Operational Risk Discussion KPMG PDF
Business Dialogue
KPMG Luxembourg, 23rd May 2012
Operational Risk
Introduction
Regulatory Framework
What is next?
KPMG Solution
© 2012 KPMG Luxembourg S.à r.l., a Luxembourg private limited company, is a subsidiary of KPMG Europe LLP and a member of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.
Operational risk in bank, funds and insurance company
What did we learn?
Clients, products and business practices events continue to make up the majority of the top five losses each month.
Source: SAS Software
Operational risk is defined as the risk of loss resulting from inadequate or failed
internal processes, people and systems or from external events.
This definition includes legal risk, but excludes strategic and reputational risk.
Internal (process, people and systems):
- Fraud
- Human error in processing transactions
- Missing a control step
- Disruption or system failures (hardware, software, telecommunications)
- Act of sabotage or vandalism from an employee
- Non-compliance with law and regulatory requirements
- Dispute with employee due to discrimination or harassment
- New service and/or change in the current processes
External:
- Fraud
- Act of terrorism and sabotage

- Customers claim
- Near misses
- Forgone Revenue
- Repurchase of stuff
- Fine from authority
Regulatory framework
Three-pillar approach
- Pillar 1: Quantitative capital requirements
- Pillar 2: Qualitative supervisory review
- Pillar 3: Market discipline
...
Regulatory framework for Banks
[Axis label: sophistication]

- effect of insurance up to 20% can be taken into account;
- develop a risk management framework: methods to identify, assess, monitor and control;
- collect internal loss data;
- use external losses;
- perform scenario analysis and review business environment and internal control factors;
- validate the model results.

Standard Approach* (SA)
Regulatory Capital = GI * BL (between 12% and %)

Basic Indicator Approach (BIA)
Regulatory Capital = * Average of last 3 years GI *

- board of directors and senior management actively involved;
- clear role and responsibilities assigned;
- systematic collection of operational risk data, integrated into the processes;
- regular reporting and good documentation;
- subject to regular review by external auditors and/or supervisors.

* ASA (alternative SA): 2 BLs based on ptf volume instead of GI
Regulatory framework for AIFM
AIFMs shall implement adequate risk management systems in order to identify, measure and monitor appropriately all risks relevant to each AIF investment strategy and to which each AIF is or may be exposed (Directive 2011/61/EU art 15)

Operational Risk

AIF:
A failure in operation can impact the return of AIF
Examples:
- Failures in trading, settlement and valuation services
- Internal or external fraud
- Failure in the reconciliation processes performed by fund administration
- Etc.

AIFM:
Potential liability from professional negligence in performing the activities of AIFM
- Implementation of operational risk management framework
- Additional Own Funds
- Hold a professional indemnity insurance
Regulatory framework for AIFM
Professional Indemnity Insurance (PII)
Additional Own Funds
QUANT
- 0.01% * AuM
- Can be lowered to 0.008% provided AIFM can demonstrate that liability risk is adequately captured, based on historical loss data and minimum historical observation of 3 years
procedures
- It shall be performed by an independent function
- Record and make use of historical internal loss data, external data, scenario analysis and factors reflecting internal controls
Regulatory framework for Insurance companies
Under Solvency II, there are two ways to calculate the exposure to operational risk
Advantage:
Disadvantages:
[Figure labels: ASSETS (in book value); Technical Provisions; Capital; Solvency Margin Required (SMR); Excess of capital]
In non-life:
SMR Max (18 %. P 50 M 16 %. P 50 M ; 26 %. P 35 M 23 %. P 35 M )
In life:
SMR 4 %. P 2 %. Risky capital
NO RISK MANAGEMENT
The operational risk had NO impact on the solvency margin
Regulatory framework for Insurance companies
The standard formula approach
[Figures: BSCR and SCR]
In the context of the standard formula, the operational risk is a function of the BSCR:
Operational Risk = Min(30% x BSCR ; Op) + 25% x Exp UL
Where:
- Op is a charge for all business other than Unit Linked products (simple formula expressed as a % of premium and a % of the technical provisions)
- Exp UL represents the expenses incurred during the last 12 months in respect of UL products
The benefit to implement an operational risk management framework
Pay attention to the invisible part of the iceberg
The Benefit for the institution to implement an operational risk management
Sound evaluation of all the processes
Operational Risk Management function has a global picture of the risk profile of the entire institution.
[Diagram labels: Operational Risk Function; Legal; Front Office; Compliance; Accounting; HR, IT, Facility]
Implement an operational risk management framework
To create value for the management of operational risk, the actual risk exposure must
be aligned with the overall risk appetite of the institution
[Diagram: Operational Risk Management Framework, with labels Strategy; Organization; Governance; Procedures; Risk Identification; Risk Assessment; Risk Reporting; Risk Management & Monitoring]
Have a sound view: past + future, thinking the unthinkable
[Diagram labels: External Loss Data; Business Environment (KRI)]
Operational Risk Management Process
Identification
All risks as well as root causes of losses are identified and mapped to the bank's risk classification (Basel II Event Type) and the potential impact estimated (how, where, how much)
Identifying an operational risk means at the same time identifying its root cause
- Damage to Physical Assets: Losses arising from loss or damage to physical assets from natural disaster or other events (terrorism, vandalism).
- Business Disruption and System Failures: Losses arising from disruption of business or system failures (hardware, software, telecommunications)
The instruments usually used in order to identify ex ante, and then monitor and
calculate the exposure to operational risk are:
- External Loss Data
- Business Environment (KRI)
In the regulation these instruments are identified as the key building blocks of risk measurements, BUT it does not elaborate on how to put them together.
Institutions have the tasks of finding the most appropriate way!!
Assessment
The Operational Risk Function assesses the risk exposure both in qualitative and quantitative terms.
The assessment of an incident or a potential risk aims at quantifying the risk in financial terms using either simple or sophisticated methodologies like simulation using Monte Carlo approach.
[Diagram labels: Risk Policy & Strategy; Risk Identification; Risk Assessment; Risk Reporting; Risk Management & Monitoring]
Think the unthinkable! Integrate the backward-looking view with the forward-looking
Operational Risk Assessment with LDA: Model Overview
The most popular method in the industry to satisfy the highest standards is the loss distribution approach (LDA)
[Diagram labels: INPUT; OUTPUT; Internal losses; Adjustments: KRI, mitigation factors (i.e. insurance, etc.); Severity Distribution (Body, Tail); Monte Carlo Simulation]
Example of internal module simulation
Step 1: Inputs
Convert those events into scenarios:
As the number of losses may remain an insufficient basis, one more scenario deemed relevant can
be added:
*Terrorism attack
Scenario 5 500 000 10 000 000 1/200
Step 2:
We translate the severity information into a scale distribution of severity and we fit the best
parametric distribution
[Chart: Frequencies against Losses (Severity)]
Step 3:
We suppose that severity and frequency are two independent random variables and we simulate them independently.
Excel sheet
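Steps 1 to 3 as an added Python example (not the Excel sheet or any code from the deck): each scenario gets a fitted severity distribution, frequency and severity are drawn independently, and the simulated annual totals give an expected loss and a tail quantile. Assumptions not on the slides: Poisson frequency, lognormal severity fitted from a median and a 99th-percentile loss, the 99.9% quantile as the capital figure, and every scenario value, which is constructed for illustration.

```python
import math
import random

# Constructed scenarios (not from the slides), each given as
# (annual frequency, median loss, 99th-percentile loss).
SCENARIOS = {
    "processing error": (12.0, 20_000, 400_000),
    "system failure": (2.0, 100_000, 2_000_000),
    "external fraud": (0.5, 250_000, 5_000_000),
    "rare catastrophe": (1 / 200, 500_000, 10_000_000),
}
Z99 = 2.326347874  # 99th percentile of the standard normal

def fit_lognormal(median, p99):
    """Step 2: lognormal severity that matches the two given quantiles."""
    mu = math.log(median)
    sigma = (math.log(p99) - mu) / Z99
    return mu, sigma

def poisson(rng, lam):
    """Knuth's multiplication method; adequate for small annual frequencies."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_annual_losses(scenarios, years=50_000, seed=1):
    """Step 3: draw frequency and severity independently, sum per year."""
    rng = random.Random(seed)
    params = [(lam, *fit_lognormal(med, p99)) for lam, med, p99 in scenarios.values()]
    totals = []
    for _ in range(years):
        total = 0.0
        for lam, mu, sigma in params:
            for _ in range(poisson(rng, lam)):
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    return sorted(totals)

def summarize(sorted_losses):
    """Expected loss, 99.9% quantile and their difference (unexpected loss)."""
    n = len(sorted_losses)
    expected = sum(sorted_losses) / n
    var999 = sorted_losses[min(n - 1, int(0.999 * n))]
    return {"expected_loss": expected, "var_99_9": var999, "unexpected_loss": var999 - expected}

if __name__ == "__main__":
    for name, value in summarize(simulate_annual_losses(SCENARIOS)).items():
        print(f"{name:>16}: {value:,.0f}")
```

The tail quantile is driven almost entirely by the low-frequency, high-severity scenarios, which is why adding one extra scenario in Step 1 can move the result far more than the internal loss history does.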
Operational Risk Management Process
Reporting
Operational Risk Management Function
Operational Risk Management Process
Management and Monitoring
[Diagram labels: TRANSFER; AVOID; Limitation or stop of product / project; severity]
Data integrity:
- use of external loss data, which require a mapping or scaling to the firm's own data
- poor quality of internal loss data creeping into model assumptions
Do not ignore tools like Key Risk Indicators (KRIs) for monitoring operational risk
Standard IT tool to centrally collect all data (for instance internal losses, breaches, external losses, findings, etc.) and related information (mitigation actions taken, procedures)
Advanced approaches: stress testing & sensitivity analysis in the scope of model validation
What is next?
Ongoing updates: for bank AMA model change Policy (EBA GL 45; CSSF Circular 12/535)
KPMG:
- Assistance in the implementation of advanced models and in obtaining regulatory approval
- Assistance in operational risk modeling