BCI Symposium Establishing a BCM Awareness Programmel 031008
IRM SIG Quantifying Operational Risk November 2015
1. STRATEGY I INNOVATION I EXPERTISEPRIVATE & CONFIDENTIAL
| WWW.RQIH.COM |
11TH NOVEMBER 2015
1IRM PRESENTATION NOVEMBER 2015
Susan Young
Chief Risk Officer
Randall & Quilter Investment Holdings Ltd.
QUANTIFYING AND MODELLING OPERATIONAL RISK
ERM IN INSURANCE SPECIAL INTEREST GROUP –NOVEMBER 2015
2. STRATEGY I INNOVATION I EXPERTISE
| WWW.RQIH.COM | 2
DISCLAIMER
The thoughts and opinions expressed in this presentation are my own and do
not represent those of my organisation
3. STRATEGY I INNOVATION I EXPERTISE
| WWW.RQIH.COM | 3
SESSION OUTLINE
• The Context
• The Problem
• The Solution
• Concluding Remarks
• Questions
4. STRATEGY I INNOVATION I EXPERTISE
| WWW.RQIH.COM | 4
THE CONTEXT (1)
Operational Risk – why bother? Isn’t Insurance Risk what really matters?
• Operational risk is defined as the risk of loss resulting from inadequate of failed internal
processes, people and systems or from external events.
• Examples include (but are by no means limited to), the following;-
- Product flaws (contractual or otherwise)
- Software failures/systems architecture failings
- Employee fraud
- Money laundering
- Failure to understand/respond to legal/regulatory changes
- Business discontinuity event
- SLA breaches etc. etc………
• The financial impact from some of these an often be difficult to quantify – so how do we
manage it?
Operational Risk is a “broad church” the glue that holds it all together – that’s why we
bother
5. STRATEGY I INNOVATION I EXPERTISE
| WWW.RQIH.COM |
• Identification and articulation via Risk Register development and maintenance
• Appropriate mitigating internal controls
• Scenario analysis – (more on this later)
• Loss Event/Issues/Weaknesses/Near Misses reporting
• Setting and monitoring of Operational Appetites and Tolerances
• Key Risk Indicators
Quantification and Modelling for capital setting – end of the “food chain”
5
THE CONTEXT (2)
How is Operational Risk Managed
6. STRATEGY I INNOVATION I EXPERTISE
| WWW.RQIH.COM |
• Lack of historical/empirical data – although subscription databases such as ORIC have helped to a
point although these too have their drawbacks
• Where data has been collated (either internally or via an external database), estimation of the
financial impact often subjective and/or inconsistent, compromising any meaningful comparison
(profitability/cash flow/”top line” etc.)
• Near misses/weaknesses – any estimation can only ever be hypothetical – as it hasn’t happened!!!!
• View that Operational Risk is “not material” anyway .
• Use of Risk Registers as a “blunt proxy” for all things operational
• “Blurred boundaries” - see next slide – most risks have an “operational” element to them – leading
to potential double counting.
The result? Operational Risk calculation often viewed as “too high” – although we don’t know why…. 6
THE PROBLEM (1)
Operational Risk is hard to quantify and model. Why?
7. STRATEGY I INNOVATION I EXPERTISE
| WWW.RQIH.COM |
Insurance Risk
• Errors made in reserve movement calculations due to failures in the reserving models
• Errors in policy wordings result in inclusion of previously excluded events
• Errors in reserving estimates
Market Risk
• Losses from failure to hedge appropriately against an unanticipated change in interest
rates
Credit Risk
• Losses arising from the failure of security documentation associates with recoveries
from a defaulting counterparty
Other Risk Categories have Operational Risk elements to them
7
THE PROBLEM (2)
Operational Risk pervades…..
8. STRATEGY I INNOVATION I EXPERTISE
| WWW.RQIH.COM | 8
THE SOLUTION ?(1)
• Stratify and analyse the risks in the Risk Register;-
• Risks which are modelled by means of other data (for example Credit Risk)
should be removed – although this does not solve the issue of the operational
risk elements included.
• Risks which have a limited or negligible impact on the one year SCR – for
example strategic risks
• Hopefully, left with those risks which are purely operational.
• These will be our core risk categories for scenario analysis.
• Remaining Operational Risks can be quantified by means of Scenario Analysis;-
• For each Operational Risk, identify potential scenarios
• Identify a (small) number of potential probabilities/return periods/data points
• Workshop with management – what scenarios are likely to occur with wat
probability?
• Pass results to Capital Modellers – so they can fit a “curve” to.
A suggested approach…...
Contd……
9. STRATEGY I INNOVATION I EXPERTISE
| WWW.RQIH.COM | 9
THE SOLUTION ?(1)
A suggested approach (contd)…...
• Manageable and meaningful correlation matrix with a smaller number of risks
“XXXX fails to ensure that access to business premises and/or the infrastructure supporting the
processing of business transactions is restricted to authorised staff”
Simplistic – but goes some way to alleviating the identified pitfalls
10. STRATEGY I INNOVATION I EXPERTISE
| WWW.RQIH.COM |
• This is and will be for the foreseeable future a subjective area.
• Judgement calls will be inevitable until we have a greater body of historical data –even
for scenario analysis.
• Operational Risk elements to other risks – further analysis and granularity around the
root causes/effects to enable segregation of these elements?
• No substitute for experience – we should continue to harvest operational loss data
and range of potential operational losses against which to model.
• Difficulty in quantification does not mean impossibility.
We should persevere – and we will get better at it!
10
CONCLUDING REMARKS
11. STRATEGY I INNOVATION I EXPERTISE
| WWW.RQIH.COM | 11
Thank you for listening!
Any Questions?
AND FINALLY……..
Susan.young@rqih.com
DD +44 (0) 20 7780 5882
www.rqih.com