Dr Chris Stalvies Director Cognitix Limited The Regulatory

Dr Chris Stalvies Director Cognitix Limited

The Regulatory Time Bomb redefining how people work with risk

Contents Ÿ Ÿ Ÿ Ÿ Ÿ Introduction The problem – examples Why it has become a regulatory hotspot Who is affected How they are affected When they will be affected What customers need to do Problems – data modelling Opportunities

About Cognitix Ÿ What we do – – Cognitix is a risk management and corporate governance company that helps organisations identify rapidly factors that can help predict success or failure. We supply Cognitix Quadrant the most powerful and flexible solution available to help financial services companies satisfy FSA and Basel II operational risk regulatory requirements

About Cognitix Ÿ Where we come from – The background of the founders is operational risk management in the financial services sectors combined with very strong in house development capabilities. We work with companies of all sizes Ÿ Where we are going – We will become the standard for operational risk management

About Cognitix Quadrant Ÿ Ÿ Ÿ Web technology based Multi tiered databases fits any hierarchy End to end risk management process XML output Rules based fuzzy logic engine incorporated Validates collaborative input to assess and predict high impact low frequency events Ÿ Very low integration costs

Cognitix philosophy Ÿ Cognitix Quadrant takes a Bayesian approach to the assessment of High Impact Events. Ÿ This is reinforced by standard statistical analysis so that reliable data is available for further manipulation or for input to risk management processes. Ÿ Application of rules based analysis and fuzzy logic profoundly augments the capabilities of the system in an uncertain environment.

What is Operational Risk Ÿ Risk Management Process – The proactive identification, analysis and control of those risks which threaten the assets or earning capacity of an enterprise (Institute of Risk Management) Ÿ Operational Risk – a relatively new classification – – The risk of direct of indirect loss resulting from inadequate or failed internal processes, people and systems or from external events Traditional banking risks such as Credit and Trading risks do not form part of this Framework. Strategic risk and reputational risk are specifically excluded. Ÿ Measurement or Assessment?

What is happening? Ÿ Regulators all around the world are imposing new regulations on banks and insurance firms to make sure they – – Ÿ Ÿ Can demonstrate they know how to manage operational risks Put aside enough capital to cope with operational risks Deadlines have been set Many firms have not woken up to this need Many thousands of companies are affected Thousands of small intermediaries are not going to make it

Why is it happening Ÿ Major losses and failure in the corporate world over the past years have forced regulators globally to take action to protect the financial system

A few examples Ÿ Ÿ Ÿ Polly Peck Schneider Tyco Atlantic Computers World Com Maxwell BCCI Standard Chartered Bombay Bankers Trust/PG ABN AMRO Chiasso Nat. West Markets Ÿ Ÿ Ÿ Ÿ Ÿ Kidder Peabody Daiwa Bank Metallgesellschhaft Barings Barlow Clowes Pensions mis selling Lloyds re insurance spiral Morgan Grenfell Jardine Fleming Levitt

The Vicious Circle Failure of controls Individual idiosyncrasies Unsustainable product False accounting Overstated security values Fraud

The Vicious Circle - 2 Failure of controls Bankers Trust/PG Kidder Pensions mis-selling Barlow Clowes Metallgesellschaft Individual Unsustainable Barings idiosyncrasies Daiwa product Lloyds Maxwell Levitt Facia Polly Peck Jardine Fleming Atlantic Morgan Grenfell Standard Chartered Computers ABN-AMRO False accounting Wallace Smith Fraud Schneider Nat. West Markets Overstated security values

What is being done about it Ÿ Across the world regulators have intervened e. g. – Basel Committee on Banking Supervision – FSA – CAD 3 – Higgs – Turnbull – Sarbane Oxley – MAS – King Report

The pressure is from……. Operational Risk Ÿ Basel II – – requires all financial institutions to be able to demonstrate that they are maintaining adequate capital to support their operational risks CP 3 Ÿ CAD 3 Ÿ FSA – – CP 142 – applies to both banks and insurance firms equally CP 178 – Lloyds Corporate Governance Ÿ Higgs Ÿ Turnbull Ÿ Sarbanes Oxley Ÿ Institutional Investors

Why is it a hot topic now? Ÿ Regulators globally have been forced to take action to protect the financial system Ÿ The most common cause of loss has been “ Operational” (reminder people, processes and systems and external events) Ÿ Territorial regulators give this the force of law e. g. CAD 3, FSA Ÿ Companies must: – – Have adequate systems in place to be able to manage the risks Have sufficient capital put aside to cover them in the event of these types of loss happening

When is it going to happen Ÿ Global – 2007 but with 3 or 4 years data Ÿ European – Expected Oct 03 for enforcement Ÿ UK – FSA regulated Banks and Insurance Firms – – 2003 FSA publishes final policy for operational risk management systems and controls 2003/4 One year for firms to prepare for implementation of operational risk management systems and controls policy 2004 Operational risk management systems and controls policy takes effect Insurance registration must be completed by 15/1/2005 or drop dead

What needs to be done Ÿ Guidance from Basel Ÿ Guidance from the FSA

Guidance from Basel Likely to become best practice in all sectors Sound Practices paper Basel Committee Feb. 2003 1. The Board exercises oversight responsibility 2. The Board ensures a complete internal audit of ORM but the internal audit function should not be directly responsible for operational risk management 3. Senior management implements the programme 4. Management identifies and assesses OR inherent in all activities 5. Management monitors OR profiles

Basel Sound practices 6. Management creates control policies, processes and procedures 7. Management creates contingency and business continuity plans 8. Bank supervisors require all banks to have an effective framework 9. Supervisors independently evaluate bank practices 10. Banks should make sufficient public disclosure of OR approaches

Guidance from FSA Ÿ The firm will need to document its policy for managing operational risk – its strategy and objectives and the processes that it adopts to achieve; – – Analysis of the firm’s risk profile Which risks are to be accepted How it intends to identify, assess, monitor and control the risks, with an overview of the people, processes and systems to be used Where information is used internally for capital allocation purposes, how that exercise is undertaken.

What the FSA expects to see Ÿ Monthly Operational Risk Pack Ÿ A Risk Map that assesses high frequency losses and low frequency/high impact exposures Ÿ Analysis of the effectiveness of existing controls with action plans for risk reduction Ÿ Improvements made to risk positions through activation of risk controls or improved effectiveness of existing controls Ÿ Aggregate risk accumulations – by actual costs of risk or expected low frequency/high impact exposures

Solutions typical definition of requirements The ability to: Ÿ create risk profiles, not just loss data modelling Ÿ document the controls Ÿ capture loss data Ÿ create action plans with responsibilities and accountability clearly shown Ÿ manipulate data into reports Ÿ flag alerts to the Board by email Ÿ self certification procedures and scenario planning capability Ÿ develop key risk indicators Ÿ Sarbanes Oxley capability (corporate governance) Ÿ Integrate validated external loss databases.

Problems Ÿ Data – – Quality Availability Ÿ Data Models – Based on traditional requirements Ÿ People – Don’t always tell what they know Ÿ Culture/Corporate Governance – Senior management responsibility Ÿ Organisational Change – Need to start with a framework

Opportunities Ÿ Huge new market, wider than just financial services Ÿ Regulatory pressure to buy Ÿ Risk management solutions can be added to any other service Ÿ Genuinely new market with regulatory drivers Ÿ Cognitix Quadrant is different – – – risk analytic models adapted from credit or trading environments are not adequate to deal with the totally different requirements of operational risk assessments. The real value is that it is able to help to predict what might happen, where data is too limited to be statistically modelled by traditional stochastic methods. We provide full support ranging framework design to technical implementation

“Cognitix is the most radical, high impact and cost effective approach available for risk and governance”

© Cognitix Limited 2003 To share opportunities with us please contact chris. stalvies@cognitixglobal. com +44 (0)7980 734875

D E M O N S T R A T I O N Overview of Quadrant

Notes Ÿ This slideshow features Quadrant, showing how the entire risk management process is addressed including: 1. Identification 2. Assessment/Measurement 3. Control Ÿ Only selected parts of the full functionality of Quadrant are shown in the interests of brevity

Contents Ÿ This is a Bank example, for illustration only. 1. Access Sign on screen for multilevel access 2. Responding Respondent screens with and without costing 3. Viewing Client view – hierarchical – select data to view Viewing risk factors – apply weightings – hide non relevant Viewing data outputs – Boston chart example Viewing data outputs – Bar chart example Viewing details – sorting – raising Issues 4. Managing Issues 5. Event logging 6. Applying Risk Appetites

Access to all functions is through this sign on screen The top bar can be changed to reflect Partners own branding From this single screen you have seven levels of access 1. 2. 3. 4. 5. 6. 7. Super Administrator Consultant Client Respondent Manager Resource

This is the first and only screen most users see – they just choose a category and select the appropriate radio button on the range There is no limit on the number or location of respondents Instructions can be provided at any level of detail Include qualitative data for richness Scales are non numeric here, and can be tailored

Users with more in depth knowledge are asked to provide more information about the maximum cost of the risk if it happens, the cost of countermeasures and frequency The first run produces a risk map, the second one is for controls assessment using “Implementation” and “Effectiveness” as measures

Risk assessment questions are structured by Client, and can be viewed hierarchically Questions can be analysed at several levels including scorecards The data can be analysed at any level by clicking this button View risks weighted and un-weighted For each Client the risk questions are organised into Categories

Each question and/or category can be weighted on each scale and can be hidden from selected users if desired Respondents only answer questions relevant to themselves

Data can be viewed in other formats The Boston chart is a simple but effective display of risks ranked by priority. Increasing levels of granularity can be displayed x 2 to x 64 Hover the mouse over a star and details appear – click to drill down for more detail Resize for a better view

Another display is the Bar Chart Colour coding for instant impact Risk scores for individual criteria Risk scores combined

In this view data can be displayed in a number of ways, including the standard deviation of responses, raise Issues and Actions and sort the columns Sort by risk colour code Drill down

Risks can be easily escalated to Issues with action plans, and managers and resources set tasks to mitigate the risks. Tasks are monitored for completion status

Events can be logged and actions assigned This one button produces a consolidated report for FSA Operational Risk compliance Any number of risks can be related to an event

Formulae can be applied to each scale to reflect the risk appetite Risks can be viewed as “appetised” or “un appetised”

© Cognitix Limited 2003 chris. stalvies@cognitixglobal. com “Cognitix is the most radical, high impact and cost effective approach available for risk and governance”