Risk management's final frontier

What is the use of having state-of-the-art market-risk measurement tools if one rogue trader can bankrupt your institution in a matter of weeks? Why bother with the complexities of modelling credit and counterparty risk if a fund manager at one of your foreign subsidiaries can cost you £200 million in cash, and untold millions in tarnished reputation and credit standing?

While the leading financial institutions can claim to have half-way scientific ways of measuring, monitoring and providing for credit and market risks, most would agree that they struggle even to define potentially the largest and most pernicious class of risks they face ­ operational risks. At the cutting edge, however, banks are now developing methodologies to complete the risk-management triangle. Their ultimate aim is a capital allocation system that takes all risks into account.

The pat definition of operational risk is simply any risk of earnings volatility that is not market or credit related. In this sense it is the set of risks banks share with most other publicly-owned commercial organizations: product liability risk, the risk of fire and explosion, business interruption risk of any kind, image impairment risk, directors' liability, technology risk and so on. Traditionally, these risks fall into two classes ­ insurable and uninsurable. In general companies have simply paid the premium for things like business interruption and directors' liability, and tried to create internal controls and contingency plans to cope with risks the insurance industry would not touch.

More recently, industrial companies have been forced to look again at operational risk. First, there seems to be more of it. Legislation has become more onerous, government and supranational bodies such as the EU have become more demanding and customers generally more litigious. Second, changes in the cost and availability of insurance cover have highlighted the inadequacy of traditional insurance. Years of large claims have pushed premiums up; open-ended cover is difficult to find; exclusion clauses have become more widespread reducing the protection available; insurance pay-outs are typically slow, often involve litigation and do not cover the full cost of lost business; and insurance companies are beginning to insist on insurance audits. So companies have had to find other ways to eliminate risks or ways to evaluate them accurately in order to be able to self-insure. In one of the more public examples of this trend, UK oil giant BP decided that the cost of insuring itself against large catastrophes was more than its expected level of loss. It now insures against smaller more probable risks and self-insures the rest.

But why should banks be interested in the problems their commercial relatives face? The most obvious reason is that the operational risks both sectors share are huge. Operational risks, not the market risk that was superficially responsible, were at the root of the business losses of Barings, Bankers Trust and Daiwa Bank. And even businesses that take neither market nor credit risk ­ such as asset management ­ carry huge potential operational risks, as Deutsche Morgan Grenfell has discovered recently. The best way to assess these risks ­ to separate them from credit and market risk ­ is to look at companies who don't take any of the latter and so whose earnings volatility must be derived solely from operational and business risks.

Also, trends in the non-financial world have been mirrored in banking. Banks' customers have become more litigious, particularly in the derivatives and mutual fund sectors. Financial institutions are now heavily reliant on their technology and face huge consequential liabilities in the event of systems failure. The business of a large cross-border financial institution has become more complex and therefore more vulnerable. And the global payments systems that link these institutions could bring the entire financial system to a halt if even part of them failed. None of these risks is easily evaluated or cost-effectively insured and most aren't covered by the kinds of policies banks usually have: business interruption insurance (which covers physical causes such as storms); a bankers' blanket bond (which covers fraud and negligence); directors' and officers' liability; and so on.

Banks have also found that by themselves credit and market risk don't explain all the earnings volatility they experience and against which they want to allocate capital. Value-at-risk (VAR) and credit risk models tend to look only at principal risks. They do not cover the fee and commission income that is so important to banks these days. The earnings volatility risk attributable to, say, M&A advisory work is not a straightforward function of some observable market price. It is linked more closely to people and reputation ­ which are operational variables. An increasing proportion of this kind of income is earned from so-called structured or tailored products: the complexity and lack of standardization that add value also carry higher operational risk ­ legal, technological and in the back office. Only by understanding these risks, and perhaps allocating capital against them, can banks get a true picture of the value of these revenue streams. As one consultant asks pointedly: "Is it any accident that banks are now looking for growth in areas where they do not directly allocate capital and where risk is difficult to manage, rather than in basic trading and lending where businesses now have to pay their own way?"

It's also in banks' direct financial interest to get to grips with operational risk. The gap between most banks' total capital, and what their models say is required to cover market and credit risk, is very large. Any way of measuring how much of that cushion they need against the remaining risks ­ operational risks ­ offers the hope of discovering an excess. That excess can either be invested profitably in taking more credit or market risk, or be given back to grateful shareholders.

Measuring operational risk may even provide banks with a way to price a new and lucrative source of business. Bankers Trust and its subsidiary the WM Company have already taken over a number of technology-intensive back-office functions for large institutional investors such as Scottish Widows. The bank has also become back office to Abbey National's derivatives operations. Lee Barba, a Bankers Trust managing director in New York, predicts that outsourcing will become one of Banker Trust's largest businesses within the next five years.

Pricing the contracts that underlie these outsourcing ventures depends on being able to specify exactly the services offered and the responsibilities undertaken by each party. Among the many negotiating points: what error rates are acceptable in processing trades or in a global custody outsourcing? And who is responsible for losses incurred by errors? To price the contract the bank offering the outsourcing service must be able to monitor and measure these types of operational risk.

There are two main classes of operational risk ­ confusingly categorized as operations risk and business event risk. Consultants Coopers & Lybrand have produced a useful checklist (see chart, page 76).

Operations risk covers three main areas: transaction risk (processing and settlement risk of various kinds ­ the narrowest version of operational risk), operational control risk (the risk that individuals will break internal or external guidelines and cause losses) and technology systems risk (covering implementation errors, information input/output errors and system failures). These risks are, in general, easier to model and evaluate than business event risk.

Business event risk covers the much broader risks faced by most businesses in their day-to-day operations. These are legal risks, reputation risks, taxation risks, regulation risks and disaster risks. Some of these risks can be both internal and external. In the past they have been mitigated not by capital allocation but by strategic solutions such as better planning, investment in staff and customer care, and so on. These definitions are not fixed: every bank puts different risks into these two broad classes.

At Barclays, operational risk is defined as fraud, failures in controls and the like, while business risk is any other change in revenue that is not matched by a change in costs and thus creates earnings volatility or margin changes. Around 70% of the bank's earnings volatility is due to provisions; the remaining 30% is put down to business and operational risk.

The bank considers operational risk smaller than business risk because it is made up of a large number of very specific risks that (it believes) are not correlated and so tend to cancel each other out. Barclays allocates capital against both business and operational risks. However, quantifying large one-off operational risks is very difficult, which makes them poor candidates for capital allocation. Instead, Barclays believes they are best controlled by better management-and-control infrastructure or by insurance.

Philip Severs, deputy group operational risk director at Barclays, believes these narrowly-defined operational risks have increased, as banks' businesses and organization have changed, although they are not as significant as business risks. "The back office used to be a large number of small units. These functions are now often concentrated in a single processing centre. The impact of a particular event is therefore likely to be greater than before."

Bankers Trust prefers to focus on the major causes of business and operational risks, grouping them under five categories: customer relationships, human resources, technology, the physical environment and assets for which the bank is responsible, and lastly a catch-all, "other external", which includes regulatory risk, fraud and so on. Doug Hoffman, managing director at Bankers Trust, explains: "The main theme [in deriving operational risk categories] is that they are resource based and, like any company operating in a service sector, our major resource is our customer relationships, our people, our systems...having derived these risks from the resource classes, we looked at the functional areas [within the bank] that could be assigned responsibility for them".

So, risks related to personnel start in the human resources department. Risks that spring from problems in customer relationships can be laid at the door of relationship managers, technology risks with the head of information technology and so on.

Processing risks

In this arcane area, which some banks won't venture to quantify, transactions risk is a good starting point. Transaction errors tend to be reasonably frequent, they generate clear cut but small losses and they are recorded. This means that a statistically significant history of losses is sometimes available from which to make valid assumptions about the future. Each process can be broken down into a series of steps. At each step the error history can be used to generate a probability that a particular mistake will be made and the loss history can be used to generate an expected loss for each outcome; and finally a probability tree for the entire process can be constructed to produce a maximum expected loss for that process. Aggregate every process in a department, such as settlements, into a model like this and from the resulting probability tree an overall expected loss can be derived.

Unfortunately, even in back-office environments, loss histories and error databases are usually insufficient by themselves. Instead, methods from a half-forgotten science of the 1970s ­ known as operational research ­ are being resurrected. This is a high-tech version of the time-and-motion study and is more commonly used in industries where the processes being analyzed are purely physical. For example, aviation authorities model the likelihood of failure in any part of an aircraft engine and use the results to draw up regulations that govern how far from an emergency landing site single and twin-engined aircraft may fly. Using tested mean times between failures (MTBF) for each component and testing the effects on an engine of each failure is relatively straightforward for a purely physical process such as an aero engine. Barclays, in its operational risk management analysis, uses a system derived from the aviation model to aggregate mean times between human errors.

Nigel Webb, director of financial systems consulting at Andersen Consulting, has first hand experience of operational risk. He has worked for Drexel Burnham Lambert and Bankers Trust. He explains operational research as follows: "The aim is to approximate the risk characteristics of a particular event. It is not a statistical approach, it is an estimate of the time to failure of a process and then an estimate of how big the resulting loss is, based on how much cash is flowing through the system." The result is not based on statistically valid data sets; it is simply a consistent estimation technique.

But there are problems extending the technique to human processing systems even as narrowly defined as settlements. And even where process evaluation is possible, a number of banks have come to the conclusion that while operations risk may be measurable in areas like settlements, it costs too much to quantify and is not worth eradicating completely anyway.

Trade off

Sharon Larmour, managing director operations at CSFP in London, explains the dilemma: "You have to be careful in settlements that you make the right trade-off between the costs and disadvantages of putting in controls to take care of every eventuality, and the necessity of actually processing the trades you have to. This depends on the type of market you are in. In plain vanilla bond markets where you are working on a delivery-versus-payment basis you have to process a large number of almost identical trades. The main errors will incur the risk that you have to pay a day's interest, so it is an overnight funding risk. In OTC markets like derivatives or, say, in emerging markets debt where the trades are more individual, that overnight risk can become market risk or even the risk of losing the full principal amount. So you need preventative controls in OTC markets and, in more vanilla markets, you need detective controls which pick up errors accurately. But where the cost of preventing the error may be greater than the cost of allowing a certain level of that error to happen, you also have to ask: is it worth doing all the analysis required to quantify the risks or is it better to spend that money on having people understand the risks?"

Her boss, managing director and chief financial officer Chris Martin, is quick to point out that this is not an argument for sloppy settlements. Transaction processing is an area that needs constant monitoring and detective controls are only useful if your systems are already top-notch. CSFP has a lower regulatory capital level imposed on it by the Bank of England than some others, precisely because of the level of control it demonstrates in operational areas. "Acceptable error rates are judged in the light of your track record," says Larmour. "If you constantly make a particular kind or level of errors, then you correct."

She is sceptical of any claims to be able to measure even simple operations risk consistently. "The problem is the number of assumptions you have to make about even very concrete variables," she says. "For example we model capacity for planning purposes. But what if volumes suddenly treble? What if the product mix changes dramatically? And what about the fact that procedures constantly evolve? And what about the correlations between errors in one process with those in another? The maintenance for any model of the probability trees for expected losses of settlement processes would be incredible."

Despite this scepticism, settlements chiefs will increasingly have to be able to measure the residual risks they claim to be happy with, in order to quantify the costs of the error rates they believe acceptable and to measure how much more departments should be charged for complex one-off transactions than for plain vanilla. In transaction processing, operational risk management is definitely coming.

Non-processing risks

Banks that have struggled with the assessment of large, specific operational risks find their biggest problem is lack of data. "Fortunately we don't have enough experience of such losses," jokes Lawrence Dickinson, deputy corporate planning director, at UK clearer Barclays. So researchers have tended to try to plug the data gap by looking outside their own industry. At Bank of America, the Risk & Capital Allocation Analysis Group has spent the last five years developing the bank's economic capital models. Recently, the group has turned its attention to what it calls business risk, defined by director of risk analysis Ed Zaik as "a non-portfolio risk, the kind of risk you'd find in any type of business". Zaik started off by looking at businesses outside the bank and on a sectoral basis looked at the capital structures employed in each business type. "We looked at publicly-traded companies, gauged how closely they were related to our business or a part of our business, and then analyzed how they were capitalized."

How well did it work? "Not that good," says Zaik. "It was difficult to find peer play situations." For example, the bank looked at a number of retail businesses including fast food chains to find a match for its retail banking. In practice it proved difficult to get unit heads to agree with comparisons that likened their businesses to burger bars.

The next step was to focus instead on a set of eight or so key ratios (such as operating expenses to total expenses) as a way of comparing businesses and as a way of comparing individual business units with the whole bank. Business group heads were also asked to fill in surveys on the riskiness of their businesses. "The problem was that, with no benchmarks, everyone put down that they were a medium risk," says Zaik. Finally the bank came up with the methodology it uses today. "We look at the level of fixed costs and non-interest expenses, and set aside a percentage of that against operational risk," explains Zaik. "We take 25% of fixed costs and 50% of non-interest expenses, and multiply by a correlation factor that takes into account that risks [operational, market, credit] are connected. And we are doing work to refine the correlation analysis."

Selling job

This seemingly simplistic approach makes sense if you assume that historical levels of these costs incorporate any payouts for operational losses. In this way they are a reasonable proxy for future levels of operational risk capital requirements. It is also an easy sell to business heads. "Remember we have to sell this at the top level and then have business unit managers push these methods down," says Zaik. "Qualifying operational risk in individual units ­ in the number of geographies and markets we operate in ­ would be impossible. So we try to start off at the macro level, and help senior managers identify and measure risk that way."

Like Bank of America, Barclays decided that the best way to augment meagre internal databases was to look at non-financial companies as their earnings volatility is entirely due to business and operational risks. "We analyze our businesses, breaking them down into a set of activities. We then benchmark those activities against the relevant activities in the non-financial sector," explains Dickinson of Barclays. On this basis a capital allocation is made, expressed as a percentage of costs. Typically the allocation runs at between three and six months' costs.

These rudimentary methodologies are just a first step. They are based on historical proxies for operational risk rather than on any real operational risk data. They tend not to monitor operational risk actively and do not work well in fast-changing environments. And they cannot yet cope with the obvious correlations between operational risks: for example, that settlement failure can cause legal or reputational risk.

The other way to measure operational risk is to borrow from those who are expert at riding out rare but devastating losses: insurance companies.

Insurance is superficially similar to market and credit risk capital allocation in that it seeks to set aside cash against expected losses and to quantify those expected losses by statistical analysis. However, market risk deals with marketable positions whose values can constantly be ascertained and whose future values can be predicted as a function of volatilities.

Credit risk deals with losses from contracts and securities that can be valued either directly or by an accurate proxy, for which there is a large amount of public and internal data, and which are themselves correlated with each other and with economic conditions.

Insurance is concerned with events that are extremely rare, impossible to predict and that often have no bearing on each other. While value-at-risk and credit risk models tie themselves up in ever more complex statistical analysis based on volatility and correlation, insurance remains reliant upon the most basic assumptions of probability theory: lump together enough similar but unconnected events and you will begin to get a half-way decent sample. Derive a best guess margin of error around the mean. Then use that historical data and best guess to determine an expected level of losses. Finally set a premium that will cover all the losses plus your expenses and leave you with a profit.

However hit and miss that sounds ­ the myth of actuarial precision ­ it is essentially how any bank wishing to tackle operational risk management will have to proceed for the very low probability risks. The first thing they will need is a loss database bigger than one they can develop from internal records.

Bankers Trust (BT) appears to be the only bank that has grasped this nettle by investing heavily in an external database of operational loss events. "No firm has enough operational loss experience to be statistically relevant," says Hoffman. "So our database is far broader than Bankers Trust. It looks at all types of banks and corporations. And since we're interested in losses that are neither credit- nor market-related, most of the database is non-BT." Although the bank has been building the database actively for only two years it contains around 10 years of loss experience, mostly clustered in the last five years.

As loss events are captured they are examined for relevance. How much like BT is the corporation involved? How are the circumstances of the loss relevant to the businesses BT is in? Once these questions have been answered ­ somewhat subjectively ­ a weighting is given to each loss in the database.

The database gives BT the same starting point as an insurance company. Says Hoffman: "The huge investment that we have made in the database gives us statistical reliability to look at operational risk to the same 99% confidence level we use in the rest of our Raroc [risk-adjusted return on capital] model [99.73% of the values in a normal distribution fall within three standard deviations of the mean] although the tail [area of very high loss and low probability] is not as well populated as we would like." Unsurprisingly the potential losses shown up by BT's analysis are "large".

At present, the majority of the loss events recorded on the database are legal settlements, as these are the most public and transparent symptoms of operational risk. This skews the database towards risks related to problems in customer relationships that result in product liability suits, legal and medical malpractice suits and the like. Because of this, BT is having to reclassify its risk classes, being concerned that losses previously viewed as causal are in fact symptomatic. The broad definition "customer relationship", with the consequent finger of blame pointed at relationship managers, is too vague.

There are also notable holes in the data. Technology risk is one of the largest operational risks a bank faces, yet companies' reluctance to disclose anything about technology failures and losses creates an almost total blackout in this area.

Having arrived at their quantification of business and operational risk, banks must then decide what to do about it: tighten operational controls to minimize risk, buy insurance against it or allocate capital to it.

At Barclays, capital is allocated against business risks, which are continuous, but not one-off operational risks. "Operational risks are large and one-off. That does not make them very good candidates for capital allocation. Instead we focus on understanding and then measuring these risks," says Severs. "We then try to ensure a consistent and rigorous risk assessment process is applied worldwide and that appropriate management controls are in place."

BT allocates operational risk capital to all types of business and operational risk, though it is in the process of reclassifying these risks because of the problems of separating cause and effect. The number is broken down into three components: a core operational risk number; a surcharge based on an evaluation of controls within a business ­ poor controls means a higher surcharge; and an insurance-related discount.

The core operational number is derived from analysis of the exposure of a business to the database's broad classes of risk ­ technology, people, physical assets, relationships and to factors that intensify or mitigate these risks. So, for example, a department would be judged for its reliance on technology by comparing it with similar businesses in the loss database. The loss experience from the database as well as the department's own history of technology-related losses is then used to derive aggregate loss expectancies. To this would be added scores dependent on the department's perceived inherent riskiness, based on a proprietary business vulnerability index. This includes factors such as product complexity, where a business is in its life cycle (mature or new), the level of automation in a business, market share, documentation volumes, and the level of regulation and litigation associated with that business line.

The control surcharge penalizes businesses for poor internal audit ratings or for having been singled out for control problems by the firm's auditors. The insurance-related discount is a deduction that takes into account the banks' existing insurance policies.

While some bankers judge the exercise to be worthless, because it is so riddled with assumptions, Bankers Trust takes it very seriously. Capital is allocated on this basis and incentive schemes incorporate these capital allocations. Says Hoffman: "This system allows us to develop a capital attribution framework to quantify the operational and event risks of the firm; to create a risk management tool ­ an incentive for business lines to implement where appropriate tighter controls and reduce the risk of operational losses; to identify the operational/event risk dangers of a strategy and suggest invest/disinvest/divest decisions."

Insurance instead

Operational risk management seems so like insurance to some banks that they look for insurance cover instead of developing their own capital allocation systems. In the breathing space afforded by the insurance they can then decide whether to spend the money and time quantifying their risks more exactly or whether to keep paying the premium. A number of insurance companies are reportedly offering policies, though none was willing to discuss them. They are thought to be preoccupied with settlements and payments risks. Says one insurance broker: "Insurance against external payments failures has sort of existed for some time. Organizations such as Swift (Society for Worldwide Interbank Financial Communication) can insure themselves against liabilities arising from these failures and so can banks."

Banks cannot know how much to pay for these policies unless the risks have been evaluated. If they have, then unless insurance is significantly cheaper than an internal capital charge, why buy a policy? In theory banks should favour self-insurance over any off-the-shelf policy. Capital allocations based on a bank's own internal loss histories and position data should be more accurate than the more general picture used by insurance actuaries to calculate premiums.

Barclays is exploring the use of insurance. Says Dickinson: "If you don't wish to hold a large specific risk you may be able to take out insurance. This involves a cost but shares the risk with someone else. You also transfer the problem of calculating that risk correctly. The choice between insurance and capital involves a trade-off between the cost of the insurance and the cost of holding capital against that risk. Banks cannot yet insure against business risk but they can against some forms of operational risk."

Those working on capital allocations insist that insurance is a financing tool not a risk management tool. Says one consultant: "A business-by-business capital allocation system encourages line managers to think about risk and to reduce it where appropriate. Paying a flat premium and charging it as an overhead does not, because it breaks the link between that business group's behaviour and the costs of that behaviour."

This is a science in its earliest days. The insurance/self-insurance trade-off has not been worked out; the huge holes in available databases have not been plugged; no standard definitions or methodologies exist. So it's no surprise that no-one is yet tackling problems such as the correlation between market risk and operational risk, the link between increased operational risk and increased credit risk, and the multiple correlations between the operational risks themselves.

Some bankers may prefer not to play the numbers game to this extent because, they say, it chases symptoms not causes. In their view, legal risk is a symptom of some deeper failing ­ such as a deceitful product salesperson ­ not a cause. The risk of losing an entire trading team, in their book, is linked to staff turnover, which itself is related to levels of pay, training, management failings, culture and workload. But risk managers, now a powerful voice within firms, are constantly pressing for these questions to be weighed and quantified. Businesses that don't take credit and market risk must have capital allocated to them, and the earnings volatility risk that remains when credit and market risk have been stripped out is too large to ignore.

With regulators and rating agencies placing increasing importance on firmwide risk management and capital allocation, and with the issues raised by Barings, Daiwa and now DMG, the quest to quantify risk ever more finely will continue. *