1. metric
CHASE COOPER
Operational Risk appetite:
Time to talk some sense?
Tony Blunden, Chase Cooper's Head of Consulting, addresses the
European stress tests confusion that revolves around operational risk appetite and proposes
practical methods of definition.
kicked off
The second round of stress tests for EU A firm's appetite for operational risk has been a subject of debate and confusion ever
banks were initiated in early March when since the Basel Committee on Banking Supervision commented that it believed that the
the EBA released their specified scenarios rigour applied to credit risk and market risk should also be applied to operational risk.
to be used by the banks for checking This has led to many believing that operational risk appetite
on capital and liquid assets should be treated in exactly the same way, i.e. as something
requirements. These scenarios will that can be reduced to a single monetary value. Whilst this is
provide both a baseline and an
possible using statistical theory, it denies the essential nature
adverse macroeconomic situation to
of operational risk. This nature pervades a risk category that
assess the solvency of the banks
involved. The adverse macro‐ can be fundamentally affected by the management and culture
economic scenario, designed by the of a firm, as well as by external macroeconomic factors.
European Central Bank, incorporates
The difficulty was implicitly
a significant deviation from the IN THIS ISSUE OF metric
acknowledged by the Basel SEC on bonus restrictions
baseline forecast and country‐specific Tony Blunden, Chase Cooper
shocks on property prices, interest Committee when it also stated IFRS Indian setback
rates and sovereign situations. that "operational risk is typically not directly taken in return Ackermann warns G-20
for an expected reward, but exists in the natural course of China leverage guidance
The EBA said that the tests were designed
corporate activity". Indeed, it can be argued that there is no
to reassure investors and regulators that
such thing as an appropriate appetite for mis‐selling, system failures, internal fraud or
banks have enough capital and liquid
assets to survive another crisis. After the external fraud. Others argue that a residual level of operational loss is tolerable where,
regulators receive feedback from the for example, the cost of mitigating the remaining risk far outweighs the impact.
industry, the scenario details will be made
Before looking at how operational risk appetite can be stated in practice, it is a good
public this month along with a sample of
idea to examine the governance that should exist around operational risk appetite. This
the banks involved. The EBA will work with
national regulators on the stress test should consider such topics as definition, ownership and accountability, scope, reporting
methodology, making this public in April, and record retention as well as an overview of the operational risk appetite
and it is expected that the banks will take methodology.
until mid May to complete the tests. The
Many firms recognise that a certain level of risk is inherent in any business
plan is that the stress testing results will
2
be made public in June. The next step will and it is the responsibility of the board to consider and approve the
ISSUE
be for the EBA to advise Member EU level of risk acceptable to the firm. The risk appetite defined by a
States and Authorities on the remedial firm should reflect the satisfactory trade‐off between the level of
back stop measures needed. m risk and the likely level of returns or costs. As a consequence,
continued on page 2
2. the typical definition of operational risk appetite is the amount that monetary value
the firm is willing to risk for a given risk‐reward or cost‐benefit is hard to
ratio. This basic statement is then expanded, perhaps using Figure establish (for
1 below as a starting point. example, the
value of system
It should be noted that there is no explicit requirement in Pillar 1
outages).
for an expression of risk appetite but such a statement forms a
natural part of Pillar 2, reflecting clear strategies and oversight by As the firm
the board and senior management and a strong risk and internal develops its
metric
control culture. The ownership of risk appetite therefore sits very operational risk
clearly at board level with senior management implementing risk management, it
appetite at a day‐to‐day business level. can start to use
indicators of its
However, it is instructive to question whose appetite should be
exposure to key
reflected in the detailed implementation of the risk appetite
risks and their controls as indicators of acceptable and
statement. The shareholders' appetite is naturally expressed by the
unacceptable levels of risk. Finally, of course, modelling will
amount of capital that the firm holds and may accommodate
provide a number of opportunities for a firm to consider its
extreme events. In comparison, the managerial appetite will reflect
operational risk appetite.
the corporate attitudes and culture of the board and management
team and is more likely to refer to a business‐as‐usual level that As most firms have an RCA, this is a good place to start considering
includes some scenarios but is generally less extreme than a firm's risk appetite. The likelihood scale of the RCA will give an
shareholders' appetite. This difference inevitably reflects the indication as to whether the RCA has been performed at a
different approaches of the two stakeholders and, in particular, the management level of appetite, a board level or shareholder level.
generally longer‐term objectives of shareholders. The impact scores will give the current appetite level, although on
reflection these may be viewed as inappropriate and in need of
revision.
Alternatively, a very common first expression of appetite is through
heat maps. These are two‐dimensional with likelihood on one axis
and impact on the other axis. Heat maps can be developed with
descriptive words such as low, moderate and critical, relative values
such as a scale of 1 to 25 (see Figure 2, below) as well as monetary
values. The heat map below indicates that relative scores of 16, 20
and 25 are critical scores and therefore unacceptable to the firm, as
a residual risk level.
2
Figure 1: Different levels of the firm view appetite differently
Most firms have a stated appetite for operational risk which is
generally at a high level and gives little business benefit. Some,
however, are using operational risk appetite at a number of levels
within the firm and deriving significant benefit for the business
from this approach.
There are many different ways of measuring operational risk
appetite and capital modelling does not have to be used.
Operational risk appetite can be expressed very simply through the
results of a risk and control assessment ('RCA'), using the exposure
of the firm to high likelihood and high impact events to delineate
Figure 2: Heat map with relative scores
acceptable risk appetite from unacceptable levels. An alternative
simple starting point is the number or value of losses to which the As noted above, when a firm has progressed to identifying
firm is subject in a period. Although the number of incidents to indicators of risks which are key there will be another set of risk
which the firm is exposed may seem a trivial way of stating appetite metrics that can be used. Figure 3 overleaf shows the
appetite, this can be used effectively for incidents where a ranges that might be applicable to a key risk continued on page 3
www.chasecooper.com
3. indicator. In this case, there are bands (red and yellow) above and Indian implementation of IFRS set back
below the area within which the firm is comfortable (the green
The path to an international
band). The limits of these bands are naturally statements of appetite
accounting standard, and
by the firm. The green/yellow boundary is a first lower‐level
with it the reduction of
statement of appetite and the yellow/red boundary is a more
accounting risk, was set back when it appeared that the Indian
extreme level of appetite. implementation of International Financial Reporting Standards (IFRS)
was in danger of being severely delayed or even abandoned by India.
metric
IFRS was due to become a standard for all large Indian firms from
April 1st this year, but local press reports say that this will at best be
delayed and could be made optional. It was planned that IFRS would
be implemented in three phases starting with those companies
valued at over $200M. However there has been a flood of companies
asking for exemptions to this implementation date. In addition there
have been issues regarding tax liability calculations.
IFRS, developed by the International Accounting Standards Board
(IASB), is based on fair or market value accounting, has been standard
in Europe for 5 years and is adopted by over 80 countries worldwide.
The USA has not yet confirmed its adoption but the SEC is expected
to announce a schedule this year with a 2015 date anticipated. China
started to use IFRS in 2007, Canada began implementation last year
metric
and Japan is expected to be compliant next year. m
SEC proposes bonus restrictions
The USA's Securities and Exchange Commission (SEC) has, in a split
vote, proposed rules that restrict bonuses for broker‐dealers and
investment advisors. The proposal now goes for public comments.
New restrictions on bonuses were one of
Figure 3: Key risk indicator as a statement of appetite the mandates of the Dodd‐Frank Act
which requires the SEC and six other US
Ultimately, it is of course possible for operational risk appetite to
federal regulatory agencies to jointly
be expressed as a monetary value if probabilistic modelling is adopt such rules. The FDIC proposed rules
applied to the operational risk data. This can also assist in cost similar to those of the SEC last month.
3
benefit analysis and in business process improvement if parts of the
"It is simply common sense that a
risk profile are beyond acceptable levels.
SEC Commissioner financial institution ‐ and thus its
Elisse B. Walter
How appetite is described therefore depends on the size, complexity shareholders ‐ can be negatively affected
and culture of the firm. It is also important to differentiate between if incentives drive behavior that is not consistent with the
the business‐as‐usual appetite of the management and the higher institution's overall interests," SEC Commissioner Elisse B. Walter
ultimate appetite of the shareholders. Although there are various said in support of the measure.
ways to describe risk appetite, it is important to apply a consistent Firms that are above a $1 billion asset threshold would be
methodology. Measuring risk appetite and benchmarking business required to file annual reports detailing their incentive‐based
performance against an appetite level enables the management compensation. The rules would "prohibit incentive‐based
team to have a clear picture of m compensation arrangements that encourage inappropriate risk‐
taking by providing excessive compensation, or that could lead to
Coming up in Issue 3 of metric material financial loss to the firm".
metric
Nick Gibson, Chase Cooper’s Financial institutions with $50 billion or more in assets face added
Director of Compliance Solutions
discusses: The FSA’s first Retail restrictions, including deferral of at least 50% of executive
Conduct Risk Outlook — emerging bonuses for three years, and board approval of compensation for
risks and potential concerns those who could expose a firm to a substantial amount of risk. m
www.chasecooper.com
4. Regulatory ASYMmetricAL
NEWS The back page, sometimes critical view from the Editor
EBA APPOINTS FIRST EXECUTIVE DIRECTOR A legacy that Victorian Britain left us was the board structure used to govern commercial
The European Banking Authority has named institutions: single tier boards of directors, elected by the shareholders in the case of publically
Adam Farkas, former chairman of the quoted companies, and consisting of executive and non‐executive directors under a board
chairman*. Executive directors ran the company on a day‐to‐day basis, whilst non‐executive
Hungarian Financial Supervisory Authority, as
directors were external appointments of experienced individuals who took a high level view
its first executive director, subject to
and advised the executive directors. These "non‐execs" were selected on their experience and
confirmation by the European parliament.
knowledge of the markets. Many were retired and many held multiple non‐exec roles. The
effort involved was not huge ‐ reading board reports, asking questions and
ACKERMANN WARNS G‐20
sitting in on board meetings. Typically non‐execs put in 2 days of their time a
Dr. Josef Ackermann, Chairman
month and their value was in their advice.
of the Institute of International
All this started to change in the 1980s. The Polly Peck insolvency, which
Finance (IIF), also Chairman of
involved falsification of accounts, led to the Cadbury Review being set up to
Deutsche Bank, has called on look at the governance of companies. Its remit, following the BCCI and Maxwell
the G‐20 to control the scandals, was expanded to cover sign‐off of companies' accounts and non‐exec
fragmented implementation of involvement. This evolved into the Combined Code of Corporate Governance
Basel III and to prevent which, after a series of reviews, all named after their chairmen ‐ Greenbury,
fragmenting the global Hampel, Turnbull, Higgs, Myners, etc ‐ was established as boardroom
financial system. He also stated governance best practices guidance (note guidance in the UK, not regulation)
managed by the Financial Reporting Council. Also around this time non‐
that the current liquidity
executives found themselves in the firing line as investors, and, in the case of
proposals could damage Dr. Josef Ackermann, Chairman of the Equitable Life, depositors, would sue for losses attributed to poor corporate
banks' abilities to provide Institute of International Finance (IIF)
(Photo courtesy World Economic Forum) governance.
credit lines to business.
In 2009, following the collapse of Northern Rock, the Walker Review was commissioned by the
FSA FINE MORTGAGE FAILURES UK Treasury, specifically for the governance of financial institutions, and for the first time risk
The FSA has fined DB Mortgages, part of the management was mentioned. Walker recommended that the governance of risk was a specific
responsibility of the board, including non‐execs, and made many recommendations including:
Deutsche Bank Group, £840,000 for irresponsible
lending practices and unfair treatment of A board risk committee be established to advise the board on risk appetite, tolerance and strategy,
customers in arrears, and has obtained rebates
That the board be served by a chief risk officer who would have a reporting line to the board
for DB Mortgages' customers estimated at £1.5
risk committee ‐ and that there should be a level of protection for this role (the FSA
million. The FSA said that DB Mortgages failed to subsequently made CRO an "approved person" role),
check that customers could still afford mortgages
A separate risk report by the board risk committee to be included in the annual corporate report.
on their retirement, failed to ensure that self‐
certified mortgages produced the best prices, and The role of non‐execs was also defined with the requirements that non‐execs should "satisfy
did not ask customers how they would live if they themselves on the integrity of financial information and that financial controls and
systems of risk management are robust and defensible".
4
had to sell to pay off an interest‐only mortgage.
So the role of a non‐exec has gone from that of an avuncular figure advising the
CHINA ISSUES GUIDELINES ON LEVERAGE executive directors on the basis of years of experience, to a high profile individual who
China's banking regulator, the CBRC, has issued must sign off the accounts, the financial controls and the risk management processes ‐ and
guidelines on the leverage rates of commercial who may be sued if he gets it wrong. The skills required have increased as has the amount of
effort that will have to be put in. This is no longer a couple of days a month effort.
banks which will require banks to keep a
maximum of 4%. These will apply to The question now is how will non‐execs acquire this risk management expertise? Risk
systemically important banks from the end of managers go through years of developing skills and many of the issues are not obvious to a
corporate businessman. Most experienced non‐execs understand corporate accounts and
2013 and for other commercial banks in 2016.
financial reporting, some have experience in financial controls, but there are few who have a
SEC PURSUES INSIDER TRADER risk management background. Risk management is a qualitative and procedural discipline, with
a large amount of complex mathematical processing, particularly in the credit and market risk
The SEC has announced it will proceed with
areas. How will non‐execs acquire and demonstrate these skills?
insider trading charges against Rajat Gupta, a
Goldman Sachs and Procter & Gamble board It could be that risk managers will become non‐execs, but the profession is young and there are few
approaching retirement age. This acquisition of risk management skills by the board, and particularly
member. Gupta, allegedly provided Raj
by non‐execs, is probably the major issue to be resolved if we are to avoid another crisis.
Rajaratnam, the founder of hedge fund Galleon
Management with inside information about the (* Note most European countries have a two tier board system with a management board of
full‐timers running the company, and a supervisory board on
quarterly earnings at both these firms as well as metric is published by
non‐executives in an advisory role. Moving to this structure was Chase Cooper.
an US$5 billion investment that Berkshire
investigated but rejected by the Hempel Report.) m web: www.chasecooper.com
Hathaway was planning to make in Goldmans. email: editor@chasecooper.com