|
Regulatory Capital and Modeling
83
and rationales for when to include incidents in the calculation dataset, particularly for
special cases such as near misses, accidental gains and rapidly recovered losses. The
most conservative institutions will include those events both in frequency and in sever-
ity, considering the absolute value or potential loss as the severity. Others will include
them in frequency but with zero severity, and some will simply exclude those records
from the calculations and modeling. Other elements of data quality such as classifica-
tion of events, risk categories, business lines, dates and amounts are obviously critical
for the reliability of the model results.
However, the loss history of a single institution is not sufficient to reflect the full
range of event possibilities and outcomes that might affect the institution; it needs to
be supplemented by external data from incidents at peer organizations or in related
industries.
E x t e r n a l D a t a
Loss data and event details from external parties are sourced from
databases that gather public information on operational incidents, such as IBM Algo
FIRST and Factiva. Industry associations and membership organizations also collect
loss data information from members and share it anonymously with every member.
ORX is the largest and oldest one, established in 2002, and has collected upwards of
600,000 incidents from 12 members initially, to nearly 100 members in 2018 – mostly
international banks and insurance companies. ORIC International, founded in 2005, is
the leading operational risk consortium for the (re)insurance and asset management
sector globally. When choosing external sources to complement internal data, a firm
considers many elements to ensure that the external losses come from comparable
peers. They include geographical distribution of activities; sector or business lines
concentration; length of data series by event type; the data classification and certifi-
cation rule for data quality; the number, types and size of members; and the reporting
threshold for incidents in the database. Information versus abundance is the tradeoff
modelers face when choosing external datasets. Databases collecting publicly known
operational risk events provide full information about the institution involved in each
event, allowing you to compare contexts and judge the relevance of each event for the
modeling firm. But they are less numerous than membership databases, which makes it
statistically harder to model incidents. Although abundant, membership databases are
anonymous and have very little information about each event.
Mixing internal and external loss data, for the calculation dataset that will be used
to calibrate the models, requires several methodological decisions that may signifi-
cantly influence the end results. There is extensive academic literature on this topic,
with detailed discussions that go beyond the scope of this book. However, it is impor-
tant for risk managers to be aware of the following three practices and to be able to
discuss them with modelers:
■
Scaling: the adjustment for the size of losses to the size of the institution, or to other
dimensions. A loss recorded in a large international bank can be scaled down to fit
84
RISK ASSESSMENT
a smaller national bank, for instance proportionally to the size of the institution.
Other types of scaling include the correction for inflation if data span many years.
■
Cut-off mix: refers to the stage at which external data are included in the model;
typically at a severity level where internal data become scarcer and more data
points are needed to estimate a distribution, i.e., for larger losses.
■
Filtering: relates to the type of peer losses that will be filtered in or out of the
calculation set of the modeling institution. Regulators require clear rules to be set
for the selection of data in order to avoid “cherry picking” and manipulation of
results.
S c e n a r i o s
Operational risk disasters, whether due to systems failures or disruptions,
cyber-attacks, physical damage or compliance breaches, have the potential to wipe out
years of revenues, significantly damage reputation and damage the firm’s long-term
earning capabilities. Scenario analysis plays the important role of requiring organiza-
tions to consider the prospect of such disasters, which may never have happened to
them before, or to their peers, and to assess their resilience if such disasters should
occur. For modeling purposes, scenario analysis provides an important input to the tail
of the distribution and an effective benchmark to judge the sufficiency of capital. To
management, it provides information about the organization’s large exposures, possible
vulnerabilities and the necessary level of preventive controls and mitigating measures.
Scenario analysis is detailed in the previous chapter.
B u s i n e s s E n v i r o n m e n t a n d I n t e r n a l C o n t r o l F a c t o r s
Regulators require that
operational risk models include updated BEICF regions/countries of operation, regu-
latory context, changes in the competitive landscape and level of external criminality.
They also require information on the internal control environment, such as the design
and effectiveness of controls, automated versus manual processes, evidence of control
testing, and training and governance. The influence of BEICF is usually included in the
model through RCSA results and scenario analysis. Regrettably, however, the AMA
input still has the least explicit role in operational risk modeling, even though business
environment and internal controls are two of the main drivers of operational risk.
C A S E S T U D Y : M O D E L S T R U C T U R E O F A N A M A B A N K
I N E U R O P E
An AMA bank in Europe has been generous enough to share with me the
details of its operational risk model methodology. Four national regulators have
approved this model where the bank is supervised in Europe and overseas. The
model explicitly includes the four inputs required by AMA, as illustrated in
Figure 8.1. Two different statistical distributions are used to calibrate the body
Do'stlaringiz bilan baham: |
