Operational Risk Assessment: The Commercial Imperative of a More Forensic
and Transparent Approach
“Brendon Young and Rodney Coleman's book is extremely timely. There has never
been a greater need for the financial industry to reassess the way it looks at risk. […]
They are right to draw attention to the current widespread practices of risk management,
which […] have allowed risk to become underpriced across the entire industry.”
Rt Hon John McFall MP, Chairman,
House of Commons Treasury Committee
Failure of the financial services sector to properly understand risk was clearly
demonstrated by the recent 'credit crunch'. In its 2008 Global Stability Report, the IMF
sharply criticised banks and other financial institutions for the failure of risk
management systems, resulting in excessive risk-taking. Financial sector supervision and
regulation was also criticised for lagging behind shifts in business models and rapid
innovation.
This book provides investors with a sound understanding of the approaches
used to assess the standing of firms and determine their true potential (identifying
probable losers and potential longer-term winners). It advocates a 'more forensic'
approach towards operational risk management and promotes transparency, which is seen as a
facilitator of competition and efficiency as well as being a barrier to fraud, corruption
and financial crime.
Risk assessment is an integral part of informed decision making, influencing strategic
positioning and direction. It is fundamental to a company’s performance and a key
differentiator between competing management teams. Increasing complexity is resulting in
the need for more dynamic, responsive approaches to the assessment and management of risk.
Not all risks can be quantified; however, it remains incumbent upon management to
determine the impact of possible risk-events on financial statements and to indicate the
level of variation in projected figures.
To begin, the book looks at traditional methods of risk assessment and shows how these
have developed into the approaches currently being used. It then goes on to consider the
more advanced forensic techniques being developed, which will undoubtedly increase
understanding. The authors identify 'best practice' and address issues such as the
importance of corporate governance, culture and ethics. Insurance as a mitigant for
operational risk is also considered. Quantitative and qualitative risk assessment
methodologies covered include: Loss-data analysis; extreme value theory; causal analysis
including Bayesian Belief Networks; control risk self-assessment and key indicators;
scenario analysis; and dynamic financial analysis.
Views of industry insiders, from organisations such as Standard & Poor's, Fitch,
Hermes, USS, UN-PRI, Deutsche Bank, and Alchemy Partners, are presented together with
those from experts at the FSA, the International Accounting Standards Board (IASB), and
the Financial Reporting Council.
In addition to investors, this book will be of interest to actuaries, rating agencies,
regulators and legislators, as well as to the directors and risk managers of financial
institutions in both the private and public sectors. Students requiring a comprehensive
knowledge of operational risk management will also find the book of considerable value.
BRENDON YOUNG is recognized internationally as a leading expert in
risk management. He is chairman of the Operational Risk Research Forum and founding
president of the Institute of Operational Risk. He has been an advisor to prominent
financial institutions including Moody’s and the Financial Reporting Council Board of
Actuarial Standards. He has published papers and lectured widely, giving presentations at
the FSA, the Bank of England, BaFin, the Dutch National Bank, the OCC, and the New York
State Banking Department. Previously, he was director of Arthur Andersen’s risk research
centre. In academia he was business school associate dean, responsible for risk research
and business development. His early career was in consultancy with Deloitte and later in
venture capital. Initially he trained in industry with Rolls-Royce aero-engines and Jaguar
Cars, qualifying both as a chartered engineer and a chartered management accountant.
RODNEY COLEMAN, until recently, was a senior lecturer in mathematics
at Imperial College London, specialising in statistics and quantitative finance. He has
given presentations widely on loss data analysis, in Europe, Canada, the United States
and Korea. He has been involved with operational risk research for more than 12 years, and
is a founding fellow of the Institute of Operational Risk and an Associate Editor of the
Journal of Operational Risk. He was an author of the first published academic paper on
applying statistical methods to model loss data for quantifying operational risk. He has
been closely associated with the Operational Risk Research Forum since its beginnings, and
addressed its meetings at BaFin and the New York State Banking Department. He has given
presentations at the Dutch National Bank, the Oprisk Europe Conference, the Institute of
Actuaries Actuarial Teaching and Research Conference, the Actuarial Studies in Non-Life
Insurance UK meeting, and widely elsewhere, including at universities in Canada, Italy and Korea. He is
a fellow of the Royal Statistical Society and a member of the International Statistical
Institute.
Table of Contents
Foreword.
Preface.
Acknowledgements.
About the Authors.
Abbreviations.
PART I THE ASSESSMENT OF RISK AND ITS STRATEGIC IMPORTANCE.
1 Introduction.
1.1 Executive Overview: Responsiveness, Competitive Advantage, and Survival.
1.2 Understanding the Increasingly Complex and Competitive Banking Environment.
1.3 Risk Management and Strategy – Identifying Winners and Losers.
1.4 Capital – Understanding and Assessing its Importance and Limitations.
2 The Importance of Corporate Governance.
2.1 Defining Corporate Governance.
2.2 Understanding the Importance of Corporate Governance and Ethics.
2.3 International Organizations and their Activities.
2.4 The Basel Paper on Corporate Governance for Banks.
2.5 Countries: Their Different Requirements and Experiences.
2.6 Board Structures.
2.7 Shareholder Activism and Extra-Financial Issues.
2.8 Assessing Governance, Bribery, and Corruption.
2.9 Key Considerations.
2.10 Conclusions.
Appendix 2A.
3 Fundamental Assessment.
3.1 Introduction.
3.2 The Fundamental Relationship Between Credit Risk, Market Risk, and Operational
Risk.
3.3 External Assessment Frameworks.
3.4 Credit Rating Agencies’ Approach: The 7 Pillars.
3.5 Moody's Operational Risk Assessments – Towards a More Forensic Approach.
3.6 The Regulatory Approach – Development of the Arrow Framework.
3.7 Enhanced Analytics.
3.8 Measuring Customer Satisfaction and Loyalty.
Appendix 3A.
Appendix 3B.
4 An Introduction to Risk and Default Analysis.
4.1 Predicting Soundness.
4.2 Argenti's A-score: Causes of Business Failure.
4.3 Statistical Failure Prediction Models.
4.4 Credit Risk Models.
4.5 Merton's 1974 Model.
4.6 The KMV Model.
4.7 CreditRisk+.
4.8 Portfolio Credit Risk Models.
4.9 Internal Operational Risk Models.
4.10 Commercially Available Operational Risk Systems and Models.
5 Control Risk Self Assessment (CRSA) – A Behavioural Approach to Risk
Management.
5.1 Introduction.
5.2 Advocates.
5.3 Defining Control Risk Self Assessment.
5.4 Benefits and Limitations of a CRSA Approach.
5.5 Residual Risks.
5.6 Methodology.
5.7 Types of Meeting.
5.8 Questionnaires and Weightings.
5.9 Resource Allocation.
5.10 Loss Data.
5.11 Determination of Capital Requirement.
5.12 Developing and Refining the System.
5.13 Achieving and Maintaining Credibility and Appropriateness.
5.14 Validation.
5.15 Auditing.
5.16 The Relationship between Risk Management and Knowledge Management.
5.17 Aetiology of Knowledge Management.
5.18 Avoiding Ossification.
5.19 Managing Risk within Communities of Practice.
5.20 Flexibility and Responsiveness.
5.21 The Limitations of Enforced Best Practice.
5.22 Benchmarking and Stress Testing Human Factors.
5.23 Reasons for Failure.
6 Data and Data Collection.
6.1 The Importance of Data.
6.2 The Regulatory Perspective.
6.3 Sources and Limitations of Data.
6.4 Not All Data will be Recorded.
6.5 Differences in Approach Lead to Variations in Capital Requirement.
6.6 Gross or Net Losses.
6.7 Date of Loss.
6.8 Damage to Physical Assets.
6.9 Allocation of Central Losses Across Business Units.
6.10 Boundary Issues between Operational Risk, Credit Risk, Market Risk and Other
Risks.
6.11 Extreme Events do not Lend Themselves to Detection by Data Analysis.
6.12 The Small Sample Problem (Overrepresentation and Underrepresentation).
6.13 The Past is Not Necessarily a Good Predictor of the Future.
6.14 Inflation and Currency Variations Limit the Use of Historical Data.
6.15 Error and Accuracy.
6.16 External Data is Not Readily Transferable from One Organization to Another.
6.17 Data is Not Readily Scaleable.
6.18 Emergent Properties.
6.19 Risk Types and Causes.
6.20 Actions by People.
6.21 Systems and Process-based Loss Events.
6.22 External Events.
6.23 Random Events.
6.24 Accumulation of Errors and Weaknesses.
6.25 Granularity.
6.26 Validation and Adjustments.
7 Data Analysis, Quantification, and Modeling.
7.1 Analyzing Data.
7.2 Empirical Distributions.
7.3 Theoretical Probability Distributions – Why is it Necessary to Combine Separate
Curves for Frequency and Severity?
7.4 Choosing Appropriate Curves.
7.5 Testing the “Goodness of Fit”.
7.6 Characteristics (Moments) Defining a Distribution Curve.
7.7 Combining the Severity and Frequency Curves Using Monte Carlo Analysis.
7.8 Extreme Value Theory (EVT).
7.9 Interpreting the Results – the Adequacy of Regulatory Capital is Difficult to
Determine.
7.10 The Causes of Risk Measurement Error.
7.11 Model Validation, Back Testing and Stress Testing.
7.12 Loss Data is Comprised of Many Different Risk Types, Hence the Need for
Granularity.
7.13 Risk Assessment Requires Both Quantitative and Qualitative Methods.
7.14 The Risk Analysis and Modeling Continuum.
7.15 Stochastic Modeling and Stochastic Differential Equations (SDE).
7.16 Regression Equations.
7.17 Quantifying Expert Testimony.
7.18 Causal Analysis.
7.19 Conclusions and Recommendations.
8 Causal Analysis.
8.1 Introduction.
8.2 History of Causality.
8.3 Mapping Causality.
8.4 The Bayesian Approach.
8.5 Summary.
9 Scenario Analysis and Contingency Planning.
9.1 Introduction.
9.2 Historical Development.
9.3 Morphological Analysis.
9.4 Model Development.
9.5 Management and Facilitation.
9.6 Relationship between Scenario Analysis and Quantitative Techniques.
9.7 Validity and Repeatability.
9.8 Application of Scenario Analysis to Risk Management within Banks.
9.9 External Business Environment Assessment.
9.10 Shell Global Scenarios to 2025.
9.11 Conclusions.
10 Dynamic Financial Analysis.
10.1 Introduction.
10.2 Background.
10.3 The Generalized DFA Framework.
10.4 DFA Methodology.
10.5 Data Considerations.
10.6 Aggregation, Correlation and Diversification.
10.7 Limitations of DFA Models.
10.8 Outputs and Analysis.
10.9 The Future.
11 Enterprise Risk Management.
11.1 Introduction.
11.2 ERM Frameworks.
11.3 ERM Modeling.
11.4 Risk Correlation and Integration.
12 Insurance and Other Risk Transfer Methods.
12.1 Introduction.
12.2 Background.
12.3 Findings.
12.4 Conclusions and Recommendations.
13 Observed Best Practices and Future Considerations.
13.1 Introduction.
13.2 Governance and Management.
13.3 Quantification and Assessment.
13.4 Contingency and Business Continuity.
13.5 Information Technology.
13.6 Insurance and Other Risk Transfer Options.
13.7 Transparency.
14 Industry Views.
14.1 The effective owners of companies (i.e. the large pension funds and insurance
companies) do not appear to be taking sufficient action to prevent excessive risk taking.
What needs to be done?
14.2 How important do you think “extra-financial enhanced analytics” factors are?
14.3 The pressure to perform, from analysts, is often said to be a contributory factor
to fraudulent events such as Enron. What can be done to improve the quality of reporting
and the accuracy of forecasting?
14.4 The credit rating agencies are often criticized for their inability to spot
problems early. (a) To what extent is this criticism justified? (b) What have the credit
rating agencies done to improve their ability to predict possible loss events earlier?
14.5 There appear to be differences between what a credit rating agency provides and
what securities analysts and investors want. Why is this?
14.6 Is a more forensic approach towards risk assessment and rating necessary or do you
think that complexity and chaos limit the extent to which risk can be deconstructed and
accurately assessed?
14.7 How important is enterprise risk management (ERM) to the rating process?
14.8 Do you use models to quantify operational risk and capital adequacy?
14.9 Models that use market data are claimed by some to be better predictors than
traditional credit rating agency methods.
14.10 What level of loss or risk would trigger a downgrade?
14.11 What analysis is done into the reasons for default, and what does this analysis
show?
14.12 Should credit rating agency analysts be given smaller portfolios in order for
them to devote more time to the analysis of each company, or would the costs be
prohibitive?
14.13 Should specialists be employed to carry out more forensic analysis and, if so,
what specialists are required?
14.14 The rating agencies are in a privileged position in that they receive
confidential information about a firm, which has the effect of adding credibility to their
ratings and statements.
14.15 Is it possible for the rating agencies to highlight concerns about a particular
firm, to the market, without precipitating a crisis?
14.16 Should the rating agencies be given the opportunity, or indeed be required, to
discuss in confidence any concerns they may have about a particular firm with the
regulators?
14.17 Is litigation likely to become an increasing problem, with the possibility of
investors suing where information later proves to be inaccurate and misleading?
14.18 Do you think that greater transparency, as proposed by the third pillar of Basel
II, will bring the benefits envisaged by the regulators, or is transparency somewhat of an
illusory concept?
14.19 A fundamental requirement of externally audited accounts is to provide
shareholders with a “true and fair view.” However, banks have been deliberately
concealing important information affecting the levels of risk faced. This has brought into
question the value of their audited accounts, the integrity of external auditors (who are
in fact paid by the bank being audited), the appropriateness of practices such as the use
of off-balance-sheet activities, and the relevance of mark-to-market (“fair value”)
valuations in a time of high market uncertainty.
14.20 What further changes do you think are necessary to improve the stability and
credibility of the financial system?
14.21 What are the major challenges currently facing the sector? What changes do you
think are necessary and what is preventing them?
15 Summary, Conclusions, and Recommendations.
15.1 Introduction.
15.2 Institutional Shareholder-Investors.
15.3 Regulators, Legislators, and Central Banks.
15.4 Accountants, Auditors, and Financial Reporting Bodies.
15.5 Rating Agencies.
15.6 Insurance Companies.
15.7 Banks.
PART II QUANTIFICATION.
16 Introduction to Quantification.
16.1 Objectives.
16.2 Measuring the Unmeasurable.
16.3 Loss Data Analysis: Regulatory Requirements under Basel II.
16.4 What Comes Next?
17 Loss Data.
17.1 Data Classification.
17.2 Database Creation.
17.3 Use of Questionnaires.
17.4 Illustrative Examples of Data Sets.
17.5 Summarizing Data Sets with a Proportion Plot or Histogram Plot.
17.6 Summarizing Data Sets with Sample Moment Statistics.
17.7 Summarizing Data Sets with Sample Quantile Statistics.
17.8 Checking Data Quality.
17.9 Difficulties Arising in OR Modeling.
18 Introductory Statistical Theory.
18.1 Discrete Probability Models.
18.2 Continuous Probability Models.
18.3 Introductory Statistical Methods.
18.4 Regression Analysis.
18.5 Validation: Testing Model Fit.
18.6 Subjective Probability and Bayesian Statistics.
19 Frequency Models.
19.1 Bernoulli Distribution, Bernoulli (?).
19.2 Binomial Distribution, Binomial (n,?).
19.3 Geometric Distribution, Geometric (?).
19.4 Hypergeometric Distribution, Hypergeometric (N, M, n).
19.5 Negative Binomial Distribution, Negative Binomial (?, ?).
19.6 Poisson Distribution, Poisson (?).
19.7 (Discrete) Uniform Distribution, (Discrete) Uniform (k).
19.8 Mixture Models.
20 Continuous Probability Distributions.
20.1 Beta Distribution, Beta (?, β).
20.2 Burr Distribution, Burr (?, β).
20.3 Cauchy Distribution.
20.4 Exponential Distribution, Exponential (?).
20.5 Fréchet Distribution, Fréchet (?, µ, ?).
20.6 Gamma Distribution, Gamma (?, ?).
20.7 Generalized Extreme Value Distribution, GEV (?, µ, ?).
20.8 Generalized Pareto Distribution, GPD.
20.9 Gumbel Distribution, Gumbel (µ, ?).
20.10 Logistic Distribution.
20.11 Normal Distribution, N (µ, ?2).
20.12 Lognormal Distribution, Lognormal (µ, ?2).
20.13 Pareto Distribution, Pareto (?, µ, ?).
20.14 Power Function Distribution, Power (?).
20.15 Tukey's g-and-h Distributions.
20.16 Tukey's Lambda Distributions.
20.17 Uniform Distribution, Uniform (?, β).
20.18 Weibull Distribution, Weibull (?, ?).
21 What is Risk and How Do We Measure It?
21.1 Return Values.
21.2 Quantile Functions.
21.3 Simulation Data from Continuous Distributions.
21.4 Quantile Regression.
21.5 Quantile Functions for Extreme Value Models.
22 Frequency Modeling from Small Data Sets.
22.1 Introduction.
22.2 Assessing the Quality of Fit: Model Selection Uncertainty.
22.3 Simulating Frequency Distributions.
23 Severity Modeling.
23.1 Which Severity Model Should We Use?
23.2 Extreme Value Theory.
23.3 Modeling Excesses.
23.4 Estimating the Tail Shape Parameter from the Largest Order Statistics.
23.5 Goodness-of-Fit Tests.
23.6 Fitting a GPD Tail to a GEV.
24 Case Studies.
24.1 Case Study: Fitting a Loss Data Set.
24.2 Case Study: Fitting Sequential Loss Data.
25 Combining Frequency and Severity Data.
25.1 Aggregating Losses.
25.2 Simulating Aggregated Losses.
25.3 Aggregation with Thresholds.
25.4 Aggregation Incorporating External Data.
26 Brief Notes.
26.1 What is VaR?
26.2 Coherent Risk Measures.
26.3 Dynamic Financial Analysis.
26.4 Bayes Belief Networks (BBN).
26.5 Credibility Theory.
26.6 Resampling Methods.
26.7 Data Mining.
26.8 Linear Discriminant Analysis.
26.9 Copulas.
26.10 Quality Control and Risk Management.
Bibliography.
Index.
456 pages, Hardcover