On Operational Risk at UBS

GARP Switzerland Chapter Meeting

Dr. Andreas Merbecks, UBS Group Operational Risk
Zurich, December 10, 2008
1
Outline
The strategic importance of Operational
Risk: Why is Operational Risk important (for
UBS)?
The Operational Risk Framework: What is
UBSs Operational Risk Framework (ORF)?
Implications of Basel II: Leveraging the Value
of the ORF fulfilling the Basel II capital charge
calculations with an AMA model
Outlook
SECTION 1
Why is Operational Risk important (for UBS)?
3
Why is Operational Risk particularly important for UBS?
Organizations manage tangible and intangible assets in order to meet
key third party expectations
Shareholders
Clients
Regulators
Employees
In order to meet 3rd party expectations
from
Tangible: Financial, Physical
Intangible: Client Franchise, Human
Capital, Intellectual Capital, Brand
Value, Reputation
Organizations manage tangible &
intangible assets
Applied to UBS:
This involves all types of risks
Credit and market risk tend to focus primarily on tangible assets
But our intangible assets are important to protect as well
The Operational Risk Framework is designed to protect both tangible and intangible
assets
4
What is Operational Risk?
Clear definition of Operational Risk is the basis for the ORF
The risk of loss resulting from inadequate or failed
internal processes, people and systems, or from
external causes (deliberate, accidental or natural).
The losses may be:
Direct financial losses
Indirect financial losses
In the form of revenue forgone as a result
of business suspension
From damage to our reputation and/or
franchise
Operational Risk
Earnings
Protection
Business
Management
Accountability
Independent
Risk Control
Risk
Disclosure
Reputation
Protection
5
The Roles of Risk Management and Risk Control
Risk Management and Risk Control are working in partnership and are
complementing each other
Risk Management assesses risk/reward
tradeoffs in the context of:
Best practice standards
Third party expectations
The banks risk appetite (limit
communication and monitoring)
Risk Control provides a consistent
framework:
Validates Standards and monitors
adherence to them
Escalates issues where the risk
appetite is being exceeded
Leverages the expertise of other
specialists
Management has primary responsi-
bility for protecting the assets of
the organization
Risk Control provides an independent
control over the risk-taking activities
of risk management
SECTION 2
What is UBSs Operational Risk Framework
(ORF)?
7
Overview of the Operational Risk Framework (ORF)
External
- Basel II
- SOX 404
- Other
Internal
- OREX
- Training
- Other
Governance
Policies &
Standards
Data
Collection
Controlling
Identification
Evaluation Reporting
Response
OR
Inventory
O
R
A
P
O
R
A
P
O
R
A
P
O
R
A
P
ORF
External
- Basel II
- SOX 404
- Other
Internal
- OREX
- Training
- Other
Governance
Policies &
Standards
Data
Collection
Controlling
Identification
Evaluation Reporting
Response
OR
Inventory
O
R
A
P
O
R
A
P
O
R
A
P
O
R
A
P
ORF
Based on governance, external, and internal elements, the ORF is a
multi-step, closed loop framework
8
Example of Control Objectives and Standards
Organisation
Regulations
& Risk Authorities
Policies
Technical Standards
- Control plans (& procedures)
- IT Build standards
- Accounting policy / standards
- Operations Standards Matrix (local)
Implemented by
Reflected into
BG Regulations
Implemented by
Control Documentation
- Roles and Responsibilities
- Control Objectives
- Control Standards
- Metrics
The Control Documentation to identify risks is based on Control Objec-
tives, Standards, and Metrics, supplemented by Technical Standards
9
Risk Assessment
Operational Risk Assessment Process
Risk Identifiers
Self-
Certification
Metrics
Non-Financial
/ External
Events
Audit Points
Top-Down
Assessment
Financial
Events
Risk Inventory
005 Confirmations
Risk Identifiers Risk Assessment
Self-Certification Metrics Events Audit Points Objective
Met?
Risk
Inventory
Y AP DR NA R A G Sig Non-Sig R* R A G
1 1 7 N
Assessment
structured around
Control Objectives
The Risk Assessment is based on six Risk Identifiers and its results are
captured in the Risk Inventory
19 2 2 0 0 1 6
>100k 15k-100k <15k
1 5 0 1 1 3
10
Operational Risk Inventories and Reports proceed along defined
escalation routes
Operational Risk Governance Process
Group
Executive Board
Group
Operational
Risk Committee
Risk Inventory /
Risk Reports
Quarterly Risk
Reports
Note: Other Group-level specialized
assessments (e.g. SOX 404) have
their own reporting and
escalation structures
Management /
Executive or
Risk / Control
Committee
Cross Functional
Committees
Individual
Functions
GWMBB
Gl AM
CC
IB
Risk Reports
Risk Inventory
Self-
certification,
event data,
metrics etc.
Group Business Group level
SECTION 3
Leveraging the Value of the ORF fulfilling
the Basel II capital charge requirements
with an AMA model
12
The Operational Risk Framework provides the processes to address each pillar
In addition, there are specific Sound Practices for Operational
Risk management and control that the Swiss Federal
Banking Commission (EBK) has made legally binding.
Basel II and the Operational Risk Framework
The Basel Committee has developed rules in the form of three pillars
for how banks must determine Operational Risk capital requirements
Pillar 1:
Minimum Capital
Requirement for
Operational Risk
losses
Internal loss events and
scenarios are quantified
to provide historical
and forward-looking
views of operational
risk exposures
Pillar 3:
Disclosure on
Operational Risk
Management and
Control
Information collected
during the assessment
process is used for
disclosure
Pillar 2:
Capital Adequacy
Assessment
The qualitative aspects
of the ORF provide a
basis for evaluating the
capital requirement in
light of the current
level of and appetite
for Operational Risk
13
Pillar 1 Capital Calculation of Operational Risk
Methods for determining the minimum capital requirement
Commercial Banking
Agency Services
(Gross Income)
Retail Banking
Retail Brokerage
Asset Management
(Gross Income)
Corporate Finance
Trading and Sales
Payment & Settlement
(Gross Income)
x 12%
x 15%
x 18%
Minimum Capital
Requirement
Internal Model
Operational Risk
Measurement System
Minimum Capital
Requirement
Loss
F
r
e
q
u
e
n
c
y
EL
Basic Indicator
Approach
(BIA)
Standardised
Approach
(SA)
Advanced
Measurement
Approach
(AMA)
Q
u
a
l
i
t
a
t
i
v
e

Q
u
a
l
i
f
y
i
n
g

S
t
a
n
d
a
r
d
s
Average gross Income
of the last 3 years
x 15%
Minimum Capital
Requirement
14
Requirements for an internal model (AMA)
According to the regulations, de minimis an AMA needs to
be based on four elements
*BEICF = Business Environment and Internal Control Factors
Source: Swiss Federal Banking Commission Circular: Capital Adequacy for Operational Risks (Operational Risks) of 29 September 2006
Required
feature
Key themes/examples
Internal loss
data
(Rz 76-85)
A bank must use an internal loss database. When the bank first moves to the
AMA for regulatory purposes, this database must cover at least three years of
historical data. At least two years after the first move to AMA, the time window
covered by the database must permanently be based on a minimum five-year
observation period
Relevant
external loss
data
(Rz 86-88)
A banks Operational Risk measurement system must use relevant external
loss data. This should ensure the consideration of infrequent, potentially severe
loss events. Publicly available and/or pooled loss data can serve as sources for
this relevant information
Scenario
analysis
(Rz 89-91)
The scenario analysis, building on expert opinion in conjunction with external
data, must evaluate the banks exposure to potential high-severity events
BEICF*
(Rz 92-97)
As forward-looking element, a banks AMA must use predictive factors from its
business environment and internal control system. These factors serve the
purpose to specifically reflect the current features of the banks risk profile (e.g.
new activities, new IT solutions, changed processing flows) or changes in its
operating environment (e.g. security situation, changes in courts practice, )
15
Overview on UBSs AMA Model
The UBS ORF facilitated the development of an AMA model with
Historical and Scenario Components
Component
Historical
Component
Forward Looking
Component
(Scenario
Component)
Key input factors
UBS internal loss data captured in
the operational risk event database
History since 2002
Generic scenarios
Relevant external loss data
Business environment and internal
control factors
Expert judgment
Focus on
Expected loss
High frequency /
low impact events
Unexpected loss
Low frequency /
high impact events
16
UBS AMAs Historical Component Key Characteristics
The Historical Component is a retrospective view of Operational Risk losses
based on UBSs actual experience. The intent is to project future total losses
based on historical experience. The key assumption within this component is
that past events form a reasonable proxy for future events.
The model estimates the distribution of aggregated losses over one year.
Therefore it is often referred to as a Loss Distribution Approach (LDA).
The Historical Component is based on internal loss data, which is reconciled to
UBSs General Ledger.
For use in the AMA model the data is modified in accordance with EBK
requirements. Cash flows that relate to the same event are combined. Gains
are excluded.
Since the Historical Component is an LDA approach, both the frequency and
the severity need to be specified.
The Historical Component uses a statistical approach to measure the
Operational Risk capital charge
Capital Management section of UBS Q3 2008 reporting
Source: UBS Financial reporting: Third Quarter 2008. Pages 54 - 55
Q3: CHF 3610 million
Q2: CHF 3472 million
Capital Charge = RWA / 12.5
Outflow of the AMA model in UBS quarterly reporting
18
Ongoing Governance and Review Process
UBS Operational Risk
Event Database records
are used to calculate the
Historical Component of
UBSs AMA Model on a
quarterly basis
Event capturing
procedures have been
audited with no
significant issues
Updates occur quarterly for the Historical Component, and annually
(at minimum) for the Scenario Component
Update Historical
Component
Ad hoc Review
Scenario Component
Regular Review
Scenario Component
A large event, be it
internal or external,
would trigger a review of
the Scenario Component
The review may or may
not lead to a change in
one or more Scenarios
All Scenarios are
reviewed on an annual
basis
Inputs into the review
include new issues
presented in the Group
Risk Report, major
internal losses, external
events captured as well
as any relevant business
environment and internal
control factor changes
19
Example Ad hoc review: Socit Gnrale Rogue Trader
The Bank stated that Jrme Kerviel, a trader within their Global Equity Derivative Solutions (GEDS)
Department:
"combined several fraudulent methods" to cover his tracks, such as falsifying documents and
possessing inappropriate computer access codes, and
bet EUR 50 billion (USD 73.8 billion more than the bank's net worth) on futures contracts of three
European equity indices.
The initial French Finance Ministry report identified the following areas of concern:
Surveillance of gross trading position (vs. net, which only presented a limited market risk)
Follow-up of margin calls, settlement and guaranteed deposits
Follow-up / investigation on the information requests received from Eurex in November 2007
Follow-up on the high number of cancels and amends performed by one operator
Confirmation of operations with all counterparties
Adherence to the Chinese Wall between front office and back office
Security of information systems and protection of passwords
Surveillance of atypical behavior (i.e. lack of block leave)
Sources: - Progress Report of the Special Committee of the Board of Directors of Socit Gnrale, February 2008
- Rapport au Premier ministre concernant les enseignements tirer des vnements rcemment intervenus la Socit Gnrale , January 2008
On 24 January 2008 Socit Gnrale announced a EUR 4.9 billion loss
due to unauthorised trading
20
JKs P&L-Development: Actual and Fictitious Transactions
Official P&L
(= reference)
Actual P&L
(difference from official)
P&L Fictitious
Transactions
Source: Progress Report of the Special Committee of the Board of Directors of Socit Gnrale dated 20 February 2008
The P&L of fictitious transactions offset the actual P&L since April 2007
21
Development of 5 Key Risk Themes
A variety of relevant sources were leveraged to identify a
comprehensive set of 5 Key Risk Themes related to rogue trading
Regulatory Recommendations
i.e. FINRA Sound Practices
5 Key Risk Themes
Risk management & control
Trade data integrity
Profit and loss / valuations
Management supervision
Access controls
Socit Gnrale Event
- Rapport au Premier ministre, Jan 2008
- Progress Report of the Special Committee, Feb 2008
Internal
Reviews
(Further)
External
Sources
Process Review
Scenario Review
22
Challenges for AMA approaches
Various challenges call for more thinking and work
Rapidly changing environment
Very large external (and internal) events
Short data history (5 6 years) to estimate a 99.9% confidence level
(once in 1000 years)
False security when relying (too much) on models (judgment still
integral part of the model process, data limitations).
Business buy-in for to increased use and enhancement of the value
added of an AMA framework
Financial crisis and resulting reorganizations impede a consistent
implementation
Recording of effective dates for loss events due to discrepancy
between event occurrence and settlement date