MMC/NERA
Operational Risk: An Assessment of Global Market Practices
March 18, 2003

Table of Contents
• Introduction
• Approaches to Operational Risk Management
• Capture of Operational Risk Loss Data
• Capital Allocation for Operational Risk
• Transfer of Operational Risk
• Conclusions

MMC/NERA – Operational Risk Management: Phase II Study 2

Introduction

NERA Is A Marsh & McLennan Company (MMC)
MMC Total 2001 Revenues: $9.9 billion
[Organization chart. Segments shown: Risk & Insurance Services; Investment Management; Consulting. 2001 revenue figures shown: $5.2 billion, $2.6 billion, $2.1 billion.]

Marsh: Insurance Broking & Risk Management Services
• Insurance broking and advice
• Risk control and business continuity planning services for operational, property, casualty and IT risks
• Risk information systems and technology
• Structuring and placement of innovative risk financing alternatives

Guy Carpenter: Reinsurance Broking & Services
• Reinsurance broking advice and services
• Sophisticated natural hazard modeling
• Guy Carpenter Catastrophe Index
• Instrat - Dynamic financial modeling for insurers

Putnam Investments: Investment Services
• $328 Billion in assets managed (average 2001)
• International portfolio management

Mercer Management Consulting: Strategy Consulting
• Analysis and expertise in strategic risks
• Analysis and expertise in supply chain risks
• Modeling and research capabilities for business risks

William M. Mercer: HR Consulting
• Advice and services to manage HR risks
• Advice and services to manage treasury risks

National Economic Research Associates (NERA): Economic Consulting
• Risk Assessment and Analysis
• Risk Modeling and Valuation
• Mitigation Strategy Design and Execution
• Legal Liability and Regulatory Advisory

Introduction: Operational Risk Capabilities
• MMC has assembled an Operational Risk Team from experts across its different entities in an effort to provide cutting edge expertise and advice for its clients on the complex and ongoing issue of operational risk. As part of this effort the MMC Operational Risk Team has been developing a number of tools to assist its clients in the financial sector in addressing some ongoing concerns related to operational risk, including:
– Operational Risk Management Benchmarking Project
– MMC Operational Risk Loss Event Database
– Analytic quantification methods for Operational Risk within financial institutions incorporating qualitative and quantitative estimation techniques
– Analysis of insurance effectiveness for covering operational risk

Introduction: Review of Global Operational Risk Benchmark
• MMC’s Operational Risk Management Global Benchmark study was conducted in two phases. Phase I sought to provide comparative data on current operational risk management practices at financial institutions and identify likely trends in the industry as captured in four distinct categories:
– Approaches to Operational Risk Management (people, processes and systems)
– Capture of Operational Risk Loss Data
– Economic and Regulatory Capital Allocation
– Risk Transfer
• During Phase I, over 75 interviews were conducted in conjunction with written questionnaire surveys with global banking institutions. Interviews were conducted worldwide between June, 2002 and August, 2002.
Participating institutions were located in the United States, Canada, Europe, Japan, Australia and South Africa.
• MMC presented results to the Risk Management Group of the Basel Committee on Banking Supervision in Paris in September, 2002.
• MMC presented individual benchmark presentations to 45 participants.

Introduction: Phase II Study
• MMC’s Operational Risk: Emerging Best Practices Study seeks to provide regulators and participating firms extended data on outstanding issues relating to operational risk management. These issues include industry practices in resources and processes, the development of economic capital allocation models for operational risk, and the inclusion of insurance mitigation in operational risk management practices.
• Over 30 interviews were conducted with global banking institutions during Phase II, resulting in NERA having conducted over 100 interviews over both studies. The Phase II institutions were selected from the Phase I study for follow-up due to their robust thinking in operational risk management. Interviews were conducted worldwide between December, 2002 and January, 2003. Participating institutions were located in the United States, Canada, the United Kingdom, Europe, Japan, and Australia.
• Throughout both studies, MMC presented results to individual country regulators including:
– The Federal Reserve System (New York and Washington, DC)
– Office of the Comptroller of the Currency (OCC)
– Bank of Japan
– Canadian Office of the Superintendent of Financial Institutions (OSFI)
– Financial Services Authority
– De Nederlandsche Bank
– Deutsche Bundesbank
– Australian Prudential Regulation Authority

Participating Institutions

North America: AmSouth Bank; Bank of America Corp.; The Bank of New York Co.; Bank One Corp.; Bear, Stearns & Co.; Citigroup Inc.; Comerica, Inc.; First Tennessee National Corp.; Hibernia Corp.; JP Morgan Chase & Co.; KeyCorp; Legg Mason, Inc.; M&T Bank; Marshall & Illsley Corp.; Merrill Lynch; MBNA Corp.; Riggs Bank; U.S. Bancorp; Union Bank of California; Wachovia Corp.; Wells Fargo & Co.; Bank of Montreal; Bank of Nova Scotia; Canadian Imperial Bank of Commerce (CIBC); RBC Financial Group; Toronto-Dominion Bank

UK/Europe: Abbey National Group; ABN Amro Group; Allied Irish Bank; BBVA S.A.; Banco Santander; Bank of Ireland; Barclays Bank; Bayerische Hypotheken und Vereinsbank (HVB Group); Bayerische Landesbank Girozentrale; Caisse des Depots et Consignations; Capitalia Gruppobancario; Commerzbank; Credit Agricole; Credit Lyonnais; Credit Suisse Group; Danske Bank; Deutsche Bank; Dexia Group; Dresdner Bank; Erste Bank der Osterreichischen Sparkassen AG; ING Bank; Intesa BCI; KBC Group; Lloyds TSB; Nordea AB; Royal Bank of Scotland; San Paolo – IMI; Societe Generale Groupe; Standard Chartered Bank; Swedebank; UBS AG; Westdeutsche Landesbank

Japan/Australia: Australia and New Zealand Bank; Bank of Tokyo-Mitsubishi; Bank of Yokohama, Ltd.; Bank of Queensland Ltd.; Bendigo Bank Ltd.; Commonwealth Bank of Australia; Macquarie Bank Ltd.; Mizuho Holdings, Inc.; National Australia Bank, Inc.; Sumitomo Mitsui Banking Corp.; Suncorp-Metway Ltd.; St. George Bank Ltd.; UFJ Holdings, Inc.; Westpac Banking Corp.

South Africa: ABSA; The Nedcor Group; First Rand Bank; Standard Bank of South Africa

Approaches to Operational Risk Management

Resources in Centralized Operational Risk Management Function
• Firms have agreed on common definitions with the Basel Committee and have subsequently established independent operational risk functions.
• Other than the smallest domestic banks, firms have enacted operational risk management functions universally.
[Chart: Does your firm have an operational risk management function?]
[Chart legend: Current; Planned; No Response. Percentages shown: 3%, 7%, 90%.]

Resources in Centralized Operational Risk Management Function
• Firms have bolstered their operational risk management functions over the past few years, and many believe they have reached a critical mass.
– Around 80% of firms in the study have more than 5 people employed at the corporate level in the centralized operational risk management function. This number tends to be bolstered even more with other support functions who have the identified operational risk management duties. These typically include:
    – IT support and programmers
    – Information security
    – Centralized security
    – Insurance
[Chart: What resources (FTEs) are employed in the corporate level in the centralized operational risk management function? Legend: Less than 5; 5-10; 10-15; More than 15. Percentages shown: 8%, 21%, 33%, 38%.]

Extent of Operational Risk in Business Decisions
• 63% of the banks responding said that operational risk was considered in overall business and strategy decisions.
– A number of methods of consideration were noted, though the most common were methods based on examination of how the economic capital charge for operational risk would be impacted by a change in business plans/strategy.
– A large number of the respondents noted that before a new business or product is launched it must undergo an operational risk assessment. A few banks noted that operational risk attracted special attention in considering and managing acquisitions.
[Chart: Does your bank consider operational risk when making overall business/strategy decisions?]
[Chart legend: Yes; No. Percentages shown: 38%, 63%. Panels: Overall, North America, Europe, Other.]

Comparisons & Progress Over the Last 6 Months
• Firms use operational risk considerations in strategy decisions to a similar extent as firms with strategic policies outlined in the Phase I Study. The same firms that outlined such policies in Phase I now implement those policies in strategic decision-making.
– In the Phase I study, 67% of the firms cited policies that outlined operational risk management use in overall strategic objectives.
– The assessment of policies outlining strategic objectives and subsequent strategic considerations resulted in the following breakdown from the same 24 firms in Phase I and Phase II of the study.
[Chart, Phase I: Do your firm's policies clearly define the objectives of ORM and how they relate to overall strategic objectives? Legend: Current; Planned. Percentages shown: 33%, 67%.]
[Chart, Phase II: Does your bank consider operational risk when making overall business/strategy decisions? Legend: Yes; No. Percentages shown: 38%, 63%.]

Operational Risk Reports
• Firms’ operational risk reporting varies widely but always includes some cut of senior management, usually through an operational risk committee.
– Business Units are often integral in creating the reporting, often being derived from risk self-assessments or collection efforts from the business units. The dissemination is usually through individual Business Unit Managers. The 17% who do not provide reports to business units largely have fundamentally and geographically diverse business lines – the reports created are general company-wide reviews and the business lines are left to their management to decide unit reporting. All Boards of Directors are aware of operational risks, though several firms are waiting for data and review experience to support ongoing reporting to the Board.
[Chart: Are operational risk reports provided to business units?]
[Chart legend: Yes; No. Percentages shown for reports to business units: 17%, 83%.]
[Chart: Are operational risk reports provided to the Board of Directors? Legend: Yes; No. Percentages shown: 21%, 79%.]

Comparisons & Progress Over the Last 6 Months
• Firms have extended their operational risk reporting to include all firms reporting to senior management and extensive reporting to the Board of Directors.
– The reporting lines noted in both studies resulted in the following breakdown from the same 24 firms in Phase I and Phase II of the study.
[Chart, Phase I: Does the Board of Directors periodically review operational risk management reports, including operational risk exposures and loss experience? Legend: Current; Planned. Percentages shown: 42%, 54%.]
[Chart, Phase II: Are operational risk reports provided to the Board of Directors? Legend: Yes; No. Percentages shown: 21%, 79%.]
[Chart, Phase I: Does Senior Management periodically review operational risk management reports, including operational risk exposures and loss experience? Legend: Current; Planned. Percentages shown: 17%, 83%.]
[Chart, Phase II: Are operational risk reports provided to Senior Management? Legend: Yes; No. Percentages shown: 0%, 100%.]

Operational Risk Reports
• Operational risk reports that usually are presented to an operational risk committee are often only changed slightly for the Board of Directors and business unit documents.
– At around 25% of the firms, reports were given quarterly to risk committees though firms ranged from monthly to annually.
– More than half of the operational risk reports to the Board were presented annually as a section of the risk report and quarterly as a review from a group-wide risk review.
– Reports typically included:
    – Analysis and commentary on the operational risk environment, including Basel initiatives
    – Top operational risks for the group and specific business units’ risks
    – Representations of risk controls/action plans to combat the stated risks
    – Reports of specific losses, causes and outcomes
    – Reports of loss database developments
    – Reports of self-assessment data
    – Expectations and “hot spots” for future operational risk management

The Use of Self-Assessments
• The depth and detail of the self-assessments varied by firm and often varied within business units. The use of self-assessments in capital allocation signaled more depth and accuracy as business units were incentivized by capital allocation. In general, self-assessments were used to:
    – Create scenarios for deriving distributions in a capital allocation model
    – Act as the basis of scorecards for business units, often adjusting business unit specific capital allocation
    – Serve as a monitoring tool for management and a contributor to expert scenario analysis for risk control
    – Act as the basis of allocating an aggregated pool of capital across the business units
    – Promote sound operational risk management that identifies problem areas and initiates action plans
[Chart: Is your firm utilizing self-assessments in operational risk management? Legend: Current; Pilot. Percentages shown: 21%, 79%. Panels: Overall, North America, UK/Europe, Japan/Australia.]

Description of Risk Scorecards
• 67% of banks interviewed are currently using scorecards as a tool in managing operational risk.
– 15 of the 19 firms that have current self-assessment programs also utilize scorecard systems.
– Scorecards give some firms a way of viewing risk versus the mitigants of risk, as well as probability and severity.
They are used simply to find where inherent risks are high and where controls are not commensurate with the risk.
[Chart: Is your firm utilizing scorecards in operational risk management? Legend: Current; Pilot; No Scorecard. Percentages shown: 21%, 13%, 67%. Panels: Overall, North America, UK/Europe, Japan/Australia.]

Comparisons & Progress Over the Last 6 Months
• Only 36% of all firms in the Phase I study used risk self-assessments or scorecards to help determine economic capital for operational risk.
– A comparison of banks that participated in both studies reveals that at least pilot scorecard and self-assessments have been implemented where banks had planned to implement them.
– The consideration of risk self-assessments or scorecards in capital allocation models resulted in the following breakdown from the same 24 firms in Phase I and Phase II of the study.
[Chart, Phase I: Does your firm use risk self-assessments or scorecards to help determine economic capital for operational risk? Legend: Current; Planned; Anticipated. Percentages shown: 8%, 33%, 58%.]
[Chart, Phase II: Is your firm utilizing self-assessments in operational risk management? Legend: Current; Pilot. Percentages shown: 21%, 79%.]
[Chart, Phase II: Is your firm utilizing scorecards in operational risk management? Legend: Current; Pilot; No Scorecard. Percentages shown: 21%, 13%, 67%.]

Key Risk Indicators, Risk Thresholds & Limits
• The majority of banks interviewed currently use Key Risk Indicators (KRIs) to manage operational risk on an ongoing basis. All of the banks that do not use Key Risk Indicators are either in the process of identifying and implementing them or are planning to undertake an effort to develop them in the foreseeable future.
– Banks are in the process of monitoring potential firm-wide KRIs, often relying on their own business units’ experiences in collecting KRIs.
[Chart: Does your bank currently use KRIs to manage operational risk on an ongoing basis? Legend: Yes; No. Percentages shown: 29%, 71%. Panels: Overall, North America, Europe, Other.]

Comparisons & Progress Over the Last 6 Months
• The use of key risk indicators to proxy operational risk exposures in the ongoing management of operational risk has expanded over the last six months.
– 54% of the firms that were in both studies were not actively using key risk indicators in Phase I, while the percentage dropped to just 29% who were not using them in the Phase II study.
– The use of key risk indicators resulted in the following breakdown from the same 24 firms in Phase I and Phase II of the study.
[Chart, Phase I: Does your firm use risk indicators to proxy the level of operational risk exposure? Legend: Current; Planned; Anticipated. Percentages shown: 8%, 42%, 46%.]
[Chart, Phase II: Does your bank currently use KRIs to manage operational risk on an ongoing basis? Legend: Yes; No. Percentages shown: 29%, 71%.]

Capture of Operational Risk Loss Data

Operational Risk Loss Events: Types, Examples
• Most banks have begun collecting operational risk loss data generally adaptable to Basel guidelines:

Basel Level 1 Event Types:
    – Internal Fraud
    – External Fraud
    – Employment Practices and Workplace Safety
    – Clients, Products, and Business Services
    – Damage and Physical Assets
    – Business Disruption and System Failures
    – Execution, Delivery and Process Management

Potential Loss Events:
    – Discretionary losses
    – External fraud
    – Financing losses
    – Insurance claims
    – Internal fraud
    – Legal settlements
    – Policy violations
    – Processing losses
    – Trading losses
    – External effects
    – Natural Disasters
    – Management processes
    – Personnel/HR losses
    – Physical loss damage
    – Sales practices
    – Technology
    – Transaction and business processes
    – Unauthorized activities

How Long Have You Been Capturing Losses?
• Most firms have begun to systematically collect operational risk losses within the last 3 years – all firms with systems in place longer than that have generally just adjusted general ledger systems and use historical GL collections within the database.
[Chart: For how long has your firm been capturing operational loss events in its operational loss database? Percentages shown: 21%, 27%, 15%, 37%.]
[Chart legend: Less than 1 Year; 1-3 Years; Greater than 3 Years; No Response. Panels: Overall, North America, Europe, Other; Under $75B, $75B - $200B, $200B - $500B, Over $500B.]

Capture of the Basel Committee’s Historical Window
• Most firms do not yet have the three years of historic data proposed by the Basel Committee, although many have just started the data collection process and plan on having the historical data by 2006.
– “We question the veracity of going back to get data that far in the past, so while we don’t have the three years of data now, we will have it by 2006.”
[Chart: Is the historical window captured in your firm’s internal operational loss database at least three years? Legend: Yes; No; No Response. Percentages shown: 7%, 40%, 52%. Panels: Overall, North America, Europe, Other; Under $75B, $75B - $200B, $200B - $500B, Over $500B.]

Breadth and Scope of Data Collection Efforts
• 52% of banks surveyed in Phase II have all business units currently contributing to their operational loss databases. The majority of banks placed the ultimate responsibility on each business unit to report losses.
– While the thresholds for losses collected by banks varied from as high as $10,000 (US) to as low as one penny, the majority of banks are collecting all losses regardless of size.
– Some firms are struggling with issues related to timing.
Firms expressed confusion on accounting for the date of a loss: on the day that the event occurs, the day that the bank finds out about it, or the date that the full loss is realized.
[Chart: How comprehensive is your bank's internal loss data by business unit? Legend: Complete; Almost Complete; Most, But Not All Business Units. Percentages shown: 13%, 52%, 35%.]

Comparisons & Progress Over the Last 6 Months
• Since the Phase I Study, firms have implemented more definite operational risk management plans resulting in broader resources, reporting and database development.
– The assessment of breadth of data collection resulted in the following breakdown from the same 24 firms from Phase I and Phase II.
[Chart, Phase I: Does your firm systematically collect internal operational loss data? Legend: Yes; No. Percentages shown: 17%, 83%.]
[Chart, Phase II: How comprehensive is your bank's internal loss data by business unit? Legend: Complete; Almost Complete; Most, But Not All Business Units. Percentages shown: 13%, 52%, 35%.]
– Losses are now collected by all of our Phase II participants, with over half of the participants believing that their collection processes are complete.
– The utilization of operational risk considerations in business decisions is growing slowly, but has maintained its importance in merger and acquisitions analyses.

Determination and Tracking Losses in Market and Credit Risk
• Firms were generally evenly split in their method for dealing with operational losses associated with market and credit risk, and several noted the need for further regulatory guidance on the issue.
– The method for tracking operational risk losses associated with market and credit risk that is used by around a third of the firms is earmarking those events having an operational risk component to them but leaving them in the credit or market risk bucket for economic capital purposes.
– Earmarking these losses allows for both the ability to recognize the need for additional controls, and the opportunity to retroactively parse out operational risk losses once a clearly defined policy is put into place.
[Chart: How does your firm track the operational risk losses related to market and credit activities? Legend: Policy Clearly Delineates; Determined on a Case-by-Case Basis; Each Loss is Earmarked and Left in Market and Credit; Have Not Examined This Issue. Percentages shown: 21%, 33%, 29%, 17%.]

Capital Allocation for Operational Risk

Approaches to Calculating Economic Capital
• Firms have taken two different approaches to creating distributions for modeling economic capital:
– Some firms have implemented a loss distribution approach based mainly on internal data, external data or most often some combination of both.
– Other firms have implemented a loss distribution approach based mainly on scenario analysis, often taken from risk and control self-assessments:
    – Some scenarios are developed from analyses of internal loss events.
    – Other scenarios are developed from analyses of external events with some rough scaling and filtering of possible events.
– The few firms that have not implemented a model for capital distribution are moving towards one of these methods this year.
[Chart: What approach are you using to calculate economic capital allocation? Legend: Loss-data based LDA; Scenario-based LDA. Percentages shown: 46%, 54%. Panels: Overall, North America, UK/Europe, Japan/Australia.]

Analysis of Loss-Data based Loss Distribution Approaches
• Of firms that use a loss-data based loss distribution approach, most firms do not have the depth of internal data to create a full distribution of losses and therefore use a combination of internal and external data.
[Chart: If you are using a loss-data based LDA, what data feeds into the distribution? Legend: Internal Data Only; Mostly Internal Data, External Data for Tails; Mostly External Data; Both Internal and External Data. Percentages shown: 18%, 36%, 9%, 36%.]
– Most firms are using at least a 99.9% confidence interval over a one-year holding period. Some firms are setting their confidence interval in such a manner so as to maintain corporate ratings.
– While basing the approach on loss data, these firms often still use risk self-assessments and scorecard systems to give management a reflection of the internal controls and the likelihood of a tail event in a given business line. Most firms will then adjust the capital allocation as a reflection of the qualitative assessments and use those as incentives for business lines.

Analysis of Scenario Based LDA Calculations
• Of firms that use a scenario-based approach, nearly 70% of the firms derive scenarios from a self-assessment process, while the remainder do top-down scenarios elicited from senior management.
• All of the firms in the study have collected internal operational risk losses though firms using scenario approaches have used the loss data in different ways:
    – As support for framing of scenarios in the self-assessment process or in reviewing and auditing self-assessments; some firms have used the data to back-test and validate their scenario analyses.
[Chart: If you are using a scenario approach, what are the scenarios based on? Legend: Bottom-up Scenarios, Typically from Self-assessments; Top-down Scenarios from Experts or External Data. Percentages shown: 31%, 69%.]
[Chart: If you are using a scenario approach, how do you use internal data?]
[Chart legend: Support for Scenarios; Small Part of Current Model; Collected for Future Modeling. Percentages shown: 38%, 46%, 15%.]

Comparisons & Progress Over the Last 6 Months
• Since the Phase I Study, firms’ economic capital allocation models have evolved with much more emphasis placed on quantitative approaches relying on loss data.
– In the Phase I study, 29% of the firms used loss-data based distribution approaches (Quantitative), while that number jumped to 46% several months later.
– The assessment of capital allocation models resulted in the following breakdown from the same 24 firms in Phase I and Phase II of the study.
[Chart, Phase I: If you currently assess economic capital for operational risk, what method describes your assessment? Legend: Quantitative/Actuarial Approach; Qualitative/Expert Opinion Approach. Percentages shown: 29%, 71%.]
[Chart, Phase II: What approach are you using to calculate economic capital allocation? Legend: Loss-data based LDA; Scenario-based LDA. Percentages shown: 46%, 54%.]
– The evolution of loss databases in the last half-year contributes to the loss-data based LDA approaches taken in Phase II of the study.

Use of Internal Data
• All firms in the study are currently collecting internal data and plan to use it in operational risk modeling by 2006.
– However, today only half of the firms in the study are currently using internal data in their economic capital allocation models:
    – 50% of the firms use internal data as a direct input into a distribution model.
Some firms use internal data exclusively, while others use it as a very small input into a more diversified distribution.
    – 25% of the firms are collecting data with the expectation that it will be useful for modeling after several more years' worth of data for depth and breadth of operational risk losses.
    – 25% of the firms use internal data to support internal scenario analysis as well as to validate or back-test the expectations generated from different models; these firms also expect to use internal data as a key input in future capital allocation models.
[Chart: How are you currently using internal operational risk loss data? Legend: Part of Current Model; Warehousing for Future Modeling; Used for Scenario Support/Validation/Future Modeling. Percentages shown: 25%, 50%, 25%. Panels: Overall, North America, UK/Europe, Japan/Australia.]

External Data – Comparisons & Progress Over the Last 6 Months
• Nearly 80% of firms in the study use external data, while the vast majority of those firms use it to simply benchmark themselves.
– Most firms still have problems filtering and scaling external data, making the use of it in modeling difficult.
– The consideration of external data utilization in capital allocation models resulted in the following breakdown from the same 24 firms in Phase I and Phase II of the study.
[Chart, Phase I: Does your firm use external loss data as a supplement to its internal loss data?]
[Chart, Phase II: How are you currently using external operational risk loss data?]
[Chart legend, Phase I: Current; Planned; No. Chart legend, Phase II: Analyzing Scenarios/Benchmarking; Part of Current Model; Not Using External Data. Percentages shown across both charts: 21%, 29%, 29%, 54%, 25%, 42%.]

Recognition of Internal Control Factors
• 54% of the banks surveyed adjust their economic capital allocation for operational risk according to some measurement of the effectiveness of internal controls.
– Most of those banks that did not account for internal controls in their economic capital allocations were planning on instituting some adjustment in the future, though a few banks did not see any value in the exercise.
– A number of banks insisted that the ability to reduce capital in this manner provided a good incentive for banks to improve their controls.
[Chart: Does your bank's allocation of economic capital for operational risk take into account internal controls? Legend: Yes; No. Percentages shown: 46%, 54%. Panels: Overall, North America, Europe, Other.]

What Constitutes a “Tail” Risk?
• 67% of the banks surveyed acknowledged using a confidence interval of around 99.9% with a one year holding period to define their “tail” risks.
[Chart: How does your bank determine what constitutes a severe "tail" risk? Legend: Pick 99.9% off of distribution; Define worst case scenario as 99.9% CI; Don't use CI. Percentages shown: 33%, 54%, 13%.]
– While the majority of these banks simply picked this metric off of their loss distribution, some banks used expert estimates of worst case scenario losses as the 99.9% risk event to define the parameters of their distribution.
– Many banks used confidence intervals of greater than 99.9% to remain in accordance with corporate risk management guiding principles.

Transfer of Operational Risk

Use of Insurance in Operational Risk Management
• The utilization of insurance to mitigate operational risk is an evolving issue that most firms have not reached a consensus on, but which all firms agree should have a place in the future of operational risk management.
– Outstanding issues remain in the development of insurance as a mitigant in operational risk. These issues include:
    – The development of modeling capabilities is evolving and thus how to include insurance in the models is unclear.
    – The regulators have yet to identify the extent to which insurance will be included in the mitigation of operational risk capital.
    – It is difficult to purchase insurance right now in the markets with very high deductibles and premiums.
    – There is no singular definition for a tail event, and while it includes fraud in some cases, in other cases large property losses from weather-related events are considered the worst-case scenarios.
    – Finally, there is a split in the analytical rigor of firms, some of whom develop sophisticated quantitative modeling, while others believe traditional and conventional approaches to insurance are currently sufficient to meet mitigation requirements.

Use of Insurance as a Mitigant in Calculating Economic Capital
• The utilization of insurance mitigation in capital allocation models is now beginning to grow with over a quarter of the firms in the study considering its effects in their internal models.
– The timing of when it is considered varies from independent inclusion into Monte Carlo simulations to qualitative consideration by business units during the self-assessment process.
“For each category and each department, we have the loss data and the insurance appropriate to that category and the coverage and limits on lower and upper parameters.”
“In the self-assessment process, the business units should tell us how the risks are mitigated by insurance and report only a net risk.”
[Chart: "Does your firm consider the risk-mitigating effect of insurance in its capital allocation model?" Overall: 27% Yes, 73% No; Yes/No counts are also charted for North America, UK/Europe and Japan/Australia]

Comparisons & Progress Over the Last 6 Months
• Since the Phase I Study, firms’ economic capital allocation models have evolved, resulting in much more focused consideration of the risk-mitigating effects of insurance.
  – 57% of all the firms in the Phase I study did not know or did not respond to the extent to which insurance reduces economic capital, with only 12% saying it worked in their capital allocation models. The remaining 31% of firms noted no reduction from insurance mitigation.
  – The consideration of insurance into evolving models resulted in the following breakdown from the same 30 firms in Phase I and Phase II.
[Charts: Phase I, "To what extent does your use of insurance reduce the economic capital you allocate to operational risk?" Categories: Well; Not Well/No Reduction; Don't Know/No Response. Phase II, "Do you anticipate the incorporation of insurance in your economic capital model?" Categories: Already Incorporated; Foresee Future Incorporation; No Future Incorporation. Values shown across the two charts: 21%, 20%, 27%, 41%, 38%, 53%]
  – The 41% of firms in Phase I with no expressed view have now formed their positions, which trend towards more inclusion of insurance in the economic capital models.

Mapping of Insurance into Loss Event Types
• Most firms acknowledge that they track the types of insurance available and the types of events they cover, but most have not formally mapped those to specific loss event types.
  – Some firms have not mapped insurance because of time constraints while other firms note that insurance policies can fall into multiple categories, making the exercise moot.
[Chart: "Does your firm have methods in place to map insurance to loss event types?" Overall: 30% Yes, 70% No; Yes/No counts are also charted for North America, UK/Europe and Japan/Australia]

Operational Risk Losses and Insurance Performance
• Firms have encountered a large variety of operational risk losses, with insurance performing well within its expectations.
  – Most firms are not experiencing the large losses from which they could evaluate the effectiveness of insurance in major tail risk situations, but insurance has performed well in addressing losses actually encountered.
  – Smaller firms contend that their tail events are not large enough to warrant buying the high deductible insurances, but rather consist of unexpected property losses or system breakdowns.
  – Insurance has performed very well in traditional policies, including resounding support for the property insurance regarding World Trade Center losses.
  – Typical loss experiences include:
    • Property damages from various sources including external events and fire
    • Weather-related property losses due to floods, tornados, etc.
    • Internal fraud
    • External fraud

Operational Risk Losses and Insurance Performance
• Firms have encountered some losses that are not insurable or lawsuits that have made recovery untimely or unattainable.
  – Several firms have encountered regulatory fines as their largest operational risk losses and there is no insurance available to protect against that risk.
  – Firms contend that the lawsuits necessary to recover losses from some events are prohibitively expensive, resulting in a loss because recovering it would cost more than the loss itself.
  – The markets are so expensive in insurance right now that most firms feel the insurance industry needs to work with them to try and meet their evolving operational risk needs, though several firms remain skeptical of insurance offsets.
  – Typical loss experiences include:
    • Trading losses due to untimely execution
    • Regulatory fines
    • Credit default events
    • Reporting errors
    • Various lawsuits

Conclusions
• Financial institutions’ approach to operational risk management has been evolving rapidly over the past 6 months, and emerging best practices have resulted in several key areas:
  – Resources are growing to a critical mass
  – Reporting has grown and familiarity with operational risk is pervading the banks
  – Self-assessment systems and data collection have been implemented in preparation for 2006
• Two disparate approaches have been adopted in economic capital allocation, though firms vary widely still on how they incorporate self-assessment data, scorecard data, internal and external loss data, key risk indicators and insurance considerations. The two approaches are:
  – A loss data-based Loss Distribution Approach
  – A scenario-based Loss Distribution Approach
• Insurance is beginning to be incorporated into capital allocation models, and has performed well in many ways, though its utilization in operational risk management is still largely undetermined.

Contact Information
• Robert Mackay, Senior Vice President
  National Economic Research Associates, Inc.
  1255 23rd St., NW, Washington, DC 20037
  Tel: (202) 466-9291
  Email: Robert.Mackay@nera.com.com
• Bradley P. Ziff, Vice President
  National Economic Research Associates, Inc.
  1166 Avenue of the Americas, New York, NY 10036
  Tel: (212) 345-7717
  Email: Bradley.Ziff@nera.com.com
• Geremy Connor, Analyst
  National Economic Research Associates, Inc.
  1166 Avenue of the Americas, New York, NY 10036
  Tel: (212) 345-6773
  Email: Geremy.Connor@nera.com
• Chris Bolton, Analyst
  National Economic Research Associates, Inc.
  1255 23rd St., NW, Washington, DC 20037
  Tel: (202) 466-9205
  Email: Christopher.Bolton@nera.com.com