Book 3. Operational Risk
FRM Part 2
OR 7. Integrated Risk Management

Presented by: Sudhanshu
Module 1. Enterprise Risk Management (ERM)
Module 2. Stress Testing
Module 1. Integrated Risk Management
Topic 1. Introduction to ERM
Topic 2. Structure of ERM
Topic 3. Risk Governance: Three Lines of Defense
Topic 4. Risk Appetite
Topic 5. Risk Culture
Topic 6. Capital Elements of the ERM Framework
Topic 7. Capital Elements: Regulatory Capital
Topic 8. Capital Elements: Economic Capital
Topic 9. Capital Elements: RAROC
Topic 10. Capital Elements: Risk Aggregation/ Diversification
Topic 1. Introduction to ERM
- Definition of ERM: The ERM framework encompasses the tools and methods an organization uses to manage various risks impacting business goals.
- The Risk Management Cycle
  - Identification: Recognizing potential risks.
  - Assessment: Evaluating the impact and likelihood of risks.
  - Mitigation: Developing strategies to reduce or control risks.
  - Reporting/Monitoring: Continuous oversight and communication of risk status.
- Risk governance, risk culture, and risk appetite apply across all organizational and financial risks in every organization
- Risk capital and stress testing represent a fourth element
- Regulatory Capital represents the minimum level of long-term stable funding and equity required to protect banks and insurance companies against operational, credit, and market risks
- Banks must maintain both financial resilience (through adequate capital) and operational resilience (through effective risk management) for stability and solvency
Topic 2. Structure of ERM
- ERM priorities are guided by Risk Governance, Risk Culture, and Risk Appetite.
- Risk Governance sets roles and responsibilities through the three lines of defense model and establishes committees for reporting and decision-making.
- Culture relates to the behaviors and values associated with managing risk.
- Appetite helps firms define priorities and the levels of risk exposure they are willing to tolerate.
Topic 3. Risk Governance: Three Lines of Defense
- First line of defense
  - Business line staff and management
  - Primary decision-making authority, accountability, and responsibility for managing risk
  - Designated risk owners identify, measure, mitigate, and report on respective risks
  - Must balance risks and rewards
- Second line of defense
  - Provides oversight for business line staff, management and risk owners
  - Measure risk types; establish risk tools, methods, and models; and oversee the risk management process throughout the organization.
  - Continuous monitoring needed at this level
  - Includes operational, market, and credit risk management departments for banks. Compliance, legal and IT may also be included
- Third line of defense
  - Independent third parties and internal auditors
  - Report independently to the board of directors
- An external audit is often seen as adding a fourth line of defense, while the Risk Committee is tasked with overseeing all risks across an entity.
Practice Questions: Q1
Q1. Sovereign Bank has an internal audit department, but the bank CEO hires an external auditor to review their financial statements and assess their internal control system. The audit firm is most likely considered to be which line of defense?
A. First.
B. Second.
C. Third.
D. Fourth.
Practice Questions: Q1 Answer
Explanation: D is correct.
The external audit firm is considered the fourth line of defense, as the first line of defense is the business line staff and management, the second line of defense provides oversight for the first line, and the internal audit department will be the third line of defense.
Topic 4. Risk Culture
- Risk culture encompasses the values, behaviors, and beliefs of executives, senior leadership, and employees.
- Directly impacts preferences and attitudes towards risk management.
- Risk management index (RMI) is used to measure the independence and strength of risk management functions
- Banks with higher pre-crisis RMIs outperformed banks with lower pre-crisis RMIs in the areas of operational performance, stock performance, loan performance, and tail risk.
- Drives ERM effectiveness and links governance and culture to financial/non-financial risk tolerance and appetite.
Topic 5. Risk Appetite
- Risk appetite dictates how much risk an organization is willing to take to achieve its objectives.
- Applies to various risk types: Credit Risk, Market Risk, Liquidity Risk, Operational Risk.
  - Credit risk policies cover maximum loan amounts, minimum ratings for borrowers, acceptable financial ratios, collateral requirements, monitoring metrics, and what constitutes a “watch list” loan.
  - Market risk policies cover exposure limits, trading limits, and metrics monitoring.
- Overarching criteria and statements are used by entities to express their risk appetites. Examples include:
  - Customer service: All negative feedback from customers merits a direct response to each impacted customer.
  - Ethics: Any fraud or misconduct must be addressed immediately with a defined timeline and resolutions acceptable to impacted parties.
  - Available capital (over-capitalization): This should be at least 50% above regulatory capital requirements at all times.
Topic 6. Capital Elements of the ERM Framework
- Purpose of Capital Elements: Protection against unexpected losses across all risk types, ensuring solvency and sustainability.
- Key elements
  - Regulatory Capital
  - Economic Capital
  - Risk-Adjusted Return on Capital (RAROC)
  - Capital Aggregation/ Diversification
Topic 7. Capital Elements: Regulatory Capital
- Guidance: Provided by the Basel Committee on Banking Supervision (BCBS)
- Objectives of Regulation: ensuring intermediary solvency and soundness, providing protection to customers, and promoting the competitiveness and efficient performance of financial institutions.
- Basel I (1988): Minimum capital of 8% (Cooke Ratio) of Risk-Weighted Assets (RWA) for credit losses.
- Basel II
  - 1996: Added market risk regulatory capital, retained 8% RWA.
  - 2002: Added regulatory capital for operational risk and refined credit risk capital calculations, retained 8% RWA.
- Basel III: Added minimum regulatory ratios for liquidity risk and an incremental 2.5% RWA capital requirement (counter-cyclical buffer).
- The Basel Regulatory Framework: Three Pillars
  - Pillar 1 (Regulatory Capital): Minimum capital levels required to cover market, credit, and operational risks, as well as a minimum liquidity ratio.
  - Pillar 2 (Supervisory Review Process): Adjustments to Pillar 1 requirements based on institution-specific factors.
  - Pillar 3 (Market Discipline): Mandatory information disclosures by financial institutions on risk information and financial situations.
Topic 8. Capital Elements: Economic Capital
- Definition: The level of funds a bank/insurance company needs to cover any unexpected losses, beyond minimum regulatory requirements.
- Reflection: Most accurately reflects the combination of Pillar 1 and Pillar 2 requirements.
- Role of Credit Rating: Higher economic capital provides more protection, supports higher credit ratings, and translates to lower borrowing costs.
  - Example: AAA rating (0.01% default probability) implies economic capital covers unexpected losses at a 99.99% confidence level.
Practice Questions: Q2
Q2. Assume that a credit rating of A has a default probability of 0.07 %, and a credit rating of AA has a default probability of 0.04 %. If a bank is seeking a target rating of A, it will want to ensure that its economic capital will cover unexpected losses at a confidence level of:
A. 93.00 %.
B. 96.00 %.
C. 99.93 %.
D. 99.96 %.
Practice Questions: Q2 Answer
Explanation: C is correct.
With a default probability of 0.07% for an A credit rating, the bank will want to ensure that its economic capital will cover unexpected losses at a confidence interval of 99.93% (= 100% – 0.07%).
Topic 9. Capital Elements: RAROC
- Definition: A risk-adjusted version of Return on Equity (ROE).
- Calculation:
  - Numerator adjusts net income for Expected Losses (EL) from activity-related risks.
  - Easier with credit risks (due to historical data); EL often set to zero for market risks; generally not used for operational risks.
- Benefits: Quantifies funding costs, manages capital, aligns activities with objectives.
- Flexibility: Calculations can be done at business line, portfolio, client, or transaction levels.
  - Economic capital represents the amount of capital earmarked for specific activities.
  - Managers are able to price transactions based on the minimum requirements for RAROC at these various levels.
Practice Questions: Q3
Q3. Which of the following statements about the risk-adjusted return on capital (RAROC) measure is most accurate?
A. The numerator utilizes pretax, risk-adjusted income.
B. Regulatory capital is the denominator of the calculation.
C. Expected losses (EL) are typically set at zero for credit risks.
D. RAROC is applied more often to credit risks than to operational risks.
Practice Questions: Q3 Answer
Explanation: D is correct.
The RAROC measure is most often applied to credit risks, while it is typically not used for operational risks. The numerator uses after-tax risk-adjusted income, while the denominator is economic capital. Expected losses are typically set at zero for market risks, not credit risks.
Topic 10. Capital Elements: Risk Aggregation/ Diversification
- Capital Aggregation
  - Necessity: Capital needs for each risk class (market, credit, operational) must be aggregated.
  - Consideration: Not all risks are prevalent at the exact same time.
- Types of Diversification
  - Inter-risk Diversification: Aggregates risks across different risk classes (e.g., market, credit, operational)
  - Intra-risk Diversification: Covers risks within each specific risk class.
- Key Principle: Total aggregated capital will be less than the sum of each individual risk's stand-alone capital due to diversification benefits.
- Operational Risk: Often exists independently of market and credit risk, offering significant diversification benefits due to its low correlation with other financial risks.
Module 2. Stress Testing
Topic 1. Fundamentals of Stress Testing
Topic 2. Stress Testing Taxonomy
Topic 3. Stress Testing Approaches
Topic 4. Stress Testing Operational Risk
Topic 5. Stress Testing Operational Risk: CCAR
Topic 6. Stress Testing Operational Risk Models
Topic 7. Model Refinement
Topic 1. Fundamentals of Stress Testing
- What is Stress Testing?
  - Purpose: To assess the stability of an entity or system by pushing it beyond its normal operational capacity, potentially to its breaking point.
  - Post-2007/2009 Financial Crisis: Widely deployed to test how entities perform under extreme market and macroeconomic conditions, ensuring they can absorb losses and continue functioning.
  - Basel Committee View: A crucial risk management tool for understanding appropriate capital levels to absorb losses in extreme conditions.
- Evolution of Stress Testing
  - Pre-Crisis: Emphasized quantitative measures.
  - Post-Crisis: Highlighted weaknesses in methodologies, scenario selection, integration with risk governance, and specific risk/product testing.
  - Current Approach: Incorporates both qualitative and quantitative elements.

Topic 2. Stress Testing Taxonomy
- Stress Testing Taxonomy (Two Dimensions): Analytical approach and types of risk capture
- Quantitative-Qualitative Approach
  - Quantitative: Stress testing model sensitivity to parameter shocks.
  - Qualitative: Scenario analysis (e.g., macro stress testing, reverse stress testing); modeling reputational impact.
- Measurable-Immeasurable Risks
  - Measurable Risks: Analytical methods with probabilities tied to outcomes (e.g., modifying model parameters for market/credit risk; tail risk modeling for operational risk).
  - Immeasurable Risks (Knightian uncertainty): Analytical methods for "unknown unknowns" that cannot be calculated or estimated.
Topic 3. Three Classifications of Stress Testing Approaches
- Parameter (Model) Stress Testing: Changes parameter values to test model robustness.
  - Approaches: Quantitative, measurable risks.
  - Focus: Determine impact of additional stress on the bank, portfolios, or specific models; strategic/business planning.
- Macroeconomic (Macro) Stress Testing: Uses annual macroeconomic shock scenarios (e.g., GDP swings, unemployment, inflation).
  - Approaches: Holistic (quantitative & qualitative), stressing measurable & immeasurable risks.
  - Focus: Impact of macroeconomic factor changes on model outputs
- Reverse Stress Testing: Scenario-driven, analyzes immeasurable risks using mostly qualitative approaches.
  - Approaches: Start with a specific outcome of institution failure and identify circumstances that could lead to this failure.
  - Examples of Shocks: Major client losses, portfolio losses, credit rating downgrades, loss of major revenue sources.
  - Focus: Operational resilience assessments; determining necessary mitigating controls.
- Closure Planning: Resolution planning involves preparing for institutional closure with minimal impacts to financial system and stakeholders
- Risk Assessment: Requires identifying potential closure events through business model review, exposures, vulnerabilities, and resource needs assessment
Practice Questions: Q4
Q4. The loss of a major client, downgrades in credit ratings, and significant portfolio losses are examples of shocks used as the starting point for which type of stress testing?
A. Model stress testing.
B. Reverse stress testing.
C. Parameter stress testing.
D. Macroeconomic stress testing.
Practice Questions: Q4 Answer
Explanation: B is correct.
Reverse stress testing is a form of scenario-driven stress testing that is used to analyze immeasurable risks using mostly qualitative approaches. The starting point is a specific outcome (shocks like major client losses and credit rating downgrades) resulting from an institution failure, which is followed by an assessment of what circumstances may lead to this outcome.
Topic 4. Stress Testing Operational Risk
- Crisis-Driven Evolution: 2007-2009 financial crisis and COVID-19 pandemic significantly transformed institutional stress testing approaches
- Enhanced Testing Framework: Current operational risk stress testing incorporates parameter testing and macroeconomic testing beyond Basel II's loss distribution approach (LDA)
- Macroeconomic Integration: Testing now examines how operational risks change under varying macroeconomic conditions for comprehensive impact assessment
- Robust Forecasting Requirements: Institutions must forecast impacts from multiple macroeconomic scenarios using quantitative methods
- Multi-Method Approach: Combines scenario analysis, LDA forecasting, and regression techniques for comprehensive operational risk stress testing
Topic 5. Stress Testing Operational Risk: CCAR
- CCAR Benchmark Framework: U.S. Federal Reserve's Comprehensive Capital Analysis and Review serves as benchmark for operational risk stress testing expectations
  - Institution's risk identification process must align with operational risk capital planning process
  - Forecasts increasingly driven by expert judgment and scenario analysis rather than quantitative modeling alone
- Expected Nonlegal Loss Forecast Module: Quantitative model that estimates a loss forecast for every risk type and expert judgment refinements.
  - Quantitative model component: Estimates loss forecasts for every risk type under baseline and adverse macroeconomic scenarios
  - Expert refinement component: Incorporates industry, controls, and entity-specific risk knowledge from subject-matter experts
- Legal Loss Module: A model that forecasts losses for immaterial litigation cases, losses above a threshold for current cases, and future litigation cases.
  - Litigation losses: A significant share of operational risk losses for most banks but should be broken out separately from other operational losses.
  - Challenge: Delay between macroeconomic events and the incurrence of legal losses by an institution. Forecasts should consider this inevitable lag time.
- Idiosyncratic Scenario Add-on Module: Captures risk exposures unique to each individual bank through extreme event storylines
  - Storylines based on most material risks and tied to specific vulnerabilities of each bank
  - Ensures bank-specific considerations beyond standardized stress testing approaches
- Ongoing Debate: Considerable debate exists whether operational risk is independent of macroeconomic factors and events
- Regulatory Pressure: Institutions driven by regulatory requirements to establish links between operational risk and macroeconomic conditions
Practice Questions: Q5
Q5. A significant challenge in estimating the legal loss module of an operational risk stress test is that:
A. future litigation cases cannot be estimated.
B. banks are minimally impacted by legal losses.
C. operational risks and legal losses cannot be separated.
D. there is a lag between the macroeconomic event itself and the incurrence of legal losses.
Practice Questions: Q5 Answer
Explanation: D is correct.
Inevitably, there is significant lag time between when a macroeconomic event occurs and when the bank or financial institution actually incurs legal losses. This lag time should be accounted for in the model. Future litigation cases can be estimated, banks are certainly impacted by legal losses, and legal losses can be separated out from other operational risks.
Practice Questions: Q6
Q6. Risks that are only applicable to each unique bank are best captured using which module in a comprehensive operational risk stress testing framework?
A. Legal loss.
B. Individual risk loss.
C. Idiosyncratic scenario add-on.
D. Expected nonlegal loss forecast.
Practice Questions: Q6 Answer
Explanation: C is correct.
The idiosyncratic scenario add-on module captures risk exposures unique to each individual bank (based on extreme event scenarios). While the legal loss and expected nonlegal loss forecasts are both actual modules, the individual risk loss module is not the name of a module that exists in this framework.
Topic 6. Operational Risk Stress Testing Models
- Modeling Approaches: Banks can model total operational risk losses or individual components (frequency and severity), with separate frequency/severity modeling being the preferred approach
- Regression vs. LDA: Primary approach uses regression models to capture macroeconomic-operational loss dependencies; secondary LDA approach uses Monte Carlo simulations but assumes unchanged risk exposures over time
- Conditional LDA Trade-off: Combines regression-based frequency modeling with constant severity and expert judgment, using Monte Carlo simulations with forecasted frequencies for balanced approach
- Percentile Challenge: Conditional LDA faces difficulty setting appropriate severity percentiles - 99.9th percentile (regulatory capital standard) too high, causing under-capitalization projections without regulatory requirements
- Severity Modeling Complexity: Severity presents greater challenges than frequency due to tail event impacts, limiting usefulness of severity mean data as estimator compared to median loss data
- Macroeconomic Integration: Regression analyses incorporate macroeconomic variables for average loss severity analysis using both simple linear and log-linear models
- Expert Refinement: Model outputs require expert refinement through scenario analysis to ensure material risks are appropriately captured beyond quantitative estimates
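The conditional LDA described above, as an added example that is not part of the original slides: a regression-forecasted loss frequency per macroeconomic scenario is combined with a constant severity distribution in a Monte Carlo simulation, and the result is read off at two percentiles. The Poisson/lognormal choice, the regression coefficients, the severity parameters and the unemployment scenarios are all constructed assumptions.

```python
import math
import random

# Constructed coefficients of a log-linear frequency regression (assumed, not fitted):
# log(expected annual loss count) = B0 + B1 * unemployment rate in percent
B0, B1 = 2.0, 0.10
# Severity is held constant across scenarios: lognormal(mu, sigma) per loss event.
SEV_MU, SEV_SIGMA = 11.0, 1.0
# Constructed macro scenarios: unemployment rate in percent.
SCENARIOS = {"baseline": 4.0, "adverse": 10.0}


def forecast_frequency(unemployment_pct):
    """Regression step: macro variable -> forecasted Poisson intensity."""
    return math.exp(B0 + B1 * unemployment_pct)


def draw_poisson(lam, rng):
    """Knuth's multiplication method; adequate for the small intensities here."""
    limit, count, product = math.exp(-lam), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(lam, trials, seed):
    """Monte Carlo step: total annual loss per trial, returned sorted."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        n_events = draw_poisson(lam, rng)
        totals.append(sum(rng.lognormvariate(SEV_MU, SEV_SIGMA)
                          for _ in range(n_events)))
    totals.sort()
    return totals


def percentile(sorted_values, pct):
    idx = min(len(sorted_values) - 1, int(pct / 100.0 * len(sorted_values)))
    return sorted_values[idx]


def stress_forecast(trials=20000, seed=7, pcts=(90.0, 99.9)):
    """Forecast per scenario: intensity, mean loss and the chosen percentiles."""
    out = {}
    for name, unemployment in SCENARIOS.items():
        lam = forecast_frequency(unemployment)
        totals = simulate_annual_losses(lam, trials, seed)
        out[name] = {"lambda": lam, "mean": sum(totals) / trials,
                     **{f"p{p}": percentile(totals, p) for p in pcts}}
    return out


if __name__ == "__main__":
    for scenario, stats in stress_forecast().items():
        print(scenario, {k: round(v, 1) for k, v in stats.items()})
```

Only the frequency moves between scenarios; the gap between the 90th and 99.9th percentile columns shows how strongly the forecast depends on the percentile chosen.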
Topic 7. Model Refinement
- The model refinement element involves the specialist and risk owner reviewing and challenging the following:
  - The process used for the model-based, nonlegal loss forecast
  - Model inputs and outputs
  - Historical data used in the model
  - Approaches selected
  - Support for the macro-drivers chosen
  - Plausibility estimates for losses (frequency, severity, and total) for each risk type
- Experts must also address any new or potential changes to conditions that could impact future operational risk loss expectations and how they may differ from historical loss results
Copy of OR 7. Integrated Risk Management
By Prateek Yadav