Risk Management at Operational Management - Coursework Example

Risk Management at Operational Management Name Course Institution Introduction ISO 31000 defines risk as the effect that is resultant of the uncertainty of objectives. The effect is a negative deviation or a positive deviation of the expected. It is for that reason that the function of risk management is essential within all forms of organizations. Risk management describes the methods and coordinated sets of activities that are applied for the direction of an organization and the subsequent control of the risks that have the potential to disrupt the ability of such an organization to achieve its goals. ISO 31000 of 2009 describes it as the architecture used in the management of risk. It discusses the risk management framework and principles, and the operational risk management process [Pra161]. In the context of an organization, risk is the uncertainty that comes in relation to the activities of the organization. That means that risks cause uncertainty and the possibility of unexpected deviances in adversities. The organizations, therefore, put measures in place for risk mitigation because risks have the potential to take a business into losses. Depending on the severity of the risk, the business could lose investors, cease operation, or bounce back into operation. However, bouncing back and surviving the negative impact of risks that blow out of proportion depends on the preparedness of such an organization with regard to such risks[Fim17]. There are various risks faced by organizations such as those related to the operations, strategy, market, business reputation, and finances. This paper focuses on operational risks. Operational risks are those that an organizational faces in its daily activities. They are present unpredicted and unaccounted deviances from the projected risk. In such cases, the actual losses, incurred as a result of a failure in the systems, internal and external events, people, and systems. Such risks include those related to fraud, privacy protection, security, legal issues, and environmental and other physical risks. The results of a blow out of such risks include security breaches and the loss of tangible property or intellectual property. Such losses may cripple the operations of the company and give the competitors an advantage over the company[Rob05]. That is mostly the case of the security breach is done by the competitors and the intellectual property used for their advantage. Others are those caused by legal issues where the company experiences losses in terms of the reputation alongside financial losses. For instance, there is the risk of the failure of the network within an organization which affects the service delivery. The other example is the risk of system failure or human error that causes the application of inaccurate rates in the billing system of the organization[BIS11]. The responsibility of the operational manager in the mitigation of risk is to ensure that the organization is fully informed of the impending risks faced by the organization. The operational risk manager works with all the business units to ensure there is a draft of an operational risk assessment. Other functions include the facilitation of the formulation of a risk assessment framework and ensure the compliance of the organization with the applicable standards in relation to operational risk[BIS01]. Standard Risk Assessment The selected model is the g&h model in the Loss Distribution Approach (LDA) model that focuses on aggregate loss distributions. I prefer it over the AMA approach because of inherent complexity and the difficulty in comparability because of the numerous internal modeling practices proposed in the approach[BIS16]. It uses a bottom-up approach of capital allocation. The business under consideration is a medium-sized banking institution. Using the model, I compute the operational risk on the capital charge. The model calculates the capital charge using the value-at-risk measure approach[Fra01]. Under the LDA approach, there is the calculation of the estimates of the risk type cells, the severity probability distributions, and the frequency of one fiscal year. All the calculations utilize the internal data. After obtaining the two distributions, there is the computation of the aggregate operational loss probability. The value-at-risk capital is, therefore, presented in the total required capital. Operational risk is a significant cause of organizational failure because it is a material risk. It has the potential to destroy the shareholder value and for the business to experience tremendous losses. Risk Assessment of the Bank The Loss Distribution Approach for the Operational Risk I apply the New Basel Capital approach and consider the various lines of business (i) and event types (j). There is the ζ (i, j) that is the representation of the quantity of one loss event as a random variable for the business line and event type. That leaves F i,j as the loss severity distribution. The number of events between the times represented as t and d t + τ is random. There is as the probability function for N (i, j), a corresponding variable. Therefore, there is the distribution of the loss frequency variable as P i,j. P i,j (n)= . The loss for the business line, represented by i and business type j between business times t and d t + τ is fond using the formula: . If G i,j a compound distribution of f ϑ (i, j) is obtained using the given formula: where x>0 for the numerators and x=0 for the denominators. Note: * is the operator of convolution actions and *F the convolution of the n-fold with F itself. The modelling of the distribution of the aggregate loss follows two steps where the determination of the severity loss distribution alongside the loss frequency distribution is determined. After that is the compounding of the two resultant values for the determination of the aggregate loss distribution. Data Analysis The bank presents data 657 events of losses. The data is represented in EUR. From the information, assumptions are drawn. Such include the assumption that the information does not take the impacts of inflammation and exchange rates into consideration. There is the other assumption of the setting of the threshold to a low value. As a result, the analysis avoids the use of corrections for the truncation bias of the left as represented in the data. The data also disregards the impact of insurance. The data represents a relatively high level of the standard deviation. The median values and mean values also have a significant margin. The measure of the skewness also presents the same information. The kurtosis measure also presents data of high value which is interpreted to mean that the extreme observations that are extremely rare are the cause of the high standard deviation. Fig 1: Data Statistics Mean Value Median Value Deviation (Std.) Kurtosis Skewness 41,738 3,114 280,538 225 14 The procedure described earlier is used for the aggregation of the loss severity distribution and the loss frequency. There were prior parameter estimations done using the Carlo simulation method. It represents 50000 trials used in the estimation for the parameters and the aggregate function. The distributions are used in the modelling of the loss severity distribution. The methods used include the empirical methods for sampling, Weibull, lognormal, gamma, exponential, EVT approaches, gamma, and the g&h distributions. Comparison Table: Economic and Regulatory Estimates of the Regulatory Capital Distribution Capital Experiential 2.31% POT – 5% 9.32% BMM – Month 14.95% G&H 4.43% For the LDA approach, only the POTM – maximum of and the BMM methods are used. Risk data is be calculated for the purposes of Base II and be used to test for stress. The LDA framework works in the estimation and depends on the statistics of statistical loss events[BIS01]. It focuses on the historical events to find the capital charges. I first conduct a stress testing analysis for the determination of the capacity of the institution to handle exceptional losses. That is done to ensure that the bank is incapacitated to handle such losses and remain standing[PJo07]. A typical scenario of the bank is selected and it includes all the events with the potential to cause extreme losses on the bank. It also includes the maximum internal losses and external losses and then aggregated with the projected capital estimates. I follow that with the evaluation of all the data. As a result of the need of a hybrid of formulas for accuracy, I apply the POT-max5%, the g&h, and the BMM-max quarter. The g&h less distribution approach requires accurate historical data. Below are representations of the definitions of the historical scenario and the calculated scenario. Historical Scenarios ID Name of Scenario Loss Estimates 9 Unauthorized trading (Kerviel) 112,0002 10 The failure of process management 7,400 11 External fraud 21,080 The generated scenarios are merged with the historical scenarios. The generated scenarios include examples such as fictitious deals and crippling electricity blackouts. The data is enriched with all the loss scenarios accounted for. On the other hand, there is the statistical representation of losses. The worst losses of the worst case scenarios are much more that those shown in the historical losses. There is the use of a hypothetical scenario of employees strike based on a similar actual historical event. The estimate is set at one strike per forty years of operation. There is the consideration of the possible duration and extent of such a strike. The extent means that the strike may occur across all branches in the country or only n a single branch. There is the assumption of the impact of the strike and the distribution of the possible losses as presented in the table. Probability Loss Distribution based on by the Strike Possibility Time Taken Estimate loss in Euros 60% 2 hrs 127, 414 35% 2 days 4,000,000 3% 3-5 days 8,000,100 2% 6 days 19,999,990 Custom Hypothetical Statistics ID Case Extreme scenario Average 10 Employee strike Entire country 19,999,990 Disadvantages The EVT approach used in the stress testing analysis for the determination of the capacity of the institution to handle exceptional losses requires different statistical distributions. As a result, the algorithms used are complex because of the process involved in the generation of the data. Results of the regulatory capital estimates using the g&h model. Test Scenario IDs Scenario IDs G&h Average/Worst case BMM–Max M Average- Worst case POTM – 5% Average -Worst case Original n.a 4.43% 14.99 % 10.55 % Test 1 ID1- 8 11.7%/ 91% 3.9%/245% 4.3%/207% Test II ID1- 8 10%/ 35.7% 4%/136% 5.2%/129% Test III ID3- 5,7-8 8.8%/ 20.4% 4.6%/148% 6.6%/145% Test IV ID9- 12 5.3%/ 21% 8.8%/178% 8.5%/200% Test V ID3- 5,7-12 9%/ 70% 4.8%/199% 5.4%/320% Test6 ID3- 5,7-8 9.3%/ 30% 4.9 %/153% 5.4%/123% The decision to settle for the g&h method in the modeling of operational risk lies in its accuracy as shown in the consistency of the statistical data. The consistency is observed in the data of the worst case scenarios and the custom events of average losses. The other two applicable models are the EVT models (POTM – 5% BMM–Max M). However, they are not suitable in this case because of their sensitivity to the tail observations and the number of the observations. The extreme case projections as the one in ID 9 yield unreasonably high values that even reach the value of the value of all the assets of the bank. In addition to that, the values of the less extreme scenarios provide unreasonably low values. They provide an overestimate and an underestimate of the worst case and less extreme case data. Action Plans for Risk Mitigation According to the analysis, the most potent risks include the risks of unauthorized trading, the failure of process management such as the loss of software, and external fraud. Employee strike is also included as one of the less threatening risks. This is the analysis of the mitigation of the risks for the reduction of the value at stake in case they are experienced. Employee strike requires careful considerations of customer satisfaction and the availability of a complaints platform that is frequently checked and addressed appropriately. i. The risk of unauthorized trading The risk of unauthorized trading can be reduced through regular audits to ensure straight internal governance practices[Fim17]. There is need to review the internal governing principles and the internal control systems. It is for that reason that besides the annual auditing routine by external auditors, the bank also needs internal auditors to conduct audits on a quarterly basis. It seems cumbersome but the more frequent the audits, the greater the understanding of the system by the auditors, and the easier it gets with time[CEB10]. All the managers must undergo the necessary training so that they understand the value of risk management strategies. When the management takes such measures seriously, the information is likely to reach the bottom with the same intensity as that with which it was transmitted from the top[Jim141]. It also must include the prior-approval of products, exception reporting systems that are automated for accuracy, and close supervision during trade operations. According to Deloach (2014), such measures ensure the adherence to the policies of risk control. ii. The failure of process management (loss of software) Banks experience process management failures through cases such as the loss of software as a result of hacks and software attacks through the use of viruses and Trojan horses. There is need for the appointment of an information security officer (ISO) instead of extending the role to the Information and Technology department. In addition to such an appointment, the ISO must give quarterly reports on the status of their department and ensure the security technology evolves with the evolving trends. The information assets also need proper storage where there is limited access to classified data, the disposal of useless data, and the encryption of the regularly accessed data with temporary codes that change weekly[Dee13]. iii. External Fraud In this case, it includes theft of any kind. This describes the need for enhanced physical security of the entity. That is ensured by the use of booth visible and hidden surveillance cameras, the employment of a qualified operator of the security system, and serious rules with regard to surveillance and the surveillance room with automated testing for functionality[PWC14]. There must be no unauthorized access and the upload of the daily tapes of the surveillance for reviews during audit. The nature of the building must be reinforced with physically protective walls, especially the inner rooms of the bank. The automatic doors and locks must be checked on a weekly basis to ensure their functionality and secure encryption. The bank must use pass cards to go through all the doors where the record of entrances and exits is stored on cloud to ensure that backtracking is possible in case of an event of theft[Joa05]. Disaster Recovery Plan Disaster recovery plans are put in place to cushion the bank from the impact of losses incurred from various causes. The recovery plan described is custom to the problems faced by the bank and the data from the risk assessment. The immediate running of backup: This applies to power backup, information backup, and security backup. Information backup requires subscription to the most updated backup strategies to ensure the safety of the backed up data and the speed at which it is accessed. Data losses could occur in instances of security breaches through hacking and the presence of malware. The bank must put in place the preventive, detective, and correlative measures. The preventive measures include informing the employees about safe use of work computers and awareness before opening anonymous attachments onto the computers. There is also the installation of antivirus software for the detection, transmission of information to the ISO, and the automatic elimination of malware. Insurance: Insurance is a great preventive and responsive strategy in reaction to external fraud such as the theft of equipment and money. Insurance is expensive depending on the selected package. The bank in this case needs an average prices insurance cover with consideration of the external threat risk figures from the analysis. That way, the insurance cover helps cover some of the losses experienced in such a scenario. Backup funds: These are essential in cases of fraudulent trading practices. Such are mostly internal and the culprit most likely to face arrest, especially if the fraud involves a significant amount of money. Such funds are projected in the risk assessment and they ensure that the bank keeps running despite the fraudulent event. The backup funds must be put into operation and must be enough to sustain the business operations for a significant amount of time. That way, the necessary investigations are run without hitches in the business[Phi13]. Automated Testing Systems and Audit procedures: Such systems are installed to serve preventive purposes. However, they are also essential in the detection of the exact problem that caused the losses. The results are easily accessible because they are stored on cloud. The audits also pin point the exact areas of financial and malpractice compromises which helps the bank to focus its attention and funds towards the repair of the specific damage instead of a generalized response. References Pra161: , (Praxiom Research Group Limited, 2016), Fim17: , (Fimarkets, 2017), Rob05: , (Robert S. Dunnett, 2005), BIS11: , (BIS, 2011), BIS01: , (BIS, 2001), BIS16: , (BIS, 2016), Fra01: , (A., P., & T., 2001), PJo07: , (Jorion, 2007), CEB10: , (CEBS, 2010), Jim141: , (Deloach, 2014), Dee13: , (Coffman, 2013), PWC14: , (PWC, 2014), Joa05: , (Sammer, 2005), Phi13: , (Girling, 2013), Read More