PhD Almagambetova G.A.
PhD Assylova A.S.
Kazakh economic university, RK
OPERATIONAL RISK MANAGEMENT DEVELOPMENT AT CITIBANK KAZAKHSTAN
Introduction. As a large financial institution, Citibank Kazakhstan is exposed to a variety of risks, including operational risk. Operational risk arises from the use of processes and systems and from interaction with the external environment, for example with customers, suppliers and regulators. Ultimately, operational risk is about people. Every member of staff can contribute to reducing operational losses by being "risk aware" and acting accordingly.
The Basel Committee defines operational risk as:
"The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events."
This definition includes legal risk, but excludes strategic and reputational risk. However, the Basel Committee recognizes that operational risk is a term with a variety of meanings and therefore, for internal purposes, banks are permitted to adopt their own definitions of operational risk, provided the minimum elements of the Committee's definition are included.
Operational risk at Citibank Kazakhstan can result in a variety of incidents that cause material financial loss, customer dissatisfaction and reputational damage. Examples include:
- Processing errors
- Fraud
- IT systems failures
- Terrorist attacks
It is the responsibility of everyone in the bank to be risk aware and vigilant, so that vulnerabilities and deficiencies are addressed and operational risk is reduced. Managing operational risk appropriately also helps the bank to be better prepared to manage incidents if and when they occur.
Concepts of Operational Risk.
Operational Risk Events. In its 2003 Sound Practices paper, the Basel Committee (in conjunction with the banking industry) identified seven loss event categories that are considered to have the potential to result in substantial operational losses. The same categories describe Citibank Kazakhstan's potential risks:
1. Internal Fraud. Internal fraud refers to unauthorized activity, theft or fraud that involves at least one internal party. Examples of events classified as internal fraud include: intentional misreporting of positions; unauthorized undertaking of transactions; deliberate mismarking of positions; insider trading (on an employee's own account); malicious destruction of assets; theft/robbery/extortion/embezzlement; bribes/kickbacks; forgery; willful tax evasion.
2. External Fraud. External fraud refers to theft or fraud carried out by a third party outside the organization. It includes, for example: theft/robbery; forgery; damage from computer hacking; theft of information; check kiting.
3. Employment Practices & Workplace Safety. This category refers to events relating to employee relations, a safe working environment and diversity/discrimination. Examples of events that could give rise to operational losses include: employee compensation claims; wrongful termination; violation of health and safety rules; discrimination claims; harassment; general liability.
4. Clients, Products & Business Practices. Operational losses in this category arise from a failure to meet an obligation to a client, or from the nature or design of a product. Examples of events in this category include: breaches of fiduciary duties; suitability/disclosure issues (KYC, and so on); account churning; misuse of confidential client information; antitrust; money laundering; product defects; exceeding client exposure limits.
5. Damage to Physical Assets. This
category accounts for losses as a result of disasters and other events. It
therefore includes: natural disasters (earthquakes, fires, floods, and so on);
terrorism; vandalism. Apart from physical assets, human losses from external
sources are also included.
6. Business Disruption & System Failures. Operational
event risks in this category include: hardware and software failures;
telecommunication problems; utility outages/disruptions.
7. Execution, Delivery & Process Management. This category covers risk events related to transaction processing or process management, trade counterparties and vendors. Examples of such events include: miscommunication; data entry errors; missed deadlines or responsibilities; model/system malfunction; accounting errors; mandatory reporting failures; missing or incomplete legal documentation; unapproved access given to client accounts; non-client counterparty disputes; vendor disputes; outsourcing.
Execution, Delivery & Process Management: Outsourcing. As the number and complexity of financial products and services expand, financial institutions increasingly use outside firms to provide supporting technology and human resources. Outsourcing offers access to sophisticated and experienced personnel that may not be available internally, and enables banks to concentrate on their core business and reduce costs. Outsourcing, however, does not eliminate operational risk. In fact, it may increase a bank's exposure to operational risk events such as fraud, systems failure and legal liability, because the bank remains accountable for a process it no longer controls directly.
Legal Risk. The Basel Committee's definition of operational risk explicitly includes legal risk. The inclusion of this form of risk under the umbrella of operational risk, however, has been the subject of much debate, primarily because of the difficulty of defining what exactly constitutes legal risk. The Basel Committee does not provide an exact definition of legal risk in Basel II, nor does it explicitly state where it fits in, so it would appear that legal risk can cut across all aspects of the definition of operational risk (inadequate or failed internal processes, people and systems, and external events). We define legal risk as the risk of unenforceable contracts (in whole or in part), lawsuits, adverse judgments or other legal proceedings disrupting or adversely affecting the operations or condition of a bank. It can arise from a variety of issues, from broad legal or jurisdictional questions to something as simple as a missing provision in an otherwise valid agreement.
1. Reputational Risk. Reputational risk has not yet been defined by the Basel Committee and is excluded from its definition of operational risk. For the purposes of this article, we refer to it as the possibility that negative public opinion regarding an institution's practices, whether true or not, will result in a decline in its customer base, expensive litigation and/or a fall in revenue. Reputational risk can also cause liquidity difficulties, a fall in share price and a significant reduction in market capitalization. For example, in 1994, Bankers Trust was accused of
having misled customers by selling them inappropriate derivatives positions.
Its reputation was so badly damaged that it was forced into acquisition. In
1997, NatWest Markets, the corporate and investment banking arm of one of the
UK's largest banks, NatWest, was involved in a scandal involving mismarking of
positions in an attempt to conceal losses. Confidence in NatWest was so
undermined that the bank was eventually sold. More recently, a wave of high profile
corporate failures, such as those at Enron and WorldCom, have shocked the
financial world. When Enron filed for Chapter 11 bankruptcy in December 2001,
it was the largest US corporate bankruptcy in history – until WorldCom
filed for Chapter 11 in July of the following year. With USD 107 billion in
assets and USD 41 billion in debt, the WorldCom bankruptcy was around twice the
size of Enron's. These failures revealed serious issues such as accounting
deception, inappropriate conflicts of interest and fiduciary failures,
resulting in a crisis of confidence in the corporate world in general.
2. Strategic (Business) Risk. The Basel Committee's definition of operational risk also excludes strategic risk (or business risk). This is another form of risk that the Committee has yet to define, but it incorporates the risk arising from an inadequate business strategy or from an adverse shift in the assumptions, parameters, goals and other features that underpin a strategy. It is therefore a function of:
- a bank's strategic goals;
- the business strategies developed to achieve these goals;
- the resources deployed in pursuit of these goals;
- the quality of implementation of these resources.
Business risk, however, is another form of risk that is difficult to assess in practice. It can be particularly difficult to separate from other forms of risk, such as market risk. For example, a falling stock market is clearly a market risk, but for a stockbroker the financial impact might be greater as a result of the threat posed to its business plan by decreasing transaction volumes.
3. Model Risk. With the
ever-increasing use of sophisticated derivatives pricing and risk measurement
models, banks are becoming more exposed to modeling errors. Model risk can be
defined as the risk of loss arising from the failure of a model to sufficiently
match reality, or to otherwise deliver the required results. It can arise from
a number of issues, including: mathematical errors (for example, in determining
the formulas for valuing more complex financial instruments); the lack of
transparent market prices for some of the more illiquid market factors; invalid
assumptions; inappropriate parameter specification; incorrect programming.
Qualitative Assessment: Barings. Probably the most infamous example of operational risk mismanagement is the collapse of Barings Bank in 1995. Barings was much respected as the oldest merchant bank in the UK. The appointment of Nick Leeson in 1992 as general manager of the bank's subsidiary in Singapore (BFS) set in motion the chain of events that ultimately led to its demise in February 1995.
1. Lack of Understanding of Business. The board of directors should be aware of the major aspects of the bank's operational risks.
4. Poor Supervision of Employees. Banks should have a process in place to monitor operational risk regularly. The Basel Committee advises that monitoring should be an integrated part of a bank's activities, and that there should be regular reports to the board and senior management with the results of these monitoring activities.
Operational Risk Assessment Techniques. The Barings case may be extreme, but it does highlight the need for banks to assess their operations and activities for operational risk vulnerabilities. How do banks perform this sort of assessment? In practice, this process is internally driven and can therefore involve a variety of methods, such as checklists, questionnaires, workshops and scorecards, to identify potential operational risks throughout the organization. Operational risk scorecards, which enable qualitative assessments to be translated into quantitative metrics that rank the different types of operational risk, are a very popular method of risk assessment. In simple terms, a scorecard is a list of a bank's assessment of its own risks. Although the list is subjective, scorecards offer the advantage of flexibility in that they automatically fit the bank's identified risks, and are not reliant on an external opinion of the risks faced by the bank.
Operational Risk Scorecards. Scorecards usually display scores for operational risk in dollar (or other currency) amounts for the potential severity of the loss, and in number of occurrences per annum for potential loss frequencies. Citibank Kazakhstan uses this technique, and a typical operational risk scorecard looks like this:
Table #1. Operational risk scorecard.
Key:
CAT = Catastrophes
DIS = Disruption to Business
EMP = Employment Practices
UNA = Unauthorized Activity
PER = Personnel
TEC = Technology
UNE = Unintentional Errors
OUT = Outsourcing
REP = Reporting Errors
ECA = External Criminal Activity
The self-assessment for scorecards often comes in the form of a
questionnaire. The design of the questionnaire and the choice of assessors to
fill in the questionnaire are crucial if reliable scores for operational risk
are to be obtained. Scorecards are often designed to relate to specific
processes categorized by product, location or organizational unit. Once the
assessors have completed the questionnaires for all these processes, the
individual scorecards can be aggregated across product, location or
organizational unit.
Operational Risk Indicators. Operational risk indicators are a broad category of measures that provide insight into Citibank Kazakhstan's risk position by attempting to identify potential losses before they happen [2]. Some indicators are applicable to specific organizational units (for example, transaction volumes and processing errors), while others can be applied across the entire bank (for example, employee turnover, new hires and number of sick days). Whatever the type of indicator, it must have some frame of reference, generally referred to as a trigger/threshold level or escalation criterion. These levels represent the acceptable level of performance, related to the bank's risk appetite or some target level of quality. When a breach occurs, it serves as an indication that a higher level of management needs to be informed. Some banks define multiple trigger levels that specify which level of management should be informed following a breach of each level.
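The trigger-level mechanism described above can be implemented as a small monitor that compares each indicator reading with an ordered set of thresholds and names the management level to inform. The code below is an added example and is not Citibank Kazakhstan's monitoring system; the indicator names, threshold values, management levels and monthly readings are constructed for the illustration.

```python
"""Operational risk indicator monitoring with tiered trigger levels.

Added illustration only; not Citibank Kazakhstan's monitoring system.
Indicator names, trigger thresholds, management levels and the readings
below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Indicator:
    name: str
    unit: str
    # Trigger levels ordered from least to most severe: (threshold, who to inform).
    # The thresholds encode the acceptable level of performance (risk appetite).
    triggers: tuple
    higher_is_worse: bool = True

    def breached_level(self, value: float) -> Optional[str]:
        """Return the most senior management level whose trigger is breached,
        or None when the reading is within appetite."""
        escalate_to = None
        for threshold, level in self.triggers:
            breached = value >= threshold if self.higher_is_worse else value <= threshold
            if breached:
                escalate_to = level  # later entries are more severe, so keep the last hit
        return escalate_to


# Constructed indicator catalogue (assumed thresholds, not real bank figures).
INDICATORS = {
    "processing_error_rate": Indicator(
        "processing_error_rate", "% of transactions",
        ((0.5, "unit head"), (1.0, "country operations head"), (2.0, "country risk committee")),
    ),
    "employee_turnover": Indicator(
        "employee_turnover", "% per annum",
        ((15.0, "HR head"), (25.0, "country management")),
    ),
    "core_system_availability": Indicator(
        "core_system_availability", "% uptime",
        ((99.5, "IT head"), (99.0, "chief operating officer")),
        higher_is_worse=False,  # lower availability is worse
    ),
}

# Constructed monthly readings: (organizational unit, indicator, value).
SAMPLE_READINGS = [
    ("Cash Management", "processing_error_rate", 0.3),
    ("Trade Finance", "processing_error_rate", 1.4),
    ("Trade Finance", "employee_turnover", 27.0),
    ("Treasury", "employee_turnover", 9.0),
    ("IT", "core_system_availability", 99.2),
]


def evaluate(readings, catalogue=INDICATORS):
    """Compare each reading against its indicator's trigger levels and return
    one escalation record per breach, in reading order."""
    escalations = []
    for unit, name, value in readings:
        indicator = catalogue[name]
        level = indicator.breached_level(value)
        if level is not None:
            escalations.append({
                "unit": unit,
                "indicator": name,
                "value": value,
                "unit_of_measure": indicator.unit,
                "escalate_to": level,
            })
    return escalations


if __name__ == "__main__":
    for e in evaluate(SAMPLE_READINGS):
        print(f"{e['unit']}: {e['indicator']} = {e['value']} {e['unit_of_measure']} "
              f"-> inform {e['escalate_to']}")
```

Triggers are kept as an ordered tuple so that the most severe breached level wins; indicators where a low value is the problem (availability) simply flip the comparison rather than needing a separate code path.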
Statistical Approaches. Despite the practical difficulties of quantifying operational risk, the development of operational risk models has continued apace since the late 1990s. Moreover, the Advanced Measurement Approach (AMA) for operational risk in Basel II permits banks to base their regulatory capital charge on their own internal models, which has further stimulated efforts in the banking industry to develop models that quantify operational risk. Statistical approaches to operational risk measurement generally involve methodologies that quantify operational risk in dollar, or other currency, amounts (similar to value-at-risk measures of market risk). The approaches involve the collection of actual loss data and the derivation from this data of an empirical statistical distribution. An unexpected loss amount, against which banks must hold a capital buffer, can then be calculated from the distribution as the difference between the loss at the chosen confidence level and the expected (mean) loss. In theory, the unexpected loss can be calculated to any desired target confidence level. In practice, many banks are working towards measuring operational risk at a 99.9% confidence level. At this level they expect to suffer a catastrophic loss event (that is, one that exceeds the capital held), statistically speaking, only once every 1,000 years.
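The following is an added example of the loss-distribution calculation described above; it is not a Citibank Kazakhstan model. It takes a constructed internal loss history, derives the annual event rate and an empirical severity distribution from it, simulates aggregate annual losses, and reports the expected loss, the loss at the 99.9% confidence level and the unexpected loss between them. The choice of a Poisson event count with severities resampled from the observed losses is an assumption of this example, not something the article specifies.

```python
"""Loss-distribution estimate of expected and unexpected operational loss.

Added illustration; not a Citibank Kazakhstan model. The loss history is
constructed, and Poisson frequency with bootstrapped empirical severity is
this example's assumption, not a method stated by the article.
"""
import math
import random
import statistics

# Constructed internal loss history (USD) over three observed years.
OBSERVED_LOSSES_USD = [
    1_200, 850, 3_400, 22_000, 410, 980, 5_600, 1_750, 64_000, 2_300, 1_100, 7_800,
    930, 15_500, 2_900, 480, 1_600, 3_100, 9_400, 1_250, 720, 4_700, 2_050, 310_000,
]
YEARS_OBSERVED = 3


def poisson_draw(rng, lam):
    """Sample the number of loss events in one year (Knuth's method)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def quantile(samples, q):
    """Empirical quantile: smallest value such that a fraction q of samples lie at or below it."""
    ordered = sorted(samples)
    idx = max(0, min(len(ordered) - 1, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]


def simulate_annual_losses(losses, years_observed, n_years=100_000, seed=7):
    """Monte Carlo aggregate annual loss: event count ~ Poisson(observed rate),
    each event's severity resampled from the observed losses (bootstrap)."""
    rng = random.Random(seed)
    rate = len(losses) / years_observed  # average events per year in the data
    return [
        sum(rng.choice(losses) for _ in range(poisson_draw(rng, rate)))
        for _ in range(n_years)
    ]


def capital_figures(losses, years_observed, confidence=0.999, **kwargs):
    """Expected loss (mean of the simulated distribution), loss at the confidence
    level, and the unexpected loss between them, which is the capital buffer."""
    annual = simulate_annual_losses(losses, years_observed, **kwargs)
    expected = statistics.fmean(annual)
    at_confidence = quantile(annual, confidence)
    return {
        "expected_loss": expected,
        "loss_at_confidence": at_confidence,
        "unexpected_loss": at_confidence - expected,
        "return_period_years": 1.0 / (1.0 - confidence),  # 1,000 years at 99.9%
        "max_single_loss_in_data": max(losses),  # the bootstrap cannot exceed this
    }


if __name__ == "__main__":
    for key, value in capital_figures(OBSERVED_LOSSES_USD, YEARS_OBSERVED).items():
        print(f"{key:>24}: {value:,.0f}")
```

Because severities are resampled from the observed history, no simulated event can exceed the largest loss in the data; this is the practical weakness of internal data mentioned in the summary, and it is why banks supplement internal data with external loss data or a fitted severity tail before trusting a 99.9% figure.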
Summary.
The Basel Committee defines operational risk as "the risk of loss
resulting from inadequate or failed internal processes, people and systems or
from external events"[1]. There are seven loss event categories that can
result in substantial operational losses at Citibank Kazakhstan: internal
fraud; external fraud; employment practices and workplace safety; clients, products
and business practices; damage to physical assets; business disruption and
system failures; execution, delivery and process management. The Basel
Committee's definition includes legal risk, which is the risk of unenforceable
contracts, lawsuits, adverse judgments or other legal proceedings disrupting or
adversely affecting the operations of a bank. For internal purposes banks are
permitted to adopt their own definitions of operational risk, provided they
meet the minimum requirements of the Basel definition. The Basel Committee
specifies ten sound principles for the management of operational risk. These principles
indicate the type of qualitative assessment banks should be undertaking, and
banks must show that they have implemented them. The principles cover four
areas: developing an appropriate risk management framework; risk management:
identification, assessment, monitoring and mitigation/control; role of
supervisors; role of disclosure.
The collapse of Barings Bank is the best-known example of operational
risk mismanagement. The mistakes made by management were: lack of understanding
of business; lack of separation of duties; disregard for auditor's report; poor
supervision of employees. Operational risk assessment techniques include
methods such as scorecards and operational risk indicators. The development of
statistical approaches presents challenges such as the collection of sufficient
good quality data. Internal data may not include low frequency, high severity
losses, while external data may not be relevant to the bank. Despite these
difficulties, some banks are developing operational risk models, typically
calculating operational risk at the 99.9% confidence level. To minimize operational risk at Citibank Kazakhstan, the bank's management uses the techniques described above.
In conclusion, the Operational Risk and Internal Control team of Citibank Kazakhstan operates as the single point of accountability for establishing an effective framework, deploying an integrated approach to the management of operational risk and internal control.
References
1. Comprehensive online course on Operational Risk Management.
2. Worldwide credit and financial courses for bankers and investors.
3. Configure Treasury & Risk Mgmt: Screen by Screen Config. guide.