Operational Risk Exposures and Insurance

Of laws and arms in operational risk at the Commerzbank

By Wilmer Henrik Feringa

The principal foundations that all states have, new ones as well as old or mixed, are good laws and good arms.

Niccolò Machiavelli, The Prince, 1513


Author: Wilmer Henrik Feringa

Student number: 1139193

Groningen, Frankfurt a. Main, September 2004

Supervising Professors (University of Groningen, Groningen): Dr. W. Westerman, Prof. Dr. H.J.J. Bronsema

Supervising Manager (Commerzbank, Frankfurt am Main): Dr. B. Lenzmann


Contents

Preface

1 Problem definition and Methodology

1.1 Research topic

1.2 Research

2 Introduction

2.1 Regulators

2.1.1 Three pillars

2.1.2 Capital charge calculation

2.2 The Bank

2.2.1 Strategy & Goals

2.2.2 Commerzbank Organisation

2.3 Operational risk capital charge calculation

2.4 Operational Risk Categories

2.5 Conclusion

3 Insurances and their use for Operational Risk

3.1 Basle II requirements

3.2 Conclusion

4 The insurance mapping

4.1 Mapping classifications

4.2 Insurance and operational risk characteristics

4.2.1 Cause and effect objects

4.2.2 Insurance cause and effect

4.2.3 Operational risk event cause and effect

4.3 Mapping of insurance lines and policies

4.4 Insurance coverage

4.5 Conclusion

5 Exposure estimation

5.1 Basic method

5.2 Risk event characteristics

5.3 Financial value business process

5.3.1 Business processes volumes

5.3.2 Process control

5.3.3 Bureaucracy control form for customer products

5.4 Liability component

5.4.1 Liability law

5.4.2 Liability types

5.4.3 Height of liability

5.5 Method for exposure analysis

5.5.1 Implementation of the model

5.6 Conclusion

6 Exposures

7 Insurance of Exposure

7.1 Possible insurance

7.2 Other implications for insurable risks

7.2.1 Alternative insurance option

7.2.2 Control impact on severity and insurance

7.3 Conclusion

8 Conclusions and Recommendations

8.1 Conclusions

8.2 Recommendations

Sources

Annexes

Annex 1: Capital Charge Calculation

Annex 2: ORX

Annex 3: Insurance Classification

Annex 4: Risk event causes and effects

Annex 5: Model focus

Annex 6: Risk events location plus competence breach

Annex 7: Risk events


Preface

Operational risk insurances and their impact on operational risk mitigation are of very current interest in the financial markets. This risk brings new difficulties as well as opportunities for banks and insurers: new gaps identified in the insurance market and new insurances in development, all under the all-seeing eye of Basle II-conform supervisors.

Operational risk with insurances is a very complex and rather difficult subject to investigate, but offers large cost benefits if implemented correctly into the model to calculate the capital charge.

The vast space of insurances in combination with operational risk leaves only a relatively small part to be investigated with a single research.

How can we determine the use for insurance, what insurances are available, which insurances to use, how high should the limits be, what effect will it have…

For operational risk other questions are closely related: how much could we lose with a risk event, how can this be reduced, what impact will insurance have on this risk…

This paper will shed some light on the interaction between insurances and operational risk; the impacts on the severity of operational risk and the impact of control forms on the use of insurances as well as exposures. This will be accomplished in the context of a financial firm to finish my study of Financial Value Management as well as IT Technology Management from the faculty Management and Organisation of the University of Groningen.

With this paper I would like to take the opportunity to thank the people that helped me with my work in the Commerzbank. In the first place I would like to thank Dr. B. Lenzmann for hiring me to do this research and guiding me through the Commerzbank and the research, and I would like to thank Dr. W. Westerman for helping me to structure my paper to its present form.

Furthermore I would like to thank the people from operational risk who helped me understand the Commerzbank and the implications of operational risk and their work. Of course I would like to thank Mrs. Mann, who clarified the characteristics of the current insurances of the Commerzbank, and Mr. C. Zevenbergen from AON, who helped me understand insurances in combination with operational risk.

In addition I would like to thank the employees of ZCB who extended information so I could successfully extend and apply my exposure model, and Prof. Dr. H.J.J. Bronsema who made me aware of some structural problems in the initial version of this research.

Last but not least I would like to thank Mr. H. Suelmann, who put me in contact with the relevant people at the Commerzbank and who so kindly helped me with my accommodation in Frankfurt a. Main.


1 Problem definition and Methodology

1.1 Research topic

Like all commercial banks, the Commerzbank puts forth an effort to maximise profits in the annual report. In order to do this it seems clear that, like any organisation, it should maximise its revenues and minimise its costs.

Within the banking industry, the capital charge is a very specific kind of cost. Capital charge funds are funds that cannot be used to create a higher return. The money is simply kept in ‘inventory’ as a buffer for situations in which risk events occur that could themselves cause large unexpected losses. These losses are costs that have to be written off directly.

For example: some large loans will not or cannot be repaid (credit risk), or the market collapses and all securities become worthless (market risk). The capital charge is meant to keep the bank liquid and helps the bank survive certain risks. If the capital charge is very high in comparison to the risk, the bank has too much security for risk events and is incurring an ‘opportunity cost’. But if the bank has neither enough income to compensate these losses nor enough capital charge, bankruptcy will have to be declared. If the regulatory capital is suitable for the amount of risk, the return on investments can be maximised.

Basle Committee

The Basle committee with Basle I, which is an international standardisation of capital charge determination, produced a method to calculate the capital charge. The capital charge would have a numerator representing the capital available to the bank and a denominator that would be a measure of the risks faced by the bank, referred to as "risk-weighted assets". This capital charge should be in the form of equity, reserves and subordinated debt. Under Basle I there was a minimum required ratio of eight percent, which will not change under Basle II.¹ The difference in Basle II is the definition of risk-weighted assets, which are the methods used to measure the ‘riskiness’ of the loans and investments held by the bank. This modified definition of risk-weighted assets would also include an explicit, rather than implicit, treatment of “operational risk”.²

Basle and its consequences and implications will be explained further in the next chapter.

Application in Commerzbank

At the moment there is not yet a completed method in use concerning the calculation for the capital charge for operational risk in the Commerzbank. The reason is that in the Basle I accord there was no mention of operational risk. This risk was implicitly included in the credit risk method. Since the introduction of operational risk as a separate risk item in the Basle II accord, the Commerzbank is trying to implement one of the three methods for the calculation of the capital charge.

The choice fell on the most sophisticated approach, the ‘Advanced Measurement Approach’ (AMA), because this approach will give a thorough insight into risks and their exposures. These insights will help the bank to take appropriate actions to counter these exposures. The bank also chooses the AMA because these insights might give the bank the possibility to lower the capital charge (certainly in respect to the other two methods) and therefore the corresponding costs.

With the more precise insight in and calculation of the risk profile of the bank, the capital charge as calculated under either of the other two methods could be incorrect regarding the bank's risks.

Especially if the capital charge would be too high, this would mean the bank could, with consent of the regulators (for the Commerzbank this would be Bafin), lower this charge and save costs. If the capital charge would seem to be too low, it would mean the bank would not be secure enough and would have to raise their capital charge. In the latter case though, the company has the insight in their risk profile and could take appropriate steps to lower the risks.

1 Basel’s New Balance, A new accord may soon help banks lend more for less, R. Myers, CFO Magazine, December 2003

2 Quantifying regulatory capital for operational risk, P. Embrechts, H. Furrer, R. Kaufmann. 2003

The organisation of the Commerzbank will be explained in the next chapter.

Operational risk is a new risk item and as such the Commerzbank (like most banks) doesn’t have much experience with calculating these risks. In order to comply with the requirement of implementing an AMA method, a completely new risk control centre has been established within ‘Zentraler stab RiskControlling’ (ZRC) for operational risk, which has been instructed to construct, maintain and evaluate a risk assessment system for operational risks.³

Since the AMA model allows for a self-developed risk measurement approach, this method allows the use of insurance as risk mitigation up to a certain degree. With this mitigation, many resources could be saved (from the capital charge) and invested into other business opportunities.

1.2 Research

In order to reduce the capital charge and create a larger understanding of risk exposure and their coverage and reduction, this paper will research the mitigating controls and use of insurance products for operational risk.

The research objective of this paper is stated as follows:

Estimate the operational risk exposure and develop a mapping for insurances and operational risk to find the use of risk mitigation on the impact of an operational risk event by insurance products and controls, for the main business lines and risk events.

The research question is stated as follows:

How large are the operational risk exposures in the Commerzbank for the main business lines and risk events? Are these exposures insured? In what manner, by either control or insurance, can these exposures be reduced?

Boundary settings

This research is focused upon the maximum operational risk losses and the corresponding possible risk mitigation by insurances and the insurance policies in use within Commerzbank Germany. Therefore no analysis will be made about possible operational risk gains. This research will be based upon the classification and current interpretation of the risk event classes in use in the Commerzbank.

Research model

In this part the view upon operational risk in relation to insurance products is given. Operational risk consists of risk events that are the source of loss effects. These events have causes that set the risk event in motion and consequently affect a part or aspect (affected object) of the organisation that is damaged, injured, lost or compromised by it. As a result, this effect could bring a financial loss (gross effect) that could be mitigated by insurance and consequently result in a net effect.

3 http://comnet.intranet.commerzbank.com/include/baum.htm?RLogin=True, Intranet Commerzbank


These insurances are based upon causes and affected objects. Control upon or management of the part and aspects of the organisation involved with the event can limit the probability and severity of the corresponding risk event. The maximum severity (gross effect) corresponds to the exposure. Basle II also has laid restrictions on the use of insurance products, restraining their use on the net effect for regulatory capital calculations. See figure 1.1: Research model.

Following from the research question and the research model, the following sub questions can be derived.

Which insurance has the Commerzbank got?

• Do the insurances of the Commerzbank comply with Basle II requirements?

• Which operational risks are insurable by which insurance products?

• Which objects within the Commerzbank Germany are insured for what risks, taken into account the Basle II requirements for insurance products within the AMA model?

What is the exposure for the main risk events?

• How can the exposure be estimated regarding the control characteristics of the Commerzbank?

• What is the exposure of a single risk event within the Commerzbank for the main business lines of the organization with regard to the main risk events?

[Figure 1.1: Research model. Diagram elements: Control / Management; Operational Risk Event; Cause; Affected Object; Gross Effect (Maximum = exposure); Insurance; If internal; Basle II; Net Effect.]


Definitions of most important concepts

Operational Risk is "the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events". This risk does include legal risk but not strategic and reputational risk. Strategic risk is the risk that the strategic objectives are not fulfilled. Reputational risk is a derivative of credit, market, operational and strategic risk.⁴

Insurance is defined as coverage by contract whereby one party undertakes to indemnify or guarantee another against loss by a specified contingency or peril.⁵

Operational risk exposure is defined as the maximum possible loss arising as a result of an operational risk event where a probability of occurrence exists.

Capital Charge or Regulatory Capital in this paper is defined as the amount of equity, reserves and subordinated debt to be kept in ‘inventory’. The capital charge would have a numerator representing the capital available to the bank and a denominator that would be a measure of the risks faced by the bank, referred to as risk-weighted assets. Capital Charge serves to keep the bank liquid and helps the bank to survive certain risk events.

Research steps

After an introduction to the regulators, the Commerzbank and the operational risk events that serve as a basis for this research and put this research in context, this paper focuses on the research question. Finding answers to the question and its sub questions requires plentiful information sources and work methods for both subtopics (insurance and exposure) as explained in the following separate sub paragraphs (Insurance, exposure and comparison). Both work methods are self-developed.

Insurance

The use of insurances is dependent on approval from the regulators. The first step is to analyse the insurances and the regulators' requirements.

Therefore I will analyse the use of the insurances by the Commerzbank according to the requirements of the regulators. The requirements of Basle II will be compared with characteristics of the insurances. A more specific requirement relates to the rating of insurers. This rating I will get from the rating company Standard & Poor's.

The characteristics of the insurances are known to the insurance group of the Commerzbank that is responsible for all insurance purchases and management. Interviews and dialogues with these experts would identify the required information.

The second step involves the specific requirement of Basle II regulators to map the insurances versus operational risks. With this mapping I identified two axes for the mapping: insurances and operational risks. The latter is already grouped and identified according to ORX, which I used as basis for this research (see boundary settings). Insurances are not that well categorised and require further analysis. I searched for basic insurance categories with different insurance brokers, operational risk forums, insurance companies and with governments (institutional bodies/supervisors) that control these insurers. This type of information is well distributed on the Internet and in research papers about insurances and operational risk. Irrelevant insurance categories mentioned by these sources were eliminated from the list and additions recommended by insurance experts were added.

The expertise of the insurance group could further aid with the classification of the insurance of the Commerzbank to these categories.

After the categorisation of the insurances, I will link these insurances to operational risk events. This can be done on the basis of characteristics of the risk events and insurances. The most prominent characteristics are cause and effect as shown in the research model. These causes and events are identified with help of the operational risk definition and theory about services of a bank. Comparing the events and their causes and effects with the descriptions and insured causes and effects of insurances results in a mapping of insurances versus operational risks. Further analysis relating to the requirements of Basle II results in an overview of insured operational risks useful for the capital charge calculation.

This analysis is predominantly built on comparison of causes and effects, and of characteristics with requirements.

4 Consultative Package, Bank for International Settlements, January 2001

5 Merriam Webster Dictionary

Exposure

The first step for exposure estimation is to identify the focus of the research on the main business lines and operational risk events. Determining the main business lines and operational risk categories for exposure is done by historical loss data as a substitute for exposures, based on the present business processes. I analysed the average loss and frequency per risk event and business line to identify the most prominent risk events and the most affected business lines within the Commerzbank. These historical operational loss data are available in an operational loss collection database.

The second step concerns the development of a model to measure exposure. Exposure is the maximum loss possible as defined above. Exposures exist for risk events and business lines. The business processes of the business lines are based on different characteristics. The first is management, where failures are very case specific and difficult to determine and consequently not determinable within this paper. The second is information that results in direct liabilities and is based on the historical legal system of Germany. The third is the business process itself. With a study in operational risk papers I identified control as the most prominent limitation factor on operational risk exposure for the researched risk events regarding business processes.

With an extensive investigation of controls I found different types usable for different situations.

Extensive research of the risk categories and business lines found different situations in which operational risks could occur. The characteristics of the business lines are best found with the business lines managers. By connecting the characteristics of risk categories and business lines to the characteristics of control I found the appropriate form to limit the exposure by control. If controls are not available or the risk event cannot be controlled, historical data seems to be the only alternative to identify the maximum exposure.

Losses to 3rd parties by either information or the business processes could create liabilities for the bank determinable by law. As such the German liabilities law should be investigated. With a dialogue with the law department and analysis of German law I identified the basics for liabilities.

These liabilities are determined by the legal system that is external to the Commerzbank. By analysing historical cases of liability damages in Germany I found some indications for the height of the exposure of liabilities.

With the third step I used the model about the risk categories on the main business lines. The model developed in the previous step is a source for comparison of the controls in the business lines. Business line managers or the operational risk managers would serve as a great information source to determine the control mechanisms in use within the departments.

Where no control comparison is possible, I used historical data about volumes and loss components to determine the exposure. I acquired historical data from the control groups of the relevant departments, the corporate financial control department, the treasury department and accounting department.

Comparison

This step analyses the difference between the found exposure for the risk events and the found coverage by insurances. A comparison will be made between exposures and coverage.

With this analysis I found gaps in insurances regarding the researched risk categories and business lines.


2 Introduction

Understanding this research in light of operational risk requires comprehension of the different aspects on which this research is built. This chapter will first explain the environment in which operational risk is regulated. This is followed by an explanation of the Commerzbank and how the different organisational groups manage operational risk as defined by this environment. Thirdly, an explanation of the model developed in the Commerzbank to measure operational risk is given, and finally an impression is given of the operational risk categories on which this research and operational risk management are founded.

2.1 Regulators

Regulators have always supervised the banking industry. But since 1988 a new trend in standardisation of regulation has had great impacts on this supervision. This standardisation came in the form of the first Accord of the Basle Committee and refers to the calculation of the capital charge.

The Basle Committee was established in 1974 by the central bank governors of the Group of Ten (G10) to formulate broad supervisory standards, guidelines and recommendations of best practice about banking supervision with the expectation that individual authorities will implement them through detailed arrangements (statutory or otherwise) that are most appropriate to their own national systems. The Committee hopes this way to converge towards common standards and approaches in the world.⁶

The essence of Basle I in 1988 was to introduce the notion of quantitative, risk based capital standards. This innovation was based on the theory that bank assets should be analysed on the basis of credit risk, with higher capital charges for riskier assets. The innovation of Basle II is the recognition that other forms of risk should be accounted for in bank capital, among them operational risk.⁷

Basle II is an attempt by the international banking supervisors to update the Basle Capital Accord of 1988 (Basle I). With Basle II, the Basle Committee is trying to develop consistency among international capital regulations, making risk the central factor in determining the capital charge and encouraging advanced risk-management practices among large and internationally active banks.

These objectives consequently make Basle II more complex than Basle I.⁸ First of all, the assessment of risk is very complicated in the existing environment of a growing number of instruments/products and strategies with little differences in risk-reward characteristics. Also, the Basle II change has several other objectives: U.S. supervisors are trying to improve risk measurement and management both domestically and internationally; to connect the amount of required capital to the amount of risk taken; to further focus the supervisor-bank dialogue on the measurement and management of risk and the risk-capital nexus, and to make all of this transparent to the counterparties that ultimately fund these risk positions.

6 http://www.riskglossary.com/articles/basle_committee.htm

7 Capital Charge for Operational Risk Moves Toward Implementation, Dwight C. Smith III, April 2003

8 http://www.btiworld.com/The_Basle_Accord.htm


2.1.1 Three pillars

To achieve the above objectives, the framework for the Basle II Accord contains three elements, called Pillars 1, 2 and 3. All three pillars work interactively with each other.

Pillar 1 Minimum capital requirement

This pillar consists of rules for a bank to determine its capital ratio (i.e. capital charge) and how the bank's supervisor assesses whether this charge is in conformity with the minimum capital threshold regulations.

Pillar 2 Supervisory oversight

This pillar encompasses the notion that a bank should go further than simply comply with minimum capital charge requirements and create a comprehensive evaluation of whether they have sufficient capital to support their risks. Supervisors should with their extensive knowledge of the industry give constructive feedback on these self-evaluation-systems.

Pillar 3 Stronger market discipline

This pillar requires a bank to disclose key measures related to risk and capital positions.

These three pillars all have their impact on operational risk management. In this paper the focus is largely on the first and second. The capital charge will be lessened by insurance mitigation, but is under strong supervisory oversight.

2.1.2 Capital charge calculation

As mentioned above, one of the big differences for the banking organisations lies with the mentioning of Operational Risk as a separate risk item. This risk now requires its own analysis and its own capital charge. Within Basle II there are three methods to calculate this capital charge:⁹ the Basic Indicator Approach, the Standardised Approach and the Advanced Measurement Approach.

The Basic Indicator Approach

The Basic Indicator Approach can be used by a bank to determine the amount of capital that has to be used as a capital charge for operational risk. This amount is equal to a fixed percentage (denoted alpha) of average annual gross income over the previous three years. Alpha is 15%, which is set by the Basle Committee, relating the industry-wide level of required capital to the industry-wide level of the indicator. (For more details about the Basic Indicator Approach, see annex 1: Capital Charge Calculation.)

The Standardised Approach

In the Standardised Approach, the bank's activities are divided into eight business lines: corporate finance, trading & sales, retail banking, commercial banking, payment & settlement, agency services, asset management, and retail brokerage. In each of the business lines, gross income serves as an indicator for the likely operational risk exposure. The capital charge for each business line is calculated by a factor (denoted beta) multiplied with gross income of that business line. Beta serves as a proxy for the industry-wide relationship between the operational risk loss experience for a given business line and the aggregate level of gross income for that business line. (For more details about the Standardised Approach, see annex 1: Capital Charge Calculation.)

The Advanced Measurement Approach (AMA)

With the AMA method, the capital charge should equal the risk measure generated with the bank’s internal operational risk measurement system using the quantitative and qualitative criteria as mentioned in annex 1: Capital Charge Calculation. Use of AMA is subject to supervisory approval. Banks that want to use the AMA approach will be required to calculate their capital requirement a year prior to implementation of the New Accord (Basle II) at year-end 2006. Once a bank has been approved to use a more sophisticated method for their capital charge method, they may not change to a simpler one without the approval of the regulator. This approval is dependent on inappropriateness of the currently used method.

9 Consultative Package, Bank for International Settlements, January 2001

2.2 The Bank

The financial institution that will serve as a focal point in this paper is the Commerzbank Aktien Gesellschaft (Commerzbank AG, further referred to as Commerzbank or the bank).

The Commerzbank, founded in Hamburg in 1870 and currently based in Frankfurt am Main is a bank with activities in retail banking, wholesale banking and investment banking. It also offers specialised services via a number of subsidiaries, such as leasing, fund management, real estate and equity investment. With consolidated assets around 400 billion, the Commerzbank with roughly 35,000 employees, including 7,600 outside of Germany, is one of Germany’s and Europe’s leading private sector banks. The Commerzbank serves around 6 million customers, most of them nationally, with their network of 700 branches and internationally with a number of participations in institutions worldwide.

2.2.1 Strategy & Goals

In order to serve their customers and continue their operations worldwide, the Commerzbank has stated its strategy and goals as follows:¹⁰

• To be the efficient provider of financial services for demanding private customers in Germany

• To become the number one bank for the successful German Mittelstand and the creative relationship bank for major corporations and institutions in Europe as well as multinationals from all over the world

• To integrate our investment and corporate banking activities more strongly

• To concentrate our range of products

• To allocate equity capital to reflect the growth potential of business areas

• To reduce strategically unnecessary shareholdings

2.2.2 Commerzbank Organisation

The bank is organized as a divisional organization with its main focus on the product lines in each of the markets / divisions. The bank also has a large technostructure¹¹ and supporting service departments to control and manage the divisions and support them respectively. This is shown in figure 2.1: Organisational Structure Commerzbank AG.

In order to control risk within the Commerzbank, there is a department specifically for risk control (Zentraler Stab Risiko Controlling). This department can be divided into three major risk categories: market risk, credit risk and operational risk. Each risk category has its own section(s). Within the ‘operational risk & cross-sectional functions’ section there is an operational risk control group. This group concerns itself with the identification, assessment & analysis, reporting and monitoring of operational risk within the organization of the Commerzbank, either by qualitative policies and guidelines or quantitative methodologies and tools.

10 Annual Report Commerzbank 2003

11 Technostructure refers to the analysts of an administrative nature that standardise the work processes, as defined by Structures in Fives: Designing effective Organizations, H. Mintzberg, 1983

The newly developed operational risk control group is divided into two teams: Quantitative Modelling and Qualitative Data; see figure 2.2: Operational risk organigram. The Qualitative Data team collects loss data and self-assessments and coordinates the operational risk of investment banking. The Quantitative Modelling team forms this data into quantitative information and calculates the capital charge.¹²

Figure 2.1: Organisational Structure Commerzbank AG, https://www.commerzbank.com/konzern/struktur/index.html

Organisation around operational risk

The operational risk management and control process is first of all determined by the operational risk strategy that the Board of Managing Directors lays upon the Chief Risk Officer (CRO). The CRO communicates this strategy and the course of action to the Risk Committee (RC), which in turn communicates the relevant parts to the respective risk committees; in the case of operational risk, this is the Operational Risk Committee. This committee consists of representatives of the Operational Risk Control department (part of ZRC), the operational divisions (which themselves manage their operational risks) and the units with special operational risk tasks. See figure 2.3: Organisation of operational risk management and control.

There are four units with special tasks. ZCS (Zentraler Stab Compliance und Sicherheit) is responsible for the security within the organization. ZIT S (Zentraler Servicebereich Information Technology Support) is responsible for the IT infrastructure and corresponding systems. ZRA (Zentraler Stab Recht) is responsible for controlling and managing the legal risks, which are also a part of operational risk. And finally, ZFO (Zentraler Stab Zentrale- und Filialorganisation) is, among other things, responsible for the purchases of the Commerzbank and thus also for the acquisition of insurance products.

Operational risk strategy

The risk strategy that is given by the Board of Managing Directors can be split into strategies of the different risk types. Operational Risk has its own strategy, which forms a part of the larger operational risk framework. This framework is based upon the following definition: "the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events"13.

The framework should provide for a precise and structured management of operational risk in all organisation units of the Group. It consists of organisational standards, management tools, methodologies, systems, etc.

The operational risk framework used within the Commerzbank aims to create a consistent and binding definition of the operational risk framework components, as well as additional so-called ‘Sound Practices’. The framework is based on the operational risk strategy. This strategy is the basis for the qualitative policies and guidelines, as well as the quantitative methodologies and tools. These policies, guidelines, methodologies and tools will be used within the earlier mentioned identification, assessment & analysis, reporting and monitoring of operational risk. With the cooperation of all parties involved and within the boundaries of the framework an operational risk culture will evolve, see figure 2.4: Operational Risk Framework.

12 http://comnet.intranet.commerzbank.com/include/baum.htm?RLogin=True, Intranet Commerzbank

13 Consultative Package, Bank for International Settlements, January 2001

Figure 2.2: Operational Risk Organigram (Operational Risk, divided into Quantitative Modelling and Qualitative Data)

The Board of Managing Directors determines the strategy that Commerzbank uses for its operational risk. It is verified periodically and adapted to the overall risk strategy. The Commerzbank’s Operational Risk strategy, according to their risk appetite and risk taking capability, consists of14:

• The creation of risk transparency,

• To enable the management to manage operational risk,

• To allow market participants to evaluate the Operational Risk Management of the bank,

• The wide minimisation of operational risk in the bank through,

o The establishment of a proactive Operational Risk Controlling and Management as well as

o The active use of techniques and tools to reduce operational risk,

• The calculation of the economic Operational Risk capital for management reasons,

• The use of a capital saving approach (AMA) to calculate the regulatory capital according to Basle II

14 http://comnet.intranet.commerzbank.com/include/baum.htm?RLogin=True, Intranet Commerzbank

Figure 2.3: Organisation of operational risk management and control, Presentation on ‘Operational Risk - Implementation in Commerzbank’, Dr. Björn Lenzmann (diagram labels: Operational Risk Strategy; Board of Managing Directors, CRO, RC, OpRiskCo; risk control process with the risk control unit ZRC (ORC, Operational Risk Controlling): identification, assessment & analysis, reporting, monitoring; risk management process with the risk management units (ORM, Operational Risk Manager; responsibility for risk): Division Group Management (ZBS, ZCS, ZGT, ZPA, ZRA), Division Retail Banking & Asset Management (ZAM, ZPB, ZPK), Division Corporate & Investment Banking (ZCB, ZGS), Division Services (ZFO, ZGO IB, ZIT, ZTB); units with specific OpRisk tasks: ZIT S, ZFO, ZCS, ZRA; independent control: Internal Auditing (ZRev))

This strategy aims at the wide avoidance of high operational risk losses through proactive steps. It should help protect the bank from significant negative effects, help to achieve a wide risk minimisation through the use of risk-reducing steps, and contribute significantly to an improvement of the workflow organisation (processes) of the bank.15

Communication of the strategy and the corresponding framework is of fundamental importance for the achievement of the desired goals. By assisting with operational risk activities inside and outside of the risk management framework, an operational risk aware culture can be shaped16.

2.3 Operational risk capital charge calculation

Operational risk is difficult to measure directly in monetary worth, because it is a broad and diverse category. For the AMA, the Commerzbank is developing a quantitative model based on two statistical distributions: a frequency distribution and a severity distribution, which will be combined to form a loss distribution.17 This is called the Monte Carlo model within the Value at Risk methodology.18 The loss distribution will be used to calculate the capital charge by taking a high percentage of this loss distribution that has to be covered with capital.

The business lines as defined by Basle II will determine the basis for the loss distribution. Furthermore these losses will relate to loss categories as defined in the next paragraph. These are the same that serve as basis for this paper.

The frequency distribution is a distribution of the number of occurrences for a certain risk event in a certain place (usually the business line). On the X-axis it shows the number of events within a certain time period and the Y-axis the likelihood of this number of events within this time period.

These frequencies are based on losses reported into a loss collection database. With these data a severity distribution is also constructed. This is a distribution of the probability of the financial size of a single event. Combining these two distributions gives the loss distribution, which describes the loss in a certain time period. See figure 2.5: Monte Carlo distributions; the first figure relates to the frequency distribution, the second to the severity distribution and the third to the loss distribution.

15 http://comnet.intranet.commerzbank.com/include/baum.htm?RLogin=True, Intranet Commerzbank

16 http://comnet.intranet.commerzbank.com/include/baum.htm?RLogin=True, Intranet Commerzbank

17 Quantification of Operational Risk, M. Brown, J. S. Jordan, and E. S. Rosengren, May 2002

18 http://www.encyclopedia4u.com/v/value-at-risk.html

Figure 2.4: Operational Risk Framework, Intranet Commerzbank

In order to calculate a capital charge, the bank aggregates level three loss data to level two risk events. This is done for the assurance of data integrity. There are too few third level loss data to calculate a reliable loss distribution.

Of course a bank could take measures against the likelihood and/or exposure of certain risk events. The likelihood could in certain cases be lessened with more control mechanisms; the severity of some risk events could be insured against.

A reduction in impact would mean that the severity of certain risk events would be lessened, and consequently the loss distribution would also be lessened. See figure 2.6: Risk reduction by insurance.

The mean of the losses would most likely be higher (shift to the right) because of the costs of risk mitigation, but the standard deviation would be lessened because of the lessened impact of larger losses.19

Another advantage of the lessened deviation besides the risk reduction is the reduction in the required capital charge.

Basle II requires banks to have at least 99.9% coverage of the loss distribution in capital.20 If this loss were to be reduced, the capital charge could also be reduced and consequently the corresponding opportunity costs.

Due to insurances the severity of risk events has lessened; a certain part of the loss has been transferred by the risk reduction. If insurance products have been used to reduce the exposure (i.e. transfer the risk) and the monetary worth of the event was high enough, the loss will have been reduced by the insured amount. Consequently, the possible losses in a certain time period are also reduced by the insured sum.

19 Marshall, C, Measuring and Managing Operational Risks in Financial Institutions, supra note 20, p435

20 The New Basel Capital Accord (April 2003), p126

Figure 2.5: Monte Carlo distributions (frequency distribution: probability of occurrence against frequency / year; severity distribution: probability of occurrence against loss / event; loss distribution: probability of occurrence against loss / year)

Figure 2.6: Risk reduction by insurance (severity distribution, loss / event, and loss distribution, loss / year, obtained by Monte Carlo, each without and with insurance, with the 99.9% quantile marked)

As an outcome the amount of 99.9% coverage of the risk exposure has also shifted to the left towards a lesser amount that can be used for the capital charge. As such insurance can be seen as a valuable mitigation option of this risk.21
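The calculation described in this section can be followed in a small simulation. This is an added example, not the Commerzbank's model: the Poisson frequency, the lognormal severity, all parameter values, the per-event deductible and limit, and the premium loading are assumptions chosen for illustration.

```python
import math
import random
import statistics


def poisson(rng, lam):
    """Draw a Poisson count (Knuth's method): multiply uniforms until below e^-lam."""
    threshold = math.exp(-lam)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def simulate_years(n_years, lam, mu, sigma, deductible, limit, seed):
    """Simulate yearly (gross loss, insurance recovery) totals.

    Frequency distribution: Poisson(lam) events per year (assumption).
    Severity distribution: lognormal(mu, sigma) per event (assumption).
    The policy pays the part of each event above the deductible, up to the limit.
    """
    rng = random.Random(seed)
    years = []
    for _ in range(n_years):
        gross = recovered = 0.0
        for _ in range(poisson(rng, lam)):
            loss = rng.lognormvariate(mu, sigma)
            gross += loss
            recovered += min(max(loss - deductible, 0.0), limit)
        years.append((gross, recovered))
    return years


def quantile(values, q):
    """Empirical quantile: smallest value with at least a share q of the sample at or below it."""
    ordered = sorted(values)
    index = min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))
    return ordered[index]


def summarise(losses):
    """Mean, standard deviation and 99.9% quantile of a yearly loss distribution."""
    return {
        "mean": statistics.fmean(losses),
        "stdev": statistics.pstdev(losses),
        "q999": quantile(losses, 0.999),
    }


def compare(n_years=20000, lam=20.0, mu=10.0, sigma=2.0,
            deductible=250_000.0, limit=10_000_000.0, loading=0.3, seed=2004):
    """Loss distribution per year without insurance and with insurance.

    The premium is the expected yearly recovery plus a loading (assumption);
    it is the cost of risk mitigation that shifts the mean to the right.
    """
    years = simulate_years(n_years, lam, mu, sigma, deductible, limit, seed)
    gross = [g for g, _ in years]
    premium = (1.0 + loading) * statistics.fmean([r for _, r in years])
    insured = [g - r + premium for g, r in years]
    return {"premium": premium,
            "without": summarise(gross),
            "with": summarise(insured)}


if __name__ == "__main__":
    result = compare()
    print(f"premium  {result['premium']:,.0f}")
    for label in ("without", "with"):
        row = result[label]
        print(f"{label:8s} mean={row['mean']:,.0f} "
              f"stdev={row['stdev']:,.0f} q99.9={row['q999']:,.0f}")
```

With insurance the mean yearly cost rises by the premium loading, while the standard deviation and the 99.9% quantile, and with it the capital to be held, fall.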

2.4 Operational Risk Categories

The risk categories that form the basis for the AMA are based on the categorisation developed by ORX (Operational Riskdata eXchange). (For an explanation on ORX, see annex 2: ORX.) The risk categories can be divided into three levels of abstractness. These are briefly introduced below; for a more detailed explanation, see annex 7: risk events. The first two levels of the risk events are developed by ORX and the third by the Commerzbank. The risks have been categorised according to the Basle II accord with some minor adjustments (the developed classification has to be based upon the Basle II accord).22 This categorisation serves as a basis for this research.

1 Internal Fraud
  1.1 Internal theft and fraud
    1.1.1 Insider trading
    1.1.2 Check Fraud
    1.1.3 Embezzlement or misappropriation
    1.1.4 Fraud in payment transactions or in securities business
    1.1.5 Loan fraud
    1.1.6 Theft
    1.1.7 Industrial espionage
    1.1.8 Tax fraud
    1.1.9 Money laundering
    1.1.10 Bribery and slush money
  1.2 Unauthorised activity
    1.2.1 Banking secrecy violation
    1.2.2 Author, trademark or patent right infringement
  1.3 Internal systems security
    1.3.1 Unauthorised system access and data misusage

2 External Fraud
  2.1 External theft and fraud
    2.1.1 Check fraud
    2.1.2 Loan fraud
    2.1.3 Fraud in payment transactions or in securities business
    2.1.4 Theft or burglary
    2.1.5 Extortion
    2.1.6 Industrial espionage
    2.1.7 Bank hold-up
    2.1.8 Kidnapping and ransom
  2.2 External system security
    2.2.1 Unauthorised system access and data misusage

3 Malicious damage
  3.1 Wilful damage and terrorism
    3.1.1 Wilful damage to physical assets and people
    3.1.2 Arson, Collision, Terrorism, Vandalism
  3.2 Systems security – wilful damage
    3.2.1 Unauthorised system access

4 Employees practices and workplace safety
  4.1 Employee relation
    4.1.1 Unjustified dismissal
    4.1.2 Strike by employees
    4.1.3 Other (legal) disputes with employees
  4.2 Safe workplace environment
    4.2.1 Safe workplace environment
  4.3 Employment diversity and discrimination
    4.3.1 Discrimination, sexual harassment, unlawful behaviour

5 Clients, products and business practices
  5.1 Suitability, disclosure and fiduciary
    5.1.1 Breach of fiduciary duty
    5.1.2 Inherited liabilities
    5.1.3 Lender liabilities
    5.1.4 Infringement of due-diligence
    5.1.5 Insufficient supervision and controlling
    5.1.6 Dealing malpractices regarding legal matters
    5.1.7 Transgression of authority
    5.1.8 Illicit transactions
    5.1.9 Incorrect disclosure and declaration (brochure-liability)
  5.2 Improper business or market practices
    5.2.1 Breach of contract
    5.2.2 Antitrust law infraction
    5.2.3 Unnecessary portfolio regrouping for commission’s generation
    5.2.4 Violation of sales practices
    5.2.5 Dumping
    5.2.6 Misleading sales practices and concealment of facts
    5.2.7 Dealing without license
    5.2.8 Unauthorised trading
    5.2.9 Law amendment and interpretation rearrangement
    5.2.10 Contract disputes with vendors and counter parties
  5.3 Product flaws
    5.3.1 Defective product
    5.3.2 Flawed model
  5.4 Advisory activities
    5.4.1 Advisory error
  5.5 Selection, sponsorship and exposure
    5.5.1 Selection, sponsorship and exposure
  5.6 Client errors
    5.6.1 Mistake by customer

6 Disasters and public safety
  6.1 Disasters and other events
    6.1.1 Natural catastrophes
  6.2 Damage caused by accidents or negligence
    6.2.1 Damage caused by accidents or negligence
    6.2.2 Architectural defects, physical damages

7 Technology and interface failures
  7.1 Technology and interface failures
    7.1.1 IT and network infrastructure
    7.1.2 Other system breakdowns or malfunction

8 Execution, delivery and process management
  8.1 Transaction capture, execution and maintenance
    8.1.1 Faulty business processes cycle
    8.1.2 Incorrect execution of assignments
    8.1.3 Other task misperformance or errors
    8.1.4 Value-date differences
    8.1.5 Miscommunication
    8.1.6 Faulty interface relating to outsourced business processes
    8.1.7 Insufficient supervision on service provider
  8.2 Customer intake and documentation
    8.2.1 Deficient documentation
  8.3 Customer and client account management
    8.3.1 Customer and client account management
  8.4 Monitoring and reporting
    8.4.1 Failed mandatory reporting obligation and inaccurate external report

21 Operational Risk Insurance-Treatment under the New Basle Accord, Prof. H. Scott and Prof. H. Jackson, p11

22 Internal Commerzbank report ‘ORX RC - Coba Mapping English v4’

What is important with these risk categories is that only ‘what’ occurred matters, not ‘why’. Classifying by ‘why’ it occurred leads to a different risk event classification and would therefore distort the operational risk allocation.23 The first two levels of this categorisation from ORX are based on the Basle II classification. The Commerzbank developed the third level risk events.

With these risk categories a wide variety of operational risks are catalogued by the definition of operational risk as defined in the first chapter. The AMA is designed to, in due course, operate on second level risk categories.

2.5 Conclusion

23 ORX reporting standards, an ORX Members’ Guide to Operational Risk Event /Loss reporting, February 2004


The Advanced Measurement Approach (AMA) for operational risk capital charge calculation allows insurances as mitigations for risk. The use of insurances in the AMA as mitigation options allows for reductions in the capital charge and consequently in regulatory capital costs. Before insurances are allowed as mitigation for operational risks, they need to comply with Basle II requirements.

Different tasks relevant for operational risk control are organised over different departments. Insurances are purchased and managed by the insurance group in a different department from the risk department. The operational risk group within the risk department is responsible for the operational risk strategy that expresses itself in policies and guidelines. These policies and guidelines are used for measuring operational risks by methodologies and tools, which result in managing operational risk and an operational risk culture.

The most exemplified model is the operational risk capital charge model, which in the case of the Commerzbank is the AMA model. AMA in the Commerzbank is based on risk categories that involve a wide variety of events. The model itself is designed to ultimately operate on second level risk events.

With active use of insurances, policies and guidelines the operational risk in the bank calculated by the AMA can be minimised.


3 Insurances and their use for Operational Risk

This part will look into the use of insurance products in general and more specifically those in use by the Commerzbank for risk mitigation of operational risk. The question that will be answered in this part is:

• Do the insurances of the Commerzbank comply with Basle II requirements?

The question relates to the use of insurances already in use by the Commerzbank and the allowed mitigation of risk according to Basle II. The use of insurance as explained in the previous chapter for the AMA model will determine the mitigating effect on the capital charge.

3.1 Basle II requirements

Basle II has clear and large impacts on the regulatory capital of a bank. One of these impacts is the use of insurance products. Insurance can reduce the capital charge by up to 20%, which is the cap set by Basle II.24 But even with this 20% reduction a bank would save a considerable amount on opportunity costs. These funds could be invested in operations with a higher return, while simultaneously lowering the required rate of return per investment option.

In order to use the insurance products for risk mitigation and thus the regulatory capital reduction, Basle II has formulated several constraints on its use25:

1. The insurance provider has a minimum claims paying ability rating of A (or equivalent).

2. The insurance policy must have an initial term of no less than one year. For policies with a residual term of less than one year, the bank must make appropriate haircuts reflecting the declining residual term of the policy up to a full 100% haircut for policies with a residual term of 90 days or less.

3. The insurance policy has a minimum notice period for cancellation of 90 days.

4. The insurance policy has no exclusions or limitations triggered by supervisory actions or, in the case of a failed bank, that preclude the bank, receiver, or liquidator from recovering for damages suffered or expenses incurred by the bank, except in respect of events occurring after the initiation of receivership or liquidation proceedings in respect of the bank, provided that the insurance policy may exclude any fine, penalty, or punitive damages resulting from supervisory actions.

5. The risk mitigation calculations must reflect the bank’s insurance coverage in a manner that is transparent in its relationship to, and consistent with, the actual likelihood and impact of loss used in the bank’s overall determination of its operational risk capital.

6. The insurance is provided by a third party entity. In the case of insurance through captives and affiliates, the exposure has to be laid off to an independent third party entity, for example through re-insurance, that meets the eligibility criteria.

7. The framework for recognising insurance is well reasoned and documented.

8. The bank discloses a description of its use of insurance for the purpose of mitigating operational risk.

In order to find whether or not Commerzbank can use its insurance policies, these points need to be investigated before bringing insurance into the equation (i.e. the AMA model).
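The mechanically checkable constraints (1, 2, 3, 4 and 6) and the 20% cap can be applied to a list of policies as follows. This is an added example, not part of the original paper or of the Commerzbank's tooling: the policies are constructed, the rating ladder is simplified, and the linear haircut between 90 days and one year of residual term is an assumption, since the text only fixes the 100% haircut at 90 days or less.

```python
from dataclasses import dataclass

# Simplified rating ladder, best first (assumption: notches such as A+ / A- ignored).
RATINGS = ["AAA", "AA", "A", "BBB", "BB", "B", "CCC"]
INSURANCE_CAP = 0.20  # maximum recognised reduction of the capital charge


@dataclass
class Policy:
    name: str
    insurer_rating: str
    initial_term_days: int
    residual_term_days: int
    cancellation_notice_days: int
    supervisory_exclusion: bool  # exclusion or limitation triggered by supervisory action
    third_party: bool            # independent insurer, or captive exposure laid off
    modelled_reduction: float    # capital relief the loss model attributes to the policy


def failed_criteria(policy):
    """Return the numbers of the constraints (1, 2, 3, 4, 6) the policy fails.

    Constraints 5, 7 and 8 concern the bank's own modelling, documentation
    and disclosure and cannot be read off a single policy.
    """
    failed = []
    rating = policy.insurer_rating
    if rating not in RATINGS or RATINGS.index(rating) > RATINGS.index("A"):
        failed.append(1)
    if policy.initial_term_days < 365:
        failed.append(2)
    if policy.cancellation_notice_days < 90:
        failed.append(3)
    if policy.supervisory_exclusion:
        failed.append(4)
    if not policy.third_party:
        failed.append(6)
    return failed


def haircut(residual_term_days):
    """Haircut for the residual term: 100% at 90 days or less, none from one year.

    The linear decline in between is an assumption of this example.
    """
    if residual_term_days <= 90:
        return 1.0
    if residual_term_days >= 365:
        return 0.0
    return (365 - residual_term_days) / (365 - 90)


def recognised_relief(gross_charge, policies):
    """Capital relief of eligible policies after haircuts, capped at 20% of the charge."""
    relief = 0.0
    for policy in policies:
        if failed_criteria(policy):
            continue
        relief += policy.modelled_reduction * (1.0 - haircut(policy.residual_term_days))
    return min(relief, INSURANCE_CAP * gross_charge)


def constructed_portfolio():
    """Constructed sample policies (amounts in millions), for illustration only."""
    return [
        Policy("property", "AA", 365, 365, 90, False, True, 12.0),
        Policy("crime", "A", 730, 200, 120, False, True, 10.0),
        Policy("liability", "BBB", 365, 365, 90, False, True, 8.0),
        Policy("captive", "A", 365, 300, 90, False, False, 5.0),
        Policy("expiring", "AAA", 365, 60, 90, False, True, 6.0),
    ]


if __name__ == "__main__":
    for p in constructed_portfolio():
        print(p.name, failed_criteria(p), round(haircut(p.residual_term_days), 2))
    print(recognised_relief(100.0, constructed_portfolio()))
```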

From these eight points, the first six will be investigated. The seventh concerns the quality of this paper and will therefore be judged by the supervisor of the Commerzbank, BaFin (Federal Financial Supervisory Authority). Point eight concerns the disclosure of the use of insurance products in the AMA model and is an issue for the Commerzbank to consider when implementing the model.

24 International Convergence of Capital Measurement and Capital Standards - A Revised Framework, June 2004

25 International Convergence of Capital Measurement and Capital Standards - A Revised Framework, June 2004 - part 2, Wednesday 7 July 2004

Point five, formerly stated as26 ‘The insurance coverage has been explicitly mapped to the actual operational risk loss exposure of the institution’, contains the mapping that is of great importance for the analysis of the coverage of the exposures, and will be explained in the next chapter. The actual mitigation calculation is dependent on the severity and the likelihood of occurrence, of which the latter will not be researched in this paper.

The insurances of the Commerzbank comply to a certain degree with the Basle II requirements.

3.2 Conclusion

Concluded from the requirements stated by Basle II, the insurances could be used to a certain degree for operational risk mitigation.

26 The New Basle Capital Accord, Issued for comment by 31 July 2003, p 129


4 The insurance mapping

This chapter produces a mapping to comply with the Basle II requirement formerly stated as ‘The insurance coverage has been explicitly mapped to the actual operational risk loss exposure of the institution’ in order to help the risk mitigation calculations that reflect the bank’s insurance coverage. Additionally this chapter will form an answer to the following questions.

• Which operational risks are insurable by which insurance products?

• Which objects within the Commerzbank Germany are insured for what risks, taken into account the Basle II requirements for insurance products within the AMA model?

This mapping will serve as a model to identify insurance possibilities for the risk categories and current coverage in qualitative terms of these risks.

First the two axes for the mapping will be identified and categorised, followed by an analysis of the characteristics of the axes (insurances and operational risk events) in order to be able to make a comparison between the two axes. The third step consists of making a link between these two axes by mapping the operational risks to the insurances with the help of the identified characteristics.

Consequently, with this mapping, the insurance coverage can be identified and analysed with possible insurance alternatives. Finally an answer will be formed for the questions stated above.

4.1 Mapping classifications

A model has to be constructed to explicitly map insurance coverage to the actual operational risk loss exposure of the institution to find which operational risks are insured and insurable.

Insurance coverage identifies insurances as one of the axes for the operational risk insurance mapping. Operational risk loss exposure is based on operational risk events. Before mapping the insurances to the operational risk events, these axes need to be categorised.

Insurance Products Categorisation

Insurance policies of the Commerzbank are not categorised. Therefore a list of available insurance types has to be constructed. After aggregating several found lists from insurance acts, insurance experts and with insurance papers,27,28,29 a list of insurance products with their explanations could be created. See table 4.1: Insurances groups and objects allocation. For the entire list of found insurances, see annex 3: Insurance classification.

Risk Events Categorisation

The AMA is developed on level two risk events of the ORX risk classification. The mapping of insurances to risk events will therefore occur on the same level, in order to match the AMA model that will focus on this level. For this categorisation see table 4.3: Risk events and the allocation of objects. For a more detailed list of risk events, see annex 7: Risk events.

4.2 Insurance and operational risk characteristics

Unfortunately, insurance products do not focus upon risk events directly, and thus cannot be compared with the risk events. Where some authors call insurance cause-based30, others complete this statement by stating that insurance products focus on cause and/or effect of losses31. A risk event has a cause and an effect. These causes can either be an object or other events and the effects can also either be objects or other events. These other events, both as cause or effect, correspond to the ‘why’ question of operational risk allocation as explained in chapter two. These will not be researched in this paper.

27 http://www.efirm.org

28 http://www.qp.gov.bc.ca/statreg/reg/I/Insurance/337_90.htm

29 Insurance Working Group of the Operational Risk Research Forum (ORRF), Insurance as a Mitigant for Operational Risk, (2001)

30 ‘Operational risk and insurance’, T. M. Leddy in ‘Operational Risk, Regulation, Analysis and Management’, edited by Carol Alexander, 2003 Prentice Hall

A cause is the initiator of a risk event. An effect is the associated loss of the event32 through an affected object. The mapped causes are objects that start a risk event. Also external causes that are not related to the bank, like natural catastrophes and the law are included here. The mapped effects are objects that are affected by the occurrence of the risk event. In order to map causes and effects, a categorisation of objects that could function as causes and/or effects should be in place.

4.2.1 Cause and effect objects

Operational risk as defined by the Bank for International Settlements consists of losses within the bank. These losses are derived from what is affected by a risk event. Within the definition of operational risk, the affected items are defined as the processes, people and systems. An object in this paper is defined as (aspects of) processes, people or systems. External events are treated separately. Identifying the (aspects of) processes, people or systems is done by analysing characteristics of service providers. Services have the following characteristics33, whose analysis identifies the relevant objects for operational risk events. With the bank as a service provider, the analysis of characteristics of service providers will identify the bank’s (aspects of) processes, people and systems.

• Intangible

o As such the product is a concept rather than something concrete. The business processes are based upon this concept. They are designed to produce outcomes according to this concept. This relates to an object ‘product’ and ‘business process’.

• Production and consumption take place simultaneously

o Consequently the business processes (more specifically the production process) cannot afford errors. This is the concept of how outcomes are produced. The business processes transfer income into outcome. The incomes and outcomes can either be liquid assets or information. Liquid assets owned by the bank and by customers are distinguished by the terms ‘liquid means’ and ‘3rd party (financial)’ respectively. These four aspects relate to the four objects ‘business process’, ‘knowledge’, ‘liquid means’ and ‘3rd party (financial)’.

• Labour and knowledge intensive

o Important objects relate to the employee that performs the labour and has knowledge. This knowledge could also be stored in electronics by software. Electronics are part of movable assets with which labour is performed. Knowledge is the evolved form of information and data.34 Information and data are encompassed into knowledge in this paper. Four objects can be identified: ‘employee’, ‘knowledge’, ‘electronic’ and ‘software’.

• Customer Interaction is generally high

o The customer is very important for the business process. This relates to the object ‘3rd party’.

31 Operational Risk Insurance-Treatment under the New Basle Accord, Prof. H. Scott and Prof. H. Jackson, p8

32 ORX REPORTING STANDARDS, An ORX Members’ Guide to Operational Risk Event/Loss Reporting, February 2004

33 Organization theory and design (7th edition), R. L. Daft, p210

34 De ‘zwarte doos’ in de bedrijfskunde: cognitie in actie (The “black box” in management science: cognition in action), inaugural lecture, June 2000, University of Groningen, Jorna, R.J., 2000.
