

Posted by CausalEvents at 01:57 PM | Comments (0)

March 19, 2006

What if a bunch of bankers had breakfast?

At a recent Risk Waters gathering late last year, a group of senior bankers sat down for a breakfast of scenario analysis and there were some credible names present: David Wong, vice president of operational risk from ABN Amro, and Todd Loudenslarger, also vice president, from US Bancorp, amongst a smattering of consultants. Most of the debates revolved around the difficulties of implementing a scenario program: `Have you seen any butting of heads with senior managers when it comes to implementing imagination in these scenarios` and in that respect they have a very valid point.

The Risk Waters Scenario Breakfast

Scenarios are an intricate and neat way of solving the dimensioning of severe events that describe the tail of the loss distribution but, unlike more complex alternatives such as extreme value theory, they only really work if business units can be engaged.

In this article we are going to investigate the phases for a good scenario analysis program that is transparent throughout the bank.

+ The sbAMA Working Group
But before we do, we are going to refer to a similar working group of internationally active banks that identified the main steps way back in 2003. What was then a so-called scenario-based approach to AMA has since been dubbed sbAMA by the industry, and this peer group, which consisted of Dresdner Bank, Lloyds TSB, UFJ and Barclays Bank to name just a few, identified six phases of the scenario lifecycle. In theory, if the phases are followed then a transparent scenario framework should result, and it should cover worst case events in both front office and back office operations.

So let’s have a quick look at those phases.

+ Phase 1 – Scenario Generation
This represents the first step on the path to establishing a scenario framework; however, it requires a solid and central taxonomy for operational risk to be present throughout the bank before its success is assured.

The scenario generation phase involves senior risk managers mapping out key products, services and related dependencies with the other divisional risk teams, and collectively they will determine the boundaries for developing realistic case studies for each risk event classification.

Without doubt this is by far the longest phase of the program and requires continual business unit interaction to ensure that a plausible list of questionnaires is generated to fit all the central issues surrounding the operations of the bank.

+ Phase 2 – Scenario Assessment
With the scenarios now generated, the business units must evaluate each scenario’s individual relevance in the context of their operations. The main objective is to capture two key variables for each potential event: a frequency or likelihood point and a potential severity or magnitude number.

In reality this is best achieved by collecting a range of numbers showing both upper and lower bounds, so that business units are able to justify the responses in the next phase of the lifecycle.

+ Phase 3 – Data Quality
Simply estimating these two key variables or “lines in the sand” is not sufficient. These values have to be qualified, and that is accomplished by reviewing assessment factors such as loss data, external data which is scaled to the business unit, and other indicators that each business unit may possess to prove that the scenario is plausible.

During this stage it isn’t uncommon for scenarios to be readjusted or even canned altogether; however, the ones that remain must have the supporting documentation lodged against them in the scenario database.

+ Phase 4 – Determination of Parameter Values
The scenarios are worked backwards or, as the paper puts it, “Any required parameter values to be employed in the model for distributions or analytical solutions are determined from the scenario assessment data”.

So each scenario's individual frequencies and severities that make up each class need to be combined in a matrix. The mean and deviation for each cell of the matrix are then investigated.

While this is a straightforward task statistically, it does require the operational risk department to collect and handle a lot of different data points from adjacent parts of the organization. These diverse areas are likely to return such details in the most tardy manner, and as operational risk is not often the highest priority on their radar, staff often have to be chased.

Once this data has been collected or proportionately gathered, each homogeneous matrix is tested for means and standard deviations across its individual cells, and anomalies are more than likely to appear. These oddities should be investigated by the central risk department, but what is an anomaly? The question is particularly hard when some business units will report low impacts from certain scenarios and others much higher or more serious consequences. The analyst doesn’t want to become obsessed with the large numbers as much as with the volatility of deviations for a department in any one cell compared to its other classes, and of course the comparison is also carried out against other business units. It is the volatile cells that should attract most attention.

Put it this way: it’s a big enough task that I am thinking of building a system to do this and writing an article on it; however, that is future work.
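A sketch of the Phase 4 cell review, as an added example rather than anything from the sbAMA paper or the author's planned system. The business units, event classes and severity estimates are constructed, and the flagging rule (a cell's coefficient of variation exceeding twice the median of its row peers and of its column peers) is an assumption, since the text leaves "anomaly" undefined.

```python
from statistics import mean, median, pstdev

# Constructed matrix (assumed figures): business unit -> event class ->
# severity estimates gathered for that cell during scenario assessment.
SCENARIO_MATRIX = {
    "Retail": {
        "Internal Fraud": [90, 100, 110],
        "External Fraud": [900, 1000, 1100],
        "Systems Failure": [45, 50, 55],
    },
    "Payments": {
        "Internal Fraud": [180, 200, 220],
        "External Fraud": [50, 400, 1200],   # wide spread: the volatile cell
        "Systems Failure": [9000, 10000, 11000],
    },
    "Treasury": {
        # Very large numbers, but the estimates agree with each other.
        "Internal Fraud": [4500000, 5000000, 5500000],
        "External Fraud": [2700, 3000, 3300],
        "Systems Failure": [450, 500, 550],
    },
}


def coefficient_of_variation(estimates):
    """Standard deviation relative to the mean, so cell size drops out."""
    m = mean(estimates)
    return pstdev(estimates) / m if m else 0.0


def volatile_cells(matrix, ratio=2.0):
    """Return (unit, event_class, cv) for cells that are volatile compared
    with both the unit's other classes and other units in the same class."""
    cv = {
        (unit, cls): coefficient_of_variation(values)
        for unit, row in matrix.items()
        for cls, values in row.items()
    }
    flagged = []
    for (unit, cls), value in cv.items():
        row_peers = [x for (u, c), x in cv.items() if u == unit and c != cls]
        col_peers = [x for (u, c), x in cv.items() if c == cls and u != unit]
        if not row_peers or not col_peers:
            continue  # nothing to compare against
        if value > ratio * median(row_peers) and value > ratio * median(col_peers):
            flagged.append((unit, cls, round(value, 3)))
    return flagged


if __name__ == "__main__":
    for unit, cls, value in volatile_cells(SCENARIO_MATRIX):
        print(f"investigate {unit} / {cls}: coefficient of variation {value}")
```

The Treasury cell holds the largest figures in the matrix yet is not flagged, because its estimates agree with one another; only the Payments cell with the wide spread is returned.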

+ Phase 5 – Model & Parameters
The fifth step moves away from the business units and involves group operational risk modeling the scenarios in the capital system. There are of course several ways of achieving such a function, and all are dependent on what data has been captured to this point; however, one industry recognized method is to use Monte Carlo.

After collecting the discrete frequency points and the continuous magnitude of events across the organization, the system needs to create a hypothetical loss distribution by combining these two variables for all cells of the matrix. Monte Carlo is one method of combining such families of distributions, and I recommend reading the article at the end of this paper because it has a very down to earth explanation of how Monte Carlo works in theory.

The only catch with this approach, and there always are catches with operational risk, is to be able to prove, ascertain or be confident that the correlation factors between the Risk-Event-Classifications have been captured. That is where one risk event spreads itself across several categories, increasing in magnitude as it does. There are again several methods of achieving this understanding; however, we will leave that to another journal as it is out of scope for implementation debates.

+ Phase 6 – Model Output
Back to our implementation: one of the great things with this approach is that, since the business units have been involved in all steps up to phase 5, their incentive and interest levels are usually higher than in projects that have employed more pure stochastic methods; however, at one point or another they are going to need to see their risk profile. The overall loss distribution values for regulatory capital can be established by fitting the hypothetical distribution to a curve type and identifying the quantile (an absolute value that corresponds to a given percentile of the probability distribution function). The business units usually need these reports to show specific data points so that they can understand which scenarios need to be managed and which ones are causing the capital numbers to expand. At the end of the day the bank wants to mitigate or transfer these scenario data points off its hypothetical event horizon, and the business units will offer the best solutions to achieve that goal.

The landmark paper can of course be found at this address:

The sbAMA working group.

Posted by CausalEvents at 08:43 PM | Comments (0)

March 13, 2006

Link between internal capital and regulatory capital

One of the most articulate and well delivered speakers on the operational risk circuit would have to be Susan Schmidt Bies of the US Federal Reserve Board, and she was working her magic again late last year with another laudable speech at the International Centre for Business Information on risk management. In line with her previous addresses on subjects such as the demarcation of credit and operational risk, this delivery is as much interesting as it is true to the world of banking:

The linkage between internal capital measures and regulator capital requirements

Curiously, it’s a subject that doesn’t attract that much attention, and there are many operational risk analysts I have met who don’t particularly distinguish between the two, even though they are quite different measures, reserves and methodologies, as Ms Bies points out.

For safety and soundness reasons, bank supervisors must be sure that a bank with greater exposure to riskier lines of business, products and customers holds more capital than a bank that is more risk adverse and designs its business plan to minimise risk taking
Let me add a point about the differences between minimum regulator capital, as set out in the Basel accord and the level of capital that banks may choose to hold for business reasons

+ What is Capital in terms of risk
Before we look at some of the gaps between these measures of risk and some of the misinterpretations that exist in the industry, let’s loosely define the terms. Capital, what is this? It is a term so often bandied around that it becomes misused, perhaps even trendy to drop in conversation. In the context of banking and risk together it is a reserve that is held to preserve the “ongoing integrity” of the organisation; some people liken it to a buffer that ensures the institution can account for potential threats to its business, and in this sense it provides protection against unexpected losses.

It generally comes in two forms, Tier 1 and Tier 2, where Tier 1 is considered very safe, reliable and liquid and usually consists of common stock that is non-cumulative, irredeemable and retained earnings. Tier 2 is also accepted by global regulators as the second most reliable form of reserve and consists of accumulated after-tax surplus of captured earnings, revaluation reserves of fixed assets and long-term holdings of equity securities, hybrid debt/equity capital instruments and subordinated debt.

+ Regulatory Capital vs Economic Capital
‘Regulatory Capital’ and ‘Economic Capital’ are, so far in our definition, the same thing; however, with regulatory capital the method by which to calculate the reserve is prescribed by the regulator. This ensures a greater comparability among banks, and the Basel accord pillar II / III is specifically designed to facilitate this. Regulatory capital also defines what instruments can be used for Tier 1 and Tier 2 capital and what risks the bank must measure, estimate and hold reserves for; the latter part of that statement is critical. When approaching operational risk from a regulatory capital perspective, it is imperative for the bank to set up its event classifications so that it may integrate external data within its regulatory calculation.

Economic capital in comparison is a lot more dismembered because it encompasses risks that may not be directly part of the regulatory capital suite, and ideally it would encourage the bank to include gearing of operations in the calculation. Economic capital generally allows the bank to understand a profitability margin against associated or chosen risks, within each business line in turn. It is a metric often referred to in the theme of risk adjusted return on capital, and it can be used to benchmark one business unit against another. Regulatory capital on the other hand is less focused on the business return and more on the bank describing its 99th percentile quantile of aggregated loss; a position it should have a complete aversion to and be holding reserves for.

While economic capital also enjoys the freedom of allowing the strategy of the framework to include calculation practices or remove them, this liberty often creates a major difference between the two methodologies. In particular, deriving regulatory capital from economic capital is a complex task, although many banks have taken to doing both by bolting on reporting criteria for regulatory components within their economic capital systems. How this is done we will have to leave to another article, as that is not what we are trying to drive out here. So back to Ms Bies: a statement she made left me pondering where the industry is truly at, or perhaps the outlook of some of those that operate in it.

One of the questions regulators have been asked as we work toward implementing Basel II is whether we can just continue to encourage the improvement in risk modeling at banks and stop there, i.e., not tie risk models to capital.

I too have heard statements of similar tenor and was shocked; in fact, every time I hear an operational risk analyst lean this way, I have this image of them traveling to a nine-to-five job with both fingers crossed: “please no BCP issues today”. They are generally well intentioned and following a check list but leaving the rest to luck.

In reality different banks don’t have the same risk, and applying a blanket of audit check lists across the group doesn’t really help senior management understand what causes their exposures. Most importantly, focusing on the cost effectiveness of controls against risk in the light of products gives strategic decisions a platform of justification. Then if we move back to our capital question, surely risky business activities need higher reserves, not some smear across all organisations against a weird proxy such as “revenue”, which doesn’t present a real gauge of the type of risk a business entertains. For what it’s worth, I selected net profit as an example proxy because that is how the Basel II basic indicator approach operates and it has more critics than it does partisans.

Operational risk in particular is nebulous; that is, an auditor may follow a prescribed set of actions and still return an unsatisfactory result, quite simply because this risk classification is exogenous in nature and there are often many causes for a single fault, some of which no control can be 100% effective against. Quantifying operational risk from a capital perspective though is a solution to this unlikely problem because it ties probability, frequency and magnitude on the same curve, and it is that curve that allows the analyst to best decide what the worst outcome may be and what should be reserved if such an event occurs.

So without further ado please find a link to the Bies speech here:
Bies on Capital

Posted by CausalEvents at 09:54 PM | Comments (0)

March 12, 2006

A different kind of liquid risk analysis

When modeling operational risk, it is usual for the practitioner to divide the analysis into two parts. This results in:

1) The creation of a severity of loss probability model

and

2) The construction of a frequency of loss probability system

In this brief article we will quickly link these two measures and also look at one contribution to statistical theory.

A single operational risk event is part of a system of many events, each with a specific loss value of its own; however, the primary reason for this division of analysis is that the numerical properties of these two distributions (frequency and magnitude) operate under completely different dynamics, right down to how variance and means are measured. The severity loss model is a continuous distribution that may take on any value between a lower and upper limit, while the frequency model is likened to the random number of customers walking through the door and is a discrete analysis used to understand the count of events within the number of combinations of possibilities.

The simple essence of Monte Carlo is a convolution process used to combine these two forms of analysis and results in a single picture of what might occur considering the current variables that have been measured.
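The convolution described here, which is also the Phase 5 and Phase 6 step of the sbAMA lifecycle and the "pushing the tail left" effect of corrective actions discussed elsewhere on this page, shown as an added example that is not from the page or the sbAMA paper. The Poisson frequency, lognormal severity, every parameter value and the `residual` mitigation factor are assumptions chosen for illustration.

```python
import math
import random

# Constructed scenario cells (assumed figures, not from the page):
# lam = expected events per year (discrete frequency),
# mu/sigma = lognormal parameters of one loss (continuous severity),
# residual = share of severity remaining after corrective action.
CELLS = [
    {"name": "routine processing errors", "lam": 20.0,
     "mu": 10.0, "sigma": 1.0, "residual": 1.0},
    {"name": "third-party outage", "lam": 0.05,
     "mu": 15.0, "sigma": 1.0, "residual": 0.4},
]


def poisson(rng, lam):
    """Draw an event count with mean lam (Knuth's multiplication method)."""
    limit, count, product = math.exp(-lam), 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(cells, years, seed, mitigated=False):
    """Monte Carlo convolution: for each simulated year draw a count per
    cell, then that many severities, and sum them into one annual loss."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for cell in cells:
            scale = cell["residual"] if mitigated else 1.0
            for _ in range(poisson(rng, cell["lam"])):
                total += scale * rng.lognormvariate(cell["mu"], cell["sigma"])
        totals.append(total)
    return totals


def quantile(samples, q):
    """Empirical quantile: the loss value at percentile q of the sample."""
    ordered = sorted(samples)
    index = max(0, math.ceil(q * len(ordered)) - 1)
    return ordered[min(index, len(ordered) - 1)]


def capital_comparison(years=10000, seed=2006, q=0.99):
    """Same random stream with and without mitigation, so the difference
    in the tail is caused only by the reduced scenario severity."""
    base = simulate_annual_losses(CELLS, years, seed)
    after = simulate_annual_losses(CELLS, years, seed, mitigated=True)
    return {
        "base_q": quantile(base, q),
        "mitigated_q": quantile(after, q),
        "base_mean": sum(base) / years,
        "mitigated_mean": sum(after) / years,
    }


if __name__ == "__main__":
    for key, value in capital_comparison().items():
        print(f"{key}: {value:,.0f}")
```

Because both runs consume the same random draws, every simulated year's loss in the mitigated run is less than or equal to its unmitigated counterpart, which is why the quantile can only move left.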

Interestingly though, the history of mathematical analysis is often derived from applications far from the field of science, banking or even economics.

That fundamental ideas in applied mathematics would be developed in a brewery sounds sufficiently improbable, but the story is true and intriguing. The statistical technique most often used to study events of low probability was discovered by a Polish mathematician and an employee of the Guinness brewery.

The scholars behind the stout - John Kay

Posted by CausalEvents at 03:01 PM | Comments (0)

March 07, 2006

Strategy Risk vs Operational Risk

The definitional boundary of operational risk is intricately tied to that of strategy; however, while Pillar-I of the Basel Accord excludes it from operational risk, Pillar-II certainly does not. We are going to have a brief look at it here.

The reason it has been segmented this way is most likely that BIS wants to encourage financial institutions to put a credible quantification framework and a solid operational risk management infrastructure into play before introducing more complex risk scalars. All good in concept, but that then leaves the organisation to set about clearly defining what constitutes an operational event, and that will require the institution to highlight the nature of strategic causes so that they can be put aside for consideration at a later date.

A recent debate with a colleague from a large Australian insurance company attested to such a problem.

---> Really what is the definition of strategic risk?
and
---> Is a poor strategy an operational event of the finance or planning department?

He has raised some good points here, and the market risk section of Pillar-I can't exist unless such boundaries are drawn; which they are in Pillar-I.

“Clearly documented trading strategy for the position/instrument of portfolios, approved by senior management which would include expected holding horizon” and “dealers have the autonomy to enter into/manage the position within agreed limits and according to the agreed strategy”

Operational risk on the other hand doesn't make mention of such clear divisions, yet such segregation policies are paramount to establish if the bank is going to align losses accurately in a transparent taxonomical structure. If that fails then these loss repositories will be imbued with nebulous data points, all of which are difficult to statistically interpolate, particularly if opinion changes next financial year.


+ On with Pillar II and Strategic Risk
So onto Pillar II, which makes a good 17 references to strategic risk; from the strategy of holding capital itself, which is in bold might I add, to “The analysis of a bank's current and future capital requirements in relation to its strategic objectives”.

One of the foundational problems with measuring anything though is starting out with a clear definition. The good old statement that everyone seems to throw around like loose change in a café, “one has to measure what they manage and define what they measure”, might just be applicable here, even though I generally avoid regurgitating overused paraphernalia. However, if you pop out and search the web for a good definition you’ll enter a dungeon of burgeoning risk analysts all lobbying a concept that seems to suit their agenda.

A good place to begin and perhaps finish with is the TOWS matrix. At least it commences its piece by explaining the Greek origins of strategy; it does though move onto a process that could be effective in planning strategy, and I certainly recommend having a peep by following this link:

TOWS

What I find appealing with the TOWS Matrix is that it offers a process for capturing alternative strategies along with internal weaknesses and strengths. This is very important because that levels how management should decide strategy. Really any risk decision is based on the following criteria: a good understanding of one's ability for success, what drives that success, the alternatives and an appetite for risk/aversion in the current environment.

The TOWS matrix also draws a line between tactical failure and strategic failure for they are very different beasts. Tactical failure of course has a closer proximity to operational risk than a poor steering choice, so now all one has to do is understand whether the inability to mobilize a good tactical team or understand what environment they operate best in belongs to poor strategy or an operational event.

Posted by CausalEvents at 01:36 PM | Comments (1)

What can I do with PRMIA online?