IMT 556 Information and Operational Risk Winter 2015

IMT 556 Information and Operational Risk Winter 2015 Annie Searle

In General
• Office hours are Thursdays from 4:30-5:20 pm in MGH Commons or by appointment off campus
• Please review syllabus carefully for policies on
  • Academic Integrity and Proper Citations
  • Copyright
  • Privacy
  • Schedule and Assignments
• All assignments are submitted from Canvas. Any announcements and discussions can also be handled from Canvas. Please feel free to post interesting articles that you run across that might be relevant to the “Discussions” section of Canvas.
• If you’re ill, please let me know and stay at home if you can…or sit away from other students if a cough is still present.

My Background
• 15 years President & CEO of Delphi Computers & Peripherals
• 10 years at Washington Mutual -- from enterprise architect to divisional executive reporting to both Chief Information Officer and Chief Risk Officer, with oversight for enterprise operational risk services.
• Author of one book for general public and publisher of two volumes in the Reflections on Risk series for operational risk executives and managers.
• Currently working on a book called Executives and Risk: What Your Teams Don’t Tell You, and the book research informs our discussions.
• I choose one news article daily to comment on “Annie’s Take” at www.anniesearle.com that feeds into my Twitter, LinkedIn and Facebook Business pages.

My Expectations
• That you will be present and participate actively.
• That you’ll monitor the world over the next 10 weeks and share examples of operational risk you see.
• That your papers will not simply be an assemblage of research you have done, but will include your own conclusions and recommendations as well.
• That your final written presentation will be of such quality and so polished that it could be published.

Class Format
As envisioned, each class will consist of three parts:
• Guest Lecture — please see list of speakers and familiarize yourself with their backgrounds and have a question or two ready. (60 minutes)
• 10 Minute Break
• Two student presentations each week, with an opportunity in Week #1 to select the week and topic you wish to present. (40 minutes)
• 10 Minute Break
• Lecture/discussion with Annie, moving between principles of operational risk management and analyses of real world cases. (70 minutes)

Presentation Topic Areas
❖ Week 2 (January 15) Risk Exposure Scenarios
❖ Week 3 (January 22) Risk and Uncertainty
❖ Week 4 (January 29) Risk Policies & Procedures
❖ Week 5 (February 5) People & Risk
❖ Week 6 (February 19) Process & Risk
❖ Week 8 (February 26) Systems & Risk
❖ Week 9 (March 5) External Events & Risk
❖ Week 10 (March 12) Final Presentations

Readings
❖ Please do all the readings for the week before you come to class.
❖ Abkowitz's historical case studies provide useful background for our discussions, and illustrate the types of operational risk. Girling’s book is aimed at the financial sector, but is still the best thought-out primer on operational risk. I may post additional news stories to Canvas as we go.

What is Risk?
“The effect of uncertainty on objectives.” (ISO)
Risks can be positive or negative events, actions, threats, gaps or variability that create uncertainty for objectives. Risk management is the architecture for managing risks. The risk management process is the active use of the architecture.

Operational Risk Definition
❖ Operational risk is defined by the Basel financial consortium as “the potential for financial loss through the intersection of people, failed processes, systems or external events.”
❖ The first mandate for leaders to adopt sound risk management and disclosure practices to shareholders came after the Enron and WorldCom debacles, via the Sarbanes-Oxley Act in 2002.

Managing Risk
❖ Tolerate
❖ Treat
❖ Transfer
❖ Terminate
❖ Take Advantage

Enterprise = Risk to strategic objectives or multiple levels.
Program = Group of related strategic projects managed together to obtain benefits and control. (PMI)
Project = Specific to individual projects.
Activity = Coordinated, ongoing actions that support programs or projects.
Risk lies in stratified levels inside a company.

This is the ISO framework from 2009.

Most critical infrastructure sectors use this model. Risk management as an enabler.
[Diagram: Strategic Objectives; Risk Management; Asset Management; Performance Management]

Girling starts with Basel definition
• What do we mean by operational risk?
  – Operational risk management had been defined in the past as:
    • All risk that is not captured in market and credit risk management programs.
  – The Basel II definition of operational risk is:
    • Operational risk is defined as the risk of loss resulting from inadequate or failed processes, people, and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.
      » S 644, International Convergence of Capital Measurement and Capital Standards: A Revised Framework, Bank for International Settlements (2004)

Deconstructing the Definition
• There must be a risk of loss.
• Caused by:
  (1) Inadequate or failed processes
  (2) Inadequate or failed people
  (3) Inadequate or failed systems
  (4) External events

Recent Examples of Operational Risk in the Headlines
• Fraud (Madoff, Stanford)
• Unauthorized trading (Société Générale and UBS)
• Insider trading (Raj Rajaratnam, Nomura, SAC Capital)
• Technological failings (Knight Capital, Nasdaq Facebook IPO, anonymous cyber-attacks)
• Weather catastrophes (hurricanes, tsunamis, earthquakes, terrorist attacks)

Basel II
• International Convergence of Capital Measurement and Capital Standards: A Revised Framework
  – Published by the Bank for International Settlements in Europe in 2004.
• New risk rules for internationally active financial institutions that wished to continue to do business in Europe. The rules:
  – Included enhanced requirements for management and capital measurement of market and credit risk.
  – Introduced a new capital requirement for operational risk.
  – Laid out new qualitative requirements for operational risk management.

Legal Risk
• “Legal risk includes, but is not limited to, exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements.”
  – Footnote 90, Basel II

Exclusions
• “This definition includes legal risk, but excludes strategic and reputational risk.”
  – S 644

How Banks Define It
• Operational risk is the risk of loss resulting from inadequate or failed processes or systems, human factors, or external events.
  – JPMorgan Chase & Co., Annual Report, 2008, p. 117
• Operational risk is the potential for failure (including the legal component) in relation to employees, contractual specifications and documentation, technology, infrastructure and disasters, external influences, and customer relationships. Operational risk excludes business and reputational risk.
  – Deutsche Bank Financial Report, 2011, p. 110
• Operational risk is the risk of loss resulting from inadequate or failed internal processes, systems, or human factors, or from external events. It includes the reputation and franchise risk associated with business practices or market conduct in which Citi is involved.
  – Citi Annual Report, 2011, p. 106

Five Key Regulatory Requirements
1. Identifying operational risks
2. Assessing the size of operational risks
3. Monitoring and controlling operational risks
4. Mitigating operational risks
5. Calculating capital to protect from operational risk losses

Seven Categories of Operational Risk
• Internal Fraud – Losses due to acts of a type intended to defraud, misappropriate property, or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involves at least one internal party.
• External Fraud – Losses due to acts of a type intended to defraud, misappropriate property, or circumvent the law, by a third party.
• Employment Practices and Workplace Safety – Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity/discrimination events.
• Clients, Products, and Business Practices – Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.
• Damage to Physical Assets – Losses arising from loss or damage to physical assets from natural disaster or other events.
• Business Disruption and System Failures – Losses arising from disruption of business or system failures.
• Execution, Delivery, and Process Management – Losses from failed transaction processing or process management, from relations with trade counterparties and vendors.
• Annex 9, International Convergence of Capital Measurement and Capital Standards: A Revised Framework, Bank for International Settlements (2004)

Operational Risk Compared to Market and Credit Risk
• Similarities
  – Should be actively managed because failure to do so can result in a misstatement of an institution’s risk profile and expose it to significant losses.
• Differences
  – Not directly taken in return for an expected reward.
  – Exists in the natural course of corporate activity.

Drivers of Operational Risk Management
• Three main sources:
  – Regulators
  – Senior management
    • Be fully informed of the risks that face the firm, including operational risk exposures.
    • Avoid bad surprises.
    • Make strategic business decisions fully informed of the operational risk implications.
  – Third parties
    • Ratings agencies, investors, and research analysts.
    • Often ask for evidence that:
      – An effective operational risk framework is in place.
      – Sufficient capital is being held to protect a firm from a catastrophic operational risk event.

The Bank of International Settlements (BIS)
• Headquartered in Basel, Switzerland.
• Established in 1930.
• Mission
  – BIS is an international organization that fosters international monetary and financial cooperation and serves as a bank for central banks.
  – The BIS fulfills this mandate by acting as:
    • A forum to promote discussion and policy analysis among central banks and within the international financial community.
    • A center for economic and monetary research.
    • A prime counterparty for central banks in their financial transactions.
    • Agent or trustee in connection with international financial operations.

27 BIS Participants
• Central bank and lead financial regulatory representatives from:
  – Algeria, Argentina, Australia, Austria, Belgium, Bosnia and Herzegovina, Brazil, Bulgaria, Canada, Chile, China, Croatia, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hong Kong SAR, Hungary, Iceland, India, Indonesia, Ireland, Israel, Italy, Japan, Korea, Latvia, Lithuania, Macedonia (FYR), Malaysia, Mexico, the Netherlands, New Zealand, Norway, the Philippines, Poland, Portugal, Romania, Russia, Saudi Arabia, Serbia, Singapore, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Thailand, Turkey, the United Kingdom, and the United States, plus the European Central Bank.

Basel Accords
• BIS Basel Committee on Banking Supervision published the Basel Capital Accords
  – 1988 Basel I
    • International Convergence of Capital Measurement and Capital Standards. Bank of International Settlements:
      – To provide a framework for the consistent and appropriate regulation of capital adequacy and risk management in internationally active banks.
• 2004 Basel II
  – International Convergence of Capital Measurement and Capital Standards, A Revised Framework
• Basel Committee has four subcommittees:
  – The Standards Implementation Group
  – The Policy Development Group
  – The Accounting Task Force
  – The Basel Consultative Group
• Each also has its own subcommittees and working groups.

The Rules of the Accords: Basel I
• Adopted by the G10 nations.
• Aim:
  – “Secure international convergence of supervisory regulations governing the capital adequacy of international banks.”
  – Safety and soundness standard:
    • That would protect banks from insolvency and
    • The minimum capital requirements provided a standard below which regulators would not permit a bank to continue to conduct business.
• Four “pillars” (Balin, 2008)
  – The Constituents of Capital
  – The Risk Weights
    • 0%, 10%, 20%, 50% and 100%
  – A Target Standard Ratio
    • 8% risk weighted assets (RWA)
    • Covered by Tier 1 and Tier 2 capital reserves
  – Transitional and Implementing Agreements

Problems with Basel I
• Basel I did not adequately capture the risks of the increasingly complex and changing financial markets.
• Banks were able to “game” the system by:
  – Moving assets off balance sheet.
  – Manipulating their portfolios to minimize their required capital, while not necessarily minimizing their actual risk exposure.

Basel II
• Basel Committee proposed a revised Capital Adequacy Framework in June 1999.
  – Three pillars:
    • Pillar 1: Minimum capital requirements
    • Pillar 2: Supervisory review process
    • Pillar 3: Market discipline

The Basel II Framework
• “Describes a more comprehensive measure and minimum standard for capital adequacy that national supervisory authorities are now working to implement through domestic rule-making and adoption procedures.
• It seeks to improve on the existing rules by aligning regulatory capital requirements more closely to the underlying risks that banks face.
• In addition, the Basel II Framework is intended to promote a more forward-looking approach to capital supervision, one that encourages banks to identify the risks they may face, today and in the future, and to develop or improve their ability to manage those risks.
• As a result, it is intended to be more flexible and better able to evolve with advances in markets and risk management practices.”

Basel II Major Changes
• Pillar 1
  – New capital adequacy rules
    • Must hold capital for assets in the holding company, so as to prevent banks from avoiding capital by moving assets around within its corporate structure.
    • A bank must hold capital reserves of at least 8% of their total credit, market, and operational risk weighted assets.
  – Credit risk
    • Three possible approaches to calculating credit risk:
      – Standardized approach
      – Foundation Internal Ratings Based (IRB) approach
      – Advanced IRB approach
  – Market risk
    • Value at risk (VaR) approach
  – Operational risk
    • New category of risk

Basel II Operational Risk
• Pillar 1 offers three possible methods to calculate capital for operational risk:
  – Basic Indicator Approach (BIA)
  – The Standardized Approach (TSA)
  – Advanced Measurement Approach (AMA)

Basel II Pillar 2
• “This section discusses the key principles of
  – supervisory review,
  – risk management guidance and
  – supervisory transparency and accountability
  produced by the Committee with respect to banking risks, including guidance relating to, among other things,
  • the treatment of interest rate risk in the banking book,
  • credit risk (stress testing, definition of default, residual risk, and credit concentration risk),
  • operational risk,
  • enhanced cross-border communication and cooperation, and
  • securitization.”

Basel II Pillar 3
• Provides methods for disclosure of risk management practices and capital calculation methods to the public.
• The purpose of Pillar 3 is to:
  – Increase transparency.
  – Allow investors and shareholders a view into the inner risk practices of the bank.

Adoption of Basel II
• In the European Union
  – Codified through the European Parliament Capital Requirements Directive
    • Required member states to enact appropriate local regulations by January 1st, 2007 with advanced approaches available by January 1, 2008.
• In the United States
  – Originally applied to only a handful of banks under SEC rules.
  – July 20, 2008, the Federal Reserve, OCC, OTS, and FDIC agreed on mandatory Basel II rules for large banks, and opt-in provisions for noncore banks.
    • The new standards were to be transitioned into over a parallel run period, with Basel I–based capital floors being set for the first three years.
    • Pillar 2 guidance December 7, 2007, provided for an Internal Capital Adequacy Assessment Process (ICAAP).
    • The final rules were published in the Federal Register, mostly through amendments to Title 12.

Basel III
• The impact of the financial crisis
  – Had Basel II failed?
• Christopher Cox: “in March 2008, I formally requested that the Basel Committee address the inadequacy of the Basel capital and liquidity standards.”
• The Group of Twenty (G20)
  – A Financial Stability Board (FSB) formed
    • To make recommendations for change.
  – Strengthening the Resilience of the Banking Sector and International Framework for Liquidity Risk Measurement, Standards and Monitoring.
  – An increase in Tier One capital.
  – Additional capital for derivatives, securities financing and repo markets.
  – Tighter leverage ratios.
  – Setting aside revenue during upturns to protect against cyclicality of markets.
  – Minimum 30-day liquidity standards
  – Enhanced corporate governance, risk management, compensation practices, disclosure and board supervision practices.

European Response to the Crisis
• The Committee of European Banking Supervisors (CEBS) produced:
  – “Guidelines on the Management of Operational Risk in Market-Related Activities” in October 2010.
    • Supplemented earlier “Guidelines on the Scope of Operational Risk and Operational Risk Loss.”
  – Emphasis on strong corporate governance.

U.S. Response to the Crisis
• End of CSE* status and SEC oversight of Basel II
  – Of the original five investment banks that had opted for CSE status with the SEC, three no longer existed by 2009: Bear Stearns, Lehman Brothers, and Merrill Lynch.
  – The remaining two, Goldman Sachs and Morgan Stanley, changed their structures to Bank Holding Companies under Federal Reserve.
• June 2011, Interagency Guidance on the Advanced Measurement Approaches for Operational Risk.
  – Federal Reserve
  – Federal Deposit Insurance Corporation
  – Office of the Comptroller of the Currency
  – Office of Thrift Supervision
• Dodd-Frank Act, 2009.
*Consolidated Supervised Entity

The Run-up to Dodd-Frank Act, 2009
• President Barack Obama: A New Foundation: Rebuilding Financial Supervision and Regulation, on June 17, 2009.
• Numerous acts were proposed to deal with different aspects of the crisis and its perceived causes.
• Restoring American Financial Stability Act of 2009:
  – Introduced into the Senate by Senator Christopher Dodd (D-CT) and into the House of Representatives by Rep. Barney Frank (D).
  – Renamed the “Dodd-Frank Wall Street Reform and Consumer Protection Act.”
  – President Obama signed the bill into law on July 21, 2010.
• An act to promote the financial stability of the United States by improving accountability and transparency in the financial system, to end “too big to fail,” to protect the American taxpayer by ending bailouts, to protect consumers from abusive financial services practices, and for other purposes.

Dodd-Frank Highlights 1
• Consumer Protections with Authority and Independence:
  – “A new independent watchdog, Consumer Financial Protection Bureau, housed at the Federal Reserve, with the authority to ensure American consumers get the clear, accurate information they need to shop for mortgages, credit cards, and other financial products, and protect them from hidden fees, abusive terms, and deceptive practices.”
• Ends Too Big to Fail:
  – “Ends the possibility that taxpayers will be asked to write a check to bail out financial firms that threaten the economy by: creating a safe way to liquidate failed financial firms; imposing tough new capital and leverage requirements that make it undesirable to get too big; updating the Fed’s authority to allow system-wide support but no longer prop up individual firms; and establishing rigorous standards and supervision to protect the economy and American consumers, investors and businesses.”
• Advanced Warning System:
  – “Creates a council to identify and address systemic risks posed by large, complex companies, products, and activities before they threaten the stability of the economy.”
• Transparency and Accountability for Exotic Instruments:
  – “Eliminates loopholes that allow risky and abusive practices to go on unnoticed and unregulated––including loopholes for over-the-counter derivatives, asset-backed securities, hedge funds, mortgage brokers, and payday lenders.”

Dodd Frank Highlights 2
• Federal Bank Supervision:
  – “Streamlines bank supervision to create clarity and accountability and protects the dual banking system that supports community banks.”
• Executive Compensation and Corporate Governance:
  – “Provides shareholders with a say on pay and corporate affairs with a nonbinding vote on executive compensation.”
• Protects Investors:
  – “Provides tough new rules for transparency and accountability for credit rating agencies to protect investors and businesses.”
• Enforces Regulations on the Books:
  – “Strengthens oversight and empowers regulators to aggressively pursue financial fraud, conflicts of interest and manipulation of the system that benefit special interests at the expense of American families and businesses.”
Source: Senate Committee on Banking, Housing, and Urban Affairs. (2009). Summary: Restoring American Financial Stability.

OTHER APPROACHES

Jim Collins, How the Mighty Fall
• The five stages of decline, reversible right up to the fifth stage.
• In this class we are focused on the first three.
1. Hubris Born of Success
2. Undisciplined Pursuit of More
3. Denial of Risk and Peril
4. Grasping for Salvation
5. Capitulation to Irrelevance or Death

Crumbling is not an instant's Act
By Emily Dickinson

Crumbling is not an instant's Act
A fundamental pause
Dilapidation's processes
Are organized Decays —

'Tis first a Cobweb on the Soul
A Cuticle of Dust
A Borer in the Axis
An Elemental Rust —

Ruin is formal — Devil's work
Consecutive and slow —
Fail in an instant, no man did
Slipping — is Crashe's law —

Basel definition has been adopted across other critical infrastructure sectors
• In addition to banking and finance, in this class we will be looking at other sectors in the course of our discussions:
  – Energy
  – Public Health
  – Emergency Services
  – Communications
  – IT
• We’ll use “Real World” examples to apply the analytical tools that risk management provides.

REAL WORLD: PARIS AND HONDA

Freedom of Expression
Terrorism creates operational risk, in this case in the name of the prophet. Let’s discuss the historic role of satire in society, then talk some about religious and cultural tolerance and what either has to do with operational risk.

Honda $70 million regulatory fine
National Highway Traffic Safety Administration is assessing two $35 million fines for violation of federal safety reporting requirements.
Ø Maximum amounts for each fine.
Ø 2003-2014: failure to report 1,729 death and injury claims. (Honda previously disclosed the undercount as “misinterpretation of what should be counted.”) ($35 million)
Ø Another $35 million for failure to report certain warranty claims and claims under “customer satisfaction campaigns” in which a manufacturer quietly agrees to fix defects outside normal warranty.
Regulation is an important component of managing risk, not just in the banking sector (heaviest regulation of any sector). Similar examples to Honda would be fines on General Motors for concealment and failure to report.

Questions?
asearle@uw.edu
annie@anniesearle.com
(206) 465-7849