RR08011
All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of Chartis Research Ltd. The facts of this report are believed to be correct at the time of publication but cannot be guaranteed. Please note that the findings, conclusions and recommendations that Chartis Research delivers will be based on information gathered in good faith, whose accuracy we cannot guarantee. Chartis Research accepts no liability whatever for actions taken based on any information that may subsequently prove to be incorrect or errors in our analysis.
Contents
Executive summary
Market requirements
Framework for evaluating ORM systems
Operational risk and compliance under a common governance umbrella by RiskTech
The cyclicality of operational risk: The tracking phenomenon by Algorithmics
Related Chartis Research
Executive summary
The second wave of expenditure in operational risk management (ORM) systems is now fully visible. Chartis retains its 2007 forecast for the worldwide ORM market to grow to $1.55bn by 2011. This growth has been fuelled by:

1. Many US and European financial institutions continue to replace their first-generation ORM systems. This is largely due to inflexible and rigid product design and the ongoing evolution of ORM methodologies.
2. Some market segments, such as emerging regions (e.g. Middle-East, Asia-Pacific, South America) and vertical sectors (e.g. insurance, asset management), are investing in formal ORM systems for the first time.
3. Average investment in ORM projects is increasing, as more and more financial institutions are seeing ORM's strategic business benefits and not just a tactical tick-in-the-box initiative.

Financial institutions working on the demand side of the market are re-examining their approach, culture and systems for managing operational risk. This is a result of recent high-profile losses, rogue trader events, and failures in internal controls and processes surrounding the credit crunch. Furthermore, firms have realised that the traditional compliance box-ticking approaches to managing risk do not achieve the desired outcome. Operational risk needs to be treated as an integral part of the overall governance, risk and compliance (GRC) strategy.

Meanwhile, on the supply side of the market, Sarbanes-Oxley and Basel II have chewed up and spat out many first-generation software vendors and products. Amongst the survivors, a handful of vendors have managed to emerge from the darkness, and have proved to the market and themselves that the operational risk software business is both a worthwhile and a profitable business to be in. Operational risk management (ORM) software brands such as Horizon, OpRisk Analytics, Raft, Agena, and ORTOS have more or less disappeared from the radar. In most cases, this has been through a trade sale or a dignified exit.
In the meantime, a handful of software vendors have established themselves as clear leaders and form the premier league. These include SAS, OpenPages, RCS, Algorithmics and Reveleus. There is also healthy competition from a chasing pack of second tier vendors who have good niche capabilities or dominate one or two local/national markets, but have not been able to break into the global enterprise solution category. These include LIST, Interexa, Chase Cooper, BWise, Optial, SunGard/Ci3, eFront and Methodware. This has resulted in a highly fragmented market where selecting the right vendor is highly dependent on geography, methodology, experience and the complexity or sophistication of the buying organisation.
[Figure: vendor landscape chart. Axis: Completeness of offering (Low to High). Region label: Premier Division. Vendors plotted: SAS, Methodware, Paisley, BWise, LIST, SunGard, Algorithmics, Reveleus, OpenPages, RCS]
Figure 2 represents Chartis' view on the top three vendors to be considered for different selection criteria and buyer characteristics.

Figure 2: Framework for navigating through a fragmented ORM software market (dimensions of selection)

Size of financial institution
- Tier 1 or 2: SAS, OpenPages, Reveleus
- Tier 3 or 4: RCS, BWise, LIST
- Tier 5 or 6: Methodware, ChaseCooper, eFront

Sophistication of functional requirements (directly proportional to price)
- Advanced: SAS, Algorithmics, RCS
- Intermediate: OpenPages, BWise, Reveleus

Geographical focus
- Global: SAS, OpenPages, Reveleus
- Europe: SAS, RCS, SunGard/Ci
- Americas: OpenPages, Paisley, Algorithmics
- Asia-Pacific: SAS, Reveleus, Methodware
- Middle-East & Africa: SAS, Reveleus, ChaseCooper
This report contains key extracts from Chartis Operational Risk Management Systems 2008 Market Analysis report RR08012, published March 2008. Detailed vendor rankings, expenditure data and research can be obtained by accessing this report from www.chartis-research.com
Market requirements
Between January and March 2008, Chartis conducted a global survey of banks and insurance companies across the financial services industry. We received 318 responses, which provided the following insights:

- 42% of respondents expect a decrease in operational risk losses, as a result of enhancements to their ORM systems and procedures in 2007.
- 68% of respondents expect their ORM budgets, both internal and external expenditure, to increase over the next 12 months. Key areas of expenditure include development of internal reporting processes and systems, and internal training.
- 52% of respondents are aiming for the Advanced Measurement Approach (AMA) for Basel II compliance by 2011.
- In Europe, 62% of respondents are applying the Loss Distribution Approach (LDA), 42% are using a COSO-based approach, and 63% are using a combination of both.
- In North America, 48% of respondents are applying LDA, 67% are using a COSO-based approach, and 63% are using a combination of both.
- In the Asia-Pacific region, 44% of respondents are using LDA, 60% are using a COSO-based approach, and 56% are using a combination of both.
- In terms of data inputs into the ORM system, the following data types are being utilised: 83% of respondents use internal loss data, 72% use risk/control self-assessment data, 52% use scenario analysis data, 46% use external loss data, 32% use KRI data and 9% use near-miss data.
- 68% of respondents expect to increase their ORM technology budget over the next 12 months.
- In the emerging markets of the Middle-East, Africa and Eastern Europe, 71% of respondents are aiming for the Standardized approach within the next two years, and the Advanced Measurement Approach (AMA) in 2010-2011.
The figure below represents a framework for an integrated ORM system.

[Figure: framework for an integrated ORM system. Components shown: Risk and Compliance Scorecard/Portal; Risk Analytics; Aggregation Engine; OpRisk Data; KRIs; OpRisk Applications/Data; Enterprise Applications; Transaction Systems; Financial Systems; External Loss Data/Consortium Data; Fraud & Anti-Money Laundering System; HR Systems; Scenario Analysis; IT Management Systems]
2. GRC drivers
External and internal drivers have contributed to the need for change in a financial institution's approach and processes for meeting GRC requirements. To add to the challenge, these drivers have been constantly changing in scope and impact, very often driven by the ever-growing capability of underlying supporting technologies.

External drivers include:

- Pressures on business from the political environment: political action in response to events such as 9/11, or issues such as global warming, brings pressure on businesses to comply with government-sponsored sanctions and requirements. Corporate scandals, varying from questionable management practices to outright fraud, have focused both investor and public attention. This in turn has motivated regulatory bodies across the globe to formulate new and improved public initiatives and regulations, such as Anti Money Laundering (AML) and the Sarbanes Oxley Act (SOX).
- The demand for more ethical business processes and actions: during the 1980s and 90s, interest in business ethics accelerated dramatically. Today, most major corporate websites place emphasis on their commitment to promoting non-economic social values under a variety of headings (e.g. ethics codes, social responsibility charters). In some cases, corporations have redefined their core values in the light of business ethical considerations.
- Swings in the economic environment increase business risk: economic downturns are typically the periods when financial institutions experience losses due to credit defaults, litigation around operational practices, and decreases in the value of their investment portfolios.
- The expansion of the legal and regulatory risk environment: the scope and scale of regulatory and legal requirements are continuously growing to meet the load imposed by a world enabled by technology, leading to a move away from a checklist-based approach to one based on risk-based principles and frameworks such as COSO and Basel II.
- Increasing legal and regulatory liability: aggressive action by regulatory bodies leads to increasing litigation, fines, and settlements, and increased scrutiny from rating agencies and listing exchanges.

Internal drivers include:

- The changing scale and scope of business activity: globalization has resulted in a trend towards large global financial institutions, as evidenced by recent large-scale mergers and acquisitions. The expansion of a financial institution's reach through organic and/or inorganic growth increases the magnitude of this driver: in large, complex global banks, the number of dependencies and the severity of losses resulting from breaks in such dependencies are magnified.
- Geographical distribution and the intricate web of business partner relationships: as a financial institution expands, it operates in different geographical and political environments. Going global increases the level of risk, as well as the number of compliance requirements that a financial institution is subject to.
- Changing and diverse technology environments: the organizational ability to generate business through technology, coupled with the need to cut costs, has resulted in a patchwork of applications and hardware, sometimes requiring manual intervention in order to achieve what ideally should be a straight-through automated process.
- Limited and scattered siloed approach to risk and compliance: traditional siloed approaches to GRC have resulted in redundancy, inconsistency and sub-optimal utilization of information across related programs.
3. GRC trends
In response to the drivers described above, financial institutions need to first establish a framework that addresses the varying requirements not only of various internal control and oversight functions, but also of business, management and external supervisory bodies. This common framework will allow GRC to be adequately measured and monitored on a sustainable, consistent, efficient and transparent basis. The following trends are emerging in response to the drivers described in the previous section:

- An integrated view of a financial institution's governance framework across risk and compliance: the current trend in financial institutions today is towards an enterprise risk management framework and the creation of roles such as the chief risk officer and chief compliance officer. The role of Finance has also assumed importance in the wake of regulations such as SOX.
- Integration of GRC with Corporate Social Responsibility (CSR): CSR is a concept whereby financial institutions consider the interests of society by taking responsibility for the impact of their activities on customers, employees, shareholders, communities and the environment, in all aspects of their operations. This obligation is seen to extend beyond the statutory obligation to comply with legislation and sees financial institutions voluntarily taking further steps to improve the quality of life for employees and their families, as well as for the local community and society at large. Internal policies very often are more stringent in scope and requirement than the external requirements that they have been formulated to address. As discussed earlier, the move away from a checklist-based approach to one based on guiding principles has resulted in those financial institutions with a strong control culture incorporating elements of CSR into the actual GRC program itself. Initiatives such as training, and the active discouragement by management of poor risk management practices and unethical behavior, are some examples of how the trend has developed over the past few years.
- Move to the formalization of a new products and/or business process methodology: financial institutions are moving towards a formalized framework to evaluate the impact of an addition or change to a firm's existing product mix or process structure. Under such a framework, relevant departments evaluate the risk impact of the delta required to accommodate either the new product/process or the change to the same, identifying risks associated with the proposed change. Only after all relevant departments have provided their analysis will a consensus go/no-go decision be arrived at. These formalized new products and/or business process review mechanisms will replace the traditional practice at some large financial institutions where individual locations or business units independently define or alter corporate policies, procedures, controls, and business practices without any central authority or oversight. This formalized approach will lead to standardized business processes, policies and controls, and the establishment of a single corporate policy portal.
- Technology changes to accommodate the emerging requirements of GRC: technology solutions that address risk and compliance requirements are evolving from stand-alone point solutions to a single platform upon which solutions are crafted, utilizing the toolkits that accompany such platforms. The holy grail of GRC technology solutions is to provide a forms-based data capture capability, with flexible workflow and forms definition, overlaying a single enterprise-wide data warehouse to support cross-use of information and reporting across multiple solution packs.
the frequency and intensity around control assessments required to satisfy the needs of the relevant stakeholders. The figure below depicts the key areas involved in a GRC framework.

[Figure: Integrated GRC, from Ad-hoc to Systematic. Panels: Ad-hoc GRC; Systematic GRC. Labels shown: BDRP, IT Security, Customer Service, Compliance, Legal, Facilities, IT Risk Mgt, HR, Corporate Communications, Controllers, Security, GRC, Audit, Facilities Mgt, LOBs, Finance Mgt, Insurance]
5. Areas of commonality
For the purpose of identifying areas of data overlap and redundancy, we have set out below the key categories for data collection for ORM and Compliance programs.

From a data capture and follow-up perspective, ORM requires the following data across the enterprise:

- Operational risk events: events arising from failed or inadequate people, processes, systems or the external environment. Such data is historical and backward-looking.
- Risk and Control Assessments: the evaluation of the quality of the control environment in mitigating the operational risk exposure of the firm. This process involves risk identification, control identification, control test set-up, control testing, control assessment and risk assessment. Such data provides a current snapshot of the quality of the firm's control environment.
- Key Risk Indicators: the capture of metrics related to indicators that could predict operational failure. Such data provides a forward-looking view of the firm's exposure to operational risk.
- Issues and Action Planning: captures, consolidates and tracks the firm's risk mitigation efforts around control weaknesses identified in each of the three data groups above. Such data provides insight into the proactive nature and effectiveness of a firm's ORM program.

Note: Operational Risk Management Entities. In order to associate the data with relevant dimensions, the focal points of operational risk management first need to be defined. This critical definition may be achieved through a process mapping exercise, whereby the product and services mix of the firm is matched up against the geographical locations where the firm operates. Once the combination of the organizational unit, product and location is defined, all the necessary processes and support functions required to sustain the chain of origination, execution and settlement may be comprehensively identified.

From a Compliance perspective, the following data is required:

- Policy on-boarding: in the event of a new regulation or a change to an existing regulation, the Compliance department is responsible for reviewing the impact, identifying the applicability and setting up internal deadlines to comply with the change. The result of such analysis will be incorporated into an existing policy repository.
- Compliance obligations: from the policy repository, a list of compliance obligations is extracted. It should be kept in mind that obligations could arise from both external and internal policies. This list details all the compliance obligations that a firm needs to meet in order to be compliant with all the regulations from the multiple jurisdictions that it is subject to.
- Controls: against each obligation that has been defined, one or more controls with their associated control tests need to be identified. Note that the same control may also have been associated with a risk that was identified in the ORM Risk and Control Assessment process.
- Issues and action planning: the risk mitigation efforts around any control weaknesses that were identified in meeting the compliance obligations of the firm need to be captured, consolidated and tracked.

Note: Compliance Entities. As with the definition of Operational Risk Management Entities, Compliance Entities also need to be defined, compliance obligations typically being associated with the product or service being offered by an organization unit in a particular geography.

Having completed a comprehensive review of the data requirements of both the ORM and Compliance programs, RiskTech has identified the following two areas with the greatest overlap and duplication, and hence the greatest opportunity for integration:

1. Risk and Control Assessments
2. Issues and Action Planning
Control Assessment is a key area for data re-use and eliminating duplication. This is illustrated in the example Risk and Control Self-Assessment (RCSA) process described in Figure 5.
[Figure 5: example RCSA process. Labels shown: Proc 1, Proc N, Risk 2, Ctrl 1, Action 1, Action 2, Action N. Control Audit: independently test the controls defined and evaluated in the RCSA and also evaluate the Control Testing; access (read only) to the entire RCSA and related action planning]
Similarly, the integration of Issues and Action Planning activities across Compliance and ORM programs would provide a significant opportunity to eliminate duplication, reducing the cost and time required to complete associated action plans and increase consistency across the enterprise.
6. Assessment planning
While ORM is still an evolving discipline, financial institutions have always been subject to a multitude of regulations and compliance obligations that are unambiguous, well defined and well understood. The consequences of non-compliance are relatively severe: while ORM best practice is defined by the firm's adherence to a set of prescriptive guidelines, non-compliance with a regulation could result in steep regulatory fines or even the closure of the firm's operations.

The outcome of control testing is utilized ultimately to arrive at an overall Control Assessment of the applicable entity against which the control is associated. Control Testing has two key variables:

1. Control Test Frequency: the periodicity of the control test, be it daily, weekly, monthly, quarterly, semi-annually or annually.
2. Control Test Intensity: the rigor with which the control test is performed. This typically relates to the sample size of control test data, which could range from the entire set of transactions that have occurred within the period of the control test to a rule-based proportion of such set of transactions within the timeframe of the control test frequency.

Control Assessments based on frequent and intense control testing are obviously more reliable than Control Assessments based on less frequent and/or less intense control testing. It is reasonable to assume that, given the consequences of non-compliance, the testing and assessment of controls related to key compliance obligations will, while not necessarily more frequent, at least be more intense than the control assessment requirements of an ORM program.

A common pain point being experienced by large financial institutions today is the time and effort being consumed in the Risk and Control Assessment process. Control Testing is the area that requires the largest set of resources and time to complete. Very often, a line of business is required to provide evidence to the Compliance program of the quality of controls that have been mapped to a compliance obligation, shortly followed by a similar requirement from the ORM program. This redundancy, and wasted time and effort, may be limited by effective assessment planning that requires the involvement of the stakeholders, supported by the appropriate technology platform.

The key elements of effective and efficient assessment planning are:

- Identification and participation of the stakeholders, such as business lines, ORM, Compliance, and other specialist and support departments such as Legal, HR, Finance, Audit, IT, Security, Facilities and Vendor Management, etc.
- A mapping of the risks that have been identified in the ORM program to the obligations as defined by the compliance program. This mapping could be explicit or implicit via the common control(s).
- A mapping of the different entities involved, e.g. ORM, Compliance and Audit entities.
- The establishment of trigger conditions for assessments, related messages and notifications, including subscriptions, content, and type (task or alert).
- The identification of those controls whose assessments could be re-used and the areas that potentially would re-use this information.
7. Broad functional capability of an integrated operational risk management and compliance platform
The following broad functionality must be available on a technology platform to meet the needs of ORM, Compliance and Audit:

- Definition of entities: the capability of combining stand-alone hierarchies such as organization unit, product, process and location into individual entities.
- Policy and procedure management: serves as a repository for all policies and procedures to be followed across the enterprise. Document management capability is required to track changes to existing policies and procedures. Alternatively, a link to an institution's formal central corporate policy management portal would meet this requirement.
- Policy repository: a repository of the current policies that are being followed across the enterprise.
- Compliance obligations: captures the entire set of compliance obligations that an enterprise must meet to satisfy its regulatory requirements.
- Risk: the library of risks that have been identified, to be made available across the enterprise. Such risks may be tagged by the appropriate centralized department, as applicable to an entity, or could be used as reference and customized to local conditions.
- Controls: the library of controls (and associated control tests), made available across the enterprise.
- Key risk indicators: collects and collates configurable risk indicator information.
- Event Management: collects Loss and Near-miss Event data from around the organization.
- Workflow: configurable workflow across data capture modules and related entities.
- Assessments: planning and capturing assessments of controls and risks, including certifications required by certain compliance regulations, e.g. SOX.
- Economic capital: the estimation of Operational Risk Capital utilizing the Advanced Measurement Approach.
- Issues and action planning: the consolidated capture of Issues arising across programs, and their associated Action Plans.
- Audit: this requirement is focused on Risk-based Audit. Risk-based Audit is a system of random and more frequent audits based on the risk profile of individual business units/support functions/products. The annual audit plan should include the schedule and the rationale for audit work planned. It should also include the areas and their prioritization based on the level and direction of risk. At minimum, an independent area within Assessments and Issues and Action Planning must be provided to support Audit's oversight role.
- New product and process assessment: prior to the addition of a new product or process to the firm's current mix, or a change to an existing process being followed, an assessment of the impact must be performed to support the final decision.
- Decreased cost: reduced effort in control testing results in cost and time savings.
- Improved reliability: the re-use of control assessments based on high control test frequency and intensity to satisfy less demanding requirements results in improved reliability.
GRC allows financial institutions to realize sustained benefits from an integrated solution for risk management, internal audit, corporate governance and compliance management. Some of the key value additions are as follows:

- An integrated and standardised approach to manage risk and compliance from a single platform
- Ability to leverage common controls and tests for managing complex regulatory requirements as well as risks
- Enhanced management analytics, reporting and performance metrics
- Improved overall quality of information and decision-making ability
About RiskTech
RiskTech's (Risk Technology International) mission is to be the worldwide, first-choice resource for all financial institutions involved in implementing and managing risk and compliance technology solutions. Our pool of experts is drawn from leading financial institutions, top four consulting firms and top risk software vendors with real-life, practical experience. With offices in New York, London and Mumbai, RiskTech's global consulting services include:

- Credit risk management
- Market risk management
- Asset & liability management
- Operational risk management
- ERM technology selection and implementation
- Value-based compliance covering: Basel II, Sarbanes-Oxley, Solvency II, AML and MiFID

For more information: www.risk-technology.com
Introduction
The genesis of this paper came from a simple observation. We noticed that when we plotted out operational risk data, there were spikes in the number and severity of loss events in 1994, 1998, and 2002. This led to more in-depth research, comparing changes in operational risk loss events with a standard measure of volatility. The first thing we noted was that these years were all periods of significant market swings, so we set out to find a measure that we could test against our emerging theory that operational risk events track market volatility. We are familiar with the work others have done on tracking stock prices and shareholder value with operational risk; we supplied loss event data to many of these studies. (See Operational Risk in the Insurance Industry by Ran Wei, http://irm.wharton.upenn.edu/F03-Wei.pdf and Managing Operational Risk in Banking from McKinsey & Co, authored by Robert S. Dunnet, Cindy B. Levy and Antonio Simoes. http://fs.mckinsey.com/Display.aspx?id=66e9b645-704c-4d1f-911d-6c4b38d2015a) This time, we wanted to test our hypothesis against a standard measure of market volatility. This approach was influenced by the events of the summer of 2007, when the stock markets experienced a liquidity crisis on the heels of the discovery of inherent problems in the subprime mortgage sector. At the time, we had no idea that the markets would experience the largest unauthorized trading event in modern banking history, although we had a sense that the environment was conducive to such an occurrence. We set out to pull together analytics to explain what we intuitively felt was a probable occurrence in the near future. We settled upon the Volatility Index, or VIX, from the Chicago Board of Exchange (CBOE) as our standard measure of market volatility. The CBOE defines the VIX as a key measure of market expectations of near-term volatility conveyed by S&P 500 stock index option prices. 
The CBOE also states that the VIX has come to be known since 1993 as the world's premier barometer of investor sentiment and market volatility. The VIX index tracks investor sentiment and is reflective of what is happening in the markets. Our supposition, given some unique features of operational risk events, and the lag between begin and end date, was that there are at least certain categories of risk types that might track alongside market volatility.

Figure 6 (from the Chicago Board of Exchange and Algo FIRST*): VIX index and large operational risk loss events

[Chart: CBOE Volatility Index (VIX) since 1990; x-axis from 1/2/90 to 1/11/08; annotated loss events include WGZ $20m UAT and BankBoston $7m fraud]
Tracking changes: Mapping operational risk loss events against the VIX
The CBOE states that the VIX has come to be known, since 1993, as the world's premier barometer of investor sentiment and market volatility. The start date for the VIX was ideal for our purposes, as it approximately coincided with the date when we first started collecting loss event data in the early 1990s. An empirical observation of spikes in the VIX corroborated that we were using the right index for our study and that we were onto something (see Figure 6).

Both the VIX graph and the graph of loss events in our internal operational risk loss database displayed, in the broader sense, the pattern of a sine wave, like the waves that form when a stone is dropped into a still lake. We started thinking of operational risk loss events in this same way: we noticed an increase in the disclosure of operational risk loss events around the same time as the formation of volatility waves in the market, which we came to name the tracking phenomenon.

Our next step was to map loss events against the VIX index. We experimented with frequencies and slices of the data until we were able to present the two data sets in a way that made sense from both a quantitative and a business perspective. Although we believe that daily data is the best barometer of volatility, for purposes of comparing both data sets we aggregated the VIX data to an average annual frequency. We continue to investigate the use of daily volatility data in our research work, in a mission to uncover a point-in-time measure that makes sense from the perspective of both the volatility and loss event data sets.

Dates of occurrence are difficult to use in an examination of operational risk events because, with a few exceptions, operational risk events do not represent a point in time, but a continuum that encompasses a breakdown of internal controls and a trigger that leads to the actual loss event. For this reason, we also decided that it made the most sense to use the end date or discovery date as an approximation for a point in time when comparing loss data with volatility.

Because what we were after was volatility and a measure of change, which is essentially what the VIX measures, we mapped loss events against the volatility measure according to the change in the total frequency of events. This also allowed us to adjust for a collection bias: as the disclosure of events becomes more transparent in the industry and media, it is more likely that we have identified a larger collection of losses during later years. When we plot the change in frequency of the total number of loss events against the changes in the average VIX, it becomes evident that changes in the two indexes track each other during key periods of volatility (see Figure 7).

Figure 7: Changes in total frequency of operational risk loss events vs. changes in the average VIX.
[Figure 7 plot not reproduced. Legend: Changes in Total Frequency; Changes in Average VIX.]
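The mapping procedure described above (discovery date as the point in time, VIX aggregated to an annual average, change in event frequency compared with change in the average VIX), as an added Python example that is not part of the original report. The event records and VIX values are constructed, and the year-over-year ratio, the direction check and the Pearson correlation are assumptions, since the report does not define its change measure.

```python
from collections import defaultdict
from datetime import date
from math import sqrt

# Constructed sample events: (onset, discovery, risk_class). Not Algo FIRST data.
EVENTS = [
    (date(1997, 3, 1), date(2000, 5, 10), "people"),
    (date(1999, 6, 1), date(2000, 9, 2), "process"),
    (date(1996, 1, 15), date(2001, 2, 6), "people"),
    (date(2000, 4, 3), date(2001, 7, 19), "people"),
    (date(2000, 8, 21), date(2001, 11, 30), "technology"),
    (date(1998, 2, 9), date(2002, 1, 11), "people"),
    (date(2001, 5, 5), date(2002, 2, 6), "people"),
    (date(1999, 10, 12), date(2002, 6, 25), "people"),
    (date(2001, 9, 1), date(2002, 10, 24), "external"),
    (date(2002, 3, 18), date(2003, 4, 7), "people"),
]
# Constructed daily VIX closes (two per year to keep the sample short).
VIX_DAILY = [
    (date(2000, 3, 1), 18.0), (date(2000, 10, 2), 22.0),
    (date(2001, 3, 1), 22.0), (date(2001, 9, 20), 28.0),
    (date(2002, 3, 1), 26.0), (date(2002, 7, 23), 34.0),
    (date(2003, 3, 3), 20.0), (date(2003, 10, 1), 16.0),
]

def annual_average(daily):
    """Aggregate daily index values to one average per calendar year."""
    by_year = defaultdict(list)
    for day, value in daily:
        by_year[day.year].append(value)
    return {y: sum(v) / len(v) for y, v in sorted(by_year.items())}

def events_per_year(events, years, risk_class=None):
    """Count events by discovery year (not onset); empty years count as 0."""
    counts = dict.fromkeys(years, 0)
    for _onset, discovered, cls in events:
        if discovered.year in counts and risk_class in (None, cls):
            counts[discovered.year] += 1
    return counts

def yoy_change(series):
    """Ratio to the previous year (an assumed change measure). A year is
    skipped when the previous year is missing or zero (ratio undefined)."""
    return {y: series[y] / series[y - 1]
            for y in sorted(series) if series.get(y - 1)}

def pearson(xs, ys):
    """Pearson correlation, or None when it is undefined."""
    if len(xs) < 2:
        return None
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    den = sqrt(sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys))
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / den if den else None

def tracking(events, daily, risk_class=None):
    """Compare change in event frequency with change in the average VIX."""
    vix_avg = annual_average(daily)
    vix = yoy_change(vix_avg)
    freq = yoy_change(events_per_year(events, list(vix_avg), risk_class))
    years = sorted(set(vix) & set(freq))
    same_direction = [y for y in years if (vix[y] > 1) == (freq[y] > 1)]
    r = pearson([freq[y] for y in years], [vix[y] for y in years])
    return {"years": years, "same_direction": same_direction, "pearson": r}
```

Calling `tracking(EVENTS, VIX_DAILY, risk_class="people")` restricts the comparison to one risk class, which is the split the report goes on to make.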
Figure 7, which demonstrates a link between market changes and the change in number of loss events, was a good starting point in our analysis. The graph displays a pattern between the two data sets. They appear to increase and decrease in tandem during our target periods of market volatility: 1994, 1998, and 2001-2002.

Our next task was to split the operational risk loss data into its five risk class components and examine whether there was a type of risk that might be more pronounced, either in terms of a point-in-time action or discovery, during times of volatility. Figure 7 examines all the risk classes aggregated together. We proceeded to compare the VIX data against our five risk classes: people, process, relationship, external, and technology. (See definition of the risk classes in the following discussion.) Our supposition was that when we tested the data against individual risk classes, which are more homogeneous groups of data, we would discover stronger dependencies between operational risk loss events and volatility.

An examination of the VIX shows that times of great volatility tend to last for relatively short, intense periods. This is very different from the profile of large risk events, which can continue for years, or in the most extreme examples decades, before they are uncovered or discovered. We track duration of operational risk loss events from the onset of the initial fraud until its settlement or discovery date. What we have observed is that the point in time when a large fraud or unauthorized trading event is revealed is often concurrent with market volatility. This is evident in the examples of real loss events that we provide in this paper.

The loss data itself and the sample loss events demonstrate that an event may be ongoing for a relatively long period of time, but market volatility increases the probability that it will be discovered. In the case of unauthorized trading events, for instance, as market conditions become more volatile, the rogue trader continues to increase his losses while he tries to trade himself out of an ever-increasing hole. (See Codelco and Kidder Peabody cases discussed in this paper.) It becomes increasingly difficult to hide the accumulating losses until, almost by serendipity, they are uncovered. In addition, times of volatility lead to a tightening-of-the-belt mentality in financial institutions, which also raises the likelihood that a risk event will be discovered.

What this means is that, contrary to general sentiment, losses do not lag behind market swings and volatility does not necessarily create a more fertile ground for operational risk losses. The rogue individuals and fraudsters are often long at work in perpetrating their misdeeds before the markets turn volatile. Instead, volatility enhances the severity of such losses and leads to their eventual unravelling. In other words, there is a greater chance that loss events will be ferreted out from the holes in which they have been hiding during market swings.

What is interesting is that while the largest operational risk events are uncovered during volatile market conditions (Societe Generale, Enron, Barings, BCCI, Kidder Peabody, Codelco), they were ongoing during times of relative calm and prosperity. We believe this is consistent with the general belief in credit risk that times of exuberance and positive market conditions can lead to a lax risk culture.
This also holds true for operational risk cultures, which might operate under a more fluid control environment during growth periods. When markets start turning downward, both credit and operational risk officers have a tendency to tighten their belts.
People risk losses: The key to monitoring potential operational risk losses during times of volatility
The tracking phenomenon demonstrated in our people risk category of events, as viewed in Figure 8, suggests the importance of enhancing monitoring of this category of potential events during times of volatility, such as we witnessed in the summer of 2007. We continue to be in the throes of extreme market volatility, but it is apparent that the number and severity of people risk events have increased. We have experienced two notable unauthorized trading events which impacted two French banks: the first, a $347 million event, surfaced during the turbulent 2007 summer. The second, a significantly larger loss event valued at an estimated $7.2 billion, was discovered in early 2008.

There are a variety of archetypical people risk events that can occur during times of volatility. These include unauthorized trading, front-running, embezzlement, misappropriation of funds, and aiding and abetting. Below, we have provided excerpts from the full case studies in our operational risk database, in order to demonstrate the scope and severity of events that have occurred in the past during times of market volatility. The following is a list of market events that led to volatility and associated people risk events.

Market Event of 1994: The Federal Reserve raises interest rates multiple times

The US Federal Reserve raised interest rates several times in 1994, which resulted in substantial losses across the industry for derivative products with underlying securities tied to interest rates. Interest rates had been low for a long time before this period and interest-rate derivatives felt like a safe and profitable investment; the markets appeared to forget that rates would start heading upwards at some point. Some managers of conservative mutual funds during this period added derivatives kickers to their portfolios.
When rates started being raised month after month by the Federal Reserve, a large number of institutions that had purchased derivatives lost money, including Gibson Greetings, Procter & Gamble, and mutual fund managers.

Examples of large people risk events from 1994:

The Joseph Jett bond-trading scandal was one of a series of problems that plagued Kidder Peabody and eventually prompted the sale of the once highly profitable and elite firm by parent entity General Electric to PaineWebber in 1994. The SEC alleged that between 1991 and 1994, Joseph Jett faked nearly $350 million in profits in order to hide $80 million in losses through a complex trading scheme. The SEC ultimately targeted lax controls within the company as a contributing factor to the event and criticized Kidder's management for poor supervision and judgment, and for creating an environment where "employees were unwilling to ask tough questions when money was being made." In March 2000, GE agreed to pay $19 million to settle a class action shareholder suit. In a final resolution of the case, the Southern District Court of New York entered a judgment on September 7, 2007 that ordered Jett to repay $8.21 million and pay a $200,000 fine.

In 1994, in an unauthorized trading case, Corporacion Nacional Del Cobre De Chile (Codelco), the world's largest copper mining company, incurred a $170 million loss from the activities of rogue trader Juan Pablo Davila. During the course of the 1994 copper futures scandal, Codelco discovered that Davila, its chief futures trader, had engaged in unauthorized trading activities. Between 1993 and 1994, Mr. Davila was alleged to have made unauthorized trades that cost the company $170 million.

Chartis Research Ltd 2008
Market Event of 1998: Russia defaults

Russia was into its sixth year of economic reform in 1998, and the first one of positive economic growth since the fall of communism, when it failed to meet its debt obligations. Russia was in the process of renegotiating the sovereign debt it had inherited from the former Soviet Union when it defaulted in August 1998. On August 17, 1998, the Russian government floated the exchange rate, devalued the ruble, defaulted on its domestic debt, and restructured its ruble-denominated debt. It also suspended all payments to foreign creditors for 90 days. This led to a collapse in other unrelated sectors of the emerging markets and multi-billion dollar losses at US hedge fund Long Term Capital Management (LTCM). The effect on the market of LTCM's unwinding its position was so enormous that the Federal Reserve Bank, in a historic move, initiated a bailout of the hedge fund.

Examples of large people risk events from 1998:

On October 23, 1998, Westdeutsche Genossenschafts-Zentralbank eG (WGZ Bank) uncovered a people risk incident that cost the German co-operative bank $230 million. Two currency/FX option traders had manipulated data since the second quarter of 1997 in order to cover up losses they had incurred due to unauthorized trading. The perpetrators had worked at WGZ Bank for many years and knew the vulnerabilities in the bank's computer system that allowed them to circumvent internal controls. In order to hide their losses from detection by daily market risk control systems, the traders entered incorrect values into a system that calculated dollar exchange rates.

In a case of people risk, the former executive at BankBoston's international private bank in New York, Ricardo Carrasco, was charged with defrauding the bank of $73 million. In February 1998, Carrasco disappeared and a month later it was alleged that he had embezzled money by making fraudulent loans. BankBoston filed a $67 million lawsuit in May 1998, alleging that Carrasco had "fraudulently induced" the bank to grant $73 million in loans to Argentine businessman Barreiro Laborda and companies controlled by Laborda. The Federal Reserve said that Carrasco opened at least 26 accounts for Laborda over a three-year period, beginning in 1994.

Market Event of 2001-2002: Spitzer focuses on market practice issues; Enron collapses

2001 and 2002 were years of great change in the financial services industry, as a result of the activist stance of former New York State Attorney General Eliot Spitzer. The former Attorney General changed the rules of the game for what was acceptable on Wall Street when he focused attention on consumer issues and how small investors are impacted by market practices.
Regulators of the financial services industry, such as the Securities and Exchange Commission and the Federal Reserve Bank, previously focused on issues of solvency and an institution's ability to preserve capital during times of volatility. This period also saw the dissolution of Enron and WorldCom, two of the largest companies in the United States, and accounting frauds that surfaced in many other institutions. Eliot Spitzer was later named Man of the Year by the Financial Times, in recognition of the global impact he had on the financial markets.

Examples of large people risk events from 2002:

In what the Financial Times (2/7/2002) called "another chapter in the cult of the rogue trader," and the largest such case since Nick Leeson managed to topple Barings Bank, Allied Irish, Ireland's largest bank, revealed on February 6, 2002 that a currency trader had disappeared after defrauding a US-based subsidiary of $691.2 million. John Rusnak was identified as the rogue trader who worked at Allied Irish's Maryland-based subsidiary, Allfirst. He initially went into hiding after the event was made public. Mr. Rusnak later surfaced and pled guilty to one count of bank fraud on October 24, 2002. He was sentenced to a prison term of seven and a half years in January 2003. It was later determined that the small Maryland-branch operation did not have the proper controls in place to oversee a proprietary trading operation.

The US Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) shut down Hamilton Bank N.A. of Miami on January 11, 2002. Hamilton Bank had about $130 million of potentially uninsured deposits held in approximately 3,600 accounts at the time of its closing. In 2006, Hamilton's chairman, Eduardo Masferrer, was sentenced to 30 years and two senior officers of the bank drew shorter prison terms. A law firm that represented Hamilton's audit committee also agreed to pay fines in settlements with the OCC and FDIC.
Market Events of 2007 & 2008: Crunch in credit markets and subprime blow-up lead to volatile trading conditions

Market conditions for all financial institutions and lenders became so precarious during August 2007 that the Federal Reserve stepped in to add liquidity to the markets. The Federal Reserve last provided cash to the banking system in 1998, during the collapse of hedge fund Long-Term Capital Management. When the Federal Reserve moved to cut the discount borrowing rate, it released a statement saying that risk in the markets had increased appreciably. With short-term borrowing all but shut down by an associated freeze in the bank wholesale lending sector, and capital market transactions halted, trading markets drifted wildly between highs and lows.

Examples of large people risk events from 2007 and 2008:

Credit Agricole released a statement on September 18, 2007 indicating that a large market position on the books of subsidiary Calyon's New York-based proprietary trading desk had been uncovered. The position was in unidentified credit market indices that were acquired during the last days of August and in excess of unauthorized internal limits. The bank said that when the cost of unwinding the trade is accounted for it will result in a €250 million ($347 million) loss. The position in question was taken by Calyon's proprietary trading desk. Six unidentified traders were allegedly involved in building up the unauthorized position. The accumulation of unauthorized positions occurred in late August 2007, at the height of the market volatility that was caused by the credit crunch and problems in the subprime mortgage sector.

Societe Generale announced a €4.9 billion (USD $7.2 billion) loss on January 24, 2008 as a result of the misdeeds of one rogue trader. The bank characterized the largest rogue trading event to date as the result of elaborate fictitious transactions that allowed the 31-year-old trader to circumvent a series of internal controls. The trades in question involved plain vanilla stock-index futures. The trader previously worked in a back office function for the bank and is believed to have gained knowledge of how to circumvent the bank's systems through this prior position. He was characterized by the governor of the Bank of France as a computer genius. SocGen estimated that the value of Kerviel's positions was 50 billion euros ($73.26 billion). A recent report published by the French Finance Ministry estimated that Kerviel's rogue trades started in 2005.
associated losses that surface during this period. This suggests an associated move during such extraordinary times from loss prevention in a stable operating environment to loss control in a more tumultuous one. It may be that we will come to a time when we can more accurately track risk capital to market volatility and adjust the levels as necessary, according to market demands.

It is our belief that market volatility is a powerful indicator of increased frequency of operational risk events, especially in the category of internal fraud. Extreme swings in volatility in a market or sector should serve as a warning that it is no longer a status quo situation. We hope this research will help create a proactive response to operational risk during times of volatility and an opportunity for our clients to approach such times with an all-hands-on-deck attitude.

We will continue to track and monitor loss events against volatility measures and deepen our analytical research into the topic. Our continuing effort includes the tracking of operational risk events and the further development of an analytical framework to model dependencies between the VIX, possible additional indices, and operational risk loss data. Our goal is to eventually develop best practices and business approaches toward the understanding of how volatility impacts the management of operational risk and what specific actions need to be taken, or practices modified, during times of high volatility.

*Note: all loss data used in this study is from Algo FIRST, Algorithmics' database of external risk loss events.
Yakov Lantsman
Senior Vice President, Algorithmics

Yakov Lantsman is a Senior Vice President at Algorithmics, where he guides the company's quantitative modeling efforts. A twenty-year veteran with vast industry experience in applied mathematics and risk modeling, Yakov is a frequent presenter and author on modeling very complex processes, including fitting distributions, identifying theoretically valid computational short-cuts, and econometric modeling. Prior to joining Algorithmics, Yakov was Senior Vice President at Willis Re, leading the company's Research and Development efforts. This role built on Yakov's experience with Fitch Risk Management Services, where he was Senior Vice President and Head of Quantitative Services, as well as his experience as Assistant Vice President at Guy Carpenter & Company, where he was responsible for research and statistical modeling. Yakov received a PhD in Mathematics from Tashkent Institute of Technology and an MS in Mathematics from Tashkent State University.
About Algorithmics
Algorithmics is the world's leading provider of enterprise risk solutions. Financial organizations from around the world use Algorithmics' software, analytics and advisory services to help them make risk-aware business decisions, maximize shareholder value, and meet regulatory requirements. Supported by a global team of risk experts based in all major financial centers, Algorithmics offers proven, award-winning solutions for market, credit and operational risk, as well as collateral and capital management. Algorithmics is a member of the Fitch Group.

2007 Algorithmics Software LLC. All rights reserved. You may not reproduce or transmit any part of this document in any form or by any means, electronic or mechanical, including photocopying and recording, for any purpose without the express written permission of Algorithmics Software LLC or any other member of the Algorithmics group of companies. ALGO, ALGORITHMICS, Ai & design, ALGORITHMICS & Ai & design, KNOW YOUR RISK, MARK-TO-FUTURE, RISKWATCH, ALGO RISK SERVICE, ALGO CAPITAL, ALGO COLLATERAL, ALGO CREDIT, ALGO MARKET, ALGO OPVANTAGE, ALGO OPVANTAGE FIRST, ALGO RISK, and ALGO SUITE are trademarks of Algorithmics Trademarks LLC.
Chartis Research Europe The City Arc Curtain Court 7 Curtain Road London EC2A LT + (0)207809661 www.chartis-research.com
Chartis Research US Wall Street 12th Floor New York NY 1005 +1 212 61 7127