A brief history of Operational Risk Management - Lessons Learned?
Dr. Sebastian Fritz-Morgenthal
Reply Annual Risk Symposium, London, 25th of November 2015

Agenda
1 Evolutionary Steps of Operational Risk Management
2 Challenges
3 Lessons Learned?
4 Summary
1 Evolutionary Steps of Operational Risk Management

Step 1: Denial (before the roaring 1980s at Wall Street)
There is no such thing as Operational Risk. We are in banking, and banking is about managing clients, loans, deposits and trades. We have credit, market and liquidity risk, nothing else!

Step 2: Ignorance (the early 1990s)
We do not have Operational Risks. Well, mistakes happen, but not in our institution!

Step 3: Zero Tolerance (before the Millennium)
We do not accept Operational Risks. Whenever we identify one, we close it!

Step 4: Collect (2000 onwards, Basel 2 preparation)
We collect (and classify) Operational Risks. We collect events, hence we have full transparency about what is going on in our institution.

Step 5: Measure (Basel 2 Advanced Measurement Approach (AMA) in action, 2007-08)
We use our own (and external) events to measure and simulate operational risk. Our measurement gives us a precise view of our operational risk profile. Hence, we can actively manage it.

Step 6: Wake up (2009 onwards, multi-billion OR losses)
Apparently, our AMA does not have much to do with our true risk profile. Our model describes the past and has nothing to do with what is going on in the bank.

You know these three chaps? (image slide)
Ever heard about the whale of London? (image slide)
How about this one? (image slide)

A view on Data Security from an Insurer (chart slide)
Source: Zurich Insurance Group, September 2015. ICT: Information and Communication Technology.
From the Vasa to the Basel framework: The dangers of instability
Speech by Mr. Stefan Ingves, Chairman of the Basel Committee and Governor of Sveriges Riksbank, at the Unique Lecture at the 2015 Annual Convention of the Asociación de Mercados Financieros, 2 November 2015, Madrid, Spain:
"The Committee will publish proposals around the end of the year related to the use of models. In some cases, the proposals will remove internally modelled approaches for some risk categories. One example is operational risk, where most would agree that the benefits of the Advanced Measurement Approaches are not proportionate to the related costs and complexity. In other cases, the proposals will consist of introducing additional constraints to internally modelled approaches. More detail on the Committee's thinking in these areas will come in due course."
Source: http://www.bis.org/speeches/sp151102.htm

Step 7: The new normal (2015 onwards)
How can we improve Operational Risk Measurement and Management? What does not work? What do we need instead?
2 Challenges

1. How to manage the risk of human failure?
2. How to deal with the threat to the bank's data and systems?
3. How to overcome the complexity of the bank's operating model?
3 Lessons Learned?

What did not work?
Human Failure: 88% (chart of ORX loss event categories: External Fraud; Internal Fraud; Execution, Delivery & Process Management; Clients, Products & Business Practices; Employment Practices & Workplace Safety; Natural Disasters & Public Safety; Technology & Infrastructure Failures)
Source: 2012 ORX Report on Operational Risk Loss Data (average total gross loss of €1.88 per €100 of gross income), Operational Riskdata eXchange Association (ORX); newspapers
Some studies show a relationship between individual risk appetite and behaviour, or even the tendency to bend the rules. Example: similarities between Jérôme Kerviel and Kweku Adoboli.

Similarities (Société Générale (SG), Jérôme Kerviel, 2008 / UBS, Kweku Adoboli, 2011):
- Decent degree at a secondary university
- Straight to SG / UBS after university
- Former trade support/control; knowledge of back office processes and controls
- No possibility of personal gain except bonus
- SG / UBS describes him as a single person acting on his own
- Supposed to be client facilitation
- Aged 31 when arrested

Key Risk Indicators:
- Lifestyle (gambling and debt)
- Personal account dealing
- Tracking of mandatory time away / adherence to holiday policy
- Chat protocols / emails / Bloomberg Messenger / social media
- Password misuse
- Tracking of unusual office hours
- Unauthorized use / access of profiles
- Code of Conduct breaches
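Key Risk Indicators of this kind only help if someone actually computes them from the systems that already hold the evidence: the access log and the HR leave table. The following Python script is an added example, not code from the slides or from any bank's or Reply's own tooling. It evaluates four of the indicators listed above over constructed sample data: mandatory time away (no uninterrupted block leave), unusual office hours, work under a profile the user is not entitled to, and the same account active on two workstations within minutes (a password-sharing signal). The log layout, the field names, the 10-business-day block-leave minimum, the 06:00-21:00 office window and the 5-minute concurrency window are all assumptions made for the example.

```python
"""Rogue-trader / insider Key Risk Indicators over constructed sample data.

Added example, not from the original slide deck. All thresholds, field names
and the sample records below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access log (not real data): (user, local timestamp, workstation, profile used)
ACCESS_LOG = [
    ("trader_a", "2015-03-02T07:55:00", "ws-fo-01", "FO_TRADING"),
    ("trader_a", "2015-03-02T23:40:00", "ws-fo-01", "FO_TRADING"),  # late night
    ("trader_a", "2015-03-03T22:10:00", "ws-bo-07", "BO_CONFIRM"),  # back-office profile
    ("trader_a", "2015-03-07T10:00:00", "ws-fo-01", "FO_TRADING"),  # Saturday
    ("trader_b", "2015-03-02T08:30:00", "ws-fo-02", "FO_TRADING"),
    ("trader_b", "2015-03-02T08:31:00", "ws-fo-09", "FO_TRADING"),  # second desk, 1 min later
    ("clerk_c",  "2015-03-02T08:00:00", "ws-bo-07", "BO_CONFIRM"),
]
# Constructed HR data: profiles each user is entitled to, and approved leave (inclusive ranges)
ENTITLEMENTS = {"trader_a": {"FO_TRADING"}, "trader_b": {"FO_TRADING"}, "clerk_c": {"BO_CONFIRM"}}
LEAVE = {
    "trader_a": [("2015-01-12", "2015-01-16"), ("2015-08-03", "2015-08-05")],  # never a full block
    "trader_b": [("2015-07-06", "2015-07-17")],                               # 10 business days
    "clerk_c": [("2015-04-06", "2015-04-17")],
}
# Assumed policy parameters (not taken from the slides)
MIN_BLOCK_LEAVE_BUSINESS_DAYS = 10
OFFICE_HOURS = (6, 21)            # 06:00 to 21:00 counts as normal
CONCURRENT_WINDOW = timedelta(minutes=5)


def _dt(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def business_days(start, end):
    """Count Monday-to-Friday days in the inclusive ISO date range start..end."""
    d0 = datetime.strptime(start, "%Y-%m-%d").date()
    d1 = datetime.strptime(end, "%Y-%m-%d").date()
    return sum(1 for i in range((d1 - d0).days + 1) if (d0 + timedelta(days=i)).weekday() < 5)


def kri_mandatory_time_away(leave, min_days=MIN_BLOCK_LEAVE_BUSINESS_DAYS):
    """Users who never took a single uninterrupted leave block of min_days business days."""
    return sorted(u for u, blocks in leave.items()
                  if max((business_days(s, e) for s, e in blocks), default=0) < min_days)


def kri_unusual_hours(log, office_hours=OFFICE_HOURS):
    """Per-user count of weekend or out-of-hours events (only users with at least one)."""
    lo, hi = office_hours
    counts = defaultdict(int)
    for user, ts, _ws, _profile in log:
        t = _dt(ts)
        if t.weekday() >= 5 or not (lo <= t.hour < hi):
            counts[user] += 1
    return dict(counts)


def kri_profile_misuse(log, entitlements):
    """Events where a user worked under a profile HR has not entitled them to."""
    return [(user, ts, profile) for user, ts, _ws, profile in log
            if profile not in entitlements.get(user, set())]


def kri_shared_credentials(log, window=CONCURRENT_WINDOW):
    """Same account active on two different workstations within `window` of each other."""
    by_user = defaultdict(list)
    for user, ts, ws, _profile in log:
        by_user[user].append((_dt(ts), ws))
    findings = []
    for user, events in by_user.items():
        events.sort()
        for (t1, ws1), (t2, ws2) in zip(events, events[1:]):
            if ws1 != ws2 and t2 - t1 <= window:
                findings.append((user, ws1, ws2, int((t2 - t1).total_seconds())))
    return findings


def kri_scores(log=ACCESS_LOG, entitlements=ENTITLEMENTS, leave=LEAVE):
    """Number of distinct indicators triggered per user, highest first; the review queue."""
    scores = defaultdict(int)
    for u in kri_mandatory_time_away(leave):
        scores[u] += 1
    for u in kri_unusual_hours(log):
        scores[u] += 1
    for u in {f[0] for f in kri_profile_misuse(log, entitlements)}:
        scores[u] += 1
    for u in {f[0] for f in kri_shared_credentials(log)}:
        scores[u] += 1
    return dict(sorted(scores.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for user, n in kri_scores().items():
        print(f"{user}: {n} KRI(s) triggered")
```

Run as a script it prints one line per flagged user. On the constructed data trader_a trips three indicators (no block leave, out-of-hours activity, and a back-office profile the front-office role was never entitled to), which is exactly the combination the slide describes: someone with back-office knowledge and access who is never away long enough for a colleague to unwind the book. Each indicator alone produces noise; the value is in counting how many fire for the same person and feeding that count into the human-failure part of the framework rather than into an audit checklist.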
However, risk management functions usually do not cover the behaviour of their own employees. The Operational Risk Management Framework should include individual behaviour as well as interaction within and between teams.

Operational Risk Management Framework (diagram):
- Core cycle: Identification, Assessment, Treatment, Monitoring, Risk Reporting
- Foundations: Policies, Strategy & Procedures; Governance and Organization; Culture and Awareness
- Human Failure: profiling of the individual and of the team
Potential risks and propensities can be extracted from individual and team assessments (illustrative matrix):
- Axes: Control Dimension (Controlled / Balanced / Impulsive) against Orientation Dimension (Introvert / Extrovert)
- Behaviour types plotted: Introvert Activated, Extrovert Activated, Performance Driven, Cautious, Introvert Inhibited, Extrovert Inhibited; individuals (A-H) and teams (W-Z) are placed on the matrix with a potential-risk level of Low, Medium or High
- Potential risks noted for individuals and teams: decision based on own advantage, late decision taking, missing collaboration, no decision taken, hasty decision taking, problem announcement was too late
Massive data growth rates are potentially overwhelming risk management capabilities (diagram of drivers: Internal Data, External Data, New Market Trends, Regulatory Requirements, Business Model Risk, Reputational Risk, Risk of Fraud, Risk of data theft).

Key questions:
- Do you know your data?
- Is the treasure of internal data secure?
- How to measure legal risk?
- What controls are in place to prevent fraud?
- Do we adapt too slowly to market trends? Or too quickly? Can business processes adapt fast enough to market changes?
To Do List on Cybersecurity
1. Push accountability for cyber risks, starting with board-level cyber risk management. Cyber risks could bankrupt companies, so companies must include a broad view of global aggregations of cyber risk in their risk registers, hold executives accountable, and move away from a checklist/audit perspective.
2. Get insured. With cyber insurance, companies can transfer cyber risks, especially third party risks associated with data breaches or business interruption.
3. Extend the horizon of risk management to counterparties, contract and outsourced partners, and upstream infrastructure. For example, one financial institution reviewed every contract and outsourcing agreement, rating the criticality of each, and auditing those on which it had the most exposure.
Source: http://knowledge.zurich.com/cyber-risk/overcome-by-cyber-risks/
Process mapping shows process and control issues (illustrative banking example; process map diagram)
Process stages mapped: Trade Capture, Trade Validation, Confirmation, Fixing, Payments Reconciliation, Trade Event Monitoring, Final Maturity. Legend: manual step, automated step, auxiliary systems, process issues.
Process issues identified on the map:
- No counterparty hierarchy or single identifier, which could result in an inadequate RWA calculation
- Hedging does not comply with T/Cs
- Confirmation does not comply with T/Cs
- Confirmation is in the wrong currency
- Suboptimal allocation of collateral
- Common cross-functional errors in legal document management
Footnotes: 1 Share price development in Appendix; 2 Total net interest and trading income of 6.847 bn CHF in 2010 (before event) and 4.872 bn CHF in 2012 (UBS Annual Report 2012)
4 Summary

Summary (I/II)
Step  Approach          Description
1     Denial            There is no such thing as Operational Risk
2     Ignorance         We do not have Operational Risks
3     Zero Tolerance    We do not accept Operational Risks
4     Collect           We collect (and classify) Operational Risks
5     Measure           We use our own (and external) events to measure and simulate operational risk
6     Wake up           Apparently, our AMA has not much to do with our true risk profile
7     The new normal?   How can we improve Operational Risk Measurement and Management?
Summary (II/II)
Use and care for your internal OR model, but also do the following:
1. Implement clear process mapping AND Three Lines of Defense
2. Manage your data and systems as if they were your crown jewels
3. Have a clear view on the risk of human failure AND try to manage it