October 2011
1. Setting the Scene
2. The Fundamentals
3. An approach to stress testing and scenario analysis
4. Using loss data to challenge stress testing and scenario analysis
5. Working Scenario
in Europe?
"Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so." (Douglas Adams)
The credit risk view: "Credit is a system whereby a person who can't pay gets another person who can't pay to guarantee that he can pay." (Charles Dickens)
On a more serious note... key findings from a recent Deloitte survey of ARROW and SREP visits relating to stress testing and scenarios:
The FSA has challenged both the design and use of stress testing and indicated that stress testing models and results are often not understood by the Board. Key recommendations for Firms include:
Establish suitable stress scenarios (both macro-economic and firm specific) which equate to 1 in 25 year events (referencing the FSA anchor scenario where needed);
Provide an appropriate level of challenge regarding the key assumptions underpinning the stress scenarios;
Ensure the integrity of the models;
Obtain a complete and full analysis of the stress testing results, including the validity of management actions.
Some Firms are developing formal stress testing policies and scenarios which can be used for a range of purposes, including the effect of stress scenarios across funding shortages, capital reductions, reduced profitability and operational risk issues.
The Fundamentals
Stress testing
Identifying how risk profiles respond to shifts in economic variables or risk parameters
Scenario analysis
Assessing the resilience of financial institutions and the financial system to severe but plausible scenarios
"Operational risk is subjective! How can we base our capital on something like this?"
"Will the capital numbers ever become stable?"
"Whenever you ask a business questions about their Risk SELF Assessment, the next time you see them, they have changed it."
"Management want the lowest number possible; we have the answer before we start and have to retrofit the scenario!"
2011 Deloitte LLP. Private and confidential.
Complements other risk management techniques
Adds a broader perspective to the risk profile
Helps management gain a view of the complete risk profile
The regulators favour it, and want it to be used to inform business decisions
Stress testing and scenario analysis for operational risk: the challenges!
Applying another subjective process to a subjective process!
Articulating the value for stakeholders in participating in the exercise can be difficult!
People have a perception that they know what the key sources of risk are and can find it hard to change their view without evidence
Scenario Design
Scenario Execution
Is coverage complete? Would the controls be effective?
What are the top risks? What are the key controls?
Where have the material losses been occurring? What is happening in the industry? Are there any themes? Where has exposure been deteriorating? What are the key measures and limits? What is outside of the Board's Appetite?
What is the loss history? How much has this cost competitors? Is coverage complete? Are triggers set appropriately? Are there adequate predictive KRIs? Is the appetite calibrated correctly? Are the limits complete and accurate?
Work Shop 1
Scenario Creation Scenario Approval Stress Numbers
Work Shop 2
Mgmt Action Review Mgmt Action Numbers
Communication Plan
Base
Comms
Review
Business plan review; Risk Register Review; External Loss Data Review; Large Exposure identification; Reverse stress; FSA requirement review; and Concentration review.
Balance sheet, P&L and Capital Plan review; KRI triggers review; and Mgmt Action validity and impact
Model creation / integration Key financials analysis; Capital Analysis; Risk Appetite and Capacity Review; KRI review; and Report structuring
Internal Communication strategy & plan; External communication strategy & plan; and Ongoing Review requirements
The key components of an effective stress testing & scenario analysis framework
Top Down Objectives: All objectives and outputs agreed and documented with appropriate methodology.
Stress Testing Toolkit: Toolkit comprises MYST, RST and sensitivity tests. MYST results used to inform RST scenarios.
Scenario Design: Multiple scenarios are considered, covering a range of likelihoods; account for current and future business context.
Templates: Guidelines are in place for collection of quant and qual data, along with documented process and procedures.
Governance: Governance process is fully documented with clear responsibilities allocated throughout the process.
Reporting: Stress testing reporting used to inform potential future performance plans; and supports management actions.
Scenarios Description: Includes description of regulative and competitive environments. Clear list of variables quantified.
Models: Outputs from models are cross checked from alternative sources; user guidelines have been documented.
Mgmt Actions: Proactive and reactive mgmt are fully documented; Actions aligned to Recovery and Resolution Plan.
Comms and Training: All relevant staff trained, all staff educated about stress testing process; outputs are shared across firm.
Use Test: Management actions and future plans rely on stress test output.
Regulatory Compliance: Regulatory requirements understood and met. Internal experts are identified who keep abreast of reg changes.
The stress testing toolkit
Reverse Stress Testing: Companies are required to have thought through what different scenarios could make their business model unviable, including from a reputational perspective, and what mgmt actions they could put in place to try and mitigate the impact of the scenario.
Use Test: The FSA want to see that stress testing is being used by the firm to think about its business strategy; validate the Risk Management Framework; set limits and thresholds for Risk Appetite and KRIs; and integrate with existing models.
Multi-year stress tests: Firms should consider scenarios that evolve over a few years, for example, 3-5 years. This can be achieved through alignment with the Long Term Strategic Plan.
Management Actions: Firms need to provide evidence that all management actions, and their impacts, are credible. There should also be evidence of how the management action would be triggered, e.g. MI review, KRI breach etc.
The 'breaking' point of a firm may also be reached before a firm's regulatory capital and liquidity resources are exhausted, and therefore a breach in capital or liquidity regulatory limits is not necessarily the only 'fail' point of a firm. Some examples of indicators of a business model failure include:
Counterparties are unwilling to transact with the firm or seek to terminate existing contracts
The customer base no longer exists or is diminished resulting in a key failure of the overall business strategy
Any of these events, stand-alone or in combination, could lead to the overall failure of a business
Using loss data to challenge stress tests and scenarios: establishing fact from fiction
The shape of the body of the distribution gives insight into the variability of the yearly volume of operational losses
The tail of the distribution is determined by low frequency, high impact losses => The larger percentiles can be benchmarked against large industry loss cases
Analysis of external loss data is the starting point for identifying and assessing tail risks through scenario analysis
In June 2004, BNP Paribas, a French bank, reported that it was ordered to pay a $46.13M (38.11M EUR) fine in a ruling upheld by France's Cour de cassation to settle charges filed by the Conseil de la concurrence (French Competition Council) that it had participated in an anticompetitive pact with other banks involved in the property loan sector.
In March 2005, ABN AMRO Inc, a US investment bank and subsidiary of ABN AMRO Holding NV, reported that it agreed to pay $278.4M to settle a class action suit related to the company's role in underwriting telecommunications company WorldCom Inc's issue of corporate bonds.
Enron went bankrupt in 2001 and Barclays was accused of contributing to Enron's bankruptcy by helping it hide its true financial condition through financial structures. To settle the litigation, Barclays agreed to pay Enron $144M and in return Enron would allow the bank's $310M of claims to go forward in the bankruptcy case.
Example 1: Card Services. A risk manager's perception of the operational risks she is facing
Example 1: Card Services factual data shows an entirely different risk profile
Example 1: Card Services. A view on the tail risk. Panels: the risk manager's perception; factual data.
A Working Scenario
8.33 AM - A trader's computer was running slowly and the trader called the IT help desk to see if they could help.
8.45 AM - The IT helpdesk checked the trader's machine and noticed a series of unusual and suspicious background processes that were utilising a large amount of CPU: covert_data_collect, covert_data_send, cover_tracks. A ticket was left open and the IT helpdesk started to investigate further...
1) Identification and activation: If the user hadn't identified the initial issue, how would it have been identified? Once identified, how would the incident be escalated? How and by whom would the incident be investigated? How widespread might this issue be and how do we know? What response plans would be initiated? How could the malicious program have been installed?
2) Access and assessment: What methods/access points could be used to facilitate an external security breach? How likely is it that someone would break in this way? Who is responsible for assessment of the risk? How do we differentiate between normal levels of attack and concerted attack? Without considering specific risks, would some methods give greater access than others? Would detection and escalation paths be any different?
9.27 AM - Internet investigation suggested that several other trading organisations had been targeted by a sophisticated attack that used a cover software program (financial news desktop tool) to install a series of malicious components that were designed to harvest sensitive data and send the information to a remote location.
9.37 AM - The IT helpdesk checked the trader's computer and found the financial news desktop tool was installed. After checking other traders' machines it was found that 80% of machines were infected.
10.44 AM - Head of trading reports to Compliance that sensitive competitor trading information has suddenly appeared in their inbox...
3) Risks and vulnerability: What information is at risk? What could they find? How secure is this data, and what controls might stop them? What is the likelihood of successful access? What is the immediate impact of this issue? What might the longer term impacts be? Do the regulators need to be informed and if so what is the process for this? Could other operational risks be heightened because of this action? Can we estimate the overall impact to us?
4) Motivation: What other motivations could lead to someone breaching our information security and how would that change the risks and impact?
5) Actions: How would we react to such an event / what plans are in place / who is responsible? How would we know what had been done? Who undertakes the risk assessment? Who within the organisation needs to be told? Who will manage the internal/external communications? How would we try and mitigate the impact at the time?
Speaker details
Mick Campbell Director Deloitte LLP Email: micampbell@deloitte.co.uk Tel: 0141 314 5899 Mobile: 07900 607 601
Stephen Boyd Manager Deloitte LLP Email: sboyd@deloitte.co.uk Tel: 0141 304 5613 Mobile: 07827 843444
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (DTTL), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms. Deloitte LLP is the United Kingdom member firm of DTTL. This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication. 2011 Deloitte LLP. All rights reserved. Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198. Member of Deloitte Touche Tohmatsu Limited