Operational risk assessment : the commercial imperative of a more forensic and transparent approach

This book shows readers how to manage operational risk, improve the quality and stability of earnings, and reduce the probability of failure by optimizing risk. It shows financial institutions how to provide investors with the best approaches for assessing the standing of firms and determining their true potential. Brendon John Young (London, UK) is CEO of Operational Risk Forum and founding President of the Institute of Operational Risk. Dr. Rodney Coleman (London, UK) is a lecturer in mathematics at Imperial College in London who specializes in statistics and finance.

Foreword. Preface. Acknowledgements. About the Authors. Abbreviations. PART I THE ASSESSMENT OF RISK AND ITS STRATEGIC IMPORTANCE. 1 Introduction. 1.1 Executive Overview: Responsiveness, Competitive Advantage, and Survival. 1.2 Understanding the Increasingly Complex and Competitive Banking Environment. 1.3 Risk Management and Strategy - Identifying Winners and Losers. 1.4 Capital - Understanding and Assessing its Importance and Limitations. 2 The Importance of Corporate Governance. 2.1 Defining Corporate Governance. 2.2 Understanding the Importance of Corporate Governance and Ethics. 2.3 International Organizations and their Activities. 2.4 The Basel Paper on Corporate Governance for Banks. 2.5 Countries: Their Different Requirements and Experiences. 2.6 Board Structures. 2.7 Shareholder Activism and Extra-Financial Issues. 2.8 Assessing Governance, Bribery, and Corruption. 2.9 Key Considerations. 2.10 Conclusions. Appendix 2A. 3 Fundamental Assessment. 3.1 Introduction. 3.2 The Fundamental Relationship Between Credit Risk, Market Risk, and Operational Risk. 3.3 External Assessment Frameworks. 3.4 Credit Rating Agencies' Approach: The 7 Pillars 3.5 Moody's Operational Risk Assessments - Towards a More Forensic Approach. 3.6 The Regulatory Approach - Development of the Arrow Framework. 3.7 Enhanced Analytics. 3.8 Measuring Customer Satisfaction and Loyalty. Appendix 3A. Appendix 3B. 4 An Introduction to Risk and Default Analysis. 4.1 Predicting Soundness. 4.2 Argenti's A-score: Causes of Business Failure. 4.3 Statistical Failure Prediction Models. 4.4 Credit Risk Models. 4.5 Merton's 1974 Model. 4.6 The KMV Model. 4.7 CreditRisk+. 4.8 Portfolio Credit Risk Models. 4.9 Internal Operational Risk Models. 4.10 Commercially Available Operational Risk Systems and Models. 5 Control Risk Self Assessment (CRSA) - A Behavioural Approach to Risk Management. 5.1 Introduction. 5.2 Advocates. 5.3 Defining Control Risk Self Assessment. 5.4 Benefits and Limitations of a CRSA Approach. 5.5 Residual Risks. 5.6 Methodology. 5.7 Types of Meeting. 5.8 Questionnaires and Weightings. 5.9 Resource Allocation. 5.10 Loss Data. 5.11 Determination of Capital Requirement. 5.12 Developing and Refining the System. 5.13 Achieving and Maintaining Credibility and Appropriateness. 5.14 Validation. 5.15 Auditing. 5.16 The Relationship between Risk Management and Knowledge Management. 5.17 Aetiology of Knowledge Management. 5.18 Avoiding Ossification. 5.19 Managing Risk within Communities of Practice. 5.20 Flexibility and Responsiveness. 5.21 The Limitations of Enforced Best Practice. 5.22 Benchmarking and Stress Testing Human Factors. 5.23 Reasons for Failure. 6 Data and Data Collection. 6.1 The Importance of Data. 6.2 The Regulatory Perspective. 6.3 Sources and Limitations of Data. 6.4 Not All Data will be Recorded. 6.5 Differences in Approach Lead to Variations in Capital Requirement. 6.6 Gross or Net Losses. 6.7 Date of Loss. 6.8 Damage to Physical Assets. 6.9 Allocation of Central Losses Across Business Units. 6.10 Boundary Issues between Operational Risk, Credit Risk, Market Risk and Other Risks. 6.11 Extreme Events do not Lend Themselves to Detection by Data Analysis. 6.12 The Small Sample Problem (Overrepresentation and Underrepresentation). 6.13 The Past is Not Necessarily a Good Predictor of the Future. 6.14 Inflation and Currency Variations Limit the Use of Historical Data. 6.15 Error and Accuracy. 6.16 External Data is Not Readily Transferable from One Organization to Another. 6.17 Data is Not Readily Scaleable. 6.18 Emergent Properties. 6.19 Risk Types and Causes. 6.20 Actions by People. 6.21 Systems and Process-based Loss Events. 6.22 External Events. 6.23 Random Events. 6.24 Accumulation of Errors and Weaknesses. 6.25 Granularity. 6.26 Validation and Adjustments. 7 Data Analysis, Quantification, and Modeling. 7.1 Analyzing Data. 7.2 Empirical Distributions. 7.3 Theoretical Probability Distributions - Why is it Necessary to Combine Separate Curves for Frequency and Severity? 7.4 Choosing Appropriate Curves. 7.5 Testing the "Goodness of Fit". 7.6 Characteristics (Moments) Defining a Distribution Curve. 7.7 Combining the Severity and Frequency Curves Using Monte Carlo Analysis. 7.8 Extreme Value Theory (EVT). 7.9 Interpreting the Results - the Adequacy of Regulatory Capital is Difficult to Determine. 7.10 The Causes of Risk Measurement Error. 7.11 Model Validation, Back Testing and Stress Testing. 7.12 Loss Data is Comprised of Many Different Risk Types, Hence the Need for Granularity. 7.13 Risk Assessment Requires Both Quantitative and Qualitative Methods. 7.14 The Risk Analysis and Modeling Continuum. 7.15 Stochastic Modeling and Stochastic Differential Equations (SDE). 7.16 Regression Equations. 7.17 Quantifying Expert Testimony. 7.18 Causal Analysis. 7.19 Conclusions and Recommendations. 8 Causal Analysis. 8.1 Introduction. 8.2 History of Causality. 8.3 Mapping Causality. 8.4 The Bayesian Approach. 8.5 Summary. 9 Scenario Analysis and Contingency Planning. 9.1 Introduction. 9.2 Historical Development. 9.3 Morphological Analysis. 9.4 Model Development. 9.5 Management and Facilitation. 9.6 Relationship between Scenario Analysis and Quantitative Techniques. 9.7 Validity and Repeatability. 9.8 Application of Scenario Analysis to Risk Management within Banks. 9.9 External Business Environment Assessment. 9.10 Shell Global Scenarios to 2025. 9.11 Conclusions. 10 Dynamic Financial Analysis. 10.1 Introduction. 10.2 Background. 10.3 The Generalized DFA Framework. 10.4 DFA Methodology. 10.5 Data Considerations. 10.6 Aggregation, Correlation and Diversification. 10.7 Limitations of DFA Models. 10.8 Outputs and Analysis. 10.9 The Future. 11 Enterprise Risk Management. 11.1 Introduction. 11.2 ERM Frameworks. 11.3 ERM Modeling. 11.4 Risk Correlation and Integration. 12 Insurance and Other Risk Transfer Methods. 12.1 Introduction. 12.2 Background. 12.3 Findings. 12.4 Conclusions and Recommendations. 13 Observed Best Practices and Future Considerations. 13.1 Introduction. 13.2 Governance and Management. 13.3 Quantification and Assessment. 13.4 Contingency and Business Continuity. 13.5 Information Technology. 13.6 Insurance and Other Risk Transfer Options. 13.7 Transparency. 14 Industry Views. 14.1 The effective owners of companies (i.e. the large pension funds and insurance companies) do not appear to be taking sufficient action to prevent excessive risk taking. What needs to be done? 14.2 How important do you think "extra-financial enhanced analytics" factors are? 14.3 The pressure to perform, from analysts, is often said to be a contributory factor to fraudulent events such as Enron. What can be done to improve the quality of reporting and the accuracy of forecasting? 14.4 The credit rating agencies are often criticized for their inability to spot problems early. (a) To what extent is this criticism justified? (b) What have the credit rating agencies done to improve their ability to predict possible loss events earlier? 14.5 There appear to be differences between what a credit rating agency provides and what securities analysts and investors want. Why is this? 14.6 Is a more forensic approach towards risk assessment and rating necessary or do you think that complexity and chaos limit the extent to which risk can be deconstructed and accurately assessed? 14.7 How important is enterprise risk management (ERM) to the rating process? 14.8 Do you use models to quantify operational risk and capital adequacy? 14.9 Models that use market data are claimed by some to be better predictors than traditional credit rating agency methods. 14.10 What level of loss or risk would trigger a downgrade? 14.11 What analysis is done into the reasons for default, and what does this analysis show? 14.12 Should credit rating agency analysts be given smaller portfolios in order for them to devote more time to the analysis of each company, or would the costs be prohibitive? 14.13 Should specialists be employed to carry out more forensic analysis and, if so, what specialists are required? 14.14 The rating agencies are in a privileged position in that they receive confidential information about a firm, which has the effect of adding credibility to their ratings and statements. 14.15 Is it possible for the rating agencies to highlight concerns about a particular firm, to the market, without precipitating a crisis? 14.16 Should the rating agencies be given the opportunity, or indeed be required, to discuss in confidence any concerns they may have about a particular firm with the regulators? 14.17 Is litigation likely to become an increasing problem, with the possibility of investors suing where information later proves to be inaccurate and misleading? 14.18 Do you think that greater transparency, as proposed by the third pillar of Basel II, will bring the benefits envisaged by the regulators, or is transparency somewhat of an illusory concept? 14.19 A fundamental requirement of externally audited accounts is to provide shareholders with a "true and fair view." However, banks have been deliberately concealing important information affecting the levels of risk faced. This has brought into question the value of their audited accounts, the integrity of external auditors (who are in fact paid by the bank being audited), the appropriateness of practices such as the use of off-balance-sheet activities, and the relevance of mark-to-market ("fair value") valuations in a time of high market uncertainty. 14.20 What further changes do you think are necessary to improve the stability and credibility of the financial system? 14.21 What are the major challenges currently facing the sector? What changes do you think are necessary and what is preventing them? 15 Summary, Conclusions, and Recommendations. 15.1 Introduction. 15.2 Institutional Shareholder-Investors. 15.3 Regulators, Legislators, and Central Banks. 15.4 Accountants, Auditors, and Financial Reporting Bodies. 15.5 Rating Agencies. 15.6 Insurance Companies. 15.7 Banks. PART II QUANTIFICATION. 16 Introduction to Quantification. 16.1 Objectives. 16.2 Measuring the Unmeasurable. 16.3 Loss Data Analysis: Regulatory Requirements under Basel II. 16.4 What Comes Next? 17 Loss Data. 17.1 Data Classification. 17.2 Database Creation. 17.3 Use of Questionnaires. 17.4 Illustrative Examples of Data Sets. 17.5 Summarizing Data Sets with a Proportion Plot or Histogram Plot. 17.6 Summarizing Data Sets with Sample Moment Statistics. 17.7 Summarizing Data Sets with Sample Quantile Statistics. 17.8 Checking Data Quality. 17.9 Difficulties Arising in OR Modeling. 18 Introductory Statistical Theory. 18.1 Discrete Probability Models. 18.2 Continuous Probability Models. 18.3 Introductory Statistical Methods. 18.4 Regression Analysis. 18.5 Validation: Testing Model Fit. 18.6 Subjective Probability and Bayesian Statistics. 19 Frequency Models. 19.1 Bernoulli Distribution, Bernoulli ( theta ). 19.2 Binomial Distribution, Binomial ( n , theta ). 19.3 Geometric Distribution, Geometric ( theta ). 19.4 Hypergeometric Distribution, Hypergeometric ( N , M , n ). 19.5 Negative Binomial Distribution, Negative Binomial ( nu, theta ). 19.6 Poisson Distribution, Poisson ( theta ). 19.7 (Discrete) Uniform Distribution, (Discrete) Uniform ( k ). 19.8 Mixture Models. 20 Continuous Probability Distributions. 20.1 Beta Distribution, Beta ( alpha, beta ). 20.2 Burr Distribution, Burr ( alpha, beta ). 20.3 Cauchy Distribution. 20.4 Exponential Distribution, Exponential ( lambda ). 20.5 Frechet Distribution, Fr e chet ( xi, mu, sigma ). 20.6 Gamma Distribution, Gamma ( nu, lambda ). 20.7 Generalized Extreme Value Distribution, GEV ( xi, mu, sigma ). 20.8 Generalized Pareto Distribution, GPD. 20.9 Gumbel Distribution, Gumbel ( mu, sigma ). 20.10 Logistic Distribution. 20.11 Normal Distribution, N ( mu, sigma 2 ). 20.12 Lognormal Distribution, Lognormal ( mu, sigma 2 ). 20.13 Pareto Distribution, Pareto ( xi, mu, sigma ). 20.14 Power Function Distribution, Power ( xi ). 20.15 Tukey's g-and-h Distributions. 20.16 Tukey's Lambda Distributions. 20.17 Uniform Distribution, Uniform ( alpha, beta ). 20.18 Weibull Distribution, Weibull ( xi, lambda ). 21 What is Risk and How Do We Measure It? 21.1 Return Values. 21.2 Quantile Functions. 21.3 Simulation Data from Continuous Distributions. 21.4 Quantile Regression. 21.5 Quantile Functions for Extreme Value Models. 22 Frequency Modeling from Small Data Sets. 22.1 Introduction. 22.2 Assessing the Quality of Fit: Model Selection Uncertainty. 22.3 Simulating Frequency Distributions. 23 Severity Modeling. 23.1 Which Severity Model Should We Use? 23.2 Extreme Value Theory. 23.3 Modeling Excesses. 23.4 Estimating the Tail Shape Parameter from the Largest Order Statistics. 23.5 Goodness-of-Fit Tests. 23.6 Fitting a GPD Tail to a GEV. 24 Case Studies. 24.1 Case Study: Fitting a Loss Data Set. 24.2 Case Study: Fitting Sequential Loss Data. 25 Combining Frequency and Severity Data. 25.1 Aggregating Losses. 25.2 Simulating Aggregated Losses. 25.3 Aggregation with Thresholds. 25.4 Aggregation Incorporating External Data. 26 Brief Notes. 26.1 What is VaR? 26.2 Coherent Risk Measures. 26.3 Dynamic Financial Analysis. 26.4 Bayes Belief Networks (BBN). 26.5 Credibility Theory. 26.6 Resampling Methods. 26.7 Data Mining. 26.8 Linear Discriminant Analysis. 26.9 Copulas. 26.10 Quality Control and Risk Management. Bibliography. Index.