May 01, 2008
Its just human nature
I read all this garb about the SocGen deal, lack of internal control, failed control processes, collusion between the front and back office; come on be real did this guy just go delinquent? No I would say management, may be not at the top, but halfway up the ladder had to be in on the job; surely. Well on the spectrum of matters we know they are one of two things:
Assuming the bank has some definition of risk appetite these people are either incompetent or corrupt; which is a worse place to be?
If one draws a line between these two positions, management probably sat somewhere at a place where they tolerated huge positions while the ticket was paying but cut it when the tide turned. Good honest fair people I am sure.
This is one of the problems with trading losses from operational risk (trading outside policy), it is the modus operandi of it all. Traders are rewarded on performance as are most artisans in most professions however in the broker environment this encourages increased risk taking. Under the typical model, risk aversion and return are negatively correlated (through a narrow quantile of the correlation range) that is less risk aversion higher yield; so to enjoy marginal utility of reward, a trader must continue to step further from the baseline of risk aversion until there is of course negative marginal utility of return. One can liken it to ethanol consumption, the first drink is just an appetiser for the second and after the fourth, light dirty humor and a savage grope of ones appendages is a pleasant place to be, after the tenth unit the negative aspects of intoxication through saturation become evident, unfortunately well after the fact and the only cure is to ditch the margin account by unwinding anything that is open and then to vomit profusely only to commence the whole process again a week later.
There are so many human ills that fall in this bucket, taking in obesity and exercise junkies through to other obsessive compulsive disorders, perhaps the feedback model around fear itself at the other end of the scale is part of this insatiable human flaw. In this case paranoia brings those afflicted to a false and safe nirvana in the belief that risk aversion itself allows them to seek pleasure by moving as far away from pain as possible. Like our trader in reverse, if maximum risk aversion is left unchecked (too many rules, too many controls)such distortion of what is real and what is not leaves a different `non-sentient` in another baron place where returns are as low as the residual risk around them.
May be we are all suffering some kind of sickness, myopia, call it what you may. From statistical data I have reviewed from cash operations in several banks it is evident that given opportunity to defraud without risk, most people will take the chance. Its a simple calculation, an ATM cash dispenser can be in one of four positions:
1) Dispensing cash on value demanded - Operating as designed
2) Dispensing more cash than demanded - What we call an Over Pay
3) Dispensing less cash than demanded - One of those Short Pays
4) Not operating at all - Plenty of those around
The bank is looking for option one however these other places do occur. In reality, these are dumb machines and when you choose to withdraw $100 from your account, the device will simply pull a note or a mars bar wrapper from a bin and debit your account the numbers you entered on the keypad. Now say the 50 dollar notes are in the 100 bin, you`d be short 50 bucks when you withdraw and it follows that if the 100 dollar notes are in the 50 dollar bin you`d be creaming it in, being debited 50 bucks and paid 100 and that is truly money for nothing.
When these machines are loaded the operators sometimes stack the right notes in the wrong bin and that can go either way; 50% chance being under or 50% chance being over.
Now the outcome. There is a bank in Sydney, name withheld of course which receives around 3000 calls a month on complaints about ATM cash dispensary, seems like a lot but a sick machine will serve many customers incorrectly. So to work with our probability model above the average complaints over a year should be down the middle 50/50 however in reality what happens is that 2995 calls out of three thousand are for short pays and 5 or so calls are for over pays. Sadly for me I have only ever been underpaid which is one of the reasons I avoid Citi and for the 50 sing dollars I will forever be due, I feel restituted talking about them here.
So after this digression, let`s go back to our trader just to round it up. Can we seriously cut them alone for stepping outside policy and shouldn`t we implicate the management, may be the whole People-Response-Appetite system as well because being human and given the chance most people will take the over pay any day and complain, persecute and demoralize when they are out of pocket.
Posted by CausalEvents at 04:10 PM
| Comments (0)
January 13, 2008
Is there any point in AML?
Over the last few months some of the media attention on the craziness in the financial sector leaves one pondering whether perhaps some of the risk approaches employed by banks are worthy of the budgets underlying them. None the less, I meet enough of these risk managers to believe in them, just. I do pity situations such as the one at Barclays only a few days ago.
A conman is believed to have found the chairman Mr Agius details online and then successfully convinced call centre staff to issue a Barclaycard in his name which resulted in a GPB 10,000 loss. I suppose the good news is that the bank was able to report the loss and the BBC stated:
``Bank chiefs were said to be `burning up` with embarrassment`` and they have chosen to fully refund their chairman.
BBC Report
Let`s leave this one alone, it`s only a drop in the ocean of control weakness across an entire industry. In November the UK government itself (HM Revenue and Customs) lost a couple of computer discs that hold the personal details of all families in the UK with a child under 16. The discs include names, addresses, date of birth, national insurance numbers along with the guardians bank details and while the Chancellor Alistair Darling said there was no evidence the data had gone to criminals, he did urge people to monitor their bank accounts ``for unusual activity``. At this point I suppose one does need to pity 25 million or so people who live in the UK with a child under the age of 16 because their details are floating around out there, wherever there is, let`s hope its not in the Barclays call centre.
BBC Report
What is the real nexus in it all is that the underworld may now potentially be sitting on a permanent source of future opportunities, awash with millions of details from a pool it can draw on to prefabricate new accounts for fraud, money laundering, layering, tax evasion, criminal insinuation, harassment or any device it chooses, an asset with a value in itself I am sure.
Let`s broaden this out a tad, how big is the problem globally?
Well, Good Morning America coincidently ran an article at about the same time as the UK scandal stating ``More than 10 million Americans are victims of identity theft each year, which comes with a hefty price to both consumers and businesses, costing more than 50 billion annually.``
When I read these numbers, that faith in risk management at some of these financial institutions is starting to wane. As a financial community in general of course; I am sure there are some institutions out there doing something sensible outside the norm, but as a risk community do we have any grip over fraud or anti money laundering?
As I see it and the way it appears to be panning out, we are truly kidding ourselves if we believe we are any closer in answering that question.
Posted by CausalEvents at 04:04 AM
| Comments (1)
October 01, 2007
Simpson's Paradox
Recently I was at one of those typical conferences where pensive bankers float around the tea and cakes while the hoard of speakers promote one novel yet convoluted topographic framework after another. Some of the speakers delivered quite convincing, highly vocal demonstrations crammed to the brim with hard hitting cliches and a bouquet of consultant friendly diagrams but were alas such empirically vacuous pieces of work. My abdication from frustration finally came during the break where I was lucky enough to entertain an intriguing conversation with a lonely soul who was propping up the symmetrically stacked chocolate eclairs. He claimed that in his opinion control self assessment is the longest running institutional fraud of the operational risk camp and even with game theory under check by auditing departments directly, the results were staggeringly wrong. Business units that were showing the highest signs of improvement when benchmarked seemed to have most of the problems, how could this be?
Perhaps the problem lies in a Simpson's Paradox.
Simpson's Paradox is a fascinating puzzle that often appears when inferred causal relationships are aggregated based on two variables and it is particularly common when percentages are used to present holistic data that has many entry points, a typical structure for control self assessment and a breeding ground for the disorder.
This condition was apparently publicly discovered (however I doubt that something this obvious could fool statisticians for so long) in a submission of statistics for the University of California at Berkeley in 1973. In short, a study was carried out to assess whether the admission process for the university was fair, was the university discriminating based on gender and if so which gender was loosing out. The top level report showed favoritism towards male students however analysis of the underlying data painted a very opposite picture and the study sample was so large that it could not be blamed on variation of random variables, so how could a reversal and a very misleading error occur?
The best way to explain this is with a simple example. Imagine two departments (Department A and Department B) are running a control self assessment program which reports the results on improvements to specific controls that have been assigned to the business units for correction:
-------------Month 1----Month 2----Overall
Dep A----62.10%-----20.00%-----58.09%
Dep B----80.00%-----26.30%-----31.42%
Department B for month 1 and month 2 appears to be out performing department A each time however when the overall tally for department B is shown, it is well below the real performance of department A.
What is going on here?
The proof with this one is in the detail; In the first month department A corrected 59 out of 95 controls (62% ish) and department B processed 8 out of 10 (80%) corrections. In month 2 department A corrected 2 out of 10 controls (20%) while department B cleaned up 25 out of its core 95 controls (26% ish). Both departments are running 105 control corrections and while department B is performing much better than department A each time, the real truth is being hidden.
All this is quite obvious however couple this paradox with the differential in risk profiles between departments and the random volume number that each department processes daily and you could a have a real governance issue on your hands.
Posted by CausalEvents at 02:56 AM
| Comments (0)
September 29, 2006
What is the hardest risk to model?
Recently I was asked this question at a conference and after some thought I would have to say that reputation damage in the operational risk camp would be the most difficult to understand, not just because of the varied potential drivers that seem to cause it but also because there seems to be total random and unpredictable outcome(s) from the mix of these nebulous triggers and catalysts.
Basel II – Pillar II, Paragraph 742:
Other risks: Although the Committee recognizes that ‘other’ risks, such as reputation and strategic risk, are not easily measurable, it expects industry to further develop techniques for managing all aspects of these risks.
So In Basel II, it has been flung into the Pillar II bucket and on occasion one does tend to feel that Pillar II is the dumping ground for the un-solvable, to hard basket. But while it is out sight it isn’t gone of good. Then I suppose one does also feel a little reserved to stand on any kind of ‘soap box’ with a panacea bright spark solvent, not that I have discovered such a workable structure for Reputation Risk as yet nor have I seen any bank with one.
An obvious move would be to use scenario analysis to fasten potential reputation damages against an event and in that way we are able to at least tie an event to reputation or more importantly reputation to an event. Then one does ponder if every event could have reputational outcome or components? Some banks have leapt on this idea and their risk systems have been modified to include additional investigative pages during loss reporting that allow staff to estimate the potential brand damage from an incident. I have also heard many risk practitioners state reputation damage is actually the poor management of a crisis and in that respect each operational loss could be seen as a potential driver for reputation risk.
If one thinks of their own experience on the other hand, it seems to be the companies that frustrate me most are the ones that insult our own internal and personal moral being and in that respect, reputation damage would be tied to the inability of a company to deliver targets as sold, to meet perhaps a minimum industry standard or to build an image that is compatible with the disposition of its clients. If we look at reputation damage in this light, it is now a very difficult and different task because no customer demographic is the same and every bank wants to be able to cross sell to as many communities as possible even if these communities are incompatible with each other.
If reputation risk wasn’t so impacting a sane risk manager would put it at the end of the to do list and it would become the hasta mañana of all risk event classifications. There is however, so many evidential news articles of companies both in and out of the banking sector that are alike with total failure from this disorder; so we can't right it off as a ludicrous exercise.
In an old article from the British Bankers Association
Reputation Risk a secondary risk to which capital is not the answer. Proper systems and controls, through senior management approval of, for instance new products, ensure that a bank's intangible reputation capital is not eroded.
I am not quite sure what reputation capital is but I assume it is the capital that is at risk from reputation damage, whether that includes lost opportunities or not is undefined.
There are currently no robust methods to quantify the amount of extra capital required if any - to address issues such as reputation risk and residual risk.
Some years back at a customer satisfaction forum I attended one participant stated to the auditorium, “brand damage was the continual erosion of moments in time.” That is many customers are resilient to a single fault but it is the general lack of quality or the disappointment of working with an organisation through “mini-inadequacies” that perturb customers from furnishing a business with their custom. Such clients are more likely to close their accounts if a branch’s climate was too cold or hot AND difficult to locate AND slow due to long queues AND aesthetically unpleasing to the eye OR even if it in some way did not satisfy their socio-political beliefs. So in this way there are a lot of conditions and variables that need to be weighted and accumulated before failure occurs. Some logical gates that could be grouped together and mapped out in a causal network of NOTs/ORs/ANDs for definition and then calculated using a Bayesian or Boolean~Binomial algorithm.
On the subject of Socio-political beliefs however, we have all experienced this first hand and customs that are accepted as polite in some cultures can be obtuse to others. The mere fact though that we are debating these subjective intangible qualities does lead me to believe that the operational risk team may not be the most sensible place to house this exposure and perhaps the marketing department should be taking the lead particularly as the quantification tools available to banks for reputation damage seem to me as crude and sparse.
Comments are certainly welcome from anyone and everyone specifically if they have a heads up on a neat tool or methodology to measure this creature.
Posted by CausalEvents at 03:42 AM
| Comments (0)
May 21, 2006
Working together to fight fraud
Traditionally most banks small and large keep their management techniques for tackling potential business problems under tight wraps specifically if it results in the bank being more competitive however, when dealing with issues such as fraud banks often work together to form information sharing hubs to reduce such exposures.
In April this year the FSA and mortgage lenders have joined together to set up such an information sharing hub and have established a streamlined reporting system designed to reduce the level of fraud involving mortgage loan applications. The process has been designed to allow lending firms report specific account details they deem suspicious at any point within the loan process, both after the application has been approved or before. This reporting can also relate to single or multiple loans from one customer and has been designed to also target intermediaries that are not following appropriate practice when assisting customers through the loan approval process.
Mortgage fraud comes in many forms starting with applicants that misinterpret their income or employment details so that they are able to borrow larger amounts to customers that manipulate the valuation of the asset for an over inflated loan. At the other end of the scale entirely false documentation is used to draw down funds that the borrower has no intention of paying back and that are usually destined for an entirely different purpose than funding the purchase of a property. The minor mendacious detailing on a loan application form is often missed during application approval activities and will result in a higher probability of the mortgage defaulting or in the lending not being totally secured. While this appears on the surface as a credit loss to the bank it is in reality operational in nature because the bank has made a choice to bare a risk that is outside credit policy and thus becomes a non-chosen risk.
Some intermediary brokers have a tendency to assist the more impoverished customers and some even search out these demographics of clients when professionally these firms should be adjusting a customer’s expectations appropriately. Banks usually need to measure rejection rate and the concentration defaults for loans from specific intermediaries to identify whether there is an abnormal volume before being sure that such brokers are inappropriately operating and of course then it is often too late.
It is likely that this new initiative from the FSA is going to be welcomed considering only some of the factors we have listed here. The reporting system is of course going to require formalization for its long term success. Simply reporting suspected and fraudulent loans may assist in legal discourse but most banks would prefer to eject potential applicants very early on in conveyance process. They would also prefer to review potential brokers in a shared database for a rating of professional worthiness before engaging them and that then requires a process for fair treatment. Specifically in the case a broker or customer was incorrectly listed they need to be able to resolve their standing within this mortgage fraud database but before we jump ahead of ourselves we must accept that most good systems start of as an embryonic concept and will evolve over time, this FSA aspiration is well worth watching.
More information from the FSA.
Posted by CausalEvents at 09:46 PM
| Comments (0)
May 13, 2006
Different Strokes for Industry Folks
One recent trend that seems to be a common land on my desk is an interest in risk systems for the utility sector. Certainly energy is the hot topic of 2006 with advancements in technology on renewable sources and then market diversification of formal buying, selling and hedging is taking these companies into the financial markets and as they enter that realm there seems to be some incentive to improve or perhaps formalize operational risk. These organizations are certainly going about that, but they are doing it in quite a different manner than the financial sector as we shall see.
Really Operational risk in concept is the same in bank as it is in a utility provider however the emphasis seems to be on reducing faults in utility providers while in banks it is all about capital. Many analysts from the financial sector in particular argue that both are the same creature dressed in a different skin but with our more 'heavy industry' based businesses such as manufacturing and utilities the focus is generally towards bottom up techniques.
In particular Basel II doesn't seem to stress best practices for fighting risk, its’ focus is all about measuring the potential exposure so that a reserve of money can be held and this reserve is referred to as the tier I, II [III] capital reserve. There have been many critiques on this thinking, I am far from the first and I am also a big believer that if banks treated this risk class in a more real manner, closer to the cause and by learning techniques from operational risk programs in these adjacent industries then management of events becomes an easier task. Specifically if a bank simply treats risk as a compliance exercise then working tangible outcomes are often lost, tacit knowledge of staff is not utilized and enthusiasm for the program dwindles as costs escalate.
Utility providers on the other hand tend to lend themselves to being real about creating systems that actually reduce potential exposure and at the coal face of the business where such exposures can be seen. Their programs will generally include and be written in manner that:
# There is an ability to capture loss data and assign those events to a cause for a better understanding on the businesses problems in the context of the business.
# The company has incentives to locate and find potential pathogens for failure through an investigative approach into understanding causality. Causality and hazard solutions allow event description to be built up in a manner that one event can be proven to cause another, for example:
Water + slippery surface + people present = possible occupational & safety hazard.
That's the hazard, now we remove the hazard by destroying the equation. Here is a solution: It’s raining, we have a paved floor and people are at the door, we reduce the hazard by laying out a carpet and/or putting up a sign stating "the surface is wet watch out for a slippery floor".
Of course there are many of these hazard reducing tools in a power station and they form the key basis for policy; the rules of how staff use machinery around so that a safe, productive and importantly continuous environment is sustained.
A good program will also have a process for showing how to monitor potential causes that increase the likelihood of fault so that planning of activities can be carried out to reduce failure. Such a program is an ongoing exercise of review and record otherwise it is not representative of new potential threats and their associated problems.
The system also needs to allow the business to easily track its best practice so it should create a list of workable actions for staff to engage during failure, so that faults are resolved quickly, effectively and without incurring additional knock-on effects.
Taking this one step further these workable actions also allow benchmarks to be created between departments for a formal monitoring and reporting process. This process then tracks whether a department is reducing its operational risk as planned or whether there is an erosion on quality in staff efforts and that means more hazards.
I am not saying banks don’t do this, because they certainly do. Most financial institutions have a comprehensive branch audit team, and controlled self assessment is usually scattered throughout their operations however one is left with the feeling that many staff in banks don’t actually know why they are doing something when it is operational risk in nature. They simply tick the box and most data in operational risk sits in silos and is used to calculate capital reserves.
Risk and reliability assessment techniques in other industries tend to be put into two classes, quantified or heuristic. Quantified assessment techniques in these industries use specific algorithms to calculate the actual likelihood and consequence of a failure by proceeding to a solution from an explicit and complete step analysis such as FMEA or Fault modes and Effects Analysis. FMECA is a popular set of methodologies employed by heavy industry for understanding the critical nature of a fault, the pathogens that drive the fault and what the consequences are. Banks on the other hand don’t seem to become tied up with FMECA and I would beg to wonder whether the typical operational risk analyst in a bank would be up on FMECA at all. Yet outside the world of finance FMECA has such a following that some industry regulated bodies have published failure modes for specific systems and structures they know their regulated companies use. These publication notes of course can be used by any company for a plan for managing the predictability of outages in specific cycles of operation.
Here is the list of such cycles taken from the MIL-SD-1629A US Military Standard:
# Premature operation
# Failure to operate at a prescribed time
# Intermittent operation
# Failure to cease operation at the prescribed time
# Loss of output or failure during operation
# Degraded output or operational capability
# Other unique failure condition based on system characteristics and operational requirements or constraints
Looking at risk this way has some distinct advantages, primarily understanding the probability of a systems up time we are able to plan business continuity programs. We are also able to understand what processes need to be carried out by staff during each cycle of operation. Another advantage of course is being able to describe the Mean Time to Repair for each component and this leads to a good threat analysis for change management staff and that is where operational risk is often featured yet not factored into capital.
Posted by CausalEvents at 06:24 PM
| Comments (0)
