Analysis of BAELL II Recommendations

Analysis of BAELL II Recommendations CHAPTER 1: INTRODUCTION 1.1. Introduction Operational risk is defined as â€Å"the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.† Financial markets in the last two decades have been highlighted by large-scale financial failures due to incompetence and fraud, such as Barings, Daiwa, Allied Irish Banks, Orange County, Enron, along with man-made and natural disasters, such as â€Å"9/11,† Hurricanes Andrew and Katrina. As a consequence, operational risk has been acknowledged to overweigh the importance of credit and market risks. Since 2001, the Basel Committee for the Banking Supervision of the Bank of International Settlements has been requiring banks to set aside regulatory capital amount that would cover potential operational loss. The capital amount must be evaluated on a one-year aggregated basis at a sufficiently high confidence level. Statistical tools are required to accurately assess the frequency and severity distributions. The presence of so-called â€Å"low frequency/ high severity† events poses problems for the modeling of operational risk and calls for models capable of capturing excessive heavy-tailedness in the data. Operational risk is one of the important arms of the risk management triangle the other two being Credit Risk and Market (Treasury) Risk. Any organization, particularly in the banking sector, is squarely exposed to operational risks emanating within or outside the organization. Risk Management Triangle Credit Risk Market (Treasury) Risk. Operational risk Operational risk capital charge is a mandatory requirement in global banking sector. This puts in a lot of stress and strain on a banks management. Operational Risk is also known as Transaction Risk in some countries. In order to efficiently face this new challenge of operational risk in risk management, the prerequisites for efficiently facing the operational risk are enumerated as follows : Ø creation of risk culture ; Ø enterprise wide operational ; Ø risk awareness. Proactive steps at all the levels of operation should operate as a safety valve and in the process, may in turn facilitate lower risk capital charge. 1.2. Background Risk mapping is often mentioned both in describing various approaches to operational risk management and, in an audit context, in formulating the key steps to control self-assessment, as the cornerstone of the risk identification process. Yet there is little published guidance on how to perform it effectively and on how to ensure that the resulting map is indeed complete and consistent. In other words, although the term is widely used by bankers, auditors, regulators and consultants alike, and although all these professionals  may even agree on what constitutes an acceptable final product, they will most likely give widely different explanations on how to get such product, the resources needed and the costs involved. Risk mapping is difficult for a number of reasons, all of which can be summarized by reminding ourselves that ‘the map is not the territory. No matter how accurate and thorough our analysis is, what really goes on in the business is never exactly what is written in the manual. Here are just a few of the key dimensions: People: Processes are affected by people, and people, no matter how formalized the process is, adapt, interpret and improvise in response to circumstances. Specialization: Very few people really understand a specific business process and its interactions with other people and systems within the bank. When one of these people leaves or is just absent for a while, the potential for an operational failure appears. Processes: Processes change all the time and any mapping becomes obsolete almost overnight after being completed. In this research, I describe a methodology for the mapping of operational risk with the objective of identifying the risks inherent in the different steps of a business process, selecting the key risk indicators (KRIs) (Hoffman, 2002; Davis and Haubenstock, 2002) and designing the most appropriate control activities. In my approach, therefore, risk mapping is the basis for all the key components of operational risk management identification, assessment, monitoring/reporting and control/mitigation as defined by the Basel Committee on Banking Supervision (2003). There is more than one way to map risks. The most common technique is probably the mapping on a probability/severity chart (Figure 1) so as to identify the key priorities for management. The result in most cases helps to distinguish between high severity/low frequency and high frequency/ low severity losses, but which in general gives no indication as to what management actions to take in order to change the existing risk profile. Another way is to map the risks to the phases of a business activity where they can occur and identify the key risk factors and drivers in the process. This leads to a somewhat more complex result, rich in qualitative information rather than in quantitative assessment, but giving very clear indications as to which parts of the process should be changed in order to make a difference to the overall risk exposure. It also allows for the identification of the KRIs that are more relevant to each risk exposure. Pursuing the application of KRIs to operational risk assessment is suggested by the need to capture the various issues we find with purely statistical approaches as well as the impact that managerial decisions may have on the operational risk profile. In market and credit risk measurement, the key managerial decisions are taken in deciding portfolio composition, thereby affecting the resulting risk profile directly and in a manner that measurement models have no problem in capturing. In operational risk measurement, on the other hand, managerial decisions may affect the risk profile in a number of different ways (through changes in control procedures, systems, personnel, to name but a few), none of which any measurement model can capture in a simple and direct way. Statistical approaches in particular will be at a loss in taking into account such changes, as historical data will reflect a risk and control environment which by and large no longer exists. The requirement of the new Bas el Accord (Basel Committee on Banking Supervision, 2004) to base risk assessment on 5 years of historical data if taken too literally will have banks generating risk capital charges on the basis of information largely unrelated to the current and, even less, the future risk and control environment. 1.3. Research Question: This work to start with will take a step back and ask the fundamental question of why do banks fail? Further the work shall research the recommendations of BASEL II and will try to seek the answer for: Will the BASEL II requirements make the systematic goals of safety and stability more achievable for banks/FIs? If yes, how? If no, how? 1.4. Motivation: Appropriate â€Å"Organizational structure† is a precondition for orderly management of any activity/ group working within the purview of organizational capabilities. Operational risk management is all pervasive in terms of activities of an organization e.g. if ‘people factor in operational management is poorly managed in a bank, other activities of the bank e.g. credit/market risk management, are likely to suffer . Similarly, legal aspects of any transaction/ function, if loosely dealt with, increases the likelihood of loss to the organization. Organizational structure for operational risk management needs to be compact and broad-based. The structure must be compatible with :- an organizations size; complexity of operations and area of operations; in tune with its risk appetite. The area of operational risk management is a matter of discretion which comes under the purview of regulatory authorities/banks. Through my research I have tried out to make out a clear and concise understanding of BASEL II accord for Banks/FIs in operational risk perspective. The work shall also try to suggest the suitable customization of BASEL II recommendations and implications of the same for effectively managing operational risk. It may also lead to forecasting the emerging trends in operational risk and ways to mitigate the same. 1.5. Chapter Scheme The chapter scheme of my dissertation is as follows: Chapter 2: This chapter describes the literature review and the findings. Chapter 3: This chapter describes research methodology and some of the variables included in empirical analysis. Chapter 4: This chapter provides the basis of qualitative research. Chapter 5: This chapter gives details of case studies analyzed for research purpose. Chapter 6: This chapter discuses the analysis and the findings. Chapter 7: This chapter includes the conclusion. CHAPTER 2: LITERATURE REVIEW 2.1. Introduction Until very recently, it has been believed that banks are exposed to two main risks. In the order of importance they are credit risk (i.e., counterparty failure risk) and market risk (i.e., risk of loss due to changes in market indicators, such as equity prices, interest rates and exchange rates). Operational risk has been regarded as a mere part of â€Å"other† risks. Operational risk is not a new concept for banks: operational losses have been reflected in banks balance sheets for many decades. They occur in the banking industry every day. Operational risk affects the soundness and operating efficiency of all banking activities and all business units. We begin our discussion with an explanation of the notion of risk. 2.2. Risk and Risk Management In the financial context, risk is the fundamental element that affects financial behavior. There is no unique or uniform definition of risk: different financial institutions may define risk slightly differently, depending on the specifics of their banking structure, operations and investment strategies. The definition of risk also depends on the context. In the economics literature, generally risk is not necessarily a negative concept, and is understood as uncertainty about future or the dispersion of actual from expected results. In the context of business investment, risk is the volatility of expected future cash-flows (measured, for example, by the standard deviation), and in the context of the Capital Asset Pricing Model (CAPM) is the risk of asset price volatility due to market-related factors and is captured by ÃŽ ². Such definitions do not exclude the possibility of positive outcomes. Hence, for the operational risk we need a different definition.[1] For the purposes of operational risk modeling and analysis, the definitions from insurance are more appropriate, as the notion of risk in insurance has a negative meaning attached to it. Risk is perceived as the probability and impact of a negative deviation, the probability or potential of sustaining a loss, â€Å"a condition in which there is a possibility of an adverse deviation from a desired outcome that is expected or hoped for† [2], or â€Å"an expression of the danger that the effective future outcome will deviate from the expected or planned outcome in a negative way† [3]. As the next step, we need to distinguish operational risk from other categories of financial risk. A comprehensive framework of risk management is applicable equally to all types of bank (Iqbal and Mirakhor, 2007). The process of risk management is a two (2) step process. The first is to identify the source of the risk, i.e. to identify the leading variables causing the risk. The second is to devise methods to quantify the risk using mathematical models, in order to understand the risk profile of the instrument. Once a general framework of risk identification and management is developed, the techniques can be applied to different situations, products, instruments and institutions. It is crucial for all banks to have comprehensive risk management framework as there is growing realization among IBs that sustainable growth critically depends on the development of a comprehensive risk management framework (Greuning and Iqbal, 2007). A robust risk management framework can help banks to reduce their exposure to risks, and enhance their ability to compete in the market (Iqbal and Mirakhor, 2007). A reduction in each institutions exposure will reduce the systemic risk as well. Hence, it is necessary that banks have in place a comprehensive risk management and reporting process to identify, measure, monitor, manage, report and control different categories of risks. 2.2.1. Understanding Risk and Risk Management It is important for staff of banking institutions to understand the aspect of risk in the banking operations and the risks that are inherent and exposed in their business operations. Better understanding of risk management is also necessary especially in the financial intermediation activities where managing risk is one of the important activities. A study conducted by Boston Consulting Group (2001) found that the sole determining success factors is not the technical development but the ability to understand risk strategically and also the ability to handle and control risk organizationally. Secondly, in order to realize a risk based management philosophy, the attitude and mindset of the employees need to be changed whereby they must be brought to understand that managing risk is crucial for success. This implies that there must be intensive training, clearly defined structures and responsibilities, as well as commitment to change. In addition, it was identified that banks in North A merica and Australia concentrate on risk management primarily to enhance their competitive positions. Meanwhile in Europe, Asia and particularly in South America, risk management is considered primary from the perspective of regulatory requirements. Then, Al-Tamimi and Al-Mazrooei (2007) found that the UAE banks staff have good understanding of risk and risk management, which might give an indication about the ability of these banks to manage risks efficiently in the future. Moreover, understanding risk and risk management had positive effect on risk management practice although it is insignificant. 2.2.2. Requirement for Risk Management Risk management framework is important for banks. The risk management strategy must be integrated with its overall corporate strategies (e.g. Froot and Stein, 2004). In conjunction with the underlying frameworks, basic risk management process that is generally accepted is the practice of identifying, analysing, measuring, and defining the desired risk level through risk control and risk transfer. BCBS (2001) defines financial risk management as a sequence of four (4) processes: (1) the identification of events into one or more broad categories of market, credit, operational and other risks into specific sub-categories; (2) the assessment of risks using data and risk model; (3) the monitoring and reporting of the risk assessments on a timely basis; and (4) the control of these risks by senior management. BCBS (2006), on risk management processes, require supervisors to be satisfied that the banks and their banking groups have in place a comprehensive risk management process. This woul d include the Board and senior management to identify, evaluate, monitor and control or mitigate all material risks and to assess their overall capital adequacy in relation to their risk profile. In addition, as suggested by Al-Tamimi (2002), in managing risk, commercial banks can follow comprehensive risk management process which includes eight (8) steps: exposure identification; data gathering and risk quantification; management objectives; product and control guidelines; risk management evaluation; strategy development; implementation; and performance evaluation (e.g. Baldoni, 2008; and Harrington and Niehaus, 2009). 2.2.3. Risk Identification There are few conceptual studies on risk identification of financial institutions (e.g. Kromschroder and Luck, 2008; Luck 2008;; Pausenberger and Nassauer, 2000; Tchankova, 2002; Barton et al. 2002 ) and few empirical studies that include risk identification of banks (e.g. Al-Tamimi, 2002; Al-Tamimi and Al-Mazrooei, 2007). Risk identification is the first stage of risk management (Tchankova, 2002) and a very important step in risk management (Al-Tamimi and Al-Mazrooei, 2007). The first task of the risk management is to classify the corporate risks according to their different types (Pausenberger and Nassauer, 2000). The first step in organizing the implementation of the risk management function is to establish the crucial observation areas inside and outside the corporation (Kromschroder and Luck, 2008). Then, the departments and the employees must be assigned with responsibilities to identify specific risks. For instance, interest rate risks or foreign exchange risks are the main do main of the financial department. It is important to ensure that the risk management function is established throughout the whole corporation; i.e. apart from parent company, the subsidiaries too have to identify risks, analyze risks and so on. Pausenberger and Nassauer (2000) also state that it is advisable for most corporations to implement early warning systems. An early warning system is a special information system enabling the management board to identify risks in time by observing the development of defined indicators (Luck, 2008). Other instruments that could be used to identify risks are checklists of possible disturbances or breakdowns, risk workshops, examination of corporate processes, internal inspections and interviews, loss balance, etc. It is advisable to make use of the knowledge and skill of external experts, for instance, forecasts of banks about the development of interest rates or foreign exchange rates. There are many other approaches for risk identification, for instance, scenario analysis or risk mapping. An organization can identify the frequency and severity of the risks through risk mapping which could assist the organization to stay away from high frequency and low severity risks and instead focu s more on the low frequency and high severity risk. Risk identification process includes risk-ranking components where these ranking are usually based on impact, severity or dollar effects (Barton et al. 2002). According to him, the analysis helps to sort risk according to their importance and assists the management to develop risk management strategy to allocate resources efficiently. 2.3. Operational Risk Operational Risk is one of the important arms of the risk management triangle -the other two being Credit Risk and Market (Treasury) Risk. Any organization, particularly in the banking sector, is squarely exposed to operational risks emanating within or outside the organization (Levine and Hoffman, 2004). There was no precise definition of operational risk until Basel Accord II came into being in June 2004. Furthermore, for the first time in the history of global banking, operational in capital charge has been made a mandatory requirement in banking. This certainly puts in a lot of stress and strain on a banks management. Operational Risk is also known as Transaction Risk in some countries in order to efficiently face this new challenge in risk management, the prerequisites are -creation of risk culture and enterprise wide operational risk awareness. Proactive steps at all the levels of operation will operate as a safety value and in the process, may facilitate lower risk capital charge (Bagchi, 2006). As it has been mentioned that until the release of Basel Accord II in June 2004, there was no universal definition of operational risk in banking (Anna et al., 2007) . It was generally believed that as ‘risk would mean loss in any event or transaction, any risk other than credit risk and market risk would have to be reckoned as an operational risk, without the need of creating any separate identity for such risk. However this way of looking at operational risks is dangerously vague. Prof Hans Geiger, an international authority on risk management, has viewed operational risk from a direct angle and an indirect angle as under: Indirect Angle: â€Å"Operational risks are all those risks which cannot e classified as credit risk or market risk.† Direct Angle: â€Å"Operational risk is an expression of the danger of unexpected direct or indirect losses resulting from inadequate or failed internal processes, people and systems and from external events.† Basel Accord II has laid down the following definition for adoption by the countries and hence this should be treated as a standard definition of operational risk: Operational risk is â€Å"the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk but excludes strategic and reputation risk.† (Bagchi, 2006) 2.3.1. Reasons for Increasing Focus on Operational Risk Management * On going spate ( sudden trend flow) of financial deregulation procedures due to globalization. * Influence of technology and automation in managing business with other side effects. * Complex organizational structures arising out of re organization of business enterprises (e.g. merger/ de -merger etc.). * Opportunities for business process outsourcing. * Growing complexity of products/services, as banks now provide total business services and employ CRM (Customer Relationship Management) in their business activities. * With liberalization and globalization, banks compete very hard with each other for business. * Capital allocation for operational risks is a prime requisite for todays business organizations. 2.3.3. Operational Risk Vs Operations Risk Operational Risk has a wider coverage wherein process, people, systems etc. of an organization are also considered. In general while operational risk is analogous to operations risk, in the context of risk management, they are not alike as will be evident from the following table: Table 1: Distinction between Operational Risk and Operations Risk According to the â€Å"Kenneth Swensen of Federal Reserve Bank of Chicago†, there is a clear demarcation between operational risk and operations risk, from the viewpoint of relative risk contents. Operational risk should deserve special attention for an organization so that its procedures become fully Basel Accord II compliant. He remark regarding Basel II is , â€Å"†¦Ã¢â‚¬ ¦ under Basel II, if you are not moving forward, you are losing ground†. The distinctions are clearly mentioned below : Operational Risk Operations Risk 1. Operational Risk encompasses enterprise wide risk of loss arising out of inadequate, failed internal processes, people system or from external events. 1. Operations Risk encompasses risk by loss arising out of back office reconciling processes and does not generally cover front office functions. 2. Integrated risk management is the watch dog of such risk management function in the organization 2. Internal audit Department usually manages such risks. It is the first line of defense. 3. Basel Accord II specifies capital charge computation based on three approaches evolved for the purpose. 3. There is no requirement for any specific capital charge. 4. The organization must prepare and periodically update on operational risk policy mentioning, and should frame a computation method of measurement of operational risk capital. 4. There is no need for any specific policy document since each organization is guided by its manual/ book of instruction. 5. Regulatory Authority under pillar II has the responsibilities to review enterprise wide operational risk management of the organization. 5. Regulatory Authorities do not have any Pillar II responsibility. They may review operation risk as an ingredient of operational risk. 6. Corporate Governance study must take into account operational risk management of an organization especially the effect of any human error/skill deficiency aspects. 6. Corporate Governance angle does no form part of operations risk. 2.3.4. Distinction between Operational Risk and Operational Crisis Operational risk is an all inclusive concept covering :- Ø intra -organizational ( internal ) risks such as those related to people, processes and systems; Ø external events such as natural calamities, terrorism etc. In case of extreme external events such as natural catastrophes, there is no real distinction between operational risk and operations risk since such an event requires crisis management initiative. But a routine operational risk management dose requires operational crisis management to avert serious consequences. The points of distinction are enumerated as under: Operational Risk Operational Crisis 1. Operational Risk includes elements of Expected and unexpected (expected loss such as loss in process errors of say 0.1% of gross income). 1. Operational Crises covers only unexpected loss. 2. The continuity of business is not affected if some operational risk events do not have serious implications on organizations position (say, internal fraud of 0.1% of annual net profit). 2. An organizations continuity may be seriously affected if the crisis event is catastrophic. 3. Operational risk management dose not generally imply disaster recovery. 3. Operational crisis management generally involves disaster recovery. 4. Operational risk factors do not generally trigger off reputational risk (a minor processing error in a customers savings account may not effect the banks reputation). 4. Crisis event may sometimes (e.g. product failure, contamination etc., Union Carbide Gas leak incident in MP) triggers off reputational risk leading to fall in market share, equity share price etc. 5. Operational risk management in generally concerned with two phases: i. incident ii. recovery 5. Operational crisis management generally involves three phase; i. incident ii. recovery iii. continuity 6. Operational risk may not always turn out to be a danger. 6. Operational crisis is generally of a ‘moment of danger. 2.3.5. Effective way of managing Operational Risk Poor operational risk management, especially in the banking sector, may generate serious financial losses caused by Ø external/internal fraud, Ø system failure, Ø and other related operational lapses. Damage to a banks reputation, even if it is a private bank, may also be severe. Ø Effective operational risk management provides boosts sale by taking care of the following: Ø It tends to minimize severity or frequency of operational risk loses. Ø It creates a mechanism to optimize operational effectiveness throughout the bank. Ø Various business portfolios are better managed if the processes, systems and procedures are sound, together with people strength. Ø Strategic decision making by senior management is supported by a robust risk management system. Ø It ensures business continuity, as there are high probabilities of unexpected operational events owing to changing trends and globalization. Ø Capital allocation can be optimally utilized to the advantage of the bank. 2.3.6. Traditional Vs Modern Approach of Operational Risk Management Traditional Operational Risk Management Banks were managing operational risks in a traditional manner, going by the belief that such risks are really ‘residual risks that remain after the dominant risks of credit risk and market risk have been taken care of .Hence meager attention was extended to managing operational risks. Under the traditional approach, routine operational controls in banking were mainly through Ø internal checks, Ø balancing of ledgers, Ø careful recruiting process etc. Ø Audit and compliance aspects. Ø Insurance against risks was resorted to where necessary. Modern Operational Risk Management Operational risk management in banking took the shape of modern approach with the release of Basel Accord II ( recommendations on banking laws and regulations ) in June04. Modern approach of operational risk management aims at creating and maintaining an effective operational risk management strategy. This approach involves the following elements: Ø Realistic measurement framework on operational risk factors as against sole reliance on internal checks, auditors etc. Ø Operational risk losses calculated and summarized on the basis of past loss data and estimate for the future forms the core of strategic decision making especially for developing a new product or for encouraging a new technology. Ø Quantification of various operational risk factors facilitates optimal capital allocation. Ø Staff skill development exercise on an regular basis enables better output with lesser probability of errors and losses. 2.3.7. Operational Risk: A Challenge to Financial Institutions and Regulators Operational Risk exhibits more severity than Credit Risk, Market Risk Liquidity Risk. Global Association of Risk Professionals (GARP) has also undertaken a number of new initiatives to educate the organizations about the Operational risk. Operational Risk is capable of eroding the complete organization and can cause huge loss on the reliability factor of the financial company. As per GARP, Operational risk shall be the single largest risk facing the financial industry the world over by the year 2010. The most difficult part in managing operational risk is the fact that the threats and challenges can originate and spread at the speed of thought in operations of a Bank. The financial industry is growing all over the world in spite of the poor economic indicators forcing stricter regulations, policies and thus prompts greater awareness of the various challenges faced by financial industry. Operational risk ( especially for financial industry )should be placed at the highest level of attention in order to ensure smooth functioning of the organization as it can hamper the organizations future growth. Regulators formulating the policies and regulations for effective management of operational risk are faced by the following challenges :- Ø Ever changing requirements of policies. Ø Policies are expensive to start and implement at the workplace. Ø They also hamper the normal functioning of financial organization and requires trainings across all verticals. Ø Employee and customer participation is difficult to managed. 2.3.8. Operational Risk and Financial Organizations Advent of newer and convenient technology for various processes and tasks has made :- Ø our financial system has become more susceptible to attacks by hackers and viruses. The system needs to quarantined ( detained) for all possible leak holes and if found must be plugged immediately because of the following reasons :- Ø The financial system is the backbone of economy for any country or region. Ø It is the system that makes the economy grow and maintain its track. Ø It is of prime importance that the operational risk at this industry must be managed with utmost care. With increasing level of pilferage at the financial system,