Operational Risk, Scenario Analysis, and External Events: A Regulatory Perspective

Size: px

Start display at page:

Download "Operational Risk, Scenario Analysis, and External Events: A Regulatory Perspective"

Dortha Miles
7 years ago
Views:

1 Operational Risk, Scenario Analysis, and External Events: A Regulatory Perspective Cambridge Centre for Risk Studies 7-8 December 2011 Peter McCormack Risk Specialists Division, Financial Services Authority This presentation does not constitute FSA guidance and should not be relied on as such. For the authoritative explanation of the FSA position on Operational Risk, Scenario Analysis, and External Events please see the FSA Handbook or contact your relationship manager.

constitute FSA guidance and should not be relied on as such.

2 Introduction Section 123 of the Insolvency Act 1986 sets out two criteria for a company to be insolvent: Company cannot pay its bills as they fall due; and The company s liabilities are greater than it s assets It is the same for a bank and regulation tries to address both of these issues: The first in banking terms is known as liquidity risk, reflecting the risk in maturity transformation, and regulation requires banks to hold sufficient liquid assets The second in banking terms is known as capital adequacy and requires the bank to understand the risks in their business and hold adequate capital in respect of those risks. 2

terms is known as liquidity risk, reflecting the risk in maturity transformation, and regulation requires banks to hold sufficient liquid assets The second

3 Capital Adequacy from a capital adequacy perspective, the key risks are the Basel risks of: Credit Risk; Market Risk; and Operational Risk The key differentiating factor about operational risk is that it is not a risk that most firms take on to make a profit, but rather a cost of doing business In addition at the foundation of taking market and credit risk is operational risk 3

operational risk is that it is not a risk that most firms take on to make a profit, but rather

4 Interest in Operational Risk Operational risk has been the subject of much interest in the last 20 years and was a key driver of what is known as the Basel 2 Accord (requiring all banks to hold capital against operational risk) Drivers of its interest are the major operational risk failings: - BCCI - Barings - All First - Soc Gen - UBS 4

(requiring all banks to hold capital against operational risk) Drivers of its

5 What is Operational Risk? What is Operational risk it is defined by the Basel Accord as People, Process, Systems, and external events, including legal risk Why is it so fundamental you cannot run a business without people, process, and systems All business are at risk from external events which are largely outside of their control 5

Systems, and external events, including legal risk Why is it so fundamental you

6 Management of Operational Risk People have always managed operational risk intuitively based on their experience Modern operational risk management allows firms to combine that intuitive management with systematic operational risk management based on a risk framework and a common language Operational risk can generally be managed on an expected loss (EL) basis (absorbed by annual profitability) and on an unexpected loss (UL) basis (large losses that may need to be absorbed by capital) 6

based on a risk framework and a common language Operational risk can generally be managed on an expected loss (EL) basis

7 Management of Operational Risk - EL Expected Loss the most common form of this is the use of RCSA supported by a common language risk identification risk assessment probability / impact analysis inherent / residual risk analysis preventative, detective, and mitigative controls design and performance of controls control cluster analysis Risk appetite Key Risk Indicators Management Information 7

inherent / residual risk analysis preventative, detective, and mitigative controls design and

8 Risk Assessment Severe IT Systems failure (residual after identification and assessment of controls) IT Systems failure (inherent no controls) Impact on Achievement of Objectives Minor Low Probability High Note: where the residual risk position comes out depends on the risk, the performance of the existing control infrastructure and cost-benefit analysis 8

Objectives Minor Low Probability High Note: where the residual risk position comes out

9 Management of Operational Risk - UL Unexpected Loss scenario analysis and stress testing use of workshops bias* availability / anchor / motivation / * Watchorn, E (2007), Applying a Structured Approach to Operational Risk Scenario Analysis in Australia, APRA Working Paper 9

anchor / motivation / * Watchorn, E (2007), Applying a Structured

10 External Events Individual firm scenarios FSA scenario Macro-economic scenario FSA Market Wide exercise 2005 terrorism 2006 pandemic 2009 severe weather 2011 Cyber attack and the Olympics 10

Wide exercise 2005 terrorism 2006 pandemic 2009

11 Market Wide Exercise Introduced in 2003 to give key players in the UK financial markets the opportunity to respond collectively to major operational disruption Process has attracted attention across the world and is copied by regulatory authorities by US, Canada, Singapore and Australia referred to as the gold standard of sector exercising by the SEC scenarios are designed and challenged by independent market experts web-site set up by the FSA, HMT and the Bank of England: 11

Canada, Singapore and Australia referred to as the gold standard of sector exercising by the SEC scenarios are designed and

12 Market Wide Exercise 2011 testing the ability of participants to respond to a concerted cyber attack on the financial sector; and Examining the impact of transport disruption against the backdrop of the Olympics Approximately 5000 people from 87 organisations across the financial sector Over 100 FSA staff participating and playing roles in the exercise FSA tests its own Incident Management Framework 12

Olympics Approximately 5000 people from 87 organisations across the financial sector Over 100 FSA

13 National Risk Register (2010) Cabinet Office

14 Reverse Stress Testing Reverse stress testing requires firms to: Explicitly identify and assess the scenarios that render a business unviable Analyse the likelihood of these scenarios occurring Take mitigating actions now, or put in place triggers for actions in the future Recovery and resolution Recovery plans require firms to identify options to recover financial strength and viability should a firm come under severe stress Resolution planning requires firms to submit detailed information about their business and operational structure via a Resolution Pack 14

and resolution Recovery plans require firms to identify options to recover financial strength and viability should a firm come under severe

15 Integrated Approach to Stress Testing 15

16 Conclusions Operational risk continues to be a cause of major losses for firms. Even when the loss appears to be in another risk category the rootcause analysis often indicates that the underlying cause was an operational risk event. Although it generates less of a capital requirement than credit or market, senior management ignore operational risk at their peril. The severity of scenarios produced by firms, on an objective basis, continues to underestimate the risk suggesting that firms have not been very successful at factoring out bias. 16

17 Questions Dr Peter McCormack Senior Risk Specialist Risk Frameworks & Governance Risk Specialists Division Prudential Business Unit Financial Services Authority 17

November 2007 Recommendations for Business Continuity Management (BCM)

November 2007 Recommendations for Business Continuity Management (BCM) Recommendations for Business Continuity Management (BCM) Contents 1. Background and objectives...2 2. Link with the BCP Swiss Financial