• No results found

Operational Risk Management in the Financial Services Industry

N/A
N/A
Protected

Academic year: 2021

Share "Operational Risk Management in the Financial Services Industry"

Copied!
12
0
0

Loading.... (view fulltext now)

Full text

(1)

Operational Risk Management in the Financial Services Industry

International benchmark survey conducted by SAS and Risk magazine June 2004

Enterprise Intelligence | Supplier Intelligence | Organizational Intelligence | Customer Intelligence | Intelligence Platform

(2)

This report presents the results of the 2004 international benchmark survey into operational risk management in the financial services industry. Building on a similar report from 2003, the survey reveals once again that the economic returns of a successful operational risk program are significant, amounting to millions of dollars annually. But while there has been considerable progress over the past 12 months there is still

Management summary

“Financial institutions recognize that a successful operational risk management program will deliver clear economic rewards and business benefits. The main obstacles to that success relate to basic issues such as the availability of data and data quality. These issues need to be addressed as a matter of some urgency.”

Peyman Mestchian, Head of Risk, SAS UK a lot to do. It appears that the lack of a clear regulatory framework may be holding some organizations back.

This is a mistake. It will be some years before best practices are established, and in the meantime financial institu- tions can reap considerable benefits by pursuing their own programs. A fifth of global respondents still have no program in place, including many in Europe and North America.

Difficulties in collating clean data and poor awareness among staff are the major obstacles to successful implementation, and companies have not yet worked out the best organi- zational framework for addressing operational risk.

(3)

Survey

demographics

The survey was carried out by SAS together with Incisive Financial Publishing and distributed primarily through www.risknet.com, Risk maga- zine and Operational Risk magazine.

Data was collected in February and March 2004. We received more than 250 responses to a global survey. The majority of organizations represented in the survey are medium to large financial institutions: 41 percent have a turnover in excess of $1 billion and a further 13 percent have a turnover between $500 million and $1 billion (Figure 1).

Figure 2: Business line responsibility for operational risk management

0% 5% 10% 15% 20% 25% 30% 35%

Other Technology and systems Insurance Asset management Agency services Payment and settlement Commercial banking Retail banking Trading and sales Corporate finance Dedicated operational risk team at senior management level

31%

10%

2%

2%

1%

5%

3%

5%

6%

28%

7%

Figure 1: Company turnover Figure 3: Distribution of respondent

location

Europe 49%

Rest of world

3% North

America 22%

South America Africa 4%

3%

Middle East 4%

Asia Pacific 15%

Seventy percent of respondents are employed directly by financial institutions.

Twenty-eight percent work in dedicated senior operational risk management functions within such organizations. Technology and Systems was also a strongly repre- sented line of business (Figure 2).

This was a global survey. The geo- graphic breakdown was 49 percent Europe, 22 percent North America, 15 percent Asia Pacific and the

$50–$99 million

4%

$750 million–

$1 billion 6%

$500–

$749 million 7%

$100–

$249 million 11% $250–

$499 million 8%

Less than

$50 million 23%

Over $1 billion 41%

(4)

remaining 14 percent from the rest of the world (Figure 3).

• Nearly one-fifth of respondents say their firms do not have an opera- tional risk program.

• There is a “tension” between regula- tory and business drivers of opera- tional risk management programs.

• Respondents still identify IT and systems failure as the biggest source of operational risk.

• Losses in the $5 to $10 million range seem to hit hardest in terms of aver- age loss per year.

• Average loss sizes increase with size of company; one third of respondents reported operational risk losses in excess of $20 million per year.

• Estimates of the economic rewards of operational risk management are high, though down slightly on last year:

— Average amount of expected reduction of economic

capital—10 percent.

Key findings

• The biggest obstacles to successful operational risk management are difficulty in collating historical data and poor awareness among staff.

Financial institutions regard opera- tional risk as a rather ambiguous area compared with credit risk and market risk. It is less well defined and poten- tially a greater challenge. In our survey we therefore asked respondents to comment on the maturity of their operational risk management pro- grams. Nineteen percent still have no operational risk program whatsoever, though this is a 24 percent improve- ment on our findings in the 2003 survey. This is not purely a matter of geography. Seventeen percent of European firms have no operational risk program, compared with 20 per- cent in America and 24 percent in Asia Pacific. Rather, the firm’s size is a better guide than geography to the absence of a program. Firms with less than $100 million annual turnover are most likely not to have a program (29 percent). Even so, nine percent of respondents from companies with a turnover exceeding $1 billion reported that they have no operational risk program in place. One third of respon-

Maturity of operational risk programs

— Average amount of expected reduction of operational losses—17 percent.

• Other benefits identified include increased revenue and better business performance.

• Forty-eight percent of respondents have a core operational risk group or committee supplemented by full- or part-time risk managers—up from 36 percent in 2003.

• Expenditure on operational risk continues to increase, though at a slower rate.

(5)

1.0 1.5 2.0 2.5 3.0 3.5 4.0 Terrorist attacks and related

business continuity issues Increased shareholder pressure for operational risk management and disclosure Prominent accounting scandals and regulatory

responses (e.g., Sarbanes-Oxley) Industry/association technology/operational risk

initiatives (e.g., Straight-through-processing) Concern over levels of internal losses Internal best practices benchmarking exercises Basel II and related domestic regulation

2.2

2.7 2.6 2.6

2.9

3.1 2.3

1 = No impact 4 = Very high impact dents said their operational risk man-

agement program had been in place for less than two years (Figure 4).

We then asked respondents what they consider to be the key factors driv- ing their programs (on a scale where 1 = “no impact” and 4 = “very high impact”), Basel II and related domes- tic regulation was clearly the most important reason (3.1). However, many of the drivers also rated highly deal with internal business issues. Internal benchmarking (2.9) was one, and there is also widespread concern about the impact of internal losses on business performance (2.7). Recent accounting scandals and the regulatory response have raised concerns; respondents were more likely to rate this factor as a driver than in 2003. Terrorism and its potential impact on business continuity are not a major concern, though slightly more so than in our

Figure 4: Maturity of operational risk programs

0% 5% 10% 15% 20% 25%

More than five years Three to five years Two to three years Between one and two years Less than 12 months Does not currently have such a program

12%

16%

22%

17%

19%

14%

Figure 5: Factors driving development of operational risk programs

(6)

2003 survey. The larger the company, the greater the worry about terrorism (Figure 5).

When asked what they regard as their main sources of operational risk (also on a scale of 1 to 4) respondents put IT systems failure at the top of the list (3.1), which is consistent with what we found last year. The biggest

“mover” is customer relationship risk, up to second from seventh place in 2003. However, this could be due to some recent high-profile “mis-selling”

scandals. Regulatory and compliance issues (including taxation) come third.

Definitional issues aside, in surveys like this one companies often report what they can most easily identify and quantify as a risk. It might be argued that loss of key personnel in a bank is a much greater risk than IT systems failures, which are already subjected to all sorts of controls such as disas- ter recovery and business continuity planning. In reality if you lose one of your top trading teams the loss will probably be much greater because it is difficult to plan around it. But it is

much more difficult to measure the impact of such human losses, so it is often a case of “out of sight, out of mind” (Figure 6).

According to the survey, the average total of expected losses per year is

$18.8 million. As expected the most commonly occurring events are the smaller ones. Losses diminish in fre- quency according to size. Those in the

$5 million to $10 million range seem to have the greatest cumulative impact (Figure 7). Of course, the losses increase significantly with the size of the company. American companies experience the highest average levels of loss ($23.4 million) and Asia Pacific

Risk factors

Figure 6: Operational risks rated in terms of their impact on the business

0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 Political/country risk

Loss/damage to physical assets Inability to attract high quality staff Lack of internal transparency on operational risk information Legal liability Internet fraud Key person retention Anti-money laundering/external fraud Inadequate financial controls Transaction processing failures Financial accounting/reporting Regulatory/compliance (including taxation) Customer relationship risk IT systems failure/inadequate MIS

2.1 2.3

2.5 2.6 2.6 2.7 2.7 2.8

2.9 2.9 2.9 3.0

3.1 3.1

1 = No impact 4 = Very high impact

Scale of losses through

operational risk

(7)

Figure 7: Operational risk losses in terms of size and occurence 0%

$10K–

$99k

Percent of respondents experiencing loss in category Average loss in category

$100K–

$499K

$500K–

$999K

$1m–

$4.9m

$5m–

$9.9m

$10m +loss 10%

20%

30%

40%

50% Total average loss across

all categories: $9,372,112

Size of loss

Frequency Total cost

60%

49%

34%

24%

$16m

$14m

$12m

$1m

$8m

$6m

$4m

$2m

$0

$2,957,483

$4,504,854

$2,479,167

$5,927,419

$15,000,000

$13,695,652

21%

17% 15%

companies the lowest ($11.5 million).

European companies reported an average loss of $20 million per year.

We asked companies to quantify the economic rewards of operational risk management. Respondents felt that on average they could achieve a ten per- cent reduction of economic capital as a result of their operational risk program (Figure 8). What would this mean in practice? To verify the impact of such a reduction in economic capital we applied it to a large UK-based financial institution (medium-sized in global terms). This bank has 20 percent of its

$10 billion economic capital allocated to operational risk, so this translates into a $200 million reduction. Applying a standard 10 percent rate of cost of capital, this means that operational risk management would give them an annual net benefit of $20 million.

In addition, there are of course signifi- cant benefits to be secured as a result of actual loss reduction. On average, survey respondents expected these to be more than 17 percent. Even if we apply this to expected losses, this would deliver a net benefit ranging from about a million dollars per year for the smaller financial institutions and tens of millions, or greater, for the larger European and U.S. firms (Figure 9).

It is necessary to add a word of caution here: When financial institutions imple- ment operational risk management programs, performance may appear to get worse before it gets better, because companies will start reporting

Rewards and benefits

Figure 8: Estimated reduction of economic capital over the next 12 months

5% 10% 15% 20% 25% 30% 35%

More than 20%

11% to 20%

6% to 10%

1% to 5%

No change

20%

13%

21%

34%

12% Average = 10%

losses that previously went unreported.

So it would be unrealistic to expect that 17 percent reduction in losses will be achieved immediately; it would also be wise to prepare senior management for some bad news, or you could be setting unrealistic expectations. It is difficult to predict the time lag between the initial dip in performance and the expected improvement; this will vary

enormously between organizations depending on how accurately they are currently measuring risk.

Also bear in mind that a significant proportion of the survey participants (28 percent) are themselves dedicated senior members of an operational risk

(8)

ahead of “Reduction in operational losses” (3.4). “Protection against loss of reputation” scored 3.3 (Figure 10).

What sort of organizational framework do companies have for managing operational risk? According to our sur- vey, nearly half (48 percent) of those responding have a core operational risk group or committee supplemented by managers who focus on risk full time or part time. This is one of the most significant changes from last year, up from just over a third (36 per- cent) (Figure 11).

Seventeen percent of respondents say they still have no operational risk man- agement team at all. Half of respon- dents say they have five members or fewer at group level, possibly supple- mented by part-time members from the business lines who have expertise in operational risk management. One third have dedicated operational risk teams of six or more, up from 23 per- cent in 2003 (Figure 12).

Forty-two percent of respondents plan to expand their team of full time operational risk managers over the next 12 months (28 percent were unsure, and 30 percent said they had no plans). It is unlikely that the increases will be substantial, in our opinion. There is still considerable argument about whether it is better to have a strongly centralized team or a more federal organization with risk specialists embedded in the geogra- Figure 9: Estimated reduction in the cost of operational losses over the next 12 months

5% 10% 15% 20% 25% 30%

More than 20%

11% to 20%

6% to 10%

1% to 5%

No change

15%

23%

26%

13%

23%

Average = 17%

Figure 10: The most important benefits of successful operational risk management

1.0 1.5 2.0 2.5 3.0 3.5 4.0

Optimized allocation of economic capital Greater levels of accountability (staff and business unit level) Protection against loss of reputation Reduction of operational losses Improved business and performance management

2.8

3.5 3.4 3.3 3.2

1 = No importance 4 = Very high importance

Organizational framework

management team, so it may be that the practitioners are “overselling” the benefits of operational risk manage- ment programs. That said, there is a very clear business case emerging for operational risk programs. Even if the stated economic rewards were

cut in half, they would still make a dramatic impact on any company’s bottom line.

Moreover, respondents see the ben- efits of operational risk management going far beyond short-term financial benefits. Asked what they saw as the main benefits of successful opera- tional risk management (on a scale of 1 to 4) respondents rated “Improved performance management” (3.5)

(9)

Figure 11: Common phrases describing firms’ operational risk framework phies and business lines as agents of

change. It could be some time before companies settle on what is “best practice” in this regard.

ensure that everyone assumes their share of responsibility. Operational risk is not like credit or market risk, where it makes more sense to build up teams of professional practitioners.

Most of the communication strategy around operational risk management remains traditionally hierarchical, with limited knowledge sharing and busi- ness units reporting up the line. Since 2003, companies have not substan- tially changed their level of reporting to management (now 29 percent of companies, actually down slightly from 2003), though reporting to the board of directors is up (now 24 per- cent, compared to 19.5 percent in 2003), as is feedback to business units. However, there is still much to be done to increase the general level of awareness throughout the organization. Companies need to focus on ensuring that there is under- standing of where risks are, establish- ing a common language on risk, developing knowledge bases and improving reporting procedures.

Internal

communication

Figure 12: The size of dedicated operational risk measurement and management teams among respondents

Our belief is that companies need to

“democratize” operational risk man- agement. In other words, make it an issue that reaches every corner of the enterprise. Operational risk exists in all the key processes, so it makes sense to embed risk experts locally and

3 to 5 24%

6 to 10 20%

11 to 20

6% 21+

8%

No team at present 17%

1 to 2 25%

0% 5% 10% 15% 20% 25% 30%

A centralized operational risk committee/group focused on regulatory compliance

Operational risk handled by the audit/compliance departments Operational risk handled at the business unit level

with no centralized committee/group No operational risk framework is in place at this time A centralized operational risk committee/group focused on setting policy for business units A core operational risk committee/group supplemented by dedicated operational risk managers at the business unit level A core operational risk committee/group supplemented by managers who focus on operational risk part-time at the business unit level

5%

15%

14%

7%

22%

26%

7%

(10)

Major obstacles to successful operational risk management

If these issues are not addressed quickly then the rest of the initiative can easily break down.

The type of systems that have most commonly been implemented already are internal loss databases and self- assessment methodologies. Key risk indicators and triggers may already be in place, but in our experience they have not yet been applied to operational risk. Statistical modeling and analytic tools will come in at a later stage, as will the use of external operational risk databases, artificial intelligence and expert systems-based modeling (Figure 13).

Operational risk tools and methodologies

Rather surprisingly, nearly twice as many respondents say they are going to use the Advanced Measurement Approach (AMA) to calculate their capital allocation requirement as say they are going to use the Standardized Approach. This is good news, and the regulators will be pleased to hear it. The question is, however, to what extent companies are saying that AMA is what they are going to do before they have really thought about how they are going to do it—AMA meth- odologies remain rather ill defined. It could be some years—perhaps three to five—before there is widespread agreement on common methodologies and best practices, just as it took time to standardize on credit risk and mar-

ket risk in the 1990s. Only one thing is fairly certain: managing operational risk in five years will be different than managing it today.

Perhaps the most striking finding in the survey is the identification of key obstacles to effective operational risk management. This reveals that the market has not moved much over the past year or two; the main obstacles relate to basic issues that need to be addressed with some urgency.

We asked respondents to rate obsta- cles on a scale of 1 to 4. The number one issue (with an average score of 2.9) was “Difficulty in collating suffi- cient volume of historical data” (Figure 14). Based on SAS’ experience, this is absolutely correct. You can have the most sophisticated analytical tools in the world, but if you are not working with comprehensive, real-world data, you’re likely to miss the real dangers.

Moreover, the third biggest issue (2.8) was closely related: “Difficulty in ensuring data quality”—again, if you are working with inconsistent and inaccurate data, you are sure to run into problems and disagreements.

Second on the list (2.9) was the issue of poor overall awareness of opera- tional risk issues: this is a cultural chal- lenge and is going to take time. Other factors that merited high scores were

“Cost and time of implementation,”

Figure 13: Operational risk tools that respondents have implemented, are implementing or will implement

0 20 40 60 80 100 120

Internal loss database Self-assessment tool Key risk indicator/trigger Statistical modeling of risk data External operational risk database AI/expert system modeling Internal reporting tool External compliance reporting tool

Implemented Implementing Number of respondents

Will implement

(11)

About SAS

“Difficulty in modeling operational risk”

and “Lack of clarity and best practice from regulators” (Figure 14).

It will take some time for the regula- tory environment to clarify and for best practices to emerge. This is not necessarily a bad thing; best practices

cannot be imposed from above, and a certain amount of creative tension can be helpful. The bottom line is that organizations need to focus on their data, processes and people, and not get hung up on regulatory details or finding the magic solution. This survey has revealed the economic case for

an operational risk management pro- gram, and solutions should focus on addressing business needs.

SAS is the market leader in providing a new generation of business intel- ligence software and services that create true enterprise intelligence.

SAS solutions are used at more than 40,000 sites—including 96 of the top 100 of the 2003 Fortune Global 500—to develop more profitable rela- tionships with customers and suppli- ers; to enable better, more accurate and informed decisions; and to drive organizations forward. SAS is the only vendor that completely integrates leading data warehousing, analytics and traditional BI applications to cre- ate intelligence from massive amounts of data. For nearly three decades, SAS has been giving customers around the world The Power to Know®.

Figure 14: Potential obstacles to successful implementation of an operational risk management system

1.0 1.5 2.0 2.5 3.0 3.5 4.0

Difficulty in integrating internal and external loss data Access to operational

risk expertise/talent Difficulty in accessing/reporting operational data System integration issues

Difficulty in mixing qualitative and quantitative information Inadequate management buy-in

Lack of clarity and best practice from regulators/professional bodies Difficulty in modeling operational risk

Cost and time of implementation (the sheer size of the project) Difficulty in ensuring the quality of the data

Overall awareness and knowledge of operational risk issues amongst general staff DIfficulty in collating sufficient volume of historical data

2.6

2.7

2.8 2.7 2.6

2.7

2.8 2.8

2.9 2.9 2.8 2.6

1 = No impact 4 = Very high impact

(12)

World Headquarters and SAS Americas SAS Campus Drive Cary, NC 27513 USA Tel: (1) 919 677 8000 Fax: (1) 919 677 4444 U.S. & Canada sales:

(1) 800 727 0025

SAS International PO Box 10 53 40 Neuenheimer Landsr. 28-30 D-69043 Heidelberg, Germany Tel: (49) 6221 4160 Fax: (49) 6221 474850

www.sas.com

101635US_284827.0704 SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc.

in the USA and other countries. ® indicates USA registration. Other brand and product names are trademarks of their respective companies. Copyright © 2004, SAS Institute Inc. All rights reserved.

The opinions expressed in this report are those of the author, Peyman Mestchian, and are based on a recent presentation of his.

References

Related documents

DISCUSSION DECISIONS/ OUTCOMES/ NEXT STEPS PERSON/ TARGET DATE Welcome and Introduction2. Brief introduction N/A

possible relationship of Christian values and principles to the maintained sector of education in contemporary British society, including the county schools.. In

Based on the results of the study, it can conclude that geographical area, psych- ological factor, maternal MUAC, fetal growth, birth weight, maternal education,

Using the framework of anti-oppressive practice, this article addresses Indigenous youth in the early to middle adolescent years, beginning with personal stories illustrating

Prioritization of travel & tourism Air transport infrastructure Ground transport infrastructure ICT infrastructure Price competitiveness in T&T industry Human resources

Q11: Please provide detail technical information of your Digital Asset Management system based on your understanding of CTC’s requirements as outlined in Section 2 – Scope of Work;

The issuance by the Basel Committee of the revised standardized approach for operational risk?. The IIF Working Group on Operational Risk

The results of our simulation model for the case show that the free dwell time of the container terminal does not have a large impact on the total cost provided the free time does