Presentation on theme: "Content Brief Introduction 1990’s – what was risk management?"— Presentation transcript:
1Operational Risk Management 1990’s to today Invesco Perpetual Gaelle De Sola Head of Risk
2Content Brief Introduction 1990’s – what was risk management? The birth of Operational Risk2000’s – evolution of riskThe death of Lehman Brothers2010’s – introduction of a new type of riskMy current role
4Brief IntroductionGraduated Warwick University 1997 BA hons Economics & PoliticsSummer internship with Ernst & Young 1996 which led to full time contract from 1997 to work in Risk Consultancy untilAug 2002 – Dec 2003: F&C, Senior Risk ManagerDec 2003 – Jan 2010: Jupiter, Head of Operational RiskJan 2010 – Sep 2011: Threadneedle, Head of Operational RiskSep 2011 – today: Invesco, Senior Risk Officer EMEA
5Brief Introduction to Invesco Investment management specialist; Equity, Fixed Income & Money Market, Balanced and AlternativeInvesco has $786.5bn AuMInvesco EMEA has $164.7bn AuMPresence in 20 countries with over 750 investment professionalsMore than 6,000 employeesMore than 1,300 employees in EMEA
7Basel: Cornerstone of Risk Management Basel I established in 1988Applied good practice to Internationally active BanksObjective to ensure banks held enough capital to cover risksRisk types covered:Credit Risk – Focus on risk-weighting of assets for determining capitalMarket Risk - VaR
9How it all started…. Barrings collapse in 1995 Losses of £827m Twice the banks trading capital was lost
10Industry ReactionBasel II was issued by Basel Committee on Banking Supervision (BCBS)BCBS set up by the governors of the central banks of the G10 countries ( IMF member plus Germany and Sweden)Basel II introduced Operational Risk for the first time in an attempt to increase the amount of capital banks heldShortly after, CRD was introduced across the EU and the ICAAP was bornSet up by internationally active banksRecognition that control failures such as in Barings therefore required capital as protectionIrony that Barrings could never have held the amount lost
11Basel II Banking focus (Asset Management went live 2006) One document ICAAP (Internal Capital Adequacy Assessment Process) to be updated annually or more often if neededDocument has 4 key componentsSection NameContentPillar 1: Minimum capitalHigher of FOR or, Market + Credit RiskPillar 2: Risk TypesOperational, Market, Credit, Business, Residual, Insurance, Pension, LiquidityPillar 2: Wind DownHow much will it cost to wind down the business in an orderly mannerPillar 3: DisclosureShort public disclosure outlining a number of limited information
12Operational Risk Quantification Basic: alpha 15% of ave. annual gross income over 3yrsStandard: beta (from 8% to 12%) of ave. annual gross income over 3yrsAdvanced Approach: modellingScenario basedLooking at internal and external lossesClear assumptionsInternal controlsThis led to the belief that banks could now withstand a capital hit in relation to operational control failuresMove from Basic to Standard included a requirement to introduce good risk management governance and processes
13Experience at the Coal Face : Ernst & YoungWorking on PIA fine for Liverpool Victoria, largest fine ever seen at just under £1mExtrapolating Basel II and how it could be changed into a methodologyBayesian belief modellingAll companies increasingly investing in Risk Management;some had been doing it for a long time eg Shell OilMontecarlo simulations on the speed of components impacting profitssome newer eg Time WarnerRisk based internal audits
15How it continued…. Top 3 noughties frauds valued at $22.31bn John Rusnak Allied Irish Bank rogue trading fraud 2002Peter Young Morgan Grenfell rogue trading fraud 1997Did what Leason did...How to get a sex change linked to risk...
16Risk Management Process In the noughties, all financial institutions in the EU region were quantifying operational riskApplication of Basel II started with banks and insurers and then Asset management firms and brokerages‘Size and Complexity’ determined firms approachesRisk management as a subject and department started to grow and styles of approaches began to appear
18Risk Management Requirements: 1 Risk appetite statement:‘How much risk a firm is prepared to accept’Implies quantificationImplies a limitImplies that it applies to everythingHow can risks be quantifiedWhat does a threshold mean? We stop doing something?Can all risks be quantified?When will this be actually used?
19Risk Management Requirements: 2 2. Risk assessment process:Assessment of impact and likelihoodIdentifyAssessManageMonitorHigh medium lowScale 1-5 etcProbable, improbablyNext 3 monthsFREQUENCY – how does this factor in and
20Risk Management Requirements: 2 2. Risk assessment process: DefinitionsWhat is an operational risk?An possible event that has a negative impact on the business achieving its objectiveWhere are risks?Whenever an activity occursWhenever an activity fails to occur as expected ie control is not designed or does not perform as expectedControls would not exist without risk, if they do, then it’s because we either think it’s helping but isn’t, or we enjoy doing it.
21Risk Management Requirements: 2 2. Risk assessment process:Assessment of impact and likelihoodA. Identify risksMap processesWorkshop/InterviewsWhat has happened in the past?Identify objectives and anything that could stop the objectives occurring
22Risk Management Requirements: 2 2. Risk assessment process:Assessment of impact and likelihoodA. IdentifyB. AssessHow do you determined impact?How do you determine likelihood?High medium lowScale 1-5 etcProbable, improbablyNext 3 monthsFREQUENCY – how does this factor in and
23Risk Management Requirements: 2 2. Risk assessment process:Assessment of impact and likelihoodA. IdentifyB. Assess: ChallengesScalabilityAmalgamating RisksAccumulationSmall departments assessing risks alongside large departmentsSame risk across multiple locations – 1 big risk or lots of little ones?Sum all the risks together? How does this work with likelihood?
24Risk Management Requirements: 2 2. Risk assessment process:Assessment of impact and likelihoodA. IdentifyB. AssessC. ManageAre you happy with the level of risk?If not, what controls are you going to improve?Preventative vs detective
25Risk Management Requirements: 2 2. Risk assessment process:Assessment of impact and likelihoodIdentifyAssessManageMonitorHow regular?Reporting – to whom and to do what?
26Risk Management Requirements: 3 3. KRI’sMetric to show if a risk is about to occurForwards lookingChanges in time with the businessIndicator for a risk must have links to controlsData challenges
27Risk Management Requirements: 4 4. Error ManagementLogging of incidents where processes do not operate as they shouldHow to we define the universe of errorsTimelinessReporting – moving sands?How are errors identified?How do we know we have them all?Some firms gather incidents only over a financial threshold, what about near misses…When thinking about the use of external data that needs to be used for modelling operational risk, this starts to become very difficult
28Risk Management Requirements: 5 5. Risk TechnologyRisk Universe of data needs to be housedNo 1 perfect systemMassive investment in time and moneyOngoing performance is always a struggle
29Risk Management Requirements: 6 6. Risk GovernanceThe risk culture of an organisationRisk languageRisk committeesRisk ownershipConsciously owning a risk and being empowered to manage it, if not, adequate escalation to the right groups that instigate action if required
30Risk Management Requirements: 6 6. Risk GovernanceThe risk culture of an organisationRisk languageRisk committeesRisk ownershipDoesn’t matter what processes or systems you have in place, if the people don’t care, it won’t work.Consciously owning a risk and being empowered to manage it, if not, adequate escalation to the right groups that instigate action if required
31Risk Management Departments: Industry Activity Centralised vs decentralised departmentsRisk System industry explodedRegulator putting risk reviews at the top of their ARROW visitsAn entire profession established itselfModelling was rife, big black box and one capital number
32Operational Risk Scenarios Some examples for Asset Management firmsScenarioCapitalLoss of key FMNoTrading errorYesThird party failureYes?Data protection breachIT system failureMarket downturnIncorrect marketing literature
33Experience at the Coal Face : F&C, Jupiter and ThreadneedleSet up Risk Departments for F&C and JupiterManaged relationship with the regulator from a Risk perspectiveUsed a variety of risk systemsStarted to identify risk vs peopleDoes probability matter?If the culture of an organisation is negative, then that in itself is the biggest risk …
35Has risk management helped? Lehmans collapse in 2008Rogue traders carry on...Surely, firms are holding capital so there’s no problem..?
36Reaction Regulatory response EU regulation pushes limits on fund managementIncreased requirements on ensuring modelling is properly understoodContinue to push capital regulations:Basel IIICRD 2 and 3Solvency IIICAAP introduces reverse stress testingBoards and CEO needs to understand how the model works – pushing industry to simplify
37Reverse stress testing defined ‘The point at which the business needs to change its business model in order to survive.’Traditional Stress TestingDetermine Scenario Identify OutcomeReverse Stress TestingDetermine Outcome Identify Scenario
38Reaction Industry response Model simplification in banking Increased risk training everywhereEstablishing parameters on fund behaviours for Asset ManagementEver increasing investment in risk functionsBUT!
39Application of regulation across Financial Services What‘s the link?Fundamental differences between asset management and investment bankingAsset management only invest client money that have strict rules attachedNo trading on our own accountAll investment banks
41New Type of Risk FCA are now focused on behaviour Previous guidance has been broadened forcing firms to focus on the customer outcomeThe umbrella terminology is ‚Conduct Risk‘Conduct Risk = Risk CultureThe objective is to ensure that in everything that we do, we always put our clients firstAll investment banks
42Our Business Principle We are passionate about our clients success We earn trust by acting with integrity People are the foundation of our success Working together, we achieve more We believe in the continuous pursuit of performance excellenceAll investment banks
44Independent risk function Invesco UK Audit & Risk CommitteeInvesco Corporate Risk Management CommitteeCEO EMEAMark ArmourSupport / EMEA KRIs Sheila FerrisDotted Reporting LineHead of Risk Gaelle de SolaGPMR Risk MeasurementLondonHead of Operational RiskAlison FreedmanHead of Operational Risk SystemsStuart KilpatrickHead of Risk GovernanceMarie-Helene BoulangerActing Head of Investment RiskRoss HibberdHead of Investment Risk AdvisoryAbhi ChatterjeeSenior Risk AnalystJonny TaylorOp Risk Team LeaderVikki FyrthRisk AnalystAudrey BarisienSenior Risk AnalystA AnotherAlternative Risk ManagerAlessandro GaravagliaRisk AnalystDilek UluRisk AnalystChristopher NorthOp Risk AnalystVivien FoertzOp Risk AnalystSarah FranklinInvestment 20:20Rob LorickLuxembourgHenley
45Independent Risk Function Investment Risk Team:Independently identify, monitor, quantify and assess all investment-related risks within and across products, including proposed new products.Communicate/heighten awareness and escalate identified risks/risk factors –through the quarterly “risk challenge” sessions with individual fund managers (and where required more frequently).Prepare related monthly/quarterly MI and reports (including input for board packs), e.g. on derivatives exposure or highlights from fund management risk meetings.Oversee derivatives risk managementOversee outsourced risk systems, models and analytics, and any related outsourcing arrangements
46Independent Risk Function Risk Governance Team:Risk Management Policies: Produce and maintain all Risk Management Policies in coordination with the input of relevant stakeholders.Requests for Proposals: Centralise and/or produce responses related to portfolio risks aspects of Invesco funds.Risk Profile & Limit System (RPLS) packs: Produce RPLS packs to support the Investment Risk team in conducting their “risk challenge” sessions with fund managers.Portfolio risk monitoring: Monitor portfolio risk limits (regulatory and internal). If a risk limit breach is genuine, then the case is passed over to the Investment Risk team for escalation and discussion with fund managers.Evaluate risk disclosures and consult with Legal and Compliance to see that issues are appropriately addressedPrepare quarterly report to the Boards responsible for our fund ranges on compliance with the Risk Profile & Limit System
47Independent Risk Function Operational Risk TeamFacilitate and coordinate quarterly risk self-assessment (RSA) process and independently challenge the RSAs completed by each business function on BWise. BWise is the operational risk management system used within EMEA that was implemented in 2011.Actively manage and administrate the Risk Management module of BWiseProvide Operational Risk information for Capital Requirements Directive purposes i.e. ICAAP, ICA, MaRisk; including quantified aggregated inherent impact exposures and viable stress test scenarios.Prepare quarterly MI and reports (including input for board packs) on operational risks for the EMEA Risk Management Committees.Manage the end to end incident reporting structure and reporting