Operational Risk Quantification
The Basel Committee has put forward a framework consisting of 3 options for calculating operational risk capital charges in a
'continuum' of increasing sophistication and risk sensitivity. These are, in the order of their increasing complexity, viz.,
(i) the Basic Indicator Approach
(ii) the Standardised Approach and
(iii) Advanced Measurement Approach.
Reserve Bank has initially allowed the banks to use the Basic Indicator Approach for computing regulatory capital for
operational risk. Some banks are expected to move along the range toward more sophisticated approaches as they develop
more sophisticated operational risk management systems and practices which meet the prescribed qualifying criteria.
The Basic Indicator Approach
At the minimum, banks in India should adopt this approach immediately while computing capital for operational risk. Under this,
the banks have to hold capital for operational risk equal to a fixed percentage (alpha) of a single indicator which has currently been
proposed to be "gross income". This approach is available for all banks irrespective of their level of sophistication. The charge may
be expressed as follows:
K BIA = [ E (GI a)]/n
Where: KBIA = the capital charge under the Basic Indicator Approach.
GI = annual gross income, where positive, over the previous three years
a =15% set by the Committee, relating the industry-wide level of required capital to the industry-wide level of the indicator.
n = number of the previous three years for which gross income is positive.
The Standardised Approach
In the Standardised Approach, banks' activities are divided into 8 business lines given above.
Within each business line, gross income is a broad indicator that serves as a proxy for the scale of business operations and thus the
likely scale of operational risk exposure within each of these business lines. The capital charge for each business line is calculated
by multiplying gross income by a factor (denoted beta) assigned to that business line. Beta serves as a proxy for the industry-wide
relationship between the operational risk loss experience for a given business line and the aggregate level of gross income for that
business line_ It should be noted that in the Standardised Approach gross income is measured for each business line, not the whole
institution, i.e. in corporate finance, the indicator is the gross income generated in the corporate finance business line.
Beta factors for different business lines
Corporate finance Gross income 18% Trading and sales Gross income 18%
Retail banking Gross income 12% Commercial banking Gross income 15%
Payment and settlement Gross income 18% Agency services Gross income 15%
Asset management Gross income 12% Retail brokerage Gross income 12%
Advanced Measurement Approaches (AMA)
Under the AMA, the regulatory capital requirement will be equal the risk measure generated by the bank's internal operational risk
measurement system using the quantitative and qualitative criteria for the AMA. Use of the AMA is subject to supervisory approval.
Supervisory approval would be conditional on the bank demonstrating to the satisfaction of the relevant supervisors that the
allocation mechanism for these subsidiaries is appropriate and can be supported empirically.. The board of directors and senior
management of each subsidiary are responsible for conducting their own assessment of the subsidiary's operational risks and
controls and ensuring the subsidiary is adequately capitalised in respect of those risks.
Generic Measurement Approach
Measurement approach implementation begins with operational risk profiling which involves the following:
Identification and quantification of operational risk
Prioritization of operation risk and identification of risk concentrations
Formulation of strategy by the bank for operational risk management and risk based audit. The
estimated levels of operational risk depend on:
(a) Estimated probability of occurrence which is mapped on a scale of 5 which implies
1. negligible risk
2. low risk
3. medium risk
4. high risk &
5. very high risk.
(b) Estimated potential financial impact : It is also mapped on,a scale of5 as above.
(c) Estimated impact of internal controls: This is estimated as fraction in relation to total control which is valued at 100%.
For example if the probability of occurrence is medium i.e. 2, potential financial impact is very high i.e. 4 and impact of internal
controls is 50%, the estimated level of operational risk can be worked out as:
Estimated level of operational risk = estimated level of occurrence x estimated potential financial impact x estimated impact of
internal controls.
=I (2 x 4 x (1— 0.5] ^0.5 =1.73 or Low.
Risk mitigation
Under the AMA, a bank will be allowed to recognise the risk mitigating impact of insurance in the measures of operational risk used
for regulatory minimum capital requirements. The recognition of insurance mitigation will be limited to 20% of the total
operational risk capital charge calculated under the AMA. A bank's ability to take advantage of such risk mitigation will depend on
compliance with the following criteria:
The insurance provider has a minimum claim paying ability rating of A (or equivalent).
The insurance policy must have an initial term of no less than one year. For policies with a residual term of less than one year, the
bank must make appropriate haircuts reflecting the declining residual term of the policy, up to a full 100% haircut for policies with a
residual term of 90 days or less. The insurance policy has a minimum notice period for cancellation of 90 days
The insurance policy has no exclusions or limitations triggered by supervisory actions or, in the case of a failed bank, that
preclude the bank. receiver or liquidator from recovering for damages suffered or expenses incurred by
the bank, except in respect of events occurring after the initiation of receivership or liquidation proceedings in respect of the
bank, provided that the insurance policy may exclude any fine, penalty, or punitive damages resulting from supervisory actions.
The risk mitigation calculations must reflect the bank's insurance coverage in a manner that is transparent in its relationship to,
and consistent with, the actual likelihood and impact of loss used in the bank's overall determination of its operational risk
capital.
The insurance is provided by a third-party entity. In the case of insurance through captives and affiliates, the exposure has to be
laid off to an independent third-party entity, for example through re-insurance, that meets the eligibility criteria_
The framework for recognising insurance is well reasoned and documented.
The bank discloses a description of its use of insurance for the purpose of mitigating operational risk.
Scenario analysis
A bank must use scenario analysis of expert opinion in conjunction with external data to evaluate its exposure to high-severity
events. This approach draws on the knowledge of experienced business managers and risk management experts to derive
reasoned assessments of plausible severe losses_ For instance, these expert assessments could be expressed as parameters of an
assumed statistical loss distribution. In addition, scenario analysis should be used to assess the impact of deviations from the
correlation assumptions embedded in the bank's operational risk measurement framework, in particular, to evaluate potential
losses arising from multiple simultaneous operational risk loSs events. Over time, such assessments need to be validated and reassessed
through comparison to actual loss experience to ensure their reasonableness.
Business environment and internal control factors
in addition to using loss data, whether actual or scenario-based, a bank's bank-wide risk assessment methodology must capture
key business environment and internal control factors that can change its operational risk profile. These factors will make a bank's
risk assessments more forward-looking, more directly reflect the quality of the bank's control and operating environments, help
align capital assessments with risk management objectives, and recognise both improvements and deterioration in operational
risk profiles in a more immediate fashion. To qualify for regulatory capital purposes, the use of these factors in a bank's risk
measurement framework must meet the following standards:
The choice of each factor needs to be justified as a meaningful driver of risk, based on experience and involving the expert
judgment of the affected business areas. Whenever possible, the factors should be translatable into quantitative measures that
lend themselves to verification.
The sensitivity of a bank's risk estimates to changes in the factors and the relative weighting of the various factors need to be
well reasoned. In addition to capturing changes in risk due to improvements in risk controls, the framework must also capture
potential increases in risk due to greater complexity of activities or increased business volume.
The framework and each instance of its application, including the supporting rationale for any adjustments to empirical
estimates, must be documented and subject to independent review within the bank and by supervisors.
Over time, the process and the outcomes need to be validated through comparison to actual internal loss experience, relevant
external data, and appropriate adjustments made.
Integrated Risk Management (IRM)
IRM stands for management of all risk that are associated with the activities undertaken across the entire organistion. For banks
these risks are liquidity risk, interest rate risk, market risk, credit risk and operational risks.
Total risk to an organization is the net effect of all risks associated with the activities of a bank. Net effect of all risks may not be
same as sum total of all risk due to diversification effect of risk. Hence integration implies a coordinated approach (and not
accounting approach) across various activities and taking benefit of various diversification opportunities that exist or may be
created in the bank.
Need for IRM: This approach centralizes the process of supervising risk exposure so that the organization can determine how
best to absorb, limit or transfer the risk. The information available with the bank can be analyzed to determine the overall
nature of organizational risk exposures including their correlation, dependencies and off-sets. The advantages are:
1. It aligns the strategic aspects of risk with day to day operational activities.
2. It facilitates greater transparency for investors and regulators
3.- It enhances revenue and earning growth
4. It controls downside risk potential.
Integrated Risk Management Approach
The process of IRMconsists of :
(a) strategy—integration of risk management as a key corporate strategy.
(b) organization—establishment of Chief Risk Officer position with accountability to board.
(c) process— identifying, assessing and controlling risk should be common across the banks
(d) systems — risk management systems should be developed to provide information to support the enterprise risk management
functions.
Organizational structure : The Board is the apex unit responsible for the entire risk of the bank. Risks are not to be seen in
isolation and have to be managed in an integrated manner.
Policies and procedures: These should be developed using a top down approach and consistent with one another. Risk
limits: Such limits assist in maintaining overall exposures at acceptable levels.
Risk reporting : Bank wide risk reports are used to quantify sources of risk across the bank and to estimate total exposure to
financial markets.
Integrated systems: The framework should be supported by an information technology architecture consistent with such
integration.
The Basel Committee has put forward a framework consisting of 3 options for calculating operational risk capital charges in a
'continuum' of increasing sophistication and risk sensitivity. These are, in the order of their increasing complexity, viz.,
(i) the Basic Indicator Approach
(ii) the Standardised Approach and
(iii) Advanced Measurement Approach.
Reserve Bank has initially allowed the banks to use the Basic Indicator Approach for computing regulatory capital for
operational risk. Some banks are expected to move along the range toward more sophisticated approaches as they develop
more sophisticated operational risk management systems and practices which meet the prescribed qualifying criteria.
The Basic Indicator Approach
At the minimum, banks in India should adopt this approach immediately while computing capital for operational risk. Under this,
the banks have to hold capital for operational risk equal to a fixed percentage (alpha) of a single indicator which has currently been
proposed to be "gross income". This approach is available for all banks irrespective of their level of sophistication. The charge may
be expressed as follows:
K BIA = [ E (GI a)]/n
Where: KBIA = the capital charge under the Basic Indicator Approach.
GI = annual gross income, where positive, over the previous three years
a =15% set by the Committee, relating the industry-wide level of required capital to the industry-wide level of the indicator.
n = number of the previous three years for which gross income is positive.
The Standardised Approach
In the Standardised Approach, banks' activities are divided into 8 business lines given above.
Within each business line, gross income is a broad indicator that serves as a proxy for the scale of business operations and thus the
likely scale of operational risk exposure within each of these business lines. The capital charge for each business line is calculated
by multiplying gross income by a factor (denoted beta) assigned to that business line. Beta serves as a proxy for the industry-wide
relationship between the operational risk loss experience for a given business line and the aggregate level of gross income for that
business line_ It should be noted that in the Standardised Approach gross income is measured for each business line, not the whole
institution, i.e. in corporate finance, the indicator is the gross income generated in the corporate finance business line.
Beta factors for different business lines
Corporate finance Gross income 18% Trading and sales Gross income 18%
Retail banking Gross income 12% Commercial banking Gross income 15%
Payment and settlement Gross income 18% Agency services Gross income 15%
Asset management Gross income 12% Retail brokerage Gross income 12%
Advanced Measurement Approaches (AMA)
Under the AMA, the regulatory capital requirement will be equal the risk measure generated by the bank's internal operational risk
measurement system using the quantitative and qualitative criteria for the AMA. Use of the AMA is subject to supervisory approval.
Supervisory approval would be conditional on the bank demonstrating to the satisfaction of the relevant supervisors that the
allocation mechanism for these subsidiaries is appropriate and can be supported empirically.. The board of directors and senior
management of each subsidiary are responsible for conducting their own assessment of the subsidiary's operational risks and
controls and ensuring the subsidiary is adequately capitalised in respect of those risks.
Generic Measurement Approach
Measurement approach implementation begins with operational risk profiling which involves the following:
Identification and quantification of operational risk
Prioritization of operation risk and identification of risk concentrations
Formulation of strategy by the bank for operational risk management and risk based audit. The
estimated levels of operational risk depend on:
(a) Estimated probability of occurrence which is mapped on a scale of 5 which implies
1. negligible risk
2. low risk
3. medium risk
4. high risk &
5. very high risk.
(b) Estimated potential financial impact : It is also mapped on,a scale of5 as above.
(c) Estimated impact of internal controls: This is estimated as fraction in relation to total control which is valued at 100%.
For example if the probability of occurrence is medium i.e. 2, potential financial impact is very high i.e. 4 and impact of internal
controls is 50%, the estimated level of operational risk can be worked out as:
Estimated level of operational risk = estimated level of occurrence x estimated potential financial impact x estimated impact of
internal controls.
=I (2 x 4 x (1— 0.5] ^0.5 =1.73 or Low.
Risk mitigation
Under the AMA, a bank will be allowed to recognise the risk mitigating impact of insurance in the measures of operational risk used
for regulatory minimum capital requirements. The recognition of insurance mitigation will be limited to 20% of the total
operational risk capital charge calculated under the AMA. A bank's ability to take advantage of such risk mitigation will depend on
compliance with the following criteria:
The insurance provider has a minimum claim paying ability rating of A (or equivalent).
The insurance policy must have an initial term of no less than one year. For policies with a residual term of less than one year, the
bank must make appropriate haircuts reflecting the declining residual term of the policy, up to a full 100% haircut for policies with a
residual term of 90 days or less. The insurance policy has a minimum notice period for cancellation of 90 days
The insurance policy has no exclusions or limitations triggered by supervisory actions or, in the case of a failed bank, that
preclude the bank. receiver or liquidator from recovering for damages suffered or expenses incurred by
the bank, except in respect of events occurring after the initiation of receivership or liquidation proceedings in respect of the
bank, provided that the insurance policy may exclude any fine, penalty, or punitive damages resulting from supervisory actions.
The risk mitigation calculations must reflect the bank's insurance coverage in a manner that is transparent in its relationship to,
and consistent with, the actual likelihood and impact of loss used in the bank's overall determination of its operational risk
capital.
The insurance is provided by a third-party entity. In the case of insurance through captives and affiliates, the exposure has to be
laid off to an independent third-party entity, for example through re-insurance, that meets the eligibility criteria_
The framework for recognising insurance is well reasoned and documented.
The bank discloses a description of its use of insurance for the purpose of mitigating operational risk.
Scenario analysis
A bank must use scenario analysis of expert opinion in conjunction with external data to evaluate its exposure to high-severity
events. This approach draws on the knowledge of experienced business managers and risk management experts to derive
reasoned assessments of plausible severe losses_ For instance, these expert assessments could be expressed as parameters of an
assumed statistical loss distribution. In addition, scenario analysis should be used to assess the impact of deviations from the
correlation assumptions embedded in the bank's operational risk measurement framework, in particular, to evaluate potential
losses arising from multiple simultaneous operational risk loSs events. Over time, such assessments need to be validated and reassessed
through comparison to actual loss experience to ensure their reasonableness.
Business environment and internal control factors
in addition to using loss data, whether actual or scenario-based, a bank's bank-wide risk assessment methodology must capture
key business environment and internal control factors that can change its operational risk profile. These factors will make a bank's
risk assessments more forward-looking, more directly reflect the quality of the bank's control and operating environments, help
align capital assessments with risk management objectives, and recognise both improvements and deterioration in operational
risk profiles in a more immediate fashion. To qualify for regulatory capital purposes, the use of these factors in a bank's risk
measurement framework must meet the following standards:
The choice of each factor needs to be justified as a meaningful driver of risk, based on experience and involving the expert
judgment of the affected business areas. Whenever possible, the factors should be translatable into quantitative measures that
lend themselves to verification.
The sensitivity of a bank's risk estimates to changes in the factors and the relative weighting of the various factors need to be
well reasoned. In addition to capturing changes in risk due to improvements in risk controls, the framework must also capture
potential increases in risk due to greater complexity of activities or increased business volume.
The framework and each instance of its application, including the supporting rationale for any adjustments to empirical
estimates, must be documented and subject to independent review within the bank and by supervisors.
Over time, the process and the outcomes need to be validated through comparison to actual internal loss experience, relevant
external data, and appropriate adjustments made.
Integrated Risk Management (IRM)
IRM stands for management of all risk that are associated with the activities undertaken across the entire organistion. For banks
these risks are liquidity risk, interest rate risk, market risk, credit risk and operational risks.
Total risk to an organization is the net effect of all risks associated with the activities of a bank. Net effect of all risks may not be
same as sum total of all risk due to diversification effect of risk. Hence integration implies a coordinated approach (and not
accounting approach) across various activities and taking benefit of various diversification opportunities that exist or may be
created in the bank.
Need for IRM: This approach centralizes the process of supervising risk exposure so that the organization can determine how
best to absorb, limit or transfer the risk. The information available with the bank can be analyzed to determine the overall
nature of organizational risk exposures including their correlation, dependencies and off-sets. The advantages are:
1. It aligns the strategic aspects of risk with day to day operational activities.
2. It facilitates greater transparency for investors and regulators
3.- It enhances revenue and earning growth
4. It controls downside risk potential.
Integrated Risk Management Approach
The process of IRMconsists of :
(a) strategy—integration of risk management as a key corporate strategy.
(b) organization—establishment of Chief Risk Officer position with accountability to board.
(c) process— identifying, assessing and controlling risk should be common across the banks
(d) systems — risk management systems should be developed to provide information to support the enterprise risk management
functions.
Organizational structure : The Board is the apex unit responsible for the entire risk of the bank. Risks are not to be seen in
isolation and have to be managed in an integrated manner.
Policies and procedures: These should be developed using a top down approach and consistent with one another. Risk
limits: Such limits assist in maintaining overall exposures at acceptable levels.
Risk reporting : Bank wide risk reports are used to quantify sources of risk across the bank and to estimate total exposure to
financial markets.
Integrated systems: The framework should be supported by an information technology architecture consistent with such
integration.
No comments:
Post a Comment