Loss Data Collection: Expectations & New Approaches. OpRisk North America Conference March 19, 2013 Lou Santamaria, Director Operational Risk

Transcription

1 Loss Data Collection: Expectations & New Approaches OpRisk North America Conference March 19, 2013 Lou Santamaria, Director Operational Risk

2 Disclaimer The observations and commentary provided as part of this presentation are my own and do not necessarily represent those of Scotiabank. 1

3 Agenda Expectations Loss Data Elements Key Considerations Developments in Internal Loss Data Developments in External Loss Data Data Gaps Operational Risk Reporting How Is Success Measured? 2

4 Expectations The objectives for the verification and control of OpRisk loss data includes ensuring the accuracy, consistency, completeness and timeliness of data. What is required? 1. Data collection and change standards. 2. Ownership must be clearly defined. 3. Completeness and accuracy. 4. Internal and External loss data. 5. Ability to compute Expected Losses and Unexpected Losses 6. Ongoing status quo is not an option. 7. As data gathering capabilities and industry practices evolve, there is an expectation that ongoing improvements are made to systems. 3

5 Loss Data Elements 1. Data Collection Complete, accurate and timely. 2. Data Processing Automation, validation and processing controls. 3. Data Access & Retrieval Extract & query capabilities and no limitations if database / system is outsourced. 4. Data Storage & Retention Documented policies & procedures regarding storage, retention and archiving. Back up & recovery. 5. Data Reporting & Analysis Reporting thresholds in place and monitored. Verification & validation work completed and distributed. Root cause analysis completed, identify corrective actions and apply lessons learned. 6. Business Process Mapping Policies & Principles Policies & procedures in place re: business process mapping practices. Independent challenge to identify business processes which cut across multiple groups. All activities mapped into the eight level 1 business lines. 4

6 Key Considerations Identify risk factors influencing the data being obtained, establish thresholds. Does your organization have a centralized structure for collection and reporting? Do you have established data sources or is there a reliance on the general ledger? Losses are identified firm-wide based on global industry standards. Analysis is being conducted. Consider back testing to ensure reliability. Is reconciliation to your General Ledger possible in your organization? Are escalation and reporting processes in place to keep senior management and the Board informed. Let s not forget Timeliness of reported data. Applied to economic capital model and regulatory capital model for the Advanced Measurement Approach. 5

7 Developments In Internal Loss Data A financial institution must have operational risk data and assessment systems that capture operational risks to which the bank is exposed. 1. No fault culture. 2. Aggregation of related internal events. 3. Credit / Operational Risk Boundary events. 4. Legal events. 5. Near Misses / Rapid Recovery. 6. Expand analytics by developing ability to recognize patterns to identify repeating sources of losses. 7. Thresholds for collection and reporting are critical. 8. Loss Data is a key input into AMA Capital models. 9. Establish a Risk Tolerance or Risk Appetite. 10. Some losses are recoverable (partial or whole). 11. Operational Risk Loss Data Cycle: Anticipate Mitigate Recoveries 12. Inflation factor as your loss database matures. 6

8 Developments In External Loss Data 1. External loss data sources 2. Participation in Industry taxonomy 3. Consider different types of industry services 4. Exchange rates When using global or regional data Fluctuations over time (do we adjust ongoing?) 5. Challenges with External Data: Filtering of external data large events tend to skew data Scaling of external data may be required to improve data relevance to your organization (But How?) Inconsistencies in loss reporting Capturing capabilities Event classification Aggregation of root cause loss events Geographic issues / risks (Europe vs. North America vs. South America) Anonymity makes us incapable to be more granular in its use 7

9 Data Gaps Data Gaps can be defined as not having sufficient data or loss events in a particular cell, or more specifically, for a particular event type or business line. Steps to take: 1. Ensure all applicable data is being captured and collected. 2. Reach out to business line contacts to minimize gaps. 3. Develop a reconciliation process and engage stakeholders to ensure completeness and accuracy. Inspite of your best efforts, data gaps may still be present: 1. Develop a process to supplement with external data. 2. Scenario analysis could be selectively used as a comparison to model simulation of capital calculated. (Can be a benchmark) 3. Stress test your model results against scenario analysis results (firewall is important here). 4. Ask business line experts as to their opinion of loss events below the reporting thresholds. LDA modelling can be used to estimate losses below established reporting thresholds The fit above reflects the ability to recover the percentage of unreported losses (in this example it is 60%). 8

10 Operational Risk Reporting Operational risk management has been generally focused on estimating the extent of actual potential losses. How can reporting assist in minimizing future losses? Global operational risk reporting provides a foundation for global communication of key operational risk related issues and trends. Steps are: 1. Data gathering; 2. Analysis that produces meaningful information; 3. Engage Senior Management; and 4. Synthesize the information. Reports should not just provide raw data such as loss totals. How is reporting helping your organization to better manage operational risk? Issues and trends should be identified. Benchmark against your main competitors and the industry as a whole. Reporting should be transparent and facilitate management decision making. Ask yourself How is loss identification and reporting assisting in mitigating future losses? Scorecard? Consider the So What? factor. 9

11 OpRisk Losses OpRisk Losses How Is Success Measured? There can be Qualitative and Quantitative measurements of success: A reduction or increase in Operational Risk Losses measured in dollars (severity)? A reduction or increase in Operational Risk Losses measured in number of events (frequency)? How about in how much capital is required and allocated? Measurement against established thresholds or benchmarks? How do we deal with this as loss data capabilities improve? As losses increase, does this mean improved reporting and capture of events, or deteriorating controls? Measurement against Industry peers (how to properly compare?) Effective Risk Identification Level of Success Effective Risk Controls Level of Success 10

12 How Is Success Measured? (Cont d) Expansion of, or introduction of, new procedures within the business lines or support areas to mitigate future losses. Are operational risk issues on senior managements radar? Implementation of an Operational Risk Framework Establishment of an Operational Risk Committee within each business line. Governance Organization Risk Appetite Tools & Processes Risk Ownership 11

13 Questions? 12