The operational risk profile is a picture of the exposure to the operational risk types by a Financial Institution, Line of Business, or Activity, depending on the sufficiency of the available data. The representation of the exposure can vary from a low-resolution picture (for each loss type, a bar chart of the number of events and the total loss for these events) to statistical frequency and loss given event (severity) distributions for each event type.
The historical loss experience of the bank, also known as the internal data, is used to construct the op risk profile. Using historical data is a good starting point, but if circumstances within or outside the FI have changed, the op risk profile constructed from the historical loss experience may not represent the current operational risk exposure. If circumstances have changed, their effect on the exposure needs to be taken into account. How to do this will be explored in a future blog.
For now, let's deal with the situation where nothing has changed in the circumstances that materially affect the risk profile. Can we be confident that this risk profile is an accurate representation of the exposure? Before you read on, take a few minutes to write down the arguments that support the view that it is accurate and the arguments that invalidate that view.
Perhaps your FI has not experienced any significant losses associated with a particular op risk type. This is often the case when creating a more granular op risk profile such as the op risk profile for one of the lines of business, such as Retail Banking, or for more granular loss types such as Aggressive Selling within Suitability, Disclosure & Fiduciary which in turn is part of Clients, Products, and Business Practices.
So, suppose your FI has not experienced any major losses from Aggressive Selling within Retail Banking. Does that mean that your FI is not, or only minimally, exposed to potential losses from Aggressive Selling? Of course not. It would be like saying that because I have not experienced a car accident yet, my risk of a car accident while driving a car is zero.
If you cannot rely solely on the Aggressive Selling loss experience of your Retail Bank to create its op risk (exposure) profile, what can you use to supplement its loss experience? Any ideas? Take a moment to generate a few ideas of what other sources of data can be used to create a more accurate op risk profile for your Retail Bank. Write these down.
Here is what I came up with.
First, we can look within our institution and determine whether other LOBs have experienced Aggressive Selling losses. If they have, it is very likely that, even though they have not been experienced up to now within Retail Banking, these losses can be experienced there in the future.
In this situation, you would appropriately include losses from those other LOBs to construct the ORP for Retail Banking.
Suppose that, after searching for losses associated with Aggressive Selling within all the LOBs within your FI, you can’t find any. Can you conclude that your Retail Bank is not exposed to future Aggressive Selling risk? We can construct arguments for and against, but the only way to substantiate the conclusion is to extend the process from looking at the loss experience of other LOBs within your FI to looking at the loss experience from Aggressive Selling at other FIs. Go ahead and examine the loss experience of the FI industry for Aggressive Selling.
You should have found many instances of Aggressive Selling losses at many FIs and within many LOBs. After this, it would be very hard to argue that your Retail Bank is not exposed to future Aggressive Selling losses. This example is for Aggressive Selling, but it can be generalized to all loss types. Therefore, to create an accurate operational risk exposure profile, you would have to add the loss experience of other FIs to the loss experience of your FI.
You could argue that the internal and external circumstances of those other FIs are so different from your FI that these types of losses could not occur at your FI (or within a certain LOB, if the ORP is being created at that level) and therefore should not be included. If that is indeed the case, they should be excluded. But how do you know if that is indeed the case? Use the Agile approach to develop starting-point answers to this question.
After some iterations, you will probably come to some variation of the following answer. There needs to be a decision-tree type of structure that excludes events when certain specific conditions are met. For example, we know that not carrying out a certain activity within your bank is insufficient to exclude a certain external event, unless the type of loss could only happen in that specific activity. For example, suppose the bank does not offer consumer loan insurance, but a bank that does was fined and had to make restitution to clients who were sold the insurance with a disclosure that did not include hidden fees. Not disclosing all fees is a regulatory and client issue that would result in fines and client restitution payments regardless of the product being sold, and therefore this loss is relevant and should not be excluded by your bank even though your bank does not offer loan insurance. However, if the loss was a result of a particular insurance regulation that had no similar regulation applicable to other products, then that loss is not relevant and should be excluded. The same applies to external loss events that happen in countries where your bank does not operate. The external loss is not relevant only if that type of loss could not happen in the jurisdictions where you do operate. This is rarely the case.
Of course, relevancy also applies to internal data. If a certain activity is no longer carried out, then losses associated with that activity may no longer be relevant. And like with external losses, they should not be automatically excluded since relevancy should not be based on the activity itself but on reasons which establish that similar losses could not happen in other activities.
What else do you need to consider besides relevancy when adding external data to internal loss data to create the operational risk profile?
To answer this question, consider what happens in the situation where an external loss occurred in a Retail Banking business that is 10 times the size of your Retail Banking business. If no adjustment for size is factored in, your exposure can be significantly overstated. Sticking with our car example, your exposure to a car accident, and therefore your car insurance premium, considers not only your historical loss experience but also the relevant loss experience of other drivers, and it is scaled for size, such as the cost of your car and how much you drive the car per day. Similarly, external data needs to be scaled appropriately before it is used for creating the operational risk exposure profile for your bank or LOB. How to do the scaling is beyond the scope of this course. However, insurance companies have developed many robust methodologies for combining relevant external and internal loss experience to determine your exposure and resultant premium. Many of these same techniques can be applied to operational risk management.
In short, to construct an (accurate) ORP, relevant internal and external loss data need to be selected from internal and external loss databases which have been cleaned for inconsistencies and inaccuracies, and these losses need to be appropriately scaled for current circumstances.
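The selection steps summarized above can be sketched in code. This is an added example, not part of the original post: it applies the relevance rule to internal and external events and produces the low-resolution profile (event count and total loss per loss type). The field names, the sample events, and the `size_ratio` multiplier are assumptions; in particular, `size_ratio` is only a placeholder for whatever scaling method is chosen, which the post leaves out of scope.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class LossEvent:
    source: str                  # "internal" or "external"
    loss_type: str
    amount: float
    activity: str
    jurisdiction: str
    activity_specific: bool      # cause could only arise in this activity
    jurisdiction_specific: bool  # cause could not arise where we operate
    size_ratio: float = 1.0      # hypothetical scaling factor, not a method from the post

def is_relevant(ev, activities, jurisdictions):
    """Exclude an event only when its cause is tied to an activity or
    jurisdiction we lack; lacking the activity alone is not enough."""
    if ev.activity not in activities and ev.activity_specific:
        return False
    if ev.jurisdiction not in jurisdictions and ev.jurisdiction_specific:
        return False
    return True

def build_profile(events, activities, jurisdictions):
    """Low-resolution ORP: number of events and total scaled loss per loss type."""
    profile = defaultdict(lambda: {"events": 0, "total_loss": 0.0})
    for ev in events:
        if is_relevant(ev, activities, jurisdictions):
            row = profile[ev.loss_type]
            row["events"] += 1
            row["total_loss"] += ev.amount * ev.size_ratio
    return dict(profile)

# Constructed sample data for a bank that does not sell loan insurance.
OUR_ACTIVITIES = {"retail deposits", "consumer loans"}
OUR_JURISDICTIONS = {"CA"}
EVENTS = [
    LossEvent("internal", "Processing Error", 50_000, "consumer loans", "CA", False, False),
    # Hidden-fee disclosure failure: could happen with any product, so it stays.
    LossEvent("external", "Aggressive Selling", 2_000_000, "loan insurance", "US", False, False, 0.25),
    # Breach of an insurance-only regulation with no analogue elsewhere: excluded.
    LossEvent("external", "Aggressive Selling", 1_000_000, "loan insurance", "US", True, False, 0.25),
    # Foreign event whose cause could also arise where we operate: stays.
    LossEvent("external", "Aggressive Selling", 500_000, "retail deposits", "UK", False, False, 0.5),
    # Internal loss from a discontinued activity, cause unique to that activity: excluded.
    LossEvent("internal", "Processing Error", 30_000, "cheque imaging", "CA", True, False),
]

if __name__ == "__main__":
    for loss_type, row in build_profile(EVENTS, OUR_ACTIVITIES, OUR_JURISDICTIONS).items():
        print(f"{loss_type}: {row['events']} events, total {row['total_loss']:,.0f}")
```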
There are several sources of external operational loss databases.
There are vendor databases, where a provider collects loss data from usually publicly available sources such as news stories and annual reports. The vendors do some form of data quality control and data enrichment, like associating the reported loss to a Basel loss type and an RLOB. These are stored in a database as records with many fields, including the FI involved, a brief description of the loss, the amount of the loss, the year of occurrence, and selected financial information related to the FI, such as revenues. Access is sold to users, usually on a subscription basis. The SAS OP Risk VaR database is one such external op risk loss database. There are others, and if you are interested, google for them. Since most of the loss information in these vendor databases is from headline news stories, the database does not include important losses that did not make headlines. For example, sensational Business Practices losses such as Money Laundering or deceptive sales practices are much more likely to be reported, and therefore included, than losses relating to processing errors or localized system failures. In addition, the quality control associated with these databases can rarely be cost-effectively verified, resulting in inaccuracies in the recording of the loss and in the data enrichment process. For example, the vendor using its own decision rules may classify the loss into one Basel type, but using the decision rules of your bank would classify the same loss into a different Basel type. The vendor may also have made errors in the classification while following its own decision rules. The relevant external losses would have to be reviewed and corrected for such inconsistencies and errors.
To avoid these and similar issues arising from using vendor external loss databases, FIs built consortiums to collect and share anonymized internal data among themselves. ORX (https://managingrisktogether.orx.org/) is an example of a private operational risk loss consortium. Sometimes consortiums are built through industry associations such as the American Banking Association and the British Banking Association, to name a few. Since each participating member must follow strict data quality rules, there is a significant improvement in accuracy and consistency over vendor databases. However, consortium data contains only the loss data of the member banks and excludes relevant loss data from nonparticipating banks. As a result, like vendor databases, consortium data may be incomplete, and relying on the consortium loss database may either significantly overestimate or underestimate the exposure to operational risk (the ORP).
In summary, internal and external loss databases have to be prepared for consistency, accuracy, relevancy, and appropriately scaled before using them to construct the operational risk exposure profile.
How do banks ensure they capture the most relevant risks, and what factors should be prioritized when structuring their ORP to reflect both current and future exposures?
When incorporating external loss data from external sources, is there a decision rule for balancing the trade-off between completeness and relevance? For example, if external losses are skewed toward events that may not fully align with your institution's risk exposure, what would be an appropriate rule to adjust for such biases without underestimating or overestimating your risk?
When building the ORP using historical internal loss data, I am wondering how one determines whether the FI has changed enough from inside or outside, and how does the change affect the accuracy of the profile? Besides, what criteria should be used to decide which external loss events are relevant to your FI, especially when external institutions operate under different conditions?
When constructing the ORP, how do you account for lines of business that have little or no historical loss data if there is limited information in the industry? What alternative methods are used to estimate potential exposure?
Should the scaling of the data be based on the market value or other criteria? Would it be realistic to scale based on different risks and departments, as this will involve a lot of evaluations and may be costly? Will the benefit of applying external data always be higher than the cost associated with it?