Viewpoint: Andrew Kuritzkes and Brad Ziff, Operational Risk: New Approaches to Measurement and Modeling

****JavaScript based drop down DHTML menu generated by NavStudio. (OpenCube Inc. - http://www.opencube.com)****

Home About MMC MMC Overview: Our Businesses Board of Directors and Executive Officers International Advisory Board Corporate Governance Code of Business Conduct and Ethics Company History MMC Memorial Site: Remembering Our Colleagues Investors Quarterly Earnings Annual Report and Proxy Statement Current Archive Request for Annual Reports Annual Meeting and Official Business SEC Filings Shareholder Information Stock Price Information News Current MMC News MMC News Archive 2006 2005 2004 MMC Knowledge Center Knowledge Center Home Climate Change Data Theft Doing Business in China Economic Insight and Analysis Global Pandemics Global Risks Report Managing Strategic Risks Mergers and Acquisitions Natural Disasters New Technologies Outsourcing Pension Liabilities Terrorism Archive 2006 2005/2004 2003 Order Viewpoint - The MMC Journal Careers Careers at MMC Careers at MMC and Our Operating Companies Marsh Guy Carpenter Kroll Mercer Human Resource Consulting Mercer Investment Consulting Oliver Wyman NERA Economic Consulting Lippincott Investment Management Putnam Investments Contact Us

MMC Knowledge Center

Knowledge Center Home

Viewpoint - The MMC Journal

Viewpoint Archive

Order Viewpoint

Viewpoint

Operational Risk: New Approaches to Measurement and Modeling

Printer version

PDF

By Andrew Kuritzkes and Brad Ziff

Under the terms of the final framework of the Basel II Capital Accord, approved in June 2004 by regulators from the G-10 countries, banks will, for the first time, be required to set aside capital for the specific purpose of offsetting operational risks. These are defined as nonfinancial risks resulting from the failure of “internal processes, people, or systems, or from external events.” In fact, operational risks, which include everything from property damage to cyber risk to employee fraud, represent a full range of property and casualty risks faced by corporations in every industrial sector.

Within the financial services industry, the new regulatory regime has accelerated the development of tools for quantifying and managing operational risk. In recent decades, that industry has been in the forefront of efforts to quantify both financial and nonfinancial risk. Over time, the industry’s new tools for measuring and managing operational risk are likely to be useful to nonfinancial corporations of many kinds.

The New Regulatory Regime

Basel II introduces a far more sophisticated approach to bank solvency than Basel I, the prior international capital accord dating from 1988. The earlier regime represented little more than a flat tax on banks, which were required to hold capital equal to 8 percent of their assets. The new accord differentiates among risks with far greater precision. In addition to introducing new requirements for rating credit risk, Basel II requires large, internationally active banks to calculate their operational risk capital from the bottom up, using both internal and external loss data.

Banks are, of course, in the business of taking financial risks, such as credit risk and market risk, on terms that they expect will prove profitable. Nonfinancial risk arises because a firm may incur an operating loss due to a nonfinancial cause. Although financial risks currently have far greater importance for banks, operational risks can still be substantial. Under Basel II, for example, more than $50 billion of regulatory capital would be required to protect banks from operational risk in the United States alone. Furthermore, as banks continue to reduce their financial risks through the securitization of assets and other means, operational risks will likely account for a growing share of the overall risks these institutions face.

The Basel II accord covers two types of non-financial risk:

Internal event risk – or losses due to internal failures, such as fraud, operating errors, systems failures, legal liability, and compliance costs.
External event risk – or losses due to uncontrollable external events – for example, earthquakes or other natural catastrophes, terrorism, and acts of God.

Economic Capital

Ultimately, the question of how much capital should be allocated to operational risk is a problem of measurement. Within the banking industry, economic capital has become the accepted standard for measuring the intrinsic capital needed to support risk taking. Economic capital is a tool that can be used within an organization to make decisions, motivate management, and report on risk for purposes of internal risk accounting.

As shown in the graph above, economic capital defines risk in probabilistic terms as a point in a loss distribution. A bank that holds sufficient capital to protect against losses at the 99.9 percent level has a .1 percent risk of default. This is roughly equivalent to the default risk of a single-A rated bond and equivalent to a bank holding capital sufficient to maintain a single-A bond rating. Since different banks have different solvency standards, they need to hold capital sufficient to protect against losses at different levels of confidence. As the graph suggests, an institution with a triple-A rating needs to hold more economic capital than one with the same risk profile but a rating of single-A.

Certain types of operational losses are expected. These are high-frequency/low-severity events – for example, routine processing errors in a high-volume business. Rather than setting aside capital for these losses, a bank can budget for them as an expected cost of doing business. It is only the larger-thanexpected losses that create downside volatility in a bank’s earnings. Economic capital is required as a backstop against these low-frequency/high-severity events – the rare events that threaten the solvency of the institution and contribute to the right-hand “tail” of the graph above.

Overcoming Practical Obstacles

For a bank or nonfinancial corporation to apply the theory of economic capital, it must have a sizable body of reliable data on the risks it faces. Under the impetus of Basel II, large banks have stepped up their efforts to refine the measurement of operational risk. In practice, this can be quite difficult. Internal data is necessarily scarce because, by definition, low-frequency/ high-severity losses seldom occur within any one bank.

At the same time, external data may be difficult to apply because different institutions are not directly comparable. A well-run institution will have excellent business processes, auditing, and controls that reduce significantly the risk of operational losses. If another bank has incurred a large operational loss, the well-run bank will want to know whether the loss resulted from bad luck or poor management. To overcome these obstacles, banks have begun to collect data systematically, both internally and externally, and to experiment with techniques for modeling operational risks.

Having quantified their operational risks, financial institutions are in a better position to select strategies for managing them. Setting aside capital is just one of the possibilities. In fact, an ounce of management prevention may often be worth a pound of capital cure. After quantifying the potential impact of accounting irregularities, IT security breaches, workplace violence, property damage, and other types of operational risk, executives can protect shareholder value by anticipating crisis events before they occur. This may include the analysis of vulnerabilities, the integration of a program across multiple disciplines within the organization, and the testing of the plan. The September 11 terrorist attack brought home the value of such measures: Those institutions that had focused most on preparedness, process, and controls fared best in the crisis.

Today, financial institutions are taking specific steps to improve the management of operational risk, including improvements in organizational alignment, clarification of accountability, increases in control/audit, and greater internal data collection. Some banks are using economic capital measures to strengthen these functions. A number, for example, now tie managers’ annual bonuses to the risk-adjusted performance of their respective business units.

Generating Value Through Insurance

To the extent that operational losses cannot be mitigated by internal processes and controls, they can often be insured by third parties. Basel II offers the most advanced banks an opportunity to reduce the capital they set aside for operational risk by as much as 20 percent through the purchase of insurance.

As discussed above, retaining risk exposes a firm’s capital base to loss. While banks set aside specific capital for this purpose, nonfinancial corporations generally do not. Nonetheless, whether or not retained risk is specifically funded through an accounting accrual, a self-insurance fund, or a captive insurer, a firm’s base of equity and debt capital must respond to a loss. Economic capital analysis is, therefore, applicable to corporations of every type.

Even if no loss has actually occurred, retained risk implies that the firm’s base of capital is working. When a firm chooses to buy insurance, it utilizes insurance industry capital in lieu of its own. From this perspective, the purchase of insurance can be viewed as a value-generating activity.

Traditionally, few, if any, firms have looked at insurance in this way. In the event of a loss, insurance has generally been perceived as merely making a bad circumstance less bad – an otherwise undesirable expense. In fact, insurance is the principal way a firm can regulate the use of its capital to support operational risk.

As risk imposes a cost on an organization, reducing that cost generates value. A decision to retain risk is appropriate when it is rewarded by an adequate economic return. An optimal insurance design generates maximum value for the firm. But to create such a design, a decision maker must be able to distinguish good insurance deals from bad.

How can senior managers act on these concepts? The same computing tools that make it possible to model future outcomes can also be used to allocate economic capital and to identify optimal insurance solutions.

Risk imposes economic costs in the form of expected losses and capital exposure. The modeling process allows these components to be estimated both before (gross) and after (net) insurance. Value is created for the policyholder when insurance reduces these costs to an extent greater than the premium.

Independent of the expected losses, capital exposure, and premium, there is no optimal insurance decision. For example, we cannot say that a firm of a given size will have an ideal retention level. We can say, however, that a firm may have the capacity to retain a certain amount of risk before feeling unacceptable levels of financial pain. And we can determine the desirability of retaining risk only with knowledge about the underlying risk and the opportunities available in the insurance marketplace.

Valuing D&O Insurance

Corporate governance liability is an important subset of insurable operational risks. Mercer Oliver Wyman (MOW), an MMC subsidiary, has used the theoretical principles described above to develop a model of the economics of both buying and underwriting directors and officers liability (D&O) insurance. In 2003, when the market for D&O coverage was particularly hard, we wanted to know: (1) were insurers achieving returns significantly above their cost of risk? and (2) did the purchase of D&O insurance still add value for policyholders?

The modeling work utilized securities class action lawsuit data held by NERA Economic Consulting, another MMC subsidiary. Explicit quantification of D&O loss characteristics enabled us to model the economics of risk transfer from sell-side and buyside perspectives using a simulation-based approach.

Initially, the sell-side perspective was examined to assess whether recent industry-wide premium increases still yielded “economic” returns – i.e., returns at the insurers’ hurdle rate. The insight from this study was that industry-wide premiums were 15 to 30 percent below insurers’ total cost of risk from 1998-2002 and 30 percent above insurers’ total cost of risk in 2003. The latter pricing levels would be “justified” if claims attributable to 2003 ultimately increase by 25 percent over historical trends. Given the degree of uncertainty in the prevailing corporate governance environment, such an increase was a distinct possibility.

The client-specific buy-side modeling used both industry loss distribution data and company-specific data. Despite premium growth that had brought premiums to above-hurdle levels, we found that for our client the various tranches of coverage were actually priced at the lower end of the bid/ask spread. In this instance, we found a total risk transfer benefit of approximately $10 million.

This analysis demonstrates that the purchase of insurance can be a win/win transaction for both buyer and seller. The key factor here is diversification. As indicated in the chart above, the insurer holds a large, well-diversified portfolio of potential losses, but the policyholder enjoys only a limited diversification benefit. Even in a hard market, purchasing insurance can add value. As the insurance market softens and premiums go down, value to the policyholder goes up. Our analysis shows that in the soft market, transferring risk becomes more efficient.

A Perspective on Modeling

The modeling described in this article is not a panacea. Models, by their very nature, simplify reality and sometimes oversimplify it. Risks can and do arise from unforeseeable sources. Furthermore, the output of a model can only be as good as the data fed into it.

Nevertheless, risk modeling of this kind is likely to play a growing and beneficial role in decisions to purchase insurance. In contrast to rules of thumb that have commonly been used in the past – for example, how much insurance did we buy last year? what is the competition doing? – quantitative modeling provides a more objective basis for decisions. Even when it does not result in radically different choices, quantitative modeling can provide statistical validation for decisions that have been made in a largely intuitive way.

Spurred by Basel II, banks can be expected to make increased use of economic capital, quantitative modeling, and other analytical tools for measuring and mitigating operational risk. Over time, many nonfinancial corporations will likely follow suit.

***

Mr. Kuritzkes is a managing director of Mercer Oliver Wyman, and Mr. Ziff is a director at the firm. MOW is a leader in financial services strategy and risk management consulting. For additional information about MOW and its capabilities for helping clients, visit www.mow.com.