Introduction
We now turn our attention to Book 3 in our extensive FRM Level 2 course summary.
You may download this entire content on our shop page, free of charge.
FRM Level 2 Book 3 – Operational Risk and Resiliency
Management of Operational Risk
Loss data collection exercises, quantitative impact studies, and range of practice reviews covering governance, data and modelling issues have contributed to industry and supervisory knowledge and the emergence of sound industry practice
Supervisors should conduct regular independent evaluations of a bank’s policies, processes and systems related to operational risk
Supervisors should ensure that there are appropriate mechanisms in place which allow them to remain apprised of developments at a bank
Some supervisors may choose to use external auditors in assessment processes
Management Principles
Principle 1: The board of directors should take the lead in establishing a strong risk management culture
Principle 2: Banks should develop, implement and maintain a Framework that is fully integrated into the bank’s overall risk management processes
Principle 3: The board of directors should establish, approve and periodically review the Framework
Principle 4: The board of directors should approve and review a risk appetite and tolerance statement for operational risk
Principle 5: Senior management should develop a clear, effective and robust governance structure with well defined, transparent and consistent lines of responsibility
Principle 6: Senior management should ensure the identification and assessment of the operational risk inherent in all material products, activities, processes and systems
Principle 7: Senior management should ensure that there is an approval process for all new products, activities, processes and systems that fully assesses operational risk
Principle 8: Senior management should implement a process to regularly monitor operational risk profiles and material exposures to losses
Principle 9: Banks should have a strong control environment that utilizes policies, processes and systems and appropriate risk mitigation and/or transfer strategies
Principle 10: Banks should have business resiliency and continuity plans in place to ensure an ability to operate on an ongoing basis and limit losses in the event of severe business disruption
Principle 11: A bank’s public disclosures should allow stakeholders to assess its approach to operational risk management
Enterprise Risk Management
The past two decades have seen a dramatic change in the role of risk management in corporations
Twenty years ago, the job of the corporate risk manager would typically be a low-level position in the corporate treasury, involved mainly with the purchase of insurance
Over the last ten years, however, corporate risk management has expanded well beyond insurance and the hedging of financial exposures to include a variety of other kinds of risk—notably:
- Operational risk
- Reputational risk
- Strategic risk
A corporation can manage risks in one of two fundamentally different ways:
- One risk at a time, on a largely compartmentalized and decentralized basis; or
- All risks viewed together within a coordinated and strategic framework
The latter approach is often called “enterprise risk management,” or “ERM” for short
It is believed that companies that succeed in creating an effective ERM have a long-run competitive advantage over those that manage and monitor risks individually
Companies tend to find that some of their most troubling risks are the most difficult to quantify
- Notably, reputational and strategic risks
What Is ERM?
Risks are by their very nature dynamic, fluid, and highly inter-dependent
- As such, they cannot be broken into separate components and managed independently
Since the practice of ERM is still relatively new, there have yet to be any widely accepted industry standards with regard to the definition of ERM
A definition provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 2004:
“ERM is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
ERM is all about integration, in three ways:
- First, ERM requires an integrated risk organization
- Second, ERM requires the integration of risk transfer strategies
- Third, ERM requires the integration of risk management into the business processes of a company
Implementing Robust Risk Appetite Frameworks
Key lessons learned from the 2007 financial crisis:
- Some firms took more risk in aggregate than they were able to bear given their capital, liquidity, and risk management capabilities
- Some firms took risks that their management and Boards did not properly understand or control
Overall Lessons:
- There needs to be a demonstrable commitment to explaining the importance the institution attaches to risk appetite
- It is important to develop measurable indicators of compliance with risk management norms
- Clear communication of risk appetite parameters and preferences is a prerequisite for developing the appropriate culture
- There must be consistency of messages and consistency of senior behaviors with these messages
- Communication and education on the benefits of a risk appetite framework are essential
- Limit setting is a key part of risk management
- Business unit heads must own local business plans
- Continuous and open dialogue about risks is seen as fundamentally important
- The risk appetite framework needs to incorporate all material forms of risk
- Firms should make a maximum effort to quantify such risks, making use of innovative approaches
- Maximum use should be made of proxies and other metrics
- Leadership from the top is crucial
Banking Conduct and Culture
Lesson 1: Managing culture is not a one-off event, but a continuous and ongoing effort
Lesson 2: Leadership always matters. Conduct and culture must be embedded from the top down
Lesson 3: The scope of conduct management is shifting from misconduct to conduct risk management
Lesson 4: Managing culture requires a multipronged approach
Lesson 5: A more diverse set of views and voices in senior management is needed for success
Lesson 6: The behaviors and outcomes that culture drives can and should be measured
Lesson 7: Regulation has a limited role to play given that culture cannot be mandated/defined by rules
Lesson 8: Restoring trust will benefit the industry as a whole
Risk Culture
Risk culture can be seen as a subculture with a central role in financial institutions
Culture is more complex than other organizational variables:
- It can be extremely effective and resistant to the need for change dictated by the environment
Culture has always been considered a key tool affecting corporate behavior, but authors do not agree on how this occurs
Some consider culture as a fixed effect on firm performance, while others argue that it is a variable that can be managed over time
Risk culture is essential for a prudent and sound bank management, and needs to be central in any evaluation
OpRisk Data and Governance
One of the most important phases in any analytical process is to cast the data into a form amenable to analysis
This is the very first challenge that an analyst or quant faces when determined to model, measure, and even manage OpRisk
There is a need to establish how the information available can be modeled to act as an input in the analytical process that would allow for proper risk assessment
The OpRisk framework starts by having solid risk taxonomy so risks are properly classified
Firms also need to perform a comprehensive risk mapping across their processes to make sure that no risk is left out of the measurement process
Banks rely heavily on quantitative analysis and models in most aspects of financial decision making
They routinely use models for a broad range of activities, including underwriting credits; valuing exposures, instruments, and positions; measuring risk; managing and safeguarding client assets
In recent years, banks have applied models to more complex products and with more ambitious scope, such as enterprise-wide risk measurement
But models also come with costs. There is the direct cost of devoting resources to develop and implement models properly
There are also the potential indirect costs of relying on models
Model risk should be managed like other types of risk
Model risk increases with greater model complexity, higher uncertainty about inputs and assumptions
Banks should consider risk from individual models and in the aggregate
Aggregate model risk is affected by interaction and dependencies among models
Reliance on common assumptions, data, or methodologies could adversely affect models and their outputs at the same time
Banks should also ensure that they maintain strong governance and controls to help manage model risk
Information Risk and Data Quality Management
The consideration of information as a fluid asset makes it difficult to envision ways to assess the risks related to data failures
Scorecards are effective management tools when they can summarize important organizational knowledge
Scorecards are effective in alerting the appropriate staff members when diagnostic or remedial actions need to be taken
Part of an information risk management program would incorporate a data quality scorecard that supports an organizational data governance program
The impact taxonomy can be used to narrow the scope of describing the business impacts, while the dimensions of data quality guide the analyst in defining quantifiable measures that can be correlated to business impacts
Validating Rating Models
A rating system ‘comprises all of the methods, processes, controls, and data collection and IT systems that support the assessment of credit risk, the assignment of internal risk ratings, and the quantification of default and loss estimates’ (Basel Committee, 2004)
It is clear that the validation scope is quite wide
Validation includes, too, the critical verification that the rating system is actually used (and how) in the various areas of bank operations
- This is known as the ‘use test’, also required by Basel II and better specified in Basel Committee (2006)
The results of the validation process need to be adequately documented and periodically submitted to the internal control functions and the governing bodies
- The reports shall specifically address any problem areas
Quantitative validation
Quantitative validation covers four main areas:
- Sample representativeness of the reference population at the time of the estimates and in subsequent periods
- Discriminatory power: the accuracy of ratings assignments in terms of the models’ ability to rank obligors by risk levels
- Dynamic properties: the stability of rating systems and properties of migration matrices
- Calibration: the predictive power concerning probabilities of default
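Two of the four areas above, discriminatory power and calibration, can be checked directly on a sample of rated obligors. The following is an added example written for this summary, not code from any FRM reading or Basel paper: it computes the area under the ROC curve and the accuracy ratio (how well the PDs rank defaulters above survivors), then compares each grade's realised default rate with its predicted PD using an exact binomial test. The obligor list, grades, PDs and default flags are constructed and hypothetical; the sample-representativeness and dynamic-properties checks need data over several periods and are not covered here.

```python
"""Discriminatory-power and calibration checks for a rating model.

Added example for this summary, not part of any FRM text or Basel paper.
The obligor sample below is constructed; grades, PDs and default flags are
hypothetical.
"""
from math import comb

# Constructed sample: (rating grade, predicted one-year PD, defaulted in the
# period). Three grades, four obligors each. Hypothetical values.
OBLIGORS = [
    ("A", 0.01, 0), ("A", 0.01, 0), ("A", 0.01, 0), ("A", 0.01, 0),
    ("B", 0.05, 0), ("B", 0.05, 1), ("B", 0.05, 0), ("B", 0.05, 0),
    ("C", 0.20, 1), ("C", 0.20, 0), ("C", 0.20, 1), ("C", 0.20, 0),
]


def auc(obligors):
    """Area under the ROC curve: share of (defaulter, survivor) pairs in
    which the defaulter was assigned the higher PD. Ties count one half.
    0.5 means no ranking ability, 1.0 means perfect ranking."""
    defaulters = [pd for _, pd, d in obligors if d]
    survivors = [pd for _, pd, d in obligors if not d]
    score = 0.0
    for pd_d in defaulters:
        for pd_s in survivors:
            if pd_d > pd_s:
                score += 1.0
            elif pd_d == pd_s:
                score += 0.5
    return score / (len(defaulters) * len(survivors))


def accuracy_ratio(obligors):
    """Accuracy ratio (Gini coefficient) = 2 * AUC - 1."""
    return 2 * auc(obligors) - 1


def binomial_upper_tail(k, n, p):
    """P(X >= k) for X ~ Binomial(n, p): the chance of seeing at least k
    defaults among n obligors if the grade's PD were correct."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def calibration_by_grade(obligors, alpha=0.05):
    """Compare the realised default rate with the predicted PD per grade and
    flag grades whose default count is unlikely under the stated PD.
    Assumes every obligor in a grade carries the same predicted PD."""
    report = {}
    for grade in sorted({g for g, _, _ in obligors}):
        rows = [(pd, d) for g, pd, d in obligors if g == grade]
        n = len(rows)
        defaults = sum(d for _, d in rows)
        pd_pred = rows[0][0]
        p_value = binomial_upper_tail(defaults, n, pd_pred)
        report[grade] = {
            "n": n,
            "predicted_pd": pd_pred,
            "observed_rate": defaults / n,
            "p_value": p_value,
            "flag": "underestimated PD" if p_value < alpha else "ok",
        }
    return report


if __name__ == "__main__":
    print(f"AUC = {auc(OBLIGORS):.3f}, accuracy ratio = {accuracy_ratio(OBLIGORS):.3f}")
    for grade, row in calibration_by_grade(OBLIGORS).items():
        print(grade, row)
```

On this sample the AUC is about 0.80 (the model ranks reasonably well), and every grade's realised default rate sits above its predicted PD, yet none of the binomial tests rejects at the 5% level with only four obligors per grade. That is the practical point of the calibration check: small grades give weak evidence either way, so a validator reports the p-values alongside the observed rates rather than a pass/fail alone.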
Assessing the Quality of Risk Measures
VaR has been subjected to much criticism
- The sharpest critique: that the standard normal return model underpinning most VaR estimation procedures is simply wrong
But there are other lines of attack on VaR that are relevant even if VaR estimates are not based on the standard model
Three of these viewpoints:
- The devil is in the details: Subtle and not-so-subtle differences in how VaR is computed can lead to large differences in the estimates
- VaR cannot provide powerful tests of its own accuracy
- VaR is “philosophically” incoherent: It cannot do what it purports to be able to do, namely, rank portfolios in order of riskiness
A pervasive basic problem with all models, including risk models: the fact that they can err or be used inappropriately
The basic modeling problem facing VaR is that the actual distribution of returns doesn’t conform to the model assumption of normality under which VaR is often computed
Using a VaR implementation that relies on normality without appreciating the deviations of the model from reality is an example of model risk
- The term “model risk” describes the possibility of making incorrect trading or risk management decisions because of errors in models and how they are applied
Model risk can manifest itself and cause losses in a number of ways
- The consequences of model error can be trading losses, as well as adverse legal, reputational, accounting, and regulatory results
Model errors can occur in the valuation of securities or in hedging
- Errors in valuation can result in losses that are hidden within the firm or from external stakeholders
- Valuation errors due to inaccurate models are examples of market risk as well as of operational risk
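The two VaR criticisms above, that the normal model misstates the tail and that VaR cannot test its own accuracy with much power, can be shown on a small series. The following is an added example written for this summary, not code from any FRM reading: it builds a constructed 250-day return series with a few large jumps, computes a parametric VaR that assumes normality next to the historical (empirical) VaR, counts the exceptions the normal VaR suffers, and runs the exact binomial backtest on that count. The return values, jump dates and sizes are constructed so the result is reproducible.

```python
"""Model risk in VaR: a normal-distribution VaR against fat-tailed returns,
and the weak power of the exception-count backtest.

Added example for this summary; not code from any FRM reading. The return
series is constructed (no random number generator) so the numbers are
reproducible.
"""
from math import ceil, comb
from statistics import NormalDist, mean, stdev


def build_returns(n=250):
    """Constructed sample: ordinary days cycle through small moves between
    -0.4% and +0.4%; six days are overwritten with large jumps (four losses
    of 3%, two gains of 2.5%) to give the series fat tails."""
    returns = [0.004 * (((i * 7) % 11) - 5) / 5 for i in range(n)]
    for i in (30, 90, 150, 210):
        returns[i] = -0.03
    for i in (60, 180):
        returns[i] = 0.025
    return returns


def normal_var(returns, confidence=0.99):
    """Parametric VaR: assumes returns are normal with the sample mean and
    standard deviation. Reported as a positive loss fraction."""
    z = NormalDist().inv_cdf(confidence)
    return -(mean(returns) - z * stdev(returns))


def historical_var(returns, confidence=0.99):
    """Empirical VaR: the k-th worst loss, k = ceil((1 - confidence) * n)."""
    losses = sorted((-r for r in returns), reverse=True)
    k = ceil(round((1 - confidence) * len(returns), 9))
    return losses[k - 1]


def count_exceptions(returns, var):
    """Days on which the realised loss exceeded the VaR estimate."""
    return sum(1 for r in returns if -r > var)


def backtest_p_value(exceptions, n, confidence=0.99):
    """Exact binomial test: P(at least this many exceptions) if the VaR
    were correct, i.e. exceptions ~ Binomial(n, 1 - confidence)."""
    p = 1 - confidence
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(exceptions, n + 1))


if __name__ == "__main__":
    r = build_returns()
    nv, hv = normal_var(r), historical_var(r)
    ex = count_exceptions(r, nv)
    print(f"normal VaR 99%          = {nv:.4f}")
    print(f"historical VaR 99%      = {hv:.4f}")
    print(f"exceptions of normal VaR: {ex} (expected {0.01 * len(r):.1f})")
    print(f"backtest p-value        = {backtest_p_value(ex, len(r)):.3f}")
```

On this series the normal VaR comes out near 1.2% while the historical VaR is 3.0%, so the normality assumption understates the 99% loss by more than half. The normal VaR is then breached on 4 of 250 days against an expected 2.5, but the binomial test returns a p-value of roughly 0.24: a year of daily data does not reject a VaR that is wrong by a factor of two, which is the "VaR cannot provide powerful tests of its own accuracy" point in practice.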
Risk-Adjusted Performance Measurement
This segment takes a look at the roles of risk capital and at how risk capital can be attributed to business lines as part of a risk-adjusted performance measurement (RAPM) system
RAPM represents a key challenge for financial institutions and nonfinancial firms around the world today
Only by forging a connection between risk measurement, risk capital, risk-based pricing, and performance measurement can firms ensure that the decisions they take reflect the interests of stakeholders
Risk capital is the cushion that provides protection against the various risks inherent in the business of a corporation
Risk capital gives confidence to the corporation’s stakeholders
Risk capital is often called economic capital
- The generally accepted convention is that risk capital and economic capital are identical
Risk Adjusted Return on Capital (RAROC)
RAROC systems, developed first by large financial institutions, are being implemented in smaller banks and other trading firms, such as energy trading companies
Wherever risk capital is an important concern, RAROC balances the divergent desires of the various external stakeholders, while also aligning them with the incentives of internal decision makers
RAROC information allows senior managers to better understand where shareholder value is being created and where it is being destroyed
RAROC promotes:
- Strategic planning
- Risk-adjusted profitability reporting
- Better incentive compensation schemes
- Proactive allocation of resources
- Better management of concentration risk
- Better product pricing
Range of Practices and Issues in Economic Capital Frameworks
Economic capital can be defined as the methods or practices that allow banks to consistently assess risk and attribute capital to cover the economic effects of risk-taking activities
Economic capital was originally developed by banks as a tool for capital allocation and performance assessment
- For these purposes, economic capital measures mostly need to reliably and accurately measure risks in a relative sense, with less importance attached to the measurement of the overall level of risk or capital
Over time, the use of economic capital has been extended to applications that require accuracy in estimation of the level of capital (or risk)
- Such as the quantification of the absolute level of internal capital needed by a bank
This evolution in the use of economic capital has been driven by both internal capital management needs of banks and regulatory initiatives
Economic capital can be analyzed and used at various levels—ranging from firm-wide aggregation, to risk-type or business-line level
Many building blocks of economic capital are complex and raise challenges for banks and supervisors
Capital Planning at Large Bank Holding Companies
The Federal Reserve has previously noted the importance of capital planning at large, complex bank holding companies (BHCs)
Capital is central to a BHC’s ability to absorb unexpected losses and continue to lend to creditworthy businesses and consumers
Capital serves as the first line of defense against losses, protecting the deposit insurance fund and taxpayers
Even if current assessments of capital adequacy suggest that a BHC’s capital level is sufficient to withstand potential economic stress, it is robust capital planning that helps ensure that this outcome will continue to hold in the future
Stress Testing Banks
How much capital and liquidity does a bank need to support its risk taking activities?
Bank balance sheets are notoriously opaque and susceptible to asset substitution (easy swapping of high risk for low risk assets)
There are three kinds of capital and liquidity:
- The capital/liquidity you have
- The capital/liquidity you need (to support your business activities)
- The capital/liquidity the regulators think that you need
Stress testing, regulatory capital/liquidity and bank-internal (so-called “economic capital/liquidity”) models all seek to do the same thing:
- To assess the amount of capital and liquidity which is needed to support the business activities of the financial institution
Capital adequacy addresses the right side of the balance sheet (net worth), and liquidity the left side (share of assets that are “liquid”, however defined)
If all goes well, both the economic and regulatory capital/liquidity are less than the required regulatory minimum, and their difference (between economic and regulatory) is small
Special Note:
Prior to their failure or near-failure, financial institutions such as Bear Stearns, Washington Mutual, Fannie Mae, Freddie Mac, Lehman and Wachovia were ALL adequately or even well capitalized
- (…at least according to the regulatory capital rules disclosed in their public filings)
Guidance on Managing Outsourcing Risk
In addition to traditional core bank processing and information technology services, financial institutions outsource operational activities such as:
- Accounting
- Appraisal management
- Internal audit
- Human resources
- Sales and marketing
- Loan review
- Asset and wealth management
- Loan servicing
Financial institutions should consider the following risks before entering into and while managing outsourcing arrangements:
- Compliance risks – arise when a service provider fails to comply with applicable U.S. laws and regulations
- Concentration risks – arise when outsourced services or products are provided by a limited number of service providers or are concentrated in limited geographic locations
- Reputational risks – arise when actions or poor performance of a service provider causes the public to form a negative opinion about a financial institution
- Country risks – arise when a financial institution engages a foreign-based service provider, exposing the institution to possible economic, social, and political conditions
- Operational risks – arise when a service provider exposes a financial institution to losses due to inadequate or failed internal processes or systems
- Legal risks – arise when a service provider exposes a financial institution to legal expenses and possible lawsuits
Risks Associated with Money Laundering and Financing Terrorism
Many nations and international bodies have developed laws, regulations or guidelines focused on limiting the use of banking services to support criminal activities, particularly money laundering (ML) or financing of terrorism (FT)
Criminals and terrorists use payment services to finance their activities, or to convert funds linked to criminal activity (including tax evasion) to an untainted or laundered form
Because banks are at the heart of the global payment system, they are uniquely vulnerable to being ensnared in such activities
ML/FT risk management includes some specific activities that supervisors and other authorities expect at every bank:
- Risk assessment
- Customer due diligence and acceptance (CDD) [aka Know Your Customer (KYC)]
- Transaction and other monitoring
- Reporting of suspicious activity and freezing assets
- Addressing risks associated with global operations
- Attention to third-party risk and correspondent banking risks
- Awareness of an array of official sector pronouncements
Regulation of the OTC Derivatives Market
The exchange-traded market is a market where products developed by an exchange are bought and sold on a trading platform developed by the exchange
A market participant’s trade must be cleared by a member of the exchange clearing house
The exchange clearing house requires margin (i.e., collateral) from its members
- And the members require margin from the brokers whose trades they are clearing
- The brokers in turn require margin from their clients
The OTC market is a market where financial institutions, fund managers, and corporate treasurers deal directly with each other
- Here, an exchange is not involved
Before the 2007–2008 credit crisis, the OTC market was largely unregulated
- Two market participants could enter into any trade they liked
- They could agree to post collateral or not post collateral
- They could agree to clear the trade directly with each other or use a third party
- They were under no obligation to disclose details of the trade to anyone else
Since the crisis, the OTC market has been subject to a great deal of regulation
Capital Regulation before the Global Financial Crisis
Financial regulation has developed incrementally over the centuries, often in response to stressful periods which exposed the limitations of previous regulations
In the days before government regulation, banks or insurance companies could be created without official approval
- Success (or failure) was based primarily on whether they could persuade clients to use their services
Financial institution failures were frequent, and sometimes occurred not because of insolvency but because of a loss of client confidence
Later, governments required new financial institutions to obtain a license before being allowed to operate
The first “regulations” were the result of financial firms banding together to share resources in the event of runs
- Clearinghouse members shared financial statements with each other and had rights of inspection, and so monitoring and enforcement of solvency was a part of the arrangements
- However, this was done privately
Basel II introduced additional approaches to capital for credit risk that were much more risk-sensitive and more aligned with modern credit risk management analysis
Basel II also introduced two new pillars in addition to quantitative capital requirements: supervision and disclosure
Solvency, Liquidity and Regulation after the Global Crisis
The financial crisis that began in the summer of 2007 revealed limitations and gaps in the existing solvency and liquidity regulations
The financial crisis revealed market practices and product designs that proved ill-suited to stressed environments
Global regulators reacted with more restrictive regulations and supervision and with more coordination across nations
The Financial Stability Forum, a body that undertook occasional studies, was reconstituted as the Financial Stability Board (FSB) in the wake of the financial crisis
The FSB is composed of representatives from finance ministries, central banks, prudential regulators, securities regulators, and others from dozens of nations
Although organizations like the Basel Committee and IOSCO appeared to retain their independence and authority, as a practical matter, the FSB became the body in which many changes in international standards were approved
High-Level Summary of Basel III Reforms
The Basel III framework is a central element of the Basel Committee’s response to the global financial crisis
- It addresses a number of shortcomings in the pre-crisis regulatory framework
- It also provides a foundation for a resilient banking system to help avoid systemic vulnerabilities
The initial phase of Basel III reforms focused on strengthening the following components of the regulatory framework:
- Improving the quality of bank regulatory capital by placing a greater focus on going-concern loss-absorbing capital in the form of Common Equity Tier 1 (CET1) capital
- Increasing the level of capital requirements to ensure that banks are sufficiently resilient to withstand losses in times of stress
- Enhancing risk capture by revising areas of the risk-weighted capital framework that proved to be acutely mis-calibrated
- Adding macro-prudential elements to the regulatory framework
Basel III: Finalizing Post-Crisis Reforms
Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events
- This definition includes legal risk, but excludes strategic and reputational risk
The standardized approach for measuring minimum operational risk capital requirements replaces all existing approaches in the Basel II framework
Consistent with Part I (Scope of Application) of the Basel II Framework, the standardized approach applies to internationally active banks on a consolidated basis
- Supervisors retain the discretion to apply the standardized approach framework to non-internationally active banks
Basel III: The Cyber-Resilient Organization
Cyber security in an organization typically places emphasis on maintaining a secure perimeter, with an emphasis on technology tools for monitoring internal traffic and external communications
Cyber security tools include antivirus software, firewalls, network traffic deep-packet inspection, data management systems, email security systems, server gateways, web application firewalls, and many others
The cyber risk management framework proposed by the National Institute of Standards and Technology (NIST) consists of five functions:
- Identify: Develop an organizational understanding to manage cyber security risk
- Protect: Develop / implement safeguards to ensure delivery of critical services
- Detect: Develop / implement activities to identify the occurrence of a cyber security event
- Respond: Develop / implement activities to take action regarding a detected cyber security incident
- Recover: Develop / implement activities to maintain resilience and restore any impaired capabilities
Basel III: Cyber-Resilience: Range of Practices
Regulated institutions’ use of technology includes greater levels of automation and integration with third-party service providers and customers
Increased use of third-party providers means that the perimeter of interest to financial sector regulators has gotten bigger, and greater use of cloud services means that the perimeter is also shared
Shared service models require regulated institutions to think differently about how they build and maintain their cyber-resilience in partnership with third parties
Given the increase in the frequency, severity and sophistication of cyber-incidents in recent years, a number of legislative, regulatory and supervisory initiatives have been taken to increase cyber-resilience
Operational resilience refers to the ability of firms, FMIs and the sector as a whole to prevent, respond to, recover and learn from operational disruptions
Improving operational resilience might also be good for competition
- A shared understanding of minimum standards may help new entrants establish themselves in a market
Basel III: Striving for Operational Resilience
Operational resilience has become a key agenda item for boards and senior management
Increasing complexity in processes and IT, dependence on third parties, interconnectedness and data sharing, and sophistication of malicious actors have made disruptions more likely and their impact more severe
Resilience is fundamentally different from traditional business continuity (BC) and disaster recovery (DR)
- These disciplines have historically been heavily focused on physical events, were designed and tested in organizational silos, and are primarily viewed as a compliance exercise
Operational resilience, instead, focuses on the adaptability to emerging threats, the dependencies and requirements for providing critical end-to-end business services
Operational resilience requires a mindset shift in the organization away from resilience as a compliance exercise to resilience as a key organizational capability that is everyone’s responsibility
Boards and senior management need to provide effective challenge of their organization’s resilience ambitions, program, and critical risks
Achieving operational resilience is inherently challenging given the increasing complexity of processes, technology infrastructure, and organizational silos
In closing
Success is near,
The QuestionBank Family