|
Principle 1: Operational risk culture
Principle 2: Operational risk management framework
Principle 3: Board of directors
Principle 4: Operational risk appetite and tolerance
Principle 5: Senior management
Principle 6: Risk identification and assessment
Principle 7: Change management
Principle 8: Monitoring and reporting
Principle 9: Control and mitigation
Principle 10: Business resilience and continuity
Principle 11: Role of disclosure
(Table 8.2). For each principle, the supervisory authorities express their expectations
on what represents “good.” The document, free to download from the BIS website, is
recommended reading for all operational risk professionals.
A d v a n c e d M e a s u r e m e n t A p p r o a c h ( A M A )
In advanced measurement approaches for banks and internal modeling approaches
(IMAs) for insurance companies, financial institutions are free to assess their own cap-
ital needs, provided that the regulatory authority of each country in which the firm is
incorporated accepts their model. Using internal models, banks assess the level of cap-
ital sufficient to cover all possible operational losses up to a 99.9% confidence interval
at a one-year horizon. In other words, they should cover for an amount of yearly losses
up to the 999th worst year for losses, out of 1,000 years of simulation.
Internal modeling can result in lower capital requirements for the bank or the
insurance company, compared with the standardized approach. Originally, the Basel
Committee limited the capital reduction to 75% of what the standardized level would
be. However, to my knowledge, no institution ever achieved savings anywhere near
that magnitude; in fact, quite the opposite: many banks calculated higher capital levels
with their own models compared with a standardized approach, which persuaded some
not to apply for AMA. The intended motivation for AMA therefore fell through and it
has never been adopted as widely as the supervisors initially hoped.
Most AMA adoptions came in the early days of the regulation and from Euro-
pean countries: France, Italy, Germany, the Netherlands and Belgium. Obtaining an
82
RISK ASSESSMENT
AMA approval takes on average three years to prepare, requires internal and external
validation by independent parties and the fulfilment of around 30 criteria, both quali-
tative and quantitative. The criteria include:
■
incident reporting history of five years (now ten years in the reform drafts)
■
mapping of risks and losses to regulatory categories
■
independent operational risk management function
■
implication of the senior management in risk management
■
written policies and procedures
■
active day-to-day operational risk management.
Since the first publication of AMA rules by the Basel Committee, regulators
around the world have published guidance documents on the models to be used and
on the implementation of management principles and lessons learned from the models
(use test). Interested readers in the U.S. should consult Fed and OCC publications,
while readers in Europe should refer to the texts of the European Banking Authority
(EBA) and the various national regulators.
The objective of advanced approaches for operational risk capital measurement is
to have regulatory capital that fairly and honestly reflects the risk profile of the financial
institution. Four types of input are required to build a qualifying model:
■
internal loss data (ILD)
■
external data (ED)
■
scenario data (SD)
■
business environment and internal control factors (BEICF).
I n t e r n a l L o s s D a t a
Experience of internal events, incidents, losses and near misses
is at the center of the institutional knowledge of operational risk and is the first step
to improve the status quo. Internal loss data collection is essential because it provides
management with information on past losses and future trends. If repetitive, losses
can indicate control breaches and internal failures that could potentially lead to larger
losses. Repeated losses that are inherently small due to reduced exposure or effec-
tive process controls can be included in pricing as the cost of doing business. From a
statistical standpoint, internal loss recordings provide many data points for modeling
the distribution, especially the “body” of the distribution, where frequency is high and
losses are moderate. Comprehensive incident databases provide useful information on
risk and control environments that can inform causal models, i.e., risk models based
on causes of failures, and deliver parameters for scenario analysis and assessment.
F r o m I n t e r n a l D a t a b a s e t o C a l c u l a t i o n D a t a s e t
There is, however, a difference
between the internal incident database maintained by the risk management depart-
ment and the calculation dataset used by modelers; each institution must establish rules
Do'stlaringiz bilan baham: |
