Analyzing Operational Risk Failure of Barings Bank - Essay Example

Analysing operational risk failure of Barings bank (Source: Nick Leeson's homepage) Feb 23, 1995: Investors and financial institutions worldwide greeted with shock and panic as one of Britain's most historic banks, Barings, went bankrupt as news of a high-profile scandal echoed across much of print and electronic media. The bank's net liabilities worth 1.3 billion was nearly twice that of its investment capital, a figure large enough to capsize its entire assets, cause job losses to over 1200 employees and subsequently, being overtaken by Dutch giant ING for a measly sum of 1, and exposing the risky environment in which equity corporations scale catastrophic limits in order to make a quick profit. At the heart of the devastating scam was a person with a huge appetite for risk-taking but hardly any accountability towards the bank, Nick Leeson. Overnight, the unscrupulous futures' trader from London who was previously the poster boy for Barings' high-growth earnings from Singapore's premium monetary exchange, SIMEX (In 1993, he documented nearly 10% of the bank's profits in futures' trading), took special advantage of the bank's vulnerability in not being able to hedge the risks that come with dealing in a concern as sensitive as this. This is what happened. Nick Leeson's job as Chief Trader at SIMEX was to buy and sell the simplest kind of derivatives pegged to the Nikkei-225 stock exchange of Japan. This job entails the methodology of a skilled bookie who basically, bets on what people are likely to bet on in the future course. Despite booking profits on various occasions, some of Leeson's predictions proved incorrect. The idea to fool the bank management in covering up details of unsuccessful tradings came from devising an unaudited bank account, called error account 88888, to fix 20,000 goofed up by an inexperienced team member, which was later to serve as Leeson's personal getaway in covering up failed investment strategies. Even as the entire audit team of Barings' was kept in dark about what was the tip of the iceberg then, Leeson managed to document account losses which were initially at 2 million in 1992 to an astronomical figure of 208 million by 1994. The final blow came when Leeson pulled out a short-selling stunt by compromising derivatives at the Japanese and Singapore stock exchanges. An earthquake in Japan in Jan, 1995 upset his apple cart, the Nikkei plummeting by 7.7% overnight, the repercussions being felt across much of the Asian markets. Leeson desperately hoped for a recovery post-quake but, the trouble grew deeper as Barings' liabilities upward of 1 billion came to the fore. Before the bank authorities could take corrective action, the worst had happen, and one of the most glaring financial scams of recent history captured our imagination. Leeson later served a 4-year prison sentence in Singapore, eventually returned to the UK as a "celebrity", and ironically today, is a much sought-after speaker in guiding corporations and banks to manage risk in their financial dealings. While the Barings' episode is painfully over, the chances of another scam of this magnitude should not be ruled out. It is with this objective in mind that we must understand the mechanics of operational-risk management when applied to financial tradings. While analysing the basics of this study, we will simultaneously try to picture what happened in Barings, and what could have been done to arrest the ugly development. To understand the guidelines of operational risk management as applied to finance, it is worthwhile skimming through the recommendations made by the Basle Committee on Banking supervision in September 1998, around 3.5 years following the Barings scandal. The methodology on risk management specified in this paper has been skillfully engineered to prevent another operational failure like Barings, and has been endorsed and upheld by 30 major banks and financial institutions worldwide, including Britain's Financial Services Authority, London. The entire paper can be downloaded from the committee's website. (Source: www.bis.org/publ/bcbs42.pdf) According to the published details, most scams occur because of "breakdown in internal controls and corporate governance", a clear-cut reference to Barings' unqualified practices which resulted in loopholes in the structure. Other aspects of operational risk include failure of information mechanisms and accidents like fire, earthquake, etc., areas of concern we shall keep out of our present scope of discussion. It is important for bank boards and senior management to become aware of operational risk, thereby adopting measures such as allocating separate funds for operational risk management exercises, and providing for operational risk management targets during performance evaluation periods. The Basle Committee feels that big financial institutions have learnt their lesson early and are capable of monitoring their bank capital effectively, but a lot needful is desired from smaller firms who have a lot of catching up to do so. Another area of oversight is the conceptualising of data patterns required for large-scale risk management. Since most banks do not have sufficient experience with big defaults, historical data is absent on many parameters of risk management. While the industry is far from converging on standardised models of risk management, surprisingly, most banks follow similar models. The important parameters to be measured are: volume, turnover or rate of errors, loss of experience and income volatility. Additional recommendations from the committee fall into five categories: management oversight, risk measurement and monitoring, policies and procedures, internal controls and supervisory role. Management oversight For successful corporate-wide risk management initiatives, involvement of senior management in the entire process from learning to final execution is deemed highly "critical". The importance of "watchdog" committees has been emphasised in no less terms, it basically referring to an internal cell that documents lapses made by audit teams and other capital managers. The Financial Controller and the Chief Information Officer (CIO) were identified as potential watchdogs. Further responsibility was delegated to Business Area Managers whose job is to institute operational risk management mechanisms in their own area of authority, thereby ensuring that the entire system percolates to the grassroots of the bank. Several banks have delved on strategies to increase incentives for managers entrusted with the charge of instituting operations risk mechanisms. Risk measurement, monitoring and Management Information Systems The first step in launching risk measurement initiatives begins with a proper definition of "operational risk". It should be capable of encompassing a broad array of functions: human/ technical error, fraudulent recording/ manipulation of information (by geniuses such as Nick Leeson), settlements or payment risk, administrative/ legal risks. Secondly, most banks agree that operational risk evaluation must be done on those "business lines that have high volume, high turnover, high degree of structural change, and complex procedures". Operational risk in trading activities' was seen as most high, a significant fact considering the Barings' meltdown. The operational risk measures are a product of several risk factors: internal audit ratings, volume, turnover, error rates and income volatility, rather than external factors such as market price movements. Measuring operational risk envisages the capability to measure both probability of a loss event in the future, and also the size/magnitude of the loss, i.e. business impact. The measurement criteria is further quantifiable by sizing risk factors, banks utilising risk factors can further use historical loss experiences to come up with suitable measurement methodology. Banks can use different techniques to arrive at an overall operational risk level. Like risk measurement, risk monitoring is also a subject of scrutiny. The major parameters to this effect are: volume, turnover, settlement fails and delays. Several banks monitor these parameters directly, with a review of each failure, and communication done to proper channels at a senior level. Capturing data requires the aid of sophisticated information measuring systems, with the installation of an online data manipulation interface being high on the priority agenda of most concerned banks. Banks also require a variety of tools and techniques to mitigate operational risk, with internal controls and internal audit processes being suitable methodologies for the same. Some banks have decided on pre-fixed operational limits for better functioning of their risk assessment machinery. The management of information systems can be explored by insurance policies. Another concept discussed is reinsurance in the form of owning captive subsidiaries to offset any undesirable changes in business cycle. Policies and procedures The policies and procedures followed by banks, to a greater extent, can affect their real chances of implementing security measures in money transactions. It is important to devote sufficient time, energy and money to revamp and develop new policies and procedures. A large number of banks have pooled their efforts together to standardise policies and procedures across businesses and make them, increasingly user-friendly. These policies may be based on common themes of different businesses, or based on suitable risk factors. Special emphasis was laid out on product review processes involving business, risk management and internal control functions. Internal controls The importance of instituting internal controls in preventing Barings like episodes cannot be undermined, there is a lot of potential in sizing the value of internal controls to reduce or mitigate major risks. What are internal controls, and how may they be classified The Basle Committee's recommendations classify internal controls as "segregation of duties, clear management reporting lines and adequate operating procedures". There is an immediate need to formalise operational risk disciplines and auditing standards. Over the past few years, several banks have formalised these procedures by building self-assessment programmes. These programs are used to evaluate operational risk strategies put in place, along with internal audit ratings and external supervisory audit roles. Two of the participating banks have instituted penalising measures in the discovery of security lapses in the audit phase compared to the self-assessment phase. The activities of internal auditors are also under scrutiny; they have three important roles- to identify potential problems, the independent validation of business management's self-assessments, and to track any volatile situation that would ultimately, lead to a situation full of loopholes of which people can take advantage in the future. Supervisory roles The role of people in supervisory position, would be to mandate guidelines in order to validate measurement techniques and criteria put in place. Thus one of the supervisor's pivotal roles would be to enhance qualitative functions in operational risk management, with a need to raise the level of awareness of overall operational risk. They should be additionally entrusted with the task of recommending "best practices" for such initiatives. According to Basle Committee recommendations, banks are qualified with the task of encouraging their supervisors with identifying, measuring, managing and controlling operational risk. Analytical tools and techniques required for operational risk measurement Before an organisation proceeds on towards risk analysis, it must be able to clearly define any perceived "risk". From a textbook on "Managing Operational Risks" by Christopher Lee Marshall, we can follow the steps very closely for our case study. There are two approaches to target perceived risks; top-down risk model (3.1), and bottom-up risk model (3.2). The basic difference being that top-down models insist on project schedule completion dates by which risks in a project are mitigated, whereas bottom-up models simply add detail into the top-down approach and model the real "work-flow". The Capital Asset Pricing Model (CAPM) used by financial institutions is an example of top-down approach which uses parameters common with the parlance of debt financiers, such as betas, debt leverage, equity prices and benchmarks. There are some hybrid models in use also, but they all have one thing in common; an insistence on statistics and probability distributions, e.g. the famous Weibull distribution used to model operational risk in this case. After mapping the existing processes, it is required to define the firm's risk-management agenda (4.2) and project scope (4.3). After this, the management teams conduct meetings to evolve risk management policies and practices (4.6) to be uniformly adopted by the organisation. Once the risk objectives are established, it is necessary to identify potential risks using the tools discussed above; it all begins with benchmarking internal processes and resources (5.1), culminating into identifying risk factors (5.3) and loss events (5.4). Finally, these have to be categorised (5.5). Once the needful is done, we have to estimate potential loss of data (including historical data), and develop distribution models to fit the data, e.g. the weibull distribution can be used in this case also. A final analysis of all risk procedures ends in a simulation exercise. Here we discuss a very popular analytical tool used for simulation of financial data loss in risk management; it is called the Monte-Carlo simulation method (8.2). What is Monte-Carlo simulation It is a spreadsheet analysis of risk measurement drives, and is somewhat related to the game of dice in bearing the capacity to generate random values (as in 1, 2, 3, 4, 5, 6) to drive simulation tactics. The difference lies in the parameters we want to select as our basis for simulation. For operational risk measurement of finances and equities, we will consider the following parameters: interest rates, stock prices, betas etc. For each unknown variable, we can define a set of possible values with a probability distribution, weibull can be brought in for discussion again. The kind of probability distribution to be chosen depends upon the condition of the variable. What exactly happens during these simulations Like a pair of dice tossed at random, we can generate multiple scenarios of a risk situation (e.g. the possibility of error account 88888 in Nick Leeson's case) from uncertain variables of the probability distribution and calculate its "probability" and "impact" at the target cell. With sophisticated software packages available today, these calculations can proceed at a phenomenal computing speed. Once the simulation exercises comes out perfectly, and to the satisfaction of audit teams, the bank's model develops "capability maturity", and can make the security systems, far more robust to handle any potential breaches from unsuspecting elements. Barings' bank had a lot of odds stacked against its favour; poor management vision led to profiteers like Nick Leeson take undue advantage of loopholes in the processes; risk measurement and monitoring systems were inadequate to capture violations, and these factors contributed to the sensational, avoidable scam in 1995. References Basel Committee. Oct 1998. Basel Committee on Operational risk measurement. Downloaded 16 May 2006 from www.bis.org/publ/bcbs42.htm Marshall, C.L. Measuring and Managing Operational Risks in Financial Institutions: (Tools, Techniques and Other Resources). John Wiley & Sons, Jan 12, 2001. Nick Leeson homepage. 2005. Biography 16 May 2006. http://www.nickleeson.com/biography/full_biography.html Read More