PwC's Financial RegTech Insights: Dec 2022

Intelligent framework – operational risk management (ORM)

This edition of the newsletter looks at the key trends and challenges that banks experience in ORM, and also presents our point of view on how data and analytics (D&A) can be leveraged to help banks enhance their existing ORM framework (ORMF).

Classification

The Bank for International Settlements (BIS) defines operational risk as the risk of loss that could result from insufficient or failed internal processes, people and systems, or from external events.1 This covers legal risk; however, it excludes strategic and reputational risks. To tackle and mitigate operational risk, banks tend to rely on the following three lines of defence: 

  1. business unit management
  2. corporate operational risk function (independent unit)
  3. assurance function (independent).

In addition, the Basel Committee on Banking Supervision (BCBS) has released guiding principles to banks for ORM as listed below: 

  1. Senior management and board should curate a sound risk management culture and ensure ethical business practices.
  2. Banks must develop, implement and maintain ORMFs that are fully integrated with their overall risk management process.
  3. Banks must ensure strong oversight on the ORMF.
  4. Periodic reviews of risk appetite and tolerance statements must be conducted.
  5. Transparent, consistent implementation of ORM across banks must be enabled.
  6. Operational risks should be identified and thoroughly assessed across banks.
  7. Banks should ensure that their change management process is thorough, well-resourced and clearly communicated among the three lines of defence.
  8. Continuous tracking of operational risk profiles and significant operational exposures must be enabled.
  9. Banks’ environments need to have internal controls in place by means of proper policies, processes and systems, along with risk mitigation and/or transfer strategies.
  10. Banks should establish a reliable security and ICT risk management programme, which aligns with the requirements of their ORMF.
  11. Banks should integrate business continuity plans with their ORMF.
  12. Banks should provide sufficient public disclosures to enable their stakeholders to assess their ORM approach and exposure.

With emerging technologies, increased data availability, new business models and value chains transforming bank operations, it has become imperative for banks to introduce advanced methods for ORM. Furthermore, increasing impetus placed by regulators has added to this need. 

Initial recognition and measurement

  • ORM is a relatively nascent field. While banks have been long aware of the risks connected to daily business and employee activities, the BCBS highlighted the importance of a separate and controllable risk environment and culture through its own mechanism and structure, identified as tools of ORM.

The core identified tools for ORM are loss event database collection, key risk indicators, risk control and self-assessment, scenario or what-if analysis, capital charge computation, and operational risk modelling. 

  • During the first stage of developing ORM capabilities, banks concentrated on governance by establishing fundamental components like loss event reporting and risk and control self-assessments (RCSAs), as well as creating operational risk capital models. The financial crisis of 2008 encouraged changes in banking law and legislation globally (introduction of Basel II for credit risk and inclusion of operational risk). This triggered many operational risk events, which sparked a surge of regulatory penalties and imposed actions on various financial crimes and collusions like the London interbank offered rate (LIBOR) fixing and manipulations in foreign currency markets, mortgage-foreclosure practices, and mis-selling. These incidents exposed significant flaws in earlier risk management techniques as they propagated through the banking sector.
  • In response, banking institutions increased their investments in ORM tools and capabilities.

Building up risk taxonomies beyond the suggested BCBS categories, designing and implementing new risk identification and assessment processes, and creating extensive controls and control-testing processes were some of the steps taken by banks to strengthen their ORM process. 

Even though the banking industry has succeeded in reducing regulatory fines, operational risk losses remain high.

Evolution of operational risks

The Basel framework provides three methods to measure the capital charge for operational risks.

The basic indicator approach (BIA) is a simple method that calculates capital charge as a percentage (alpha) of gross income (GI), which is a proxy for operational risk exposure.

Being the most basic approach, its adoption and implementation do not require prior supervisory approval. 


The second approach, advanced measurement approach (AMA), is a step above the basic approach that allows banks to calculate their capital requirements through internal models. Adoption of the AMA requires prior supervisory approval and involves implementation of a rigorous risk management framework. 

The third approach, the standardised approach (TSA), is positioned as an intermediate approach between the BIA and AMA. The total GI of a bank must be divided into eight business lines, and the capital requirement is calculated as the sum, over the business lines, of the GI attributable to each line multiplied by the unique regulatory coefficient (beta) allocated to that line. As this method requires compliance with qualitative criteria associated with the operational risk system, banks need supervisory approval before implementing it.

A variant of the TSA, the alternative standardised approach (ASA), allows banks with high interest margins to calculate their operational risk capital requirements by replacing the GI for two business lines – retail and commercial banking – with a fixed percentage of their loans and advances. Adoption of the ASA is allowed by the respective supervisory authorities at their national discretion. 
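As an added illustration that is not part of the newsletter, the three Basel II calculations described above are carried through on a constructed three-year sample; the alpha, beta and ASA loan-factor values are the standard Basel II coefficients, and the three-year averaging, the exclusion of negative years under the BIA and the zero floor on a net-negative year under the TSA are assumptions drawn from Basel II rather than from this page.

```python
"""Worked Basel II operational-risk capital charges: BIA, TSA and ASA (added illustration)."""
from typing import Dict, List

# Standard Basel II coefficients, assumed here; check them against the rulebook you are subject to.
ALPHA = 0.15
BETAS: Dict[str, float] = {
    "corporate_finance": 0.18, "trading_and_sales": 0.18,
    "retail_banking": 0.12, "commercial_banking": 0.15,
    "payment_and_settlement": 0.18, "agency_services": 0.15,
    "asset_management": 0.12, "retail_brokerage": 0.12,
}
ASA_LOAN_FACTOR = 0.035  # fixed percentage of loans and advances used under the ASA
ASA_LINES = ("retail_banking", "commercial_banking")

# Constructed three-year sample (EUR million). Year 2 carries a trading loss: under the TSA it
# offsets the other lines' charges, and a year that nets negative is floored at zero.
GI_BY_YEAR: List[Dict[str, float]] = [
    {"retail_banking": 400.0, "commercial_banking": 300.0, "trading_and_sales": 100.0},
    {"retail_banking": 420.0, "commercial_banking": 280.0, "trading_and_sales": -50.0},
    {"retail_banking": 450.0, "commercial_banking": 310.0, "trading_and_sales": 120.0},
]
LOANS_BY_YEAR = [{"retail_banking": 9000.0, "commercial_banking": 6000.0}] * 3


def bia_charge(gi_by_year: List[Dict[str, float]]) -> float:
    """BIA: alpha times the average total GI over the years with positive GI (negative years excluded)."""
    totals = [t for t in (sum(year.values()) for year in gi_by_year) if t > 0]
    return ALPHA * sum(totals) / len(totals) if totals else 0.0


def tsa_charge(gi_by_year: List[Dict[str, float]]) -> float:
    """TSA: per year, sum GI_i * beta_i over the business lines, floor the year at zero, then average."""
    yearly = []
    for year in gi_by_year:
        unmapped = set(year) - set(BETAS)
        if unmapped:
            raise ValueError(f"business line(s) without a beta: {sorted(unmapped)}")
        yearly.append(max(sum(gi * BETAS[line] for line, gi in year.items()), 0.0))
    return sum(yearly) / len(yearly)


def asa_charge(gi_by_year: List[Dict[str, float]], loans_by_year: List[Dict[str, float]]) -> float:
    """ASA: as TSA, but retail and commercial banking use ASA_LOAN_FACTOR * loans in place of GI."""
    adjusted = []
    for gi, loans in zip(gi_by_year, loans_by_year):
        year = dict(gi)
        for line in ASA_LINES:
            year[line] = ASA_LOAN_FACTOR * loans.get(line, 0.0)
        adjusted.append(year)
    return tsa_charge(adjusted)
```

On the sample, the ASA charge (79.5) comes out below the TSA charge (105.5) because the fixed loan factor replaces a high-margin GI, which is exactly the case the ASA was designed for.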

Operational risk – standardised approach

A new standardised approach to calculate operational risk capital charge was introduced by the BCBS in December 2017. This approach supersedes all operational risk approaches under Basel II.

Disclosure and implementation timelines

Each sub-item for business indicators (BI) for the three years of the BI calculation window must be disclosed by banks. Further, banks that use internal loss data to determine operational risk capital, or whose BI exceeds EUR 1 billion, are required to report their annual loss data for each of the ten years in the internal loss multiplier calculation window. 

In line with all Basel committee standards, this new approach is applicable for all internationally active banks, on a consolidated basis. National supervisors can also apply the framework to non-internationally active banks.

The new standardised approach (Basel III) for operational risk was due to be implemented by 1 January 2022. However, the RBI implementation dates are in March 2023. 

Key challenges for ORM 

Intangible nature of operational risks

The major challenge faced by banks in ORM is the tracking of operational risks due to their intangible nature. Unlike financial risks, where data is readily available for scrutiny from various sources like financial documents, publications and regulatory bodies, the data for operational risks needs to be generated by banks. This can be done by monitoring internal processes and operational activities. For seamless tracking and analysis, it is important that proper systems are established to enable this data generation. 

Enterprise-wide scrutiny

Monitoring required for managing operational risks is not limited to a particular organisational division. It rather extends to enterprise-wide activities and processes, and requires transparency at each stage and management level.

Complexity and diversity

Operational risk has a wide spectrum of different risks under its umbrella, with no distinct roles defined for operational risk function groups, making it even more difficult to manage.

Managing emerging risks

Newer areas of risks arising from the increasing use of social media platforms – like Facebook and Twitter – have only added to the complexity of operational risks. This has emphasised the need to implement innovative and data-driven approaches to manage operational risks. 

Traditional operational risk detection tools

Many banks still use traditional operational risk detection tools based on RCSA data and rule-based engines. While these tools are effective to some extent, they are inadequate in detecting events that fall under the criteria of high-severity low-frequency frauds or cybercrimes. The use of these tools involves a considerable number of manual tasks and also tends to trigger a high ratio of false positives in some cases. 

Importance of D&A in ORM

A few use cases of how D&A can help banks in ORM are listed below.2

Anti-money laundering and sanctions screening

Increased digitisation has led to an exponential increase in the transaction volume. Moreover, traditional rule-based engines often give a high ratio of false positives, ultimately leading to high operational costs on account of the investigations involved. Machine learning (ML) models can help to reduce these false positives, and risk monitoring teams can thus focus and invest their time and efforts on valid alerts. 

Fraud detection

Fraudsters come up with innovative scams that take advantage of loopholes in organisational security and processes. Examples of frauds in a bank scenario include an unusually large amount of waived fees by a branch or an employee, customer account takeover and credit card skimming, to name a few. ML methods, accompanied by predictive analysis, help to proactively identify and warn against anomalous transactions and fraudulent behaviour, as these models evolve with new fraud patterns.

Know your customer (KYC)

D&A can help in better customer profiling, assessment and risk scoring. Today, social media platforms can provide a lot of information about a customer’s background to provide a holistic view during due diligence activity for loan assessment and nonperforming assets (NPA) review. 

Regulatory compliance automation

Natural language processing models can help capture compliance updates from regulatory bodies and ensure timely action, thus reducing non-compliance fines and improving operational performance. 

Managing third-party risk

Managing third-party risks is challenging and, in some cases, there are hidden fourth parties involved. Thus, D&A models can be developed to provide a risk-based approach for vendor assessment and selection. 

Cyber risk

Although cybersecurity is important for any organisation, it is crucial for the banking sector, owing to the increasing volume of financial transactions in recent years via internet and mobile banking. Past examples of cyberattacks include the hacking of Canara ATM servers in 2018 and the infamous WannaCry ransomware attack using advanced AI technology in 2017. Artificial intelligence (AI) and ML algorithms, coupled with predictive analysis models, can detect malicious URLs, emails, compromised networks, abnormal network traffic, unusual user/employee activities, etc., thus safeguarding banks from a variety of cybercrimes. 

Way forward and conclusion

With the exponential increase in data volumes in banks and regulators emphasising the need for implementing stricter measures to manage operational risks, it is evident that future strategies around ORMFs will have D&A at their core. This is an evolving technology with a wide scope in ORM. Adopting the right combination of available technology, quality bank-wide data recording, D&A models, and the expertise and comprehensive experience of risk function groups can help to effectively reduce operational costs by increasing forecasting accuracy. This will reduce the overall operational capital requirement for the bank. 

However, to enable this, banks need to effectively plan the transition from traditional systems and models which are currently in use to newer, innovative AI/ML models. This needs to be done while keeping in mind the balance between the expenses incurred versus benefits reaped. Although at the outset, this may seem like a huge change, it can be adopted in a phased manner by implementing simpler but scalable models, one at a time. Moreover, integrated systems that can generate accurate and actionable insights suitable to an organisation can contribute towards the effective management of operational risks. 

Acknowledgements: This newsletter has been researched and authored by Disha Gosar and Kunal Potdar


Contact us

Mukesh Deshpande


Partner, Technology Consulting, PwC India

Tel: +91 98 4509 5391

Hardik Gandhi

Associate Director, Technology Consulting, PwC India

Tel: +91 981 937 9703

Umang Agrawal

Director, PwC India

Tel: +91 97691 95355

Arvind Raj

Principal Consultant, Technology Consulting, PwC India

Tel: +91 996 935 8788

Anurag Gupta

Principal Consultant, Technology Consulting, PwC India

Tel: +91 776 031 4901