Measuring Capital for Operational Risk: A Scenario-based AMA
Budapest, September 2003
Agenda

Introduction
The Road to AMA
Overview of the AMA approach in Intesa
The Scenario-based Self Risk Assessment
Background & definitions
Principal phases
Using the Results
Model structure & assumptions
Conclusions
Introduction

Intesa wishes to extend its current Risk Management framework to also cover Operational Risk with a view to risk integration and achieving a more comprehensive management of its overall risk profile.
Intesa's goal is to develop an integrated approach which qualifies for AMA by 2006.
The project will deliver an overall framework incorporating analysis, measurement and management models and tools, the organisation and processes to support it, and an aggressive change management & incentive programme.

ORIGIN Project: Goals & Objectives
Promote & build ORM framework and environment
Develop integrated methods & models
Collect OpRisk data
Implement supporting processes & IT
Provide management reports & decision support tools
The Road to AMA

The ORIGIN Project is co-ordinated by a Steering Committee in the Corporate Centre and impacts all operating units within Intesa Group.
Each of the main operating units within the Group has an Operational Risk Manager who is responsible for the local implementation of the OpRisk Framework and co-ordinates the activities with the ORIGIN Project Manager as well as reporting status and progress to the operating units' Top Management.

Project plan (diagram), timeline 2001 to 2006:
Promote & build ORM framework and environment: Organizational Model, Governance policy & procedures, Change Management
Develop integrated methods & models: Quantitative Approach, Qualitative Approach, Risk Financing
Collect OpRisk data; Implement supporting processes & IT: Documentation Management & Publishing, Loss Data Management, Data Analysis, Quantitative Analysis, Self Risk Assessment
Provide management reports & decision support tools: Allocate Economic Capital for OpRisk, Use Test
Challenges in Practical Implementation

The information to consider when modelling Operational Risk should comprise Internal loss data and risk indicators, External loss data, Potential Internal Losses, Quality of Controls and Changes in the Business Environment, and the Risk Financing options. The quality of the data is critical.

Main Issues, each followed by its Tools & Solutions:
Internal Loss data collection & Categorization: Org structure, IT, policy & procedure, model, training, culture, help desk
External Loss Data quality & relevance: Industry recognized data pools, methods for use
Data truncation / dispersion / limited data: Statistical solutions (EVT, Bayesian analysis..)
Quality of scenario assessments (potential loss events): SRA Methodology & model, training, policy & procedure, IT
Presence of Hidden Risk: Analysis of control quality versus internal best practice benchmark
Continuous changes in the Business Environment: Expert opinion (collected during SRA)
Determine the amount of Risk Transferred: Mapping of Insurance products to Loss Event Types, methodology & model, IT
The OpRisk Management Model

Environment framework: Group Organizational Model, Governance Processes, Training & Communication
Group Risk Committee
Risk Management Department (Centralized Function): Market Risk, Credit Risk, Operational Risk, Portfolio Management
Decentralized Functions: Corporate Division, Foreign Banks Division, Italian Banks Division, Product Companies, Corporate Center & Services, Retail Division
Local roles: Local Risk Committee, Local OpRisk Controller or OpRisk Manager, OpRisk Business Line Managers
The OpRisk Process Model

Environment framework: Group Organizational Model, Governance Processes, Training & Communication
Operational Risk processes: Planning & Strategy; Method, model and tool management; Measurement of Risk Profile; Development and implementation of mitigation actions; Monitor & Control
Supporting processes: Operational Risk Change Management, Consultancy, Data Management
Overview of the AMA approach in Intesa

Diagram labels: Bayesian LDA, Quantitative Analysis, Hidden Risk, Qualitative Analysis, Validation Factor, Gross CaR, Mitigation, Net CaR, Scenario-based Self Risk Assessment

The Intesa Internal Model approach is designed to take into account all of the main components and analysis methods, and also to allow for the fact that a method may complement or substitute another or be used as a supplement.
The use of all the components is key to ensuring a better understanding of the phenomenon.
The Model principally relies on two "tracks", quantitative and qualitative analysis, and is designed to use both of them according to relevance and quality.
What is a Risk Assessment?

The Industry has developed a variety of different definitions and tools to describe and implement Self Risk Assessment techniques.
In general a Self Risk Assessment is a guided process of evaluating one's own exposure to risk through the analysis of robustness, vulnerability, efficiency and coherence of the management process.

The definition of Self Risk Assessment in Intesa:
A qualitative analysis tool based on the evaluation of relevant scenarios by the business owners. It is aimed at identifying operational risks, measuring the risk exposure, analysing the vulnerability, the quality of the controls and the eventual mitigation plans.
Who uses Risk Assessments?
What tools are commonly used?

Checklists
Questionnaires
Scorecards
Internal investigations
Process / Risk Mapping
Workshops
Some implementation considerations

How often?
How much time / how complex?
How to validate the results?
Who should be involved?
Monitoring assessment and mitigation measures
The Principal Phases of the SRA

The Intesa SRA is governed by the following macro process:
Preparation, Planning, Execution, Cross Reference & Coherence Check, Validation, Output

The process is quite complex and requires a high level of support and integration between the methodological, organizational and IT elements of the process.
The Preparation & Planning Phases

The exercise of SRA in Intesa Group is carried out once a year, typically between July and October.
The Group ORM plans and coordinates the assessment Process (facilitated or remote).

Organizational Mapping (diagram): Intesa Group, Support Unit, Business Unit 1, Business Unit 2, Business Unit 3, Business Unit n

Appropriate scenarios are derived from the Intesa Risk Class Model (MIRO), the matrix of critical resources and states, workshops with the ORM correspondents and other relevant data:
Internal/External Loss Data
KRI / last year's SRA
Audit & security reports
Underlying Statistical Model
Predefined severity / WC classes
The Execution Phase

The scenario forms (questionnaires) are distributed by an Intranet-based (Java) assessment tool (GAS) with on-line help.
Each questionnaire refers to a part of the organisation based on the Intesa organisational mapping.
The Head of each Division or department executes the assessment.
The goal is to evaluate each BU's Risk profile:
Risk is the combination of magnitude and probability of potential total loss over a given time horizon.
Potential total loss over a given time horizon is described by the severity of a single loss event and the frequency of events.
The evaluation form is divided into sections (Risk Factors).
We have identified 9 risk factors (critical resources which could be exposed to threats).
The Analysis, Checking & Validation Phase

The individual results for each question are subject to a rigorous process of analysis, checking (by the ORM department) and finally validation (by Internal Audit and the Security Office).

Cross Reference & Coherence Checking involves verifying:
Completeness of the answer to the scenario
Coherence between the scenario, the answer, vulnerability and control quality
Outliers (via benchmarking etc.)
Comparing with loss data and KRI

Validation: this activity involves assessing the quality of the answers given by the Risk Owner for each Risk Class and supplying a score which expresses the deviation from the original risk profile as perceived by the Audit or Security function.
Reporting

The risk reporting structure is hierarchical (by BU, by risk class etc.) and the target users are quite numerous due to the different uses of the information:
Group Top Management & BU Directors
HR & Audit Departments, IT and Legal Departments
The output is fully integrated into the management decision processes.

Sample report (figure): Economic Capital, OpVaR 2003, under the Basic, Standardized and Internal Model approaches
Gruppo Intesa: 1.488.600, 1.366.455, 1.268.186
Foreign Banks Division (1): 131.683, 91.789
Intesa CEE: 96.079, 77.146
Privredna Banka Zagreb: 41.447, 38.389, 13.594
Vseobcna Uverova Banka: 31.586, 31.444, 21.296
Central European International Bank (4): 25.533, 26.245, 42.257

Comparison with other Operational Indicators: OpVaR 2003, Basic, Standardized, Internal Model (2)
Intesa CEE Indicators 2002, columns: Employees, Branches, Operating Costs (mln euro), Net Operating Margin (mln euro), Net P/L (mln euro), Cost/Income Ratio (%)
CIB: 1350, 44, 97, 169, 43, 57,5
PBZ: 3678, 200, 152, 276, 86, 55,1
VUB: 4502, 247, 128, 189, 40, 67,8

Charts (values not recoverable), each plotted for CIB, PBZ and VUB:
Relationship between losses and number of employees (series: IF+TE&PM, SRA (Pe+Pr))
Relationship between losses and operating costs (series: Operating Costs/PE, Operating Costs/PA)
Net Operating Margin / CaR
Relationship between Cost Income and internal Expected Losses

Notes:
1. Values in thousands of euro
2. Excluding Sudameris Group
3. Economic Capital is calculated gross of insurance recoveries
4. See Descriptive Analysis, p. 11
Using Qualitative Information

Provides a benchmark for the loss data analysis
Supports the ORM function in the comprehension of the nature of the underlying risk, highlights incompleteness in loss data collection and gaps in the OpRisk Culture
Integrates Quantitative analysis in the Capital at Risk computation
Supports management processes (use test):
  Mitigation intervention
  Capital Budgeting
  Risk Financing
  Defines priorities in Audit plans
  Business Continuity Planning
The foundation of the SRA: Intesa Risk Model

A hierarchical risk model is used to develop a complete set of possible risk events (potential losses).

Hierarchy (diagram): Operational Risk (alongside Other Risks), Risk Class, Risk Factor, Risk Event
MIRO: Modello Intesa Rischi Operativi (Intesa Operational Risk Model)

Drivers of the Risk Classes, against which the RISK INDICATORS (EI, KRI, KPI) are identified.
Internal Factors/Vulnerabilities that expose the company to the occurrence of Risk Events. Specific Vulnerabilities are associated with each factor.
Classes into which the potential Risk Events are reclassified.
Overview of the Scenario-based SRA approach

Diagram labels: Risk Model, Mathematical Engine, Indicators and reporting
Questionnaire: Severity, Worst Case
Evaluation
Output: Expected loss, Capital at risk, Detailed Statistics, Coherence Analysis
Modelling Assumptions

A good model for risk measurement must be consistent, robust and stable over time, so that economic capital results from changes in the underlying risk profile and not from changes in the model.

Assumptions about distributions
Severity: Gumbel, Weibull, Frechet
Frequency: Poisson

Estimation of parameters (inputs: Historical Loss Data, Answers to Scenarios)
The parameters are position and shape parameters of the severity distribution, and the average frequency.

Correlation
Scenarios are aggregated assuming perfect correlation.

We compound severity distributions and frequency distributions into one overall aggregated potential loss distribution using a Monte Carlo simulation.
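The compounding and aggregation steps described on the Modelling Assumptions slide, as an added example that is not Intesa's model or code. The two scenarios and their parameters are constructed, only the Gumbel severity case is shown, and the 99.9% confidence level and the reading of capital at risk as the raw loss quantile are assumptions, since the slides state neither.

```python
import math
import random

Q = 0.999          # assumed confidence level; the slides do not state one
N_YEARS = 20_000   # number of simulated one-year horizons

# Constructed scenarios: (Poisson mean frequency, Gumbel position, Gumbel scale)
SCENARIOS = {"scenario_A": (3.0, 50.0, 20.0), "scenario_B": (0.5, 400.0, 150.0)}

def poisson(rng, lam):
    """Knuth's method: count uniform draws while their product stays above e^-lam."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def gumbel(rng, loc, scale):
    """Inverse-CDF draw from a Gumbel (maximum) law, floored at zero loss."""
    u = max(rng.random(), 1e-12)
    return max(0.0, loc - scale * math.log(-math.log(u)))

def annual_losses(rng, lam, loc, scale, n=N_YEARS):
    """Sorted total loss per simulated year: sum of N ~ Poisson(lam) severities."""
    return sorted(sum(gumbel(rng, loc, scale) for _ in range(poisson(rng, lam)))
                  for _ in range(n))

def el_and_car(sorted_losses, q=Q):
    """Expected loss (mean) and capital at risk (empirical q-quantile)."""
    k = math.ceil(q * len(sorted_losses)) - 1
    return sum(sorted_losses) / len(sorted_losses), sorted_losses[k]

def aggregate_perfectly_correlated(per_scenario):
    """Perfect correlation: the r-th worst year of every scenario coincides,
    so the sorted loss vectors are added rank by rank."""
    return [sum(rank) for rank in zip(*per_scenario)]

def run(seed=2003):
    rng = random.Random(seed)
    sims = {name: annual_losses(rng, *p) for name, p in SCENARIOS.items()}
    results = {name: el_and_car(s) for name, s in sims.items()}
    results["group"] = el_and_car(aggregate_perfectly_correlated(sims.values()))
    return results

if __name__ == "__main__":
    for name, (el, car) in run().items():
        print(f"{name:10s} EL={el:10.1f}  CaR@{Q}={car:10.1f}")
```

Under the perfect-correlation assumption the group capital at risk equals the sum of the scenario figures, so this aggregation gives no diversification benefit.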
Principles of the Intesa Scenario-based approach

The entire approach is designed in order to guarantee the following pre-requisites:
Stability of the answers: the model uses estimates of ranges rather than point estimates. In addition the uncertainty implicit in subjective responses has been considered within the underlying statistical models.
"User friendly" execution: the questions are clearly formulated in sufficient detail for the assessor to understand the scenario.
Completeness & Relevance of the spectrum of the scenarios to be analysed. This is supported by the Intesa Risk Model (MIRO) and states matrix which is subject to CPI.
Uniformity & Consistency during the SRA macro process via:
  A single Framework (the use of the same Model (calibrated), processes, rules and IT tools for all Business and Support Units within the Group)
Uniformity & Consistency with the Quantitative Analysis approach via:
  Complete mapping between the Risk Model and the LET
  Consistent underlying methodologies
Benefits of the Intesa Scenario-based approach

Focus
Forward looking
Identifies the major risk exposures
Creates a link between controls, risks and vulnerabilities
Business specific
Supports the diffusion and progress of OpRisk culture
Transparent
Promotes Risk Ownership
Incentivises pro-active risk management
Reacts to changes in:
  organisational structure
  strategies and business
  external context
Decision support tool
Critical Success Factors

The entire approach is focused on the development of a risk-based capital model and management toolset. The principal critical success factors are listed below:

Top Management
  Sponsorship: Committed to achieving the goals of the ORIGIN project (RM, IA, CFO, CTO, HR&ORG)
  Communication: Delivers clear messages of commitment to all levels
  Application: Uses OpVar in decision processes (Capital Budgeting, Capital Allocation, BCP, Audit Plans)
ORM Team
  Project Management: Develops and delivers the "Solution" throughout the Group
  Collaboration: Participates in Industry working groups in order to share experience
Approach
  Starts Simple: Increases in sophistication as understanding improves
  Transparent: Provides a clear understanding of the contributing elements
  Robust: Becomes more meaningful over time (learning process)
Model
  Comprehensive: Uses all the "knowledge" available
  Uniform & Consistent: Applied homogeneously across all operating units within the group
  Ownership: Clearly identifies responsibility for managing operational risk
Regulator
  Involvement: Receives regular updates on the project progress and ORM strategy
AMA Maturity Model

Levels: Level 1 (2001), Level 2 (2002), Level 3 (2003), Level 4 (2004/5), Level 5 (2005/6...)
Stages: Traditional, Awareness, Quantify, Monitor, Improve

Items shown across the levels: Internal Controls; Reliance on Internal Audit; Individual Mitigation programmes; Reliance on quality of people and culture; Operational Risk Manager; Identify ORM staff in the BU; Definition & Policy, model development; Self Risk Assessment; Begin data collection; Training; Scenario-based economic capital models; Governance Structure; ORM Vision & goals, model refinement; Begin indicator collection; Basic escalation processes; Consolidated reporting; part-time staff in the BU; First generation Risk-based economic models; Active operational risk committee; Comprehensive loss databases & limits; Model integration; 2nd generation Risk-based economic models; dedicated staff in some of the main BUs; New Insurance Strategy & Model; Fully integrated methodology and tools; Cross-function risk analysis; Correlation between indicators & losses; Insurance linked with risk analysis & capital; RAR linked to employee compensation
Questions

Dott.ssa Maria-Louise Arscott
Group Operational Risk Manager
Banca Intesa
Piazza Ferrari, 10
20121 Milano
Tel: (02) 8793 7725
Fax: (02) 8793 7333
Email: MariaLouise.Arscott@bancaintesa.it