An Operational Risk Management Tool for the Cypriot Bank Sector

Charalambides Marios*, Vassiliou Vassos**, Avgousti Rodoula*** and Menicou Michalis****

Operational Risk, although relatively new to the banking sector, has become a crucial part of any banking institution's risk department. Although the current European economic crisis has surpassed any known loss derived from an Operational Risk event, stricter controls enforced by the European Authorities highly affected the Operational Risk capital requirements. As a result, these capital requirements must be quantified as accurately as possible in order for any banking institution to be considered solvent and healthy. This paper presents the efforts for developing an Operational Risk Management software tool for countries such as Cyprus, in which the banking sector is significantly larger than the country's GDP. Starting with an overview of the Cyprus banking sector and its particularities, the paper then continues with the presentation of the discrete stages towards the development of the software tool, emphasizing key findings along the way.

Track: Banking, Operational Risk Management, Risk Software Tools

1. Introduction

During the last few years the banking sector has experienced considerable losses due to operational failures. The increasingly stricter requirements and policies imposed by Regulatory Authorities, the European Union (EU) and the Local Authorities for applying controls and safeguards to increase their viability and competitiveness have led many Solution Providers to develop Governance, Risk Management and Compliance (GRC) software. Many financial institutions, Insurance Companies and other Organizations across the globe have already taken necessary and sufficient steps and, with the assistance of rich and functional GRC solutions, are already in a very strong position in the Operational Risk Management (ORM) business area.
At this point, the majority of the Cypriot banking institutions mainly collect data only on some loss events without using a systematic approach on data collection and assessment practices.

*Dr. Charalambides Marios, Frederick Research Centre, Frederick University, Nicosia Cyprus. Email: bus.chm@fit.ac.cy, Tel: +357.22.34.51.59 (ext. 112), Fax.: +357.22.43.82.34
**Mr. Vassiliou Vassos, Frederick Research Centre, Frederick University, Nicosia Cyprus. Email: eng.vv@fit.ac.cy
***Rodoula Avgousti, Synectics Ltd, Nicosia, Cyprus. Email: rodoula@synecticsconsulting.com
****Dr. Menicou Michalis, Frederick Research Centre, Frederick University, Nicosia Cyprus. Email: eng.mm@fit.ac.cy

In light of the current legislation and realities, Cypriot banking institutions must proceed to the next level of documenting all loss events using a centralized risk framework. The size of the institutions, the allocation of business in different geographic areas and the type of business lines they operate create a mixture of characteristics that has to be assessed accordingly. These individualities have led to the creation of a consortium of local experts together with the Association of Cyprus Banks for the development of a software database tool, customized for these special needs and desires but at the same time up to the international standards.

The rest of the paper is structured as follows. Firstly, an overall description of the Cyprus banking system is given, pointing out the major particularities and the key weaknesses that emphasize the need for a customized software tool. Next, the aim and objectives of the performed market research are described, followed by a detailed methodology walkthrough. Crucial findings from all phases of the market research are presented next, outlining the existing gap between the commercial software tools, the Operational Risk level of the Cyprus banking sector and the institutions' needs. The extracted findings are then translated into must-have specifications and business requirements the software tool must incorporate and, finally, some of the important software modules are given in more detail.

2. The Cyprus Banking system

The Cyprus Banking System is quite unique compared to the corresponding systems in the Euro zone. To begin with, Cyprus has one of the largest banking systems compared to its economy, 896% of Gross Domestic Product (GDP) in 2010, while the EU's average is about 360% (Stephanou, 2011). From this perspective the Cyprus banking system is not unique, since there are other countries with similar statistics such as Ireland and Malta, while Luxembourg's banking system is more than 2100% of its GDP.
Figure 1 below (Stephanou, 2011) gives the size of the banking system for selected countries in the EU.

Figure 1: Size of Banking System for selected EU countries end 2009 (ECB 2010)

Two characteristics though seem to differentiate Cyprus from the other countries. Firstly, locally owned institutions accounted for about 63% of the total assets in 2009 while the remaining percentage of foreign presence is
mostly limited to subsidiaries of mostly Greek Banks. On the other hand, foreign presence of large banking institutions is considerable in Ireland, Malta and Luxembourg, either in the form of foreign branches or subsidiaries. At the same time, Cyprus banking institutions have expanded their operations considerably, mostly in Greece, and concurrently they have invested a large percentage of their capital into Greek government bonds. The above mixture is now creating an unstable environment due to the current economic crisis in Greece and the large losses Cyprus banking institutions are experiencing due to the Greek bond haircut. The current, explosive mixture of political uncertainty in Greece brings great concerns about the new possible losses (defaults etc.) that will materialize in the case Greece exits the Euro zone.

Cyprus banking institutions are small in absolute figures, but their large size as a proportion of GDP as well as the characteristics pointed out earlier set them apart from those of other countries. The Bank of Cyprus, Laiki Bank (very recently known as Marfin Laiki Bank) and Hellenic Bank control about 55% of domestic deposits and 48% of domestic loans as of March 2011 (Stephanou, 2011), and they dominate in most financial services. Figure 2, also from Stephanou (2011), shows the size of selected institutions as a percentage of GDP.

Figure 2: Size of selected Credit Institutions to GDP end 2009 (The Banker, World Bank)

The large size of Cyprus banking institutions generates systemic risk. By definition this is the risk of disruption to financial services that is caused by an impairment of all or parts of the financial system and has the potential to have serious negative consequences for the economy (IMF, BIS and FSB, October 2009). In simple words, these institutions are often characterized as "Too Big to Fail".
At a time when the European crisis is growing and European economies are either in decline or, in the best case, in stagnation, the government bonds of the Republic of Cyprus are rated junk by most accreditation agencies. The size of financial support needed for these institutions is probably going to force the
Cyprus government to resort to the European Financial Stability Facility (EFSF). It turns out that the policies and the form of the Cyprus banking system will change considerably in the near future, to say the least. Major change will affect the way management calculates credit risks, but without doubt the changes will influence all kinds of risk assessments, including Operational Risk.

What follows is the description of an endeavor to develop an Operational Risk Management software tool that will encourage, support and enable the Cyprus banking sector to evolve and apply higher complexity methods for calculating the Operational Risk capital requirements, in order for it to survive in the recent highly volatile environment.

3. Market Research

At the time of composing and submitting the research project whose results are presented in this paper, the European economies were in the calm state of transition from the credit crunch in the US, unaware of the forthcoming financial tsunami. The following subsections present the full scale exploratory market research for the Cyprus banking system. The basic aim was to examine the operational risk awareness and practices of the Cyprus banking system and to evaluate appropriate existing software solutions. The objective was to collect all necessary information needed for the development of a new, lighter, dedicated operational risk management software that will be designed and engineered to incorporate all particularities of the Cyprus banking system while at the same time incorporating what are considered worldwide best practices.

3.1. Methodology

The market research was divided into three phases, the first being a survey among the existing operational risk management software solutions. The second phase had the typical form of a structured questionnaire composed of three main sections, each of which was intended to extract a different set of information.
The third and final phase was the focus group meetings, at which unstructured discussions were held regarding all aspects of Operational Risk.

During the first phase, the survey conducted by the research team was focused on identifying the key features of the various software tools that are currently used by organizations for operational risk management. The methodology followed was organized in the following steps: (a) literature review of articles and books in the areas of governance, operational risk management, data loss collection, risk assessment, control assessment, key risk indicators, risk analysis, dashboards for risk managers, and audit and compliance; (b) definition of software evaluation criteria such as cost, technology, industry and software related features; (c) design of a task implementation plan that included both resources and timelines; (d) investigation using the World Wide Web and references found in the bibliography; (e) preparation of a list of software used widely for risk management; (f) software evaluation, which included collection of software features from demos, brochures, screenshots, websites and existing clients' evaluations, and detailed analysis of the capabilities of each feature. In this
way, it was made possible to identify the strengths and weaknesses of each software, and also to list possible features of the new tool to be developed. For software analysis, a shortlist of popular operational risk software solutions was created with information from Chartis (2010), a leading research and advisory services firm focused exclusively on the risk technology market. This shortlist consisted of the following software tools: (1) Open Pages, (2) SAS, (3) BWise, (4) Metric Stream and (5) SUNGARD Ambit.

The results of the market survey, together with the experience of the software team as service providers of the banking sector, were used for the design of a questionnaire which was disseminated to the participating companies, all of which are members of the Cyprus Bank Association.

The second phase followed the procedures of typical market research, in which the target population, sampling frame and sample size were set. In particular, the target population was the entire member list of the Association of Cyprus Banks, and specifically the operational risk departments of these institutions; thus the surveyed units were the institutions' departments. The sampling frame was then easily produced since all institutions could be found and categorized; thus the sample size was 12 banking institutions in total, from which it was aimed to collect at least one response per institution. The sampling procedure was non-probability, a straightforward method taking into account the fact that the market research aimed specifically at the operational risk departments of financial institutions. In particular, the purposive sampling type was chosen, which allowed us to include the specific units in the sample frame. The questionnaire was developed in two languages and disseminated with an accompanying letter explaining the survey's purpose and ensuring the anonymity of responders and the safety of the information collected.
The research lasted for three weeks and the response rate was significantly high, getting 9 responses out of the 12 institutions. The questionnaire had a structured form composed of 3 sections titled: (A) questions referring to the Institution/Organization and the Operational Risk department; (B) questions regarding the current practices and processes for recording and managing Operational Risk; and (C) questions referring to the development of a new Operational Risk Management Software Tool designed for the Greek & Cyprus market. A total of 23 questions constituted the questionnaire, which was disseminated to the interviewees via email. The questions were of 4 types: (a) multiple answers, (b) multiple answers graded on a Likert scale, (c) open-ended and (d) dichotomous. The analysis was done using SPSS v16.

3.2. Key Results and Discussion

A part of the market research's first phase was the evaluation of existing commercial software tools. To this end, 26 different criteria were identified and grouped into 4 relevant categories, which were (a) cost; (b) technology; (c) industry; and (d) software features. Each tool was then
evaluated across the 26 criteria using a scale of 0 to 5, where 0 indicated that a feature is not supported while 5 indicated that a feature is fully supported. Table I below (Synectics Ltd, 2011a) depicts a part of the tools' evaluation scores against the 26 criteria. Note that each criteria category and each criterion carries the same weight, thus the summation of all leads to the overall evaluation score for each tool. The individual scoring was decided by a team of IT specialists and business experts using, among other sources, demos, brochures, screenshots, websites and existing clients' evaluations.

Table I Evaluation of commercial ORM tools

Software tools (column order): Open Pages, SAS, BWise, Metric Stream, SUNGARD - Ambit

Cost
  Licensing: 3 4 4 4 0
  Investment in hardware: 3 0 0 0 0
  Direct Sales & support in EU: 5 5 3 3 4
Technology
  Web-application: 5 5 5 5 5
  Windows-application: 0 0 0 0 0
  Database independent: 0 0 5 0 0
Industry
  Internal Audit Support: 5 5 5 5 5
  Risk Assessment: 5 4 5 4 0
  Heat Maps: 5 4 3 3
Software Features
  Report export in xls, csv: 5 5 0 0 0
  Email Notifications: 3 5 4 3 4
  Task manager: 3 0 5 0 0
Total Score*: 98 88 89 80 79

Source: Authors' calculations
*Includes the sum of all 26 criteria not shown here

Following the evaluation of the commercial tools, the second phase of the market research took place using the results extracted above. The following paragraphs focus on the questionnaire's questions related directly to the development of the new Operational Risk software and present key results extracted through the descriptive statistics analysis.

The analysis starts with Figure 3, which describes the approaches currently used at Cyprus banking institutions for the calculation of the capital requirement based on the New Basel Capital Accord, also known as Basel II (FRC, 2011). As it turns out, only one bank uses the Standardized Approach while all others are still at the first level of analysis as described through the Basic Indicator Approach.
This finding is crucial taking into account the size of banking institutions compared to the country's GDP and how an adverse
event can actually destroy the whole economy, thus signifying the need for moving to a higher level of Operational Risk Management approach.

Figure 3: Approach used from Cyprus Banks for calculating the Capital Requirement

The following Figure 4 illustrates the answers to question 11 regarding the challenges faced by the institutions in moving to the next approach. It is obvious that "Inadequate software tools", "Quality of data" and "Lack of historic data" are the major constraints for not proceeding to the next level. On the other hand, the department employees have the necessary training, as depicted by the "Inadequate employee training" option, as well as the support of the top level managers, both critical elements for the successful implementation of more complex methods.

Figure 4: Challenges faced in order to move from the Basic Indicator approach to the Standardized approach
[Bar chart, 0% to 100%, legend: Yes / No / Missing. Categories: Other; Inadequate soft. tools for collecting & analysis data; High volume of data pending processing; Low priority; Lack of time; Low quality data; Lack of historic data; Lack of manag. support; Inadequate employee training in loss event collection]

Finally, Figure 5 below illustrates the features that are considered by institutions' representatives as important in an Operational Risk Management tool.
Figure 5: The degree of importance of different features as rated by the banking institutions
[Bar chart, 0% to 100%, legend: Yes / No. Categories: Other; Flexible & extendable to comply with regulations; Easy import of external data; Compatible with Oracle & Microsoft databases; Posting of email notifications; Multilingual interface; Adaptable in the Organization's structure; Small Investment in hardware; Historic Data & Full Audit; Embedded reports for Superv. Authorities; Parameterised & Customisable BL & Event Type; Heat maps; Reports Exporting in Excel & PDF; Desktop application; Web application]

As can be seen, the features that get approval by the majority of the responders are the ability to export reports to MS Excel and PDF file versions; the need for the software to be flexible and expandable to the regional regulations; the adaptability feature, so as to incorporate the particularities of the organization; and finally, to be a web application. In contrast, features such as the development of Heat maps and the importing of external data do not have a consensus among the responders' answers. Here it is also important to state that the option "Other" with importance 100% indicates that all responders also proposed extra features that they consider essential for the new software.

The aforementioned results helped the research team perform a form of gap analysis for the Cyprus banking sector. It basically identified the strengths and weaknesses of the commercial software tools, as these appear when applied to the domestic banking sector, and at the same time evaluated the banking institutions' preparedness level in terms of Operational Risk, covering key areas such as type of approach used, obstacles in applying more complex methods, level of personnel training, etc.

The third and final phase of the market research considered the arrangement of focus group meetings. The meetings were scheduled with small teams of participants in order to discuss mainly the market research results.
In particular, 2 focus group meetings took place during which key findings were discussed. To further facilitate the discussion, the participants were asked open-ended questions, giving them the opportunity to express their opinion regarding the market research findings based on their experience. These meetings further enhanced the authors' understanding of all aspects of Operational Risk practices and management in the Cyprus banking sector.

4. Specification Catalogue

The findings extracted from the first phase of the market research and the end users' feedback received through the next two phases of the market research, together with the directions of the European and Cypriot Central Bank and the Basel Accords regarding banking supervision, have led to the finalization of the characteristics of the system to be developed. Below are the technical characteristics that the developed System must include in order to be competitive in the market place of Operational Risk (Synectics Ltd, 2011b).

Figure 6: Technical requirement of new OR tool

Moreover, the following Table II presents a detailed view of the main business areas and the requirements that the developed software tool must cover in order to provide complete and effective Operational Risk Management, as these were identified through the market research.

Table II Business requirement (Synectics Ltd, 2011b)

Business Requirements
1 Loss Data Collection
  Loss Event Details
  Near Misses
  Mapping to Event Type and Business Lines
  Basel II Compliant
  Support Multiple Currencies
  Support Causal Analysis
  Linking Risks to Loss Events
  Documentation
2 Risk Management
  Risk Register
  Control Register
  KRI Register
  Risk Assessment (before & after the implementation of Controls)
  Risk Mitigation
  Action Plans
  RCSA Exercise
3 Rich Reporting Functionality
  Statistical Reports
  Graphs
  Heat maps
  Matrices
4 User Management
  User Role Management
  Reassign Ownerships
5 Historical Data / Full Audit Trail
6 Email Alerts / Reminders / Notifications
7 Export of Data in MS Excel for additional Statistical Analysis using expert tools
8 User Manual
9 System Administrator Manual

5. Operational Risk Management Software Tool

The aggregation of all the aforementioned information and data helped the development of an Operational Risk Management software tool aiming to assist organisations in minimizing operational loss, mitigating risk and at the same time identifying areas for improvement (Synectics Ltd, 2011c). The tool is highly parameterized, with an appropriate infrastructure to support organisations of any size within the EU. It is configurable enough to accommodate differences in the methods of event classification, legislation and organisational structure.

The software tool acts as a portal for recording operational loss events and provides functionality for documenting risk and control self-assessments. It includes approval cycles, and provides the ability to relate events with risks, generate reports and implement a full audit trail. The following Figure 7 illustrates the priority pyramid and how the developed tool can assist a banking institution. As far as technical aspects are concerned, the software is a web application that can be accessed using a simple web browser and can rely on either an Oracle or an MSSQL database.

Figure 7: Priority pyramid

5.1. Loss Events Management

Registration of Loss Events is the first step towards Operational Risk Management, and it is very important for it to be aligned with the organisation's policy but also to meet regulatory and legal standards. The developed software tool comes with a Loss Events Management module that is designed to support the recording and the management of not only loss events but also near misses. It includes recording of general information, the purpose of which is to describe the event in such depth that it will favour both the organisation itself and the supervisory authorities via the reporting functionality. Events are assigned to Event Types, Business Lines and Risks, while cause-effect analysis is supplied.
Financial details on the loss amount, recovery amount and insurance amount are recorded, while drill-down analysis functionality is provided to disseminate the financial impact across the organisation's different sectors via the linking with Business Lines. The concept of Gross and Net amounts is also satisfied. Significant emphasis is given to time periods, like the time spent between occurrence, discovery, recording,
recognition and reporting. This information can be related later on with the possibility of occurrence for the selection of mitigation actions. Ownership is an additional concept introduced for the complete and proper management of Risks. Mitigation Actions are recorded and monitored by the owner of the Event until they are considered as closed events.

5.2. Risk Management

Risk Register is another module of the developed software tool, which acts as a repository for the possible Risks an Institution might face. Risks are categorized and are assessed during Risk and Control Self Assessment (RCSA) Exercises. During the requirements collection phase, the potential users requested that risk categorisation be parameterised enough, and in such a general form, as to enable the linking of Risks with products, services and departments, always according to the institution's structure and way of business. Modelled RCSA Exercises give the user the ability to assess risks, add controls, re-assess risks after controls and define what type of mitigation actions are required by events that fall under this kind of risk category. Visual representation of the institution's risk tolerance level is provided via the usage of Heat maps. According to the likelihood and the impact parameters, the software suggests the minimum mitigation level, while any deviation between the suggested and the actual mitigation level is recorded. An important addition of this module is that information can be transferred from one RCSA Exercise to another, enabling the RCSA cycle to continue until risk is considered as under control.

Finally, the developed software also enables the linking of identified Risks with Key Risk Indicators (KRIs), which are considered a very important aspect of the whole Operational Risk Framework. KRIs assist in the proactive management of Risk and they are used to prove the effectiveness of the Risk Management Process.

5.3. Reports

Operational risks occur throughout an institution, and this is well recognised by the Basel Committee, which has defined numerous principles regarding the information flow across the banking institution and, more recently, between banking supervisory authorities. Cypriot banking institutions, like many other banking organisations, as Figure 5 proves, have recognised the need for a rich reporting functionality that will favour this information sharing. The software's reporting module comes with some predefined reports concerning both the Risks and the Loss Events. These predefined reports were designed to be aligned with the Basel Committee's requirements and with what is considered nowadays as best practice. Reports are expandable and customisable enough to accommodate different requirements depending on the receiving reporting entity. The reporting module also includes visual representation of importance and urgency, a characteristic that is no longer considered an advantage but rather a must. Heat maps, graphs and matrices are also used in order to make an initial translation of collected information into data. Having in mind that reporting flow should
enable the banking institution to monitor the effectiveness of the current risk management framework and at the same time oversee the operation performance at different levels, reporting entities are parameterised.

5.4. Parameters Management

Proper and complete Operational Risk Management implies alignment with directions coming from recognised supervisory authorities or even from the hosting organisation itself. The developed software is highly parameterised, enabling the user to define and expand the Operational Risk Framework under which it operates. Event Types, Business Lines, Causes, Effects, Controls, Risks and Key Risk Indicators are categorised lists, expandable up to any wished level. Proper event taxonomy can be achieved since the developed software is initially fed with the lists suggested by the Basel Committee.

5.5. Import / Export of Data

The system architecture enables the easy transfer of data via the usage of comma separated values (.csv) files. The export functionality supports Portable Document Format (.pdf) and Microsoft Excel (.xls) Format, which are the most common formats used for the exchange of information in Banking Systems.

5.6. Audit Trail

The market research pointed out the need for an Audit Trail module, which can ensure complete documentation of any sequence of activities within the Software. The developed Software is considered to handle sensitive types of data, such as banking data. Nowadays the complete audit trail is a security standard requirement and a compliance prerequisite.

5.7. Enabling the Operational Risk Management process

Consequently, all the aforementioned modules integrate highly with the needs of the Cypriot banking institutions and fill the existing gap of the commercial tools. The iterative, day-to-day activities required to understand and, most importantly, manage the Operational Risk Management process are highly aligned with the developed tool's architecture.
Risk identification, classification, assessment, reporting, monitoring and, finally, managing can easily be performed within the developed software tool, as shown in Figure 8.

Figure 8: Operational Risk Management process

6. Conclusions

Developing an Operational Risk Management tool is a multifaceted endeavour requiring various different types of information as input and common understanding by a variety of different scientific principles for the completion of a successful commercial product. This paper presented the approach of such an endeavour, with a description of the methodology followed at different stages of the project and the end result. The paper emphasized the uniqueness of the Cyprus banking sector, with its significant size compared to the country's GDP, and at the same time presented the low Operational Risk Management preparedness of the country's major institutions, as shown in the Operational Risk capital approach utilized. These, combined with the weaknesses of the existing commercial software tools in accommodating the particularities of the Cyprus banking sector, are putting the institutions and, consequently, the whole country at risk. The combination of these findings makes the development of an Operational Risk Management software tool an imperative need.

References

Chartis Research Ltd, 2010. Operational Risk & GRC Software Solutions, Available at: www.chartis-research.com
European Central Bank, September 2010, EU Banking Structures.
Frederick Research Centre (FRC), 2011. Consolidation of questionnaire analysis and focus group findings, Unpublished report.
Stephanou, C. 2011, Big Banks in Small Countries: The case of Cyprus, Cyprus Economic Policy Review, Vol. 5, No. 1, pp. 3-2.
Synectics Ltd, 2011a. Software Evaluation Report, Unpublished Report.
Synectics Ltd, 2011b. Software Requirements Specification, Unpublished Report.
Synectics Ltd, 2011c. Software Design, Unpublished Report.