Understanding, experience and technology for success
Roadmap to Advanced Measurement Approach (AMA) and better business performance
Alan Greenspan, Chairman of the Federal Reserve American Bankers Association, during Annual Convention on October 5, 2004 held, “It would be a mistake to conclude that the only way to succeed in banking is through ever-greater size and diversity. Indeed, better risk management may be the only truly necessary element of success in banking.”
Banks and financial institutions are undergoing a sea change and today face an environment marked by growing consolidation, rising customer expectations, increasing regulatory quirements, proliferating financial engineering, uprising technological innovation and mounting competition. This has increased the probability of failure or mistakes from the operations point of view – resulting in increased focus on managing operational risks.
Operational risk losses have often led to the downfall of financial institutions, with more than 100 reported losses exceeding US$100 million in the recent years. The regulators of financial companies and banks are demanding a far greater level of insight and awareness by directors about the risks they manage, and the effectiveness of the controls they have in place to reduce or mitigate these risks. Further, compliance regulations, like Basel II and SOX, mandate a focus on operational risks, forcing financial organizations to identify, measure, evaluate, control and manage this ubiquitous risk. This has led to an increased emphasis on the importance of having a sound operational risk management (ORM) practice in place, especially when dealing with internal capital assessment and allocation process. This makes ORM one of the most complex and fastest growing risk disciplines in financial institutions.
Basel II and Operational Risk
Old perceptions and behaviors towards risk are changing. ORM is acquiring new credibility as a roadmap to add value to the business; and is garnering new attention from regulators and key stakeholders.
A recent Chartis Research's1 report on ORM systems, suggests that the worldwide financial services ORM market will continue to grow, reaching a total value of $1.55 billion by 2011. This indicates a growing concern among banks and financial institutions for managing their operational risk. The report has three main findings:
There are two main drivers for this development. Firstly, there is a growing acknowledgement from banks that a consistent and effective operational risk management framework can help them achieve organizational objectives and superior performance. For example, by including a well-constructed operational risk process in the entire value chain, a bank can help ensure that the risks inherent in those activities are understood and addressed. In many instances an early involvement of operational risk management can increase the development speed of new initiatives.
The second key development is the launch of the Basel II Capital Accord (the New Accord) by the Basel Committee for Banking Supervision, which requires banks to set aside regulatory capital for operational riskan important development that has affected most financial services institutions worldwide. One of the major improvements in Basel II is that it ensures closer linkages between capital requirements and the ways banks mange their actual risk. As summed up by a U.S. regulator, “The advanced approaches of Basel II represent a sea change in how banks determine their minimum level of required capital for regulatory purposes. It intends to better align regulatory capital with inherent risks and banks' internal economic capital”
The advanced approach for measurement of operational risk requires economic capital to be calculated on the basis of bank’s own operational risk management & measurement technique. It is imperative to strengthen the soundness and stability of operational risk management practice by employing Advanced Measurement Approach (AMA); in order to ensure that it does not become a significant source of competitive inequity over rival banks & financial institutes. Further, AMA fosters risk sensitive environment and promotes efficiency in managing risk. The road ahead should lead to “Advanced Measurement Approach” (AMA) as described under Basel II accord.
An Ernst and Young's Global Basel Survey in 2006 indicates that senior banking executives are beginning to appreciate the long term business impacts of Basel II on their organizations and banking industry as a whole. It suggests a realization that Basel II adoption is a growing imperative in order to succeed in the competitive race. About 89% of the participants in the survey believed that the banks with robust risk infrastructures will have competitive advantage over others.
Source: Ernst & Young
To comply with the accord, banks are making significant investments to improve their internal risk processes, data infrastructure and analytical capabilities. Firms focused on competing effectively are already incorporating many elements of the Basel II requirements into their risk and capital management practices, as a blueprint fo improved growth and profitability.
As a result, Basel II compliance programs offer a rare opportunity to rethink the way banks approach risk measurement and managementz and to look again at how risk measures can be integrated with each other and with management’s approach to running the business. Susan Schmidt Bies2, one of the U.S. regulators, stressed, “The emphasis in the new Accord on improved data standards should not be interpreted solely as a requirement to determine regulatory capital standards, but rather as a foundation for risk management practices that will strengthen the value of the banking franchise.”
Although Basel II compliance opens up many strategic opportunities to leverage improved data standards and risk management practices, it also offers many implementation challenges. The next section highlights the major challenges in successfully implementing ORM.
The discipline of operational risk is at a crossroads. Despite the industry's efforts to control operational risk, institutions still have much work to do. Risk Managers are grappling with questions like, ‘How does the discipline add value to my organization?’; ‘What does the advanced measurement approach’s (AMA) modeling techniques say about the operational risks my firm is facing?’; ‘What is the strategic role of operational risk my firm should adopt?’. Let’s take a look at some of the unique challenges that ORM brings:
By adopting an integrated operational risk framework, companies can ensure that all operational risks management initiatives are sustained and are aligned with the corporate strategy. Next section throws light on essentials of an ideal operational risk framework.
Building an Operational Risk Framework
Operational risk management is at the core of a bank's operations - integrating risk management practices into processes, systems and culture. As a pro-active partner to senior management, ORM's value lies in supporting and challenging them to align the business control environment with the bank's strategy by measuring and mitigating risk exposure, contributing to optimal return for stakeholders. For instance, HSBC3 has invested heavily in understanding customer behavior through new systems initially designed for fraud detection, which is now being leveraged beyond compliance to address more effective customer service.
The ORM group of an organization keeps its people up-to-date on problems that have happened to other financial institutions, allowing it to take a more proactive approach. "Our goal is for employees to look at ORM as a business stakeholder and a shareholder, involving them on all levels and bring stability into their jobs," said senior vice president of Operational and Compliance Risk Management Group. A noted financial services company, on the other hand, incorporates its ORM approach as an extension of its business line and not a separate entity. The company has implemented an operational risk umbrella that encompasses all aspects of potential risks - bank protection, fraud prevention, key risk indicators, capture of operational loss data, business line risk oversight and new products and initiatives for data security. Its Chief Risk officer quotes, "We utilize our ORM practices to gain respect and appreciation of all our business lines by really understanding their issues, and being part of the overall solution."
What elements should a financial institution consider when developing an analytical framework for operational risk?
There is no ‘one-size-fits-all’ approach to ORM – as every enterprise follows a framework that is specific to its own internal operating environment. When inquired about the standard ORM framework, a risk expert notes, “There is no "standard" standard. Ultimately, the Operational risk framework should not merely be Basel-compliant; it should also provide the bank with mechanisms for improving overall risk culture and behavior towards operational risk management. Understanding our risks should lead to better decision making and refelect in our performance”. A robust operational risk management framework is made up of the following core components:
An award winning Banking Group states that it is focused on the regular monitoring of its operational risk profiles and material exposures to operational losses- with senior
Carries out risk-audit activities, assessments of operational risks and prepares recommendations for risk mitigation.
Implements a number of tools recommended by the Basel Committee including: internal loss collection and reporting, key risk indicators, external loss data collection; and control and risk self-assessments.
Analyzes new products and intrabank regulations.
Holds comprehensive insurance policy, which is designed with ORM participation.
The group has received the Operational Risk Achievement Award for two consecutive years.
Finally appropriate risk mitigation and internal controls procedures are established by the business units such that residual risk is mitigated to the acceptable level. Regular reviews must be carried out, to analyse the control environment and test the effectiveness of implemented controls, thereby ensuring business operations are conducted within acceptable risk limits. Further, it is essential that the top management ensures consistent monitoring and controlling of operational risk, and that risk information is received by the appropriate people, on a timely basis, in a form and format that will aid in the monitoring and control. Operational risk metrics or “Key Risk Indicators” (KRIs) are established to ensure timely warning is received prior to the occurance of an event. Key to effective KRIs lies in setting threshold at the acceptable level of risk. Execution and implementation of Operational Risk framework is key to setting up effective Operational Risk environment ensuring that business is conducted within appropriate risk tolerance limit.
Business Benefits: Moving Beyond Compliance
As ORM efforts mature, and gain both the support and the confidence of management, they are becoming increasingly valuable to the business. Perceived initially to support regulatory requirements, these efforts can be leveraged and aligned with business performance management. To be successful, however, such alignment must be based on a clear vision of the potential benefits. Few of the benefits are discussed below:
However, successfully navigating the road from compliance to value creation can be daunting without a roadmap and a clear vision. By taking a holistic approach to ORM an organization can significantly lower its risk profile and improve responsiveness to risk scenarios leading to strategic and operational benefits.
MetricStream offers industry’s most advanced and comprehensive solution designed to meet Operational Risk needs of banks & financial services. The solution is based on an integrated Enterprise Compliance Platform (ECP) for successfully managing risk and meeting regulatory requirments while lowering the associated costs that can otherwise be substantial. ECP, a proven infrastructure for building risk and compliance application, provides core modules and services to automate and streamline Opertaional Risk processes.
Its embedded best practices Expected loss is the amount a business should budget to cover its annual cost of operational failure while unexpected loss is the amount the business ought to reserve as capital.
MetricStream uniquely combines software and content to deliver ORM solutions content helps define the scope of processes and sub-processes for which risk management needs to be performed and guides development of control and test libraries. It brings together all risk management related data - a reusable library of risks and their corresponding controls and assessments, results from individual assessments, key risk indicators, events such as losses and near-misses, issues and remediation plans - in a single solution. It also provides other intelligent and content driven features such access to training content from an expert community from within the solutions and integration of business processes with regulatory notifications and industry alerts. Key components of MetricStream solution for ORM would include:
Roadmap to Advanced Measurement Approaches (AMA)
MetricStream ORM solution provides a platform for organizations to develop an integrated ORM approach which can help them qualify for Basel II AMA approach. Solution implements strategies, methodologies and risk reporting functionality to identify, measure, monitor, control and mitigate operational risk. It ensures that the organization’s internal systems and controls are “credible and appropriate”, “well reasoned and well documented”, “transparent and accessible”, and are capable of being “validated” by internal and external auditors. Moreover, it provides capability to ensure that the risk management practices are embedded across the entire value chain.
|Meeting AMA qualifying criteria through MetricStream ORM solution|
|Qualifying Criteria||MetricStream solution capability|
|Sound Operational Risk Management System||
|Systematic tracking of 3-5 years of historic loss data||
|Measurement integrated in day-today risk management||
Review of management and measurement processes by internal/external audit
Operational Risk Management Systems 2008 - Navigating through a fragmented market
Remarks by Governor Susan Schmidt Bies: At the International Center for Business Information's Risk Management Conference: Basel Summit, Geneva, Switzerland
OpRisk & Compliance