Plenary Sessions slides - Glasgow Caledonian University

Institute of
Operational Risk
2nd Scottish Annual Conference
26th October 2012
(in conjunction with Glasgow Caledonian University)
© The Institute of Operational Risk
Data Capture, Accuracy and Recording of Operational Risk Losses
Andrew Sheen (FIOR)
Manager, FSA
Risk Frameworks team (PBU)
1. Context
2. Internal Data
3. External Data
4. Supervisory Concerns and Issues
5. Relevant Papers
1. Context
The nature and outcome of operational risk data collected … affects not only the outcome of the bank’s quantification process but also operational risk management decisions.
(Observed Range of Practice in Key Elements of AMA, BCBS, July 2009)
So loss data collection is about:
• Risk management, including
  – Risk events and impact
  – RCSA
  – Scenarios
• Risk measurement, including
  – Scenarios
  – AMA
  – Pillar 2
2. Internal Data
Business line / unit
Event type
  – to what level
Event description
Cause of event
Gross loss amount
  – Date of discovery
  – Date of occurrence
  – Date of accounting
Recovery
  – Insurance
  – Other
Net loss amount
Management action taken
  – Immediate to deal with event
  – Changes to policy and controls
Lessons learnt
3. External Data
• Data sources
  – Consortium
    • May exclude key events (i.e. they did not happen to a member firm (rogue trading))
    • Limited supporting information
  – Public data
    • Is the information accurate
    • What about events that did not get into the press
• Issues include
  – Data quality
    • Completeness
    • Consistency
  – Thresholds
  – Scaling
  – That could not happen here
4. Supervisory Concerns and Issues
1. Loss definition
• Range of practice between firms using gross and net loss for AMA calculations
• For the firm to justify its choice
• Problems calculating the insurance allowance if using net loss
2. Loss Data Thresholds
• Considerable variation in thresholds by firm and business line
• Influences the management and measurement of operational risk
• Should be based on statistical evidence showing items below the threshold are immaterial when calculating capital
• Should not omit operational risk loss event data that are material for operational risk exposure and for effective operational risk management
• Choice of threshold should not impact credibility
3. Date of Internal Losses
– BIS does not provide any guidance - Banks have several reference dates
  • Date of occurrence *
  • Date of discovery * ‘
  • Date of contingent liability
  • Date of accounting (first financial impact) * ‘
  • Date of settlement
  * Typically used by banks
  ‘ Most prudent
– Supervisory concern – can the selected date result in the omission of large internal losses and therefore significantly impact OR capital at a given point in time and over time
– Firms can select which date to use as long as material loss data is not omitted
4. Grouped Losses
– Banks sometimes group a number of losses and treat the group as a single loss for recording, management and modelling purposes. Depending on the reasons for grouping the following different guidelines apply
  • Losses caused by a common operational risk event should be grouped and entered into the loss calculation dataset as a single loss, unless the firm chooses to model causality or dependence among those losses in a different manner
  • Small losses grouped with no causal relations for data collection and registration should be excluded from the calculation dataset
5. Review and Validation
– Has the data collection process been reviewed and validated by
  • Reconciling to the General Ledger
  • Internal audit
  • Third party
  • Using loss data and events to inform:
    – RCSA
    – Scenarios
    – KRIs
6. Other Issues
– Near Misses
– What % of losses are missed
– Frequency
– How relevant is old data
– How are losses allocated across business lines
– Boundary Issues
– Losses, near misses and P2
5. Relevant Papers
Key documents
• Enhancing frameworks in the Standardised Approach to Operational Risk, FSA, January 2011
  – http://www.fsa.gov.uk/library/policy/guidance/2011/gn11.shtml
  – http://www.fsa.gov.uk/pages/Library/Policy/guidance_consultations/2011/11_17.shtml
• Operational Risk – Supervisory Guidelines for the Advanced Measurement Approaches, BCBS, June 2011
  – http://www.bis.org/publ/bcbs196.htm
• Observed Range of Practice in Key Elements of the Advanced Measurement Approaches, BCBS, July 2009
  – http://www.bis.org/publ/bcbs160.htm
• Results from the Loss Data Collection Exercise for Operational Risk, BCBS, July 2009
  – http://www.bis.org/list/bcbs/page_2.htm
Andrew Sheen (FIOR)
Risk Frameworks team (PBU)
Financial Services Authority
andrew.sheen@fsa.gov.uk
Institute of Operational Risk
Scottish Conference
3 Lines of Defence
George Clark, Glasgow, October 2012
The 3 Lines of Defence
Internationally recognised go-to model for financial services firms.
Referenced by:
• ECIIA/FERMA – Guidance on the 8th EU Company Law Directive, Sept 2010
• Basel Committee on Banking Supervision – Sound Practices for the Management and Supervision of Operational Risk, December 2010
• COSO – Exposure Draft: Internal Control Integrated Framework, December 2011
Key objective is sound internal governance but perhaps a better term is effective internal governance.
The 3 Lines of Defence Model
[Diagram: Board/Audit Committee; Senior Management; 1st Line of Defence; 2nd Line of Defence; 3rd Line of Defence; boxes labelled Operational Management, Internal Controls, Credit, Operational Risk, Compliance, Others, Internal Audit, External Audit]
Which in simple terms...
Do / Review / Overview
The first line:
• Identify, assess, control, mitigate and manage risk
• Comply with risk framework
• Ensure effective design, implementation and operation of controls
• Escalate material threats and risk exposures
• Operate good governance of the business function
The second line:
• Provide policy and framework
• Monitor, oversight of and challenge to 1st line
• Support good Governance of the company
• Report and escalate threats and risk exposures
The third line:
• Independent assurance over the first two lines of defence
• Quality assurance on the application of the framework
• Evaluation of control adequacy
Big 5 factors which influence success
• Context and Environment
• Roles and Responsibilities
• Training, Education and Communication
• Data
• Culture
Context and Environment
• Capability
• Complexity
• Scale and spread
• Retail
• Wholesale
• Automation
Roles and Responsibilities
• NOT about structures but about “real world”
• Clear, documented, understood and agreed
• There will be grey areas – embedded risk
• Align risk management silos
• Don’t forget Senior Management and Board
• Challenge for risk to be both trusted advisor and policeman
• Learn from others’ experience – HR and IT
Training, Education and Communication
• Awareness both initial and ongoing
• Skill and capability
• Build reliance and resilience
• Align with company objectives and strategy
• Don’t forget Senior Management and the Board nor the new entrant
Data
• Intelligence gathering
• Monitoring
• Relationship Management
• Management information
• Key measures of success
• What gets checked gets done
Culture
“Banks in this country are “two decades behind” other keystone global industries like aviation and oil and gas in recognising the critical importance of individual behaviour and corporate culture in managing and minimising their operational risks. The dominant banking instinct is to “reach for the sticking plaster” rather than confront the root cause of risk failures”
Source: The Back Office front line, Chartered Banker Magazine October/November 2012
Culture
• Tone from the top
• Communication
• Paradigms and environments
• Influences and drives business outcomes, including the taking of risk and the quality of processing
• Major failings during the global financial crisis
The culture house
Closing observations
• Be proportionate and practical
• Look for that “use test”
• Ride out the storm, it gets worse before it gets better
• Expect progress not perfection
• Implementation is king
Questions and Comments
??
Risk Culture + Behaviours
Reflections From A Reformed Banker
Scene Setting
•Culture and behaviours are highly prized and difficult to change
•They’re not all standard
•They’re not always rational.
•They shift for the better...and worse
Culture & Behaviour Issues
And it gets worse
McKinsey Survey of 2,207 executives:
28% say the quality of strategic decisions were generally good?
60% say good and bad decisions occur in equal measure
12% say nearly all decisions are bad
51% say major risk decisions are attributed to a single function?!?!?
Is it taken seriously?
Ivory Tower?
•ACCA survey – 2012
Where to start
•Root causes are ambiguous, multi-faceted and outside your control
•Be practical so start @ home:
•It’s not someone else’s responsibility
•People or admin?
•Risk MI identification & integration
Keep going
•Be mindful of barriers
  •‘2nd line of defence’
  •fear
  •habit
  •history
•Use internal and external audit
•Avoid orderly inaction
•Engage senior management in your thoughts
Don’t Stop
•Don’t drop the ball
•Events, issues and actions MUST be complete, accurate and managed through to completion
•Learn from other firms’ hard-earned lessons
•Map and assess the existence and design of the control environment
•Focus on positive assurance arrangements
•Keep communicating outcomes and next steps
That’s just the start
•Review and amend governance arrangements
•Adequacy of performance
•Business engagement and ownership
•Don’t think this is a Co Sec responsibility; below Board/Exec level it’s often a gap
•Recruit talent and relocate tasks
•Build Risk IT capability
•Then the fun starts...
The journey continues
• Recruit and reallocate existing talent
• Integrate IT and Op risk processes with business processes, including outsourcers
• Evaluate organisational and e2e process design
• Use the Exec and Board using ‘position papers’
And continues
• Maintaining credibility
• Benchmark your Op Risk unit
• Horizon scanning and increased engagement with ‘Corporate Change’
• Get a risk change budget!
• Develop cross discipline expertise
• Reward and recognition
Questions and thanks
alan.esson@swip.com;
0131 655 8809