Risk and Control Self-Assessments
management and continuity planning, own risk and solvency assessment (ORSA) and
capital assessment. They can be run in a related exercise, consistent with the findings
of the RCSAs. Scenario assessment, ORSA and capital assessment are presented in the
next two chapters.
With its left and right borders defined, RCSA positions itself as the happy medium
of risk assessment. Like the tale of Goldilocks, our selections are neither too mild nor
too severe but sit in the middle. And when you focus on “the stuff in the middle,” as a
manager put it one day, with full involvement of business partners, risk conversations
will deliver great business value.
CHAPTER 7
Scenario Assessment
Chapter 3 listed the seven steps of a scenario analysis process, from preparation
to incorporation into capital, and focused on the first two. This chapter reviews
the next three steps: assessment, validation and management lessons. The final two
steps – aggregation and incorporation into capital – will be covered in the next chapter.
Scenario assessment is probably the most challenging task in the scenario analysis
process. Assessing likelihood is tricky, if not illusory in some instances. Assessing
severity needs the rigorous inclusion of business data to avoid exaggerations and
distortions affecting the process. Scenario assessment requires a structured and reasoned
approach, rooted in the business reality. This chapter reviews different methods
financial companies use to assess the likelihood of rare and extreme events impacting their
businesses. These methods will be presented from the least sophisticated to the more
sophisticated, after presenting the principles of severity and frequency assessment.
SEVERITY ASSESSMENT
The severity assessment of each scenario is the evaluation of the total negative
impacts, direct and indirect, financial and non-financial, that the scenario would
generate. Non-financial impacts, such as interruption of service, regulatory scrutiny or
customer detriment, need to be assessed and converted into financial terms, to ensure a
comprehensive assessment of the scenario severity. Direct losses may include money
loss, compensation payment, legal expenditures, fines, replacement costs, loss of
resources and write-offs. Indirect impacts may include damage to reputation, resulting
in loss of customers, loss of funding or higher funding costs. The cost of remediation
plans, more intensive regulatory scrutiny and lost or reduced future revenues are other
possible indirect impacts of extreme events.
The total impact to assess is the impact after post-event mitigation but before
considering external insurance policies. Insurance recovery is an important element of
loss mitigation, but it needs to be identified separately. Additionally, insurance
policies need to fit certain criteria in order to be recognized by the regulator as a substitute
for regulatory capital.
Operational Risk Management: Best Practices in the Financial Services Industry, First Edition.
Ariane Chapelle.
© 2019 John Wiley & Sons Ltd. Published 2019 by John Wiley & Sons Ltd.
Impact assessment must be linked to the business reality and to the loss drivers
in order to be justifiable vis-à-vis both the regulator and management. For instance,
where financial impacts are driven by customer loss, they must include, as a minimum,
an estimation – or a range of estimates – of the percentage of customers who leave in
relation to the range of revenue brought by customers (e.g., from 3% to 10% of customers
leaving the firm, bringing revenue to the firm of between $1,500 and $5,000 per
year). For a business line serving 100,000 customers, that is a financial impact ranging
from $4.5 million (lowest estimate) to $50 million (highest estimate) in lost revenue.
This would apply to a scenario where incidents damage the trust customers have in a
firm or a product. Different customer value weightings, as well as the likelihood
percentage range of customers leaving, can be introduced to these types of estimates to
obtain a proper distribution range for possible impacts. This is illustrated in more detail
in case studies and examples further in this chapter.
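The customer-loss estimate above can be turned into a distribution of impacts with a short simulation. The following is an added example, not taken from the book: the customer count and the two ranges come from the text, while the triangular distributions, their most-likely values (5% attrition, $2,500 revenue), the sample size and the seed are assumptions chosen for illustration.

```python
import random

CUSTOMERS = 100_000          # size of the business line, from the text
ATTRITION = (0.03, 0.10)     # share of customers leaving, from the text
REVENUE = (1_500, 5_000)     # yearly revenue per customer in $, from the text
# Assumed most-likely values; the text gives only the two ranges.
ATTRITION_MODE = 0.05
REVENUE_MODE = 2_500


def impact_bounds():
    """Lowest and highest lost revenue implied by the two ranges."""
    low = CUSTOMERS * ATTRITION[0] * REVENUE[0]
    high = CUSTOMERS * ATTRITION[1] * REVENUE[1]
    return low, high


def simulate_impacts(n=20_000, seed=7):
    """Draw n lost-revenue outcomes and return them in ascending order."""
    rng = random.Random(seed)    # fixed seed so the assessment is repeatable
    draws = []
    for _ in range(n):
        # Weight each range towards its assumed most-likely value.
        rate = rng.triangular(ATTRITION[0], ATTRITION[1], ATTRITION_MODE)
        revenue = rng.triangular(REVENUE[0], REVENUE[1], REVENUE_MODE)
        draws.append(CUSTOMERS * rate * revenue)
    return sorted(draws)


def percentile(sorted_values, p):
    """Nearest-rank percentile of an ascending list, p an integer in 1..100."""
    rank = max(1, -(-len(sorted_values) * p // 100))   # ceiling division
    return sorted_values[rank - 1]


def summary(n=20_000, seed=7):
    """5th, 50th and 95th percentile of the simulated lost revenue."""
    draws = simulate_impacts(n, seed)
    return {p: percentile(draws, p) for p in (5, 50, 95)}


if __name__ == "__main__":
    low, high = impact_bounds()
    print(f"range: ${low:,.0f} to ${high:,.0f}")
    for p, value in summary().items():
        print(f"P{p}: ${value:,.0f}")
```

Under these assumed weightings the expected impact is 100,000 x 6% x $3,000 = $18 million, well below the midpoint of the $4.5 million to $50 million range, because both extremes require the worst attrition and the highest customer value to coincide.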
Peer comparisons from loss data provide benchmarks for severity assessment,
especially for events when the loss drivers are not as straightforward as the example
above, or for events when the firm has no experience of regulatory sanctions or
cyberattacks. Losses from large institutions can be scaled down to suit smaller businesses
assessing the scenario. External loss databases can also provide useful benchmarks to
assess the frequency – or likelihood – of scenarios.
FREQUENCY ASSESSMENT
Frequency assessment investigates the probability of each scenario happening in the
coming year. The one-year horizon for the forecasts aligns the scenario analysis
process with the measurement of the economic capital. Probabilities of occurrence can be
expressed either in percentages (%) or in fractions (1/200, 1/400, ...).
In workshop-based assessments, participants are asked to assess the chance of each
scenario occurring over the next 12 months, with similar environments for risk
conditions. The exercise is updated every year, in light of new events and new experiences,
using the same one-year horizon.
Attributing probabilities to rare events is complex. Traditional sampling and
past statistical observation are insufficient in this context. Additionally, human minds
are not well equipped to distinguish between several low probabilities (1 in 100
can be easily confused with 1 in 500). Therefore, relying on the sole judgment of
the scenario assessment workgroup participants may lead to major discrepancies
between members, let alone potential large divergence from the true probability.
The following subsections are dedicated to techniques to overcome some of these
difficulties.
Scenario probabilities will be based, whenever possible, on external statistics and
quantitative data. Different types of data can be used, depending on the nature of the
scenario. For external events such as natural disasters, pandemics, earthquakes and