Operational Risk Management
By: A V Vedpuriswar
October 4, 2009

Introduction
Globalization and deregulation of financial markets, combined with increased sophistication in financial technology, have made banking activities very complex. Events such as the September 11 terrorist attacks, rogue trading losses at Barings and the Y2K scare serve to highlight the importance of operational risk management. Operational risks faced by banks today include fraud, system failures, terrorism and employee compensation claims.

Typical Bank Org Structure

Front Office
The more client-facing side of the business is known as the front office. These personnel typically include:
– sales people who act as the main contact point between the bank and its clients.
– traders/market makers, who are responsible for executing trades with various counterparties.

Middle Office

Middle Office functions
– Initial trade verification
– The input of trades into relevant trading systems
– Investigation of any discrepancies in trade details
– Daily P&L reporting
– Reconciliation and updating of trading positions
– Monitoring risk limits

Middle Office functions
The middle office function attempts to bridge the gap between
– the front office
– the back office
The middle office typically gets involved in
– risk management
– control aspects of trading.
The middle office personnel are capable of independently
– valuing portfolios
– analyzing risk positions.

Back Office
In performing its role, the operations area has a major responsibility to control operations risk. The back office should quickly detect errors and bring them to the attention of dealers and management.
Some key responsibilities of back office employees include:
– capturing trade details in the settlement system
– validating trade details
– issuing settlement instructions
– ensuring that the trades settle on the value date
– making payments by electronic transfer mechanisms
– ensuring timely delivery of securities

More about the Back Office
The term ‘operations’ or ‘back office’ describes those operational areas within the bank that deal with the result of trading by the front office. Following the execution of a trade and recording of the trade within the system, trade details are typically fed through an interface between the trading system and settlement system. The starting point for the settlement of trades and all subsequent activities is the capture of the trade details within the settlement system. The moment the details of a trade are captured within the settlement system, the trading position for both securities and cash, at a trading book level, must be updated.

Trade skeleton
The typical trade information fed by a trading system and captured by the settlement system could be described as the ‘trade skeleton’. These are the minimum details a trader or market maker must provide as these items are variable and cannot be guessed by the settlement department.

Recording details
Though the basic details of a trade may appear very clear-cut, the inaccurate recording of the details can lead to unnecessary costs being incurred and risks being taken by the STO. In an attempt to prevent inaccurate information being sent to the outside world, the process of validating trade information is adopted by many banks.

Trade agreement/validation
Failure of the bank and its counterparty to agree about the details of the trade can result in monetary losses if the discrepancy remains unresolved at the value date. Consequently, it has become standard practice in many markets to strive for trade agreement as soon as possible after trade execution.
In many securities marketplaces, individual trade details must be sent to the regulator by a specified deadline.

Settlement: Exchanging Securities and Cash
The exchange of securities and cash is known as settlement within the securities industry. The most efficient and risk-free method of settlement is known as Delivery versus Payment (DvP). DvP involves simultaneous exchange of securities and cash between buyer and seller (through their custodians). The seller is not required to deliver securities until the buyer pays the cash. The buyer is not required to pay cash until the seller delivers the securities.

Free of Payment
The alternative to settling on a DvP basis is to settle on a Free of Payment (FoP) basis. Parties will need to arrange delivery of securities or payment of cash prior to taking possession of the other asset. Due to the risks involved, most STOs avoid settling in this manner, whenever possible.

Settlement Department
The STO must issue a settlement instruction to its custodian in order for settlement to occur. All pending incomes against securities must be carefully monitored. The first step in collection of the benefit is to become aware that the issuer is making a specific income payment. The bank must calculate whether it is in fact entitled to the income. If so, it must assess who will remit the income and monitor the receivable amount until full payment is received. Where it offers a safe custody service to clients, the STO is expected to collect income on behalf of its clients.

Static data
Static data (sometimes referred to as ‘standing data’) describes data that changes occasionally, or not at all. The two principal components are:
– Securities static data
– Counterparty static data.
The data must be carefully maintained. If, for instance, the coupon rate on a bond is not set up correctly, incorrect trade cash values will result.
Static Data
Likewise, the setting up of an incorrect counterparty postal address could result in a client failing to receive a trade confirmation. Books and records must be accurate, up-to-date, complete and reflect reality. Reconciliation is achieved through the comparison of specific pieces of information within the bank’s books and records, and between the bank’s books and records and the outside world.

Compliance
The compliance officers within a bank are responsible for ensuring conformity to the various rules and regulations, as laid down by the local regulatory authority. This includes ensuring that:
– only qualified personnel execute trades on the bank’s behalf;
– reporting of trade and positional information to the regulatory authorities is complete and effected within the stated deadlines;
– methods of investigating trade disputes between the STO and its counterparties are carried out in a thorough and correct manner;
– measures are taken to prevent unlawful activities within the STO, such as insider trading.

Settlement failures
– Insufficient securities
– Insufficient cash
– Unmatched settlement instructions

Definition
The Basel Committee defines operational risk as: "The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events." This definition includes legal risk, but excludes strategic and reputational risk. Banks can adopt their own definitions of operational risk, if the minimum elements in the Committee's definition are included.
Types of Operational Risk
– Internal fraud
– External fraud
– Employment practices and workplace safety
– Clients, products and business practices
– Damage to physical assets
– Business disruption and system failures
– Execution, delivery and process management

Internal Fraud
– Intentional misreporting of positions
– Unauthorized undertaking of transactions
– Deliberate mismarking of positions
– Insider trading (on an employee's own account)
– Malicious destruction of assets
– Theft/robbery/extortion/embezzlement
– Bribes/kickbacks
– Forgery
– Willful tax evasion

External Fraud
– Theft/robbery
– Forgery
– Computer hacking damage
– Theft of information
– Check kiting

Employment practices and workplace safety
– Employee compensation claims
– Wrongful termination
– Violation of health and safety rules
– Discrimination claims
– Harassment
– General liability

Clients, products and business practices
– Breaches of fiduciary duties
– Suitability/disclosure issues (KYC, and so on)
– Account churning
– Misuse of confidential client information
– Antitrust
– Money laundering
– Product defects
– Exceeding client exposure limits

Damage to physical assets
– Natural disasters (earthquakes, fires, floods, and so on)
– Terrorism
– Vandalism

Business disruption and system failures
– Hardware and software failures
– Telecommunication problems
– Utility outages/disruptions

Execution, delivery and process management
– Miscommunication
– Data entry errors
– Missed deadline or responsibility
– Model/system misoperation
– Accounting errors
– Mandatory reporting failures
– Missing or incomplete legal documentation
– Unapproved access given to client accounts
– Non-client counterparty disputes
– Vendor disputes
– Outsourcing

Qualitative assessment
– Environment
– Activities
– Supervision
– Disclosure

Risk Assessment
– Checklists
– Questionnaires
– Workshops
– Scorecards

Operational Risk Indicators
Operational risk indicators attempt to identify potential losses before they happen.
Some indicators are applicable to specific organizational units (for example, transaction volumes and processing errors). Others can be applied across the entire bank (for example, employee turnover, new hires and number of sick days). In practice, the most common risk indicators are lagging or ex-post measures. They provide information on events that have already taken place (e.g., failed trades, settlement errors, and so on).

From lagging into leading indicators
The challenge for risk managers is to transform lagging indicators into leading or predictive indicators. This can be done by changing the focus of the indicators that are tracked or by adding new information to these indicators. Thus the focus of the indicators could be changed to highlight issues that are still outstanding or remain open after a specified period of time (for example, 24 hours) has elapsed. In reality, however, it is not easy to transform lagging indicators into predictive indicators.

Statistical Approaches
Statistical approaches to operational risk measurement generally involve the use of methodologies to quantify operational risk. The approaches involve the collection of actual loss data and the derivation of an empirical statistical distribution. An unexpected loss amount, against which banks must hold a capital buffer, can then be calculated from the distribution. In theory, the unexpected loss can be calculated to any desired target confidence level. In practice, many banks are working towards measuring operational risk to a 99.9% confidence level.

Legal risk
The Basel Committee's definition of operational risk explicitly includes legal risk.
Legal risk is the risk of disruption or adverse impact on the operations or condition of a bank due to:
– unenforceable contracts
– lawsuits
– adverse judgments
– other legal proceedings
It can arise due to a variety of issues, from broad legal or jurisdictional issues to something as simple as a missing provision in an otherwise valid agreement.

Master Agreements
There are now master agreement forms for many financial products. These agreements:
– create a common legal framework that can be understood by all market participants.
– cover most of the major legal points that should be agreed as part of documenting the transactions.
Individual transactions are tied to master agreements with confirmation documents containing specific terms of each transaction.

The master agreements should ideally be negotiated prior to any individual transaction being agreed. But, in many cases, the master agreement is only negotiated as a consequence of the first transaction. Master agreements cover how the parties will conduct themselves in case of the early termination of the contractual agreements due to credit default or other unforeseen events. The agreements specify how the exposures for more than one transaction under the master agreement will be netted against each other.

Reputation Risk
Negative public opinion regarding an institution's practices, whether true or not, may result in a decline in its customer base, expensive litigation and/or a fall in revenue. Reputational risk may cause liquidity difficulties, fall in share price and a significant reduction in market capitalization. In 1994, Bankers Trust was accused of having misled customers by selling them inappropriate derivatives positions. Its reputation was so badly damaged that it was forced into acquisition.

Strategic (Business) Risk
It incorporates the risk arising from an adverse shift in the assumptions, goals and other features that underpin a strategy.
Business Risk is a function of:
– a bank's strategic goals
– the business strategies developed to achieve these goals
– the resources deployed in pursuit of these goals
– the quality of implementation of these resources
Business risk, however, is difficult to assess in practice. It can be particularly difficult to separate from other forms of risk, such as market risk.

Model Risk
Model risk arises out of the failure of a model to sufficiently match reality, or to otherwise deliver the required results. It can arise from a number of issues, including:
– mathematical errors (for example, in determining the formulas for valuing more complex financial instruments)
– the lack of transparent market prices for some of the more illiquid market factors
– invalid assumptions
– inappropriate parameter specification
– incorrect programming

Dealing with model risk
Companies must model the instruments and the portfolio carefully. Very large and unexpected moves may occur in market factors, sometimes in conjunction with each other. Liquidity can suddenly vanish. Being based on assumptions, models are always a simplified representation of what happens under real-life conditions. If these assumptions break down, then the model is worthless. Therefore, modeling for disaster as well as for normal market conditions is highly desirable. This is why stress testing is important in addition to value at risk calculations.