<v>GARP

FRM Financial Risk Manager

Operational Risk and Resiliency

Pearson
Copyright © 2022, 2021 by the Global Association of Risk Professionals All rights reserved.
This copyright covers material written expressly for this volume by the editor/s as well as the compilation itself. It does not cover the individual
selections herein that first appeared elsewhere. Permission to reprint these has been obtained by Pearson Education, Inc. for this edition only. Further
reproduction by any means, electronic or mechanical, including photocopying and recording, or by any information storage or retrieval system, must
be arranged with the individual copyright holders noted.
Grateful acknowledgment is made to the following sources for
permission to reprint material copyrighted or controlled by them:
"Principles for the Sound Management of Operational Risk," by Basel
Committee on Banking Supervision, June 2011, by permission of the Bank
for International Settlements. Information retrieved from the Bank for
International Settlements is freely available at their website: www.bis.org.
"Enterprise Risk Management: Theory and Practice," by Brian W. Nocco
and Rene M. Stulz, reprinted from Journal o f Applied Corporate Finance,
vol. 18, no. 4, Fall 2006, by permission of John Wiley & Sons, Inc. All
rights reserved. Used under license from John Wiley & Sons, Inc.
"What is ERM?," by James Lam, reprinted from Enterprise Risk
Management: From Incentives to Controls, Second Edition (2014), by
permission of John Wiley & Sons, Inc. All rights reserved. Used under
license from John Wiley & Sons, Inc.
"Implementing Robust Risk Appetite Frameworks to Strengthen Financial
Institutions," June 2011, by permission of the Institute of International
Finance.
"Banking Conduct and Culture: A Permanent Mindset Change," by
the G30 Working Group, 2018, by permission of the Group of 30
Consultative Group on International Economic and Monetary Affairs, Inc.
"Risk Culture," by Alessandro Carretta and Paola Schwizer, reprinted
from Risk Culture in Banking by Alessandro Carretta, Franco Fiordelisi
and Paola Schwizer (2017), by permission of Palgrave Macmillan.
"OpRisk Data and Governance," by Marcelo G Cruz, Gareth W Peters
and Pavel V Shevchenko, reprinted from Fundamental Aspects of
Operational Risk and Insurance Analytics: A Handbook of Operational
Risk (2015), by permission of John Wiley & Sons, Inc. All rights reserved.
Used under license from John Wiley & Sons, Inc.
"Adoption of Supervisory Guidance on Model Risk Management,"
reprinted from Financial Institution Letter FIL-22-2017, June 2017,
published by the Federal Deposit Insurance Corporation.
"Information Risk and Data Quality Management," by David Loshin,
reprinted from Risk Management in Finance: Six Sigma and Other
Next-Generation Techniques, edited by Anthony Tarantino and Deborah
Cernauskas (2009), by permission of John Wiley & Sons, Inc. All rights
reserved. Used under license from John Wiley & Sons, Inc.
"Validating Rating Models," by Giacomo De Laurentis, Renato Maino,
and Luca Molteni, reprinted from Developing, Validating and Using
Internal Ratings (2010), by permission of John Wiley & Sons, Inc. All
rights reserved. Used under license from John Wiley & Sons, Inc.
"Assessing the Quality of Risk Measures," by Allan M Malz, reprinted
from Financial Risk Management: Models, History, and Institutions (2011),
by permission of John Wiley & Sons, Inc. All rights reserved. Used under
license from John Wiley & Sons, Inc.
"Risk Capital Attribution and Risk-Adjusted Performance Measurement,"
by Michel Crouhy, Dan Galai and Robert Mark, reprinted from The
Essentials of Risk Management, 2nd Edition (2014), by permission of the
McGraw-Hill Companies, Inc.
"Range of Practices and Issues in Economic Capital Frameworks," by
Basel Committee on Banking Supervision, March 2009, by permission of
the Basel Committee on Banking Supervision.
"Capital Planning at Large Bank Holding Companies: Supervisory
Expectations and Range of Current Practice," August 2013, by the Board
of Governors of the Federal Reserve System.
Pearson
"Stress Testing Banks," by Til Schuermann, reprinted from the International
Journal of Forecasting 30, no. 3, (2014) pp. 717-728, by permission of
Elsevier BV.
"Guidance on Managing Outsourcing Risk," Supervisory Letter SR 13-19/
CA13-21, December 2013, by the Board of Governors of the Federal
Reserve System.
"Management of Risks Associated with Money Laundering and Financing
of Terrorism," by Mark Carey, February 2019, the GARP Risk Institute.
"Regulation of the OTC Derivatives Market," by John C Hull, reprinted
from Risk Management and Financial Institutions, 5th edition (2018), by
permission of John Wiley & Sons, Inc. All rights reserved. Used under
license from John Wiley & Sons, Inc.
"Capital Regulation Before the Global Financial Crisis," by Mark Carey,
April 2019, the GARP Risk Institute.
"Solvency, Liquidity and Other Regulation After the Global Financial
Crisis," by Mark Carey, April 2019, the GARP Risk Institute.
"High-Level Summary of Basel III Reforms," by Basel Committee on
Banking Supervision, December 2017, by permission of the Bank for
International Settlements. Information retrieved from the Bank for
International Settlements is freely available at their website: www.bis.org.
"Basel III: Finalising Post-Crisis Reforms," by Basel Committee on
Banking Supervision, December 2017, by permission of the Bank for
International Settlements. Information retrieved from the Bank for
International Settlements is freely available at their website: www.bis.org.
"The Cyber-Resilient Organization," by Andrew Coburn, Eireann Leverett,
and Gordon Woo, reprinted from Solving Cyber Risk: Protecting Your
Company and Society (2019), by permission of John Wiley & Sons, Inc. All
rights reserved. Used under license from John Wiley & Sons, Inc.
"Cyber-Resilience: Range of Practices," by Basel Committee on Banking
Supervision, December 2018, by permission of the Bank for International
Settlements. Information retrieved from the Bank for International
Settlements is freely available at their website: www.bis.org.
"Operational Resilience: Impact Tolerances for Important Business
Services" © 2021 Financial Conduct Authority and © 2021 Bank of
England. Reproduced with permission.
"Principles for Operational Resilience," by Basel Committee on Banking
Supervision, March 2021, by permission of the Basel Committee on
Banking Supervision.
"Striving for Operational Resilience: The Questions Boards and Senior
Management Should Ask," by Rico Brandenburg, Tom Ivell, Evan Sekeris,
Matthew Gruber and Paul Lewis, 2019, by permission of Oliver Wyman.
Learning Objectives provided by the Global Association of Risk
Professionals.
All trademarks, service marks, registered trademarks, and registered
service marks are the property of their respective owners and are used
herein for identification purposes only.
Pearson Education, Inc., 330 Hudson Street, New York, New York 10013
A Pearson Education Company
www.pearsoned.com
Printed in the United States of America
ScoutAutomatedPrintCode
00011693-00000004 / A103000278802
EEB/MB
ISBN 10: 0137686595
ISBN 13: 9780137686599
Chapter 1 Revisions to the Chapter 2 Enterprise Risk
Principles for the Management:
Sound Management Theory and
of Operational Risk 1 Practice 15

1.1 Introduction 2 2.1 How Does ERM Create

1.2 Components of Operational Shareholder Value? 16
Risk Management 2 The Macro Benefits of Risk
M anagem ent 16
1.3 Operational Risk Management 2 The Micro Benefits of ERM 17
1.4 Principles for the Sound 2.2 Determining the Right
Management of Operational Risk 5 Amount of Risk 18
G overnance 6
Risk M anagem ent Environm ent 8 2.3 Implementing ERM 22
Monitoring and Reporting 10 Inventory of Risks 22
Control and M itigation 11 Econom ic Value versus Accounting
Information and Com m unication Perform ance 23
Technology 12 Aggregating Risks 24
Business Continuity Planning 13 M easuring Risks 26
Role of Disclosure 14 Regulatory versus Econom ic Capital 26
Role of Supervisors 14

in
 Using Econom ic Capital to Section 2 - Key Outstanding
Make Decisions 27 Challenges in Implementing
The G overnance of ERM 28 Risk Appetite Frameworks 43
Conclusion 28 Section 3 - Emerging Sound
Practices in Overcoming
the Challenges 45
3.1 Risk A p p etite and Risk Culture 46
Chapter 3 What Is ERM? 29 3.2 "D riving Down" the Risk A p p etite
into the Businesses 47
3.3 Capturing Different Risk Types 49
3.1 ERM Definitions 30 3.4 The Benefits of Risk A p p etite
as a Dynam ic Tool 50
3.2 The Benefits of ERM 31
3.5 The Link with the Strategy
O rganizational Effectiveness 31
and Business Planning Process 51
Risk Reporting 31
3.6 The Role of Stress Testing
Business Perform ance 32 within an RAF 54
3.3 The Chief Risk Officer 33 Section 4 - Recommendations
3.4 Components of ERM 35 for Firms 57
C orporate G overnance 35 Recom m endations for Board D irectors 57
Line M anagem ent 35 Recom m endations for Senior
Portfolio M anagem ent 36 M anagem ent 59

Risk Transfer 36 Recom m endations for Risk M anagem ent 60

Risk Analytics 36 Annex I: Case Studies 61

Data and Technology Resources 37 Developing a Risk A p p etite Fram ew ork
Stakeholder M anagem ent 37 at RBC May 2011 61
Risk A p p etite within National Australia
Bank: an Ongoing Jo u rney 64
Sco tiabank-A Canadian Experience

Chapter 4 Implementing in Setting Risk A p p etite May 2011 70

Risk A p p etite Fram ew ork Developm ent
Robust Risk at the Com m onwealth Bank of Australia 73
Appetite
Frameworks to
Strengthen
Financial Chapter 5 Banking Conduct
Institutions 39 and Culture 79

Introduction 40 Introduction 80
Section 1 - Principal Findings Section 1. Assessment
from the Investigation 41 of Industry Progress 88

iv ■ Contents
 M indset of Culture 90 External Frauds 122
Senior Accountability and G overnance 91 Internal Fraud 122
Perform ance M anagem ent Em ploym ent Practices and W orkplace
and Incentives 93 Safety 122
Staff Developm ent and Promotions 94 Dam age to Physical A ssets 123
An Effective Three Lines of Defense 96 7.3 The Elements of the OpRisk
Regulators, Supervisors, Enforcem ent Framework 123
A uthorities, and Industry Standards 97
Internal Loss Data 123
Section 2. Lessons Learned 100 Setting a Collection Threshold
and Possible Impacts 123
Com pleteness of Database
(Under-Reporting Events) 124
Chapter 6 Risk Culture 107 Recoveries and Near M isses 124
Tim e Period for Resolution
of O perational Losses 125
6.1 Introduction 108
1

Adding Costs to Losses 125

6.2 What Corporate Culture Provisioning Treatm ent of Expected
Is and Why It Matters? 108 O perational Losses 125

6.3 Risk Culture: Scope 7.4 Business Environment

and Definition 110 and Internal Control Environment
Factors (BEICFs) 125
6.4 Risk Culture: Drivers
Risk Control Self-Assessm ent (RCSA) 126
and Effects 111
Key Risk Indicators 127
6.5 Change and Challenge:
J

Deploying an Effective 7.5 External Databases 128

Risk Culture 112 7.6 Scenario Analysis 129
Conclusions 115 7.7 Oprisk Profile in Different
Bibliography 115 Financial Sectors 131
Trading and Sales 131
Corporate Finance 131
Retail Banking 131
Chapter 7 OpRisk Data Insurance 132
and Governance 117 A sset M anagem ent 133
Retail Brokerage 134

7.8 Risk Organization

7.1 Introduction 118
and Governance 135
7.2 OpRisk Taxonomy 118 O rganization of Risk D epartm ents 135
Execution, D elivery, and Process Structuring a Firm W ide Policy:
M anagem ent 119 Exam ple of an O pRisk Policy 136
Clients, Products, and Business Practices 120 Governance 136
Business Disruption and System Failures 121

Contents ■ v
Chapter 8 Supervisory Chapter 9 Information Risk
Guidance on and Data Quality
Model Risk Management 153
Management 139
9.1 Organizational Risk, Business
8.1 Introduction 140 Impacts, and Data Quality 154
Business Impacts of Poor Data Q uality 154
8.2 Purpose and Scope 140
Information Flaw s 155
8.3 Overview of Model Risk
9.2 Examples 155
Management 140
Em ployee Fraud and A buse 155
8.4 Model Development, Underbilling and Revenue Assurance 155
Implementation, and Use 142 Credit Risk 155
Model D evelopm ent and Insurance Exposure 156
Im plem entation 142
Developm ent Risk 156
Model Use 143
Com pliance Risk 156
8.5 Model Validation 144
9.3 Data Quality Expectations 156
Key Elem ents of Com prehensive
A ccuracy 156
Validation 145
Validation of Vendor and O ther Com pleteness 156
Third-Party Products 148 Consistency 156
Reasonableness 157
8.6 Governance, Policies,
Currency 157
and Controls 148
Uniqueness 157
Board of Directors and Senior
M anagem ent 149 O ther Dim ensions of Data Q uality 157
Policies and Procedures 149 9.4 Mapping Business Policies
Roles and Responsibilities 149 to Data Rules 157
Internal Audit 150
9.5 Data Quality Inspection,
External Resources 150 Control, and Oversight:
Model Inventory 151 Operational Data Governance 157
Docum entation 151
9.6 Managing Information
Conclusion 151 Risk Via a Data Quality Scorecard 158
Data Q uality Issues View 158
Business Process View 159
Business Impact View 159
Managing Scorecard View s 159

Summary 159

vi ■ Contents
 12.3 RAROC: Risk-Adjusted Return
Chapter 10 Validating on Capital 186
Rating Models 161 12.4 RAROC for Capital Budgeting 187
12.5 RAROC for Performance
10.1 Validation Profiles 162 Measurement 188
R A R O C Horizon 188
10.2 Roles of Internal Validation
Default Probabilities: Point-in-Time
Units 163
(PIT) vs. Through-the-Cycle (TTC) 190
10.3 Qualitative and Confidence Level 190
Quantitative Validation 164 Hurdle Rate and Capital Budgeting
Q ualitative Validation 164 Decision Rule 190
Q uantitative Validation 168 Diversification and Risk Capital 191

12.6 RAROC in Practice 192

Conclusion 194
Chapter 11 Assessing the
Quality of Risk
Measures 175 Chapter 13 Range of
Practices and
11.1 Model Risk 176 Issues in
Valuation Risk 176 Economic
Variability of VaR Estim ates 177 Capital
Mapping Issues 178 Frameworks 195
Case Study: The 2005 Credit
Correlation Episode 178
Case Study: Subprim e Default M odels 182 13.1 Executive Summary 196
Use of Econom ic Capital and
G overnance 196

Chapter 12 Risk Capital Risk M easures 196

Risk Aggregation 197
Attribution and
Validation 197
Risk-Adjusted D ependency Modelling in Credit Risk 197
Performance Counterparty C redit Risk 198
Measurement 183 Interest Rate Risk in the Banking Book 198
Sum m ary 198

12.1 What Purpose Does Risk 13.2 Recommendations 198

Capital Serve? 184 13.3 Introduction 200
12.2 Emerging Uses of Risk 13.4 Use of Economic Capital
Capital Numbers 184 Measures and Governance 201

Contents ■ vii
 Business-Level Use 201 13.10 Annex 3: Interest Rate
Enterprise-W ide or Group-Level Use 202 Risk in the Banking Book 229
G overnance 204 Sources of Interest Rate Risk 229
Supervisory Concerns Relating to Use Interest Rate M easurem ent
of Econom ic Capital and G overnance 205 Techniques and Indicators 230

13.5 Risk Measures 207 Modelling Issues 231

D esirable C haracteristics of Risk Main Challenges for the

M easures 207 M easurem ent of Interest Rate
Risk in the Banking Book 231
Types of Risk M easures 208
Calculation of Risk M easures 209 References 235
Supervisory Concerns Relating
to Risk M easures 210

13.6 Risk Aggregation 210

Aggregation Fram ew ork 210
Chapter 14 Capital Planning
Aggregation M ethodologies 211
at Large Bank
Range of Practices in the Choice of Holding
Aggregation M ethodology 214 Companies 237
Supervisory Concerns Relating
to Risk Aggregation 215

13.7 Validation of Internal 14.1 Introduction 238

Economic Capital Models 216 14.2 Foundational Risk
W hat Validation Processes Management 240
A re in Use? 217 Risk Identification 240
W hat A sp ects of M odels Does
Validation C o ver? 220 14.3 Internal Controls 241
Supervisory Concerns Relating Scope of Internal Controls 241
to Validation 220 Internal A udit 241
Independent Model Review and
13.8 Annex 1: Dependency
Validation 242
Modelling in Credit Risk Models 220
Policies and Procedures 242
Types of M odels 221
Ensuring Integrity of Results 243
Supervisory Concerns Relating to
Currently Used C redit Portfolio Docum entation 243
Models 223 14.4 Governance 243
13.9 Annex 2: Counterparty Board of D irectors 243
Credit Risk 225 Board Reporting 244
Counterparty C redit Risk Challenges 225 Senior M anagem ent 244
Range of Practices 227 Docum enting Decisions 245

•••
VIII ■ Contents
 14.5 Capital Policy 245 Modeling Losses 275
Capital Goals and Targets 246 Modeling Revenues 276
Capital Contingency Plan 246 Modeling the Balance Sheet 277

14.6 BHC Scenario Design 247 15.5 Stress Testing Disclosure 277
Scenario Design and Severity 247 Conclusion 280
Variable C overage 248
Acknowledgments 280
C lear N arratives 248
References 280
14.7 Estimation Methodologies
for Losses, Revenues, and
Expenses 248
General Expectations 248 Chapter 16 Guidance
Loss-Estim ation M ethodologies 251 on Managing
PPN R Projection M ethodologies 259 Outsourcing
14.8 Assessing Capital Risk 283
Adequacy Impact 263
Balance Sheet and RW As 263
A llow ance for Loan and Lease 16.1 Purpose 284
Losses (A LLL) 264
16.2 Risks from the Use
A ggregation of Projections 264
of Service Providers 284
14.9 Concluding Observations 265
16.3 Board of Directors
and Senior Management
Responsibilities 284
Chapter 15 Stress Testing 16.4 Service Provider Risk
Banks 267 Management Programs 284
A . Risk A ssessm ents 285
B. Due Diligence and Selection
Abstract 268 of Service Providers 285
C. Contract Provisions and
15.1 Introduction 268
Considerations 286
15.2 Stress Testing in the D. Incentive Com pensation Review 288
Literature 272 E. O versight and Monitoring
of Service Providers 288
15.3 Stress Testing Design 273
F. Business Continuity
15.4 Executing the Stress and Contingency Considerations 289
Scenario: Losses and Revenues 274 G . Additional Risk Considerations 289

Contents ■ ix
 18.2 Post-Crisis Regulatory
Chapter 17 Management of Changes 299
Risks Associated Uncleared Trades 299
with Money Determ ination of Initial Margin: SIMM 300
Laundering and 18.3 Impact of the Changes 301
Financing of Liquidity 301
Terrorism 291 Rehypothecation 302
The Convergence of O T C and
Exchange-Traded M arkets 302
17.1 Background 292 18.4 CCPS and Bankruptcy 302
17.2 Application of Standard Summary 303
Practices 292
Further Reading 303
17.3 Risk Assessment 293
17.4 Customer Due Diligence
and Acceptance 293
Chapter 19 Capital
17.5 Transaction and Other Regulation
Monitoring and Reporting 293
Before the
17.6 Correspondent Banking 293 Global
17.7 Wire Transfers 294 Financial
17.8 International Scope 294 Crisis 305
References 294
19.1 The Basel Accord:
Basel I Variant 306
Chapter 18 Regulation The Risk-Based Capital Ratio 307
of the OTC 19.2 The Basel Accord:
Derivatives Basel II Variant 311
Market 295 Capital for C redit Risk 312
Retail Exposures Under IRB 314
Credit M itigants O ther Than Collateral 315
18.1 Clearing in OTC Markets 296 Capital for O perational Risk 315
Margin 296 Solvency II 316
Central Clearing 297
Summary 317
Bilateral Clearing 298
Netting 298
References 317
Events of Default 298

x ■ Contents
Chapter 20 Solvency, Liquidity, Chapter 21 High-Level
and Other Summary of
Regulation Basel III
After the Reforms 329
Global
Financial Crisis 319
Standardised Approach for
Credit Risk 330
20.1 The Financial Stability Internal Ratings-Based
Board 320 Approaches for Credit Risk 333
Removing the Use of the Advanced IRB
20.2 Basel 2.5 320
Approach for Certain A sset Classes 333
Stressed VaR 320
Specification of Input Floors 334
Increm ental Risk Charge 320
Additional Enhancem ents 334
Correlations and the Com prehensive
Risk M easure 321 CVA Risk Framework 334
20.3 Basel 3 321 Operational Risk Framework 335
The Definition of Capital 322 Leverage Ratio Framework 335
Leverage Ratio Capital Requirem ents 323
Buffer for Global System ically
System ically Im portant Financial Im portant Banks 335
Institutions 323
Refinem ents to the Leverage Ratio
Buffers 323 Exposure M easure 336
Liquidity Requirem ents 325
Output Floor 336
D erivatives Counterparty
C redit Risk 326 Transitional Arrangements 337
20.4 Resolution Planning and
Preparation 326
Chapter 22 Basel III: Finalising
CoCos 326
Living W ills 327
Post-Crisis
Reforms 339
20.5 Stress Testing and Other
Local Applications of Basel 327
20.6 Other Reforms 328 22.1 Introduction 340
References 328 22.2 The Standardised Approach 340

Contents ■ xi
 The Business Indicator 340
The Business Indicator Com ponent 340 Chapter 23 The Cyber-Resilient
The Internal Loss M ultiplier 340 Organization 347
The Standardised Approach
O perational Risk Capital
Requirem ent 341 23.1 Changing Approaches
22.3 Application of the to Risk Management 348
Standardised Approach within Identify, Protect, D etect, Respond,
Recover 348
a Group 341
Threat Analysis 348
22.4 Minimum Standards for
the Use of Loss Data Under 23.2 Incident Response
the Standardised Approach 341 and Crisis Management 348
Real-Time Crisis M anagem ent:
22.5 General Criteria on Loss How Fighter Pilots Do It 348
Data Identification, Collection Rapid Adaptation to Changing
and Treatment 342 Conditions 349
22.6 Specific Criteria on Loss C yber Risk Aw areness in Staff 349
Data Identification, Collection Business Continuity Planning
and Treatment 342 and Staff Engagem ent 349

Building of the Standardised Approach Gam ing and Exercises 350

Loss Data Set 342 Nudging Behavior 350
G ross Loss, Net Loss, and Recovery 23.3 Resilience Engineering 350
Definitions 342
Safety M anagem ent 350
22.7 Exclusion of Losses from Hotel Keycard Failure Exam ple 351
the Loss Component 343
23.4 Attributes of a
22.8 Exclusions of Divested Cyber-Resilient Organization 351
Activities from the Business A nticipate, W ithstand, Recover,
Indicator 344 and Evolve 351

22.9 Inclusion of Losses and N egative A ttrib u tes 352

Bl Items Related to Mergers Six Positive A ttrib u tes for Resilience 352
and Acquisitions 344 C yber Resilience O bjectives 352

22.10 Disclosure 344 23.5 Incident Response Planning 353

Forensic Investigation 353
22.11 Annex: Definition of
Initial Breach Diagnosis 354
Business Indicator Components 344

xii ■ Contents
 23.6 Resilient Security Solutions 354 Cyber-Security Strategy Is Expected
Resilient Softw are 354 But Not Required 366

D etection, Containm ent, and M anagem ent Roles and

Control 354 Responsibilities 367

Minimize Intrusion Dwell Tim e 355 Cyber-Risk A w areness Culture 367

Anom aly Detection Algorithm s 355 Architecture and Standards 368

Penetration Testing 356 Cyber-Security W orkforce 368

The Risk-Return Trade-O ff 356 24.4 Approaches to Risk

23.7 Financial Resilience 357 Management, Testing and
Incident Response and Recovery 369
Financial Consequences of a
C yb er A ttack 357 M ethods for Supervising Cyber-Resilience 370

Financial Risk A ssessm ent 357 Information Security Controls Testing and
Independent Assurance 370
Reverse Stress Testing 357
Response and Recovery Testing and
D efense in Depth 358
Exercising 371
Enterprise Risk M anagem ent 358
Cyber-Security and Resilience M etrics 372
C yb er Value at Risk 358
Re-Simulations of Historical Events 359 24.5 Communication and Sharing
Counterfactual Analysis 359
of Information 373
O verview of Information-Sharing
Building Back Better 359
Fram ew orks A cross Jurisdictions 373
Events Drive Change 360
Sharing Am ong Banks 375
Education for C yb er Resilience 360
Sharing from Banks to Regulators 375
Improving the C yb er Profession 361
Sharing Am ong Regulators 376
Sharing from Regulators to Banks 377
Sharing with Security A gencies 377
Chapter 24 Cyber-Resilience: 24.6 Interconnections with
Range of Third Parties 379
Practices 363 G overnance of Third-Party Connections 379
Business Continuity and Availability 381
Information Confidentiality and Integrity 382
24.1 Introduction 364 Specific Expectations and Practices with
24.2 Cyber-Resilience Standards Regard to the Visibility of Third-Party
Connections 383
and Guidelines 365
Auditing and Testing 383
24.3 Cyber-Governance 365 Resources and Skills 384

•••
Contents ■ XIII
 A2.2 Important Business Services 394
Chapter 25 Operational
A2.3 Impact Tolerances 395
Resilience: Impact
Setting an Impact Tolerance 395
Tolerance for Impact Tolerance M etrics 396
Important Business
A2.4 Actions to Remain Within
Service 385 Impact Tolerance 397
Policy Im plem entation 398

25.1 Introduction 386 A2.5 Mapping 399

25.2 Important Business Services 387 A2.6 Scenario Testing 399
O verview 387 A2.7 Governance 401
Internal Services 387 Board Responsibilities 401
Definitions 387 M anagem ent Responsibilities 401
25.3 Impact Tolerances 388 A2.8 Self-Assessment 401
O verview 388
A2.9 Groups 402
Impact Tolerances for PRA -FC A
Dual-Regulated Firms 388 Appendix 3 403
Disruption to M ultiple Business Services 389
A3.1 Introduction 403
Measuring Impact Tolerances 389
Definition of Impact Tolerances Betw een
A3.2 The Relationship Between
Supervisory A uthorities 389 Operational Resilience and
Governance 404
25.4 Implementation Timeline 390
Interaction with O ther Board
25.5 Delivering Operational Responsibilities 404
Resilience 391 Interaction with O ther M anagem ent
O verview 391 Responsibilities 404
Mapping 391 A3.3 The Relationship Between
Scenario Testing for PRA -FC A Operational Resilience and
Dual-Regulated Firms 391 Operational Risk Policy 405
Severe/Extrem e But Plausible Definition 391 Risk A p p etite and Impact Tolerances 405
Review of Testing 392 Financial Resilience 405
Self-Assessment Templates and Guidance Incident M anagem ent 406
for PRA-FCA Dual-Regulated Firms 392
O utsourcing and the Use of Third Parties 392
A3.4 The Relationship Between
Operational Resilience and Business
25.6 International Alignment 393 Continuity Planning (BCP) 406
25.7 Conclusion 393 A3.5 The Relationship Between
Appendix 2 393 Operational Resilience and
Outsourcing 406
A2.1 Introduction 393

xiv ■ Contents
Chapter 26 Principles for Chapter 27 Striving for
Operational Operational
Resilience 407 Resilience 413

26.1 Introduction 408 Executive Summary 414

26.2 An Evolving Operational Risk 27.1 Why Now?: Need for
Landscape 408 Operational Resilience 414
26.3 Essential Elements of 27.2 Bend, But Don't Break:
Operational Resilience 408 Operational Resilience Approach 414
26.4 Definition of Operational 27.3 Has the Organization Got It?:
Resilience 409 Important Questions to Ask
26.5 Operational Resilience About Operational Resilience 417
Principles 410 27.4 Improving Resilience:
G overnance 410 Getting Started 417
O perational Risk M anagem ent 410 Bibliography 421
Business Continuity Planning and Testing 411
In
1 n d y
IIUuA J
Mapping Interconnections and
Interdependencies 411
Third-Party D ependency M anagem ent 411
Incident M anagem ent 412
let Including C yb er Security 412

Contents ■ xv
On behalf of our Board of Trustees, GARP's staff, and particu­
larly its certification and educational programs teams, I would
like to thank you for your interest in and support of our Financial
Risk Manager (FRM®) program.
The past couple of years have been difficult due to COVID-19.
And in that regard, our sincere sympathies go out to anyone
who was ill or suffered a loss due to the pandemic.
The FRM program also experienced many virus-related chal­
lenges. Because we always place candidate safety first, we
cancelled the May 2020 FRM exam offering and deferred all can­
didates to October, while reserving an optional date in January
2021 for candidates not able to sit for the examination in October.
A change like this has never happened before. Ultimately, we
were able to offer the FRM exam to all 2020 registered candidates
who wanted to sit for it during the year and were not constrained
by COVID-related restrictions, which was most of our registrants.
Since its inception in 1997, the FRM program has been the
global industry benchmark for risk-management professionals
wanting to demonstrate objectively their knowledge of financial
risk-management concepts and approaches. Having FRM hold­
ers on staff also tells companies' that their risk-management
professionals have achieved a demonstrated and globally
adopted level of expertise.
In a world where risks are becoming more complex daily due to
any number of technological, capital, governmental, geopoliti­
cal, or other factors, companies know that FRM holders possess
the skills to understand and adapt to a dynamic and rapidly
changing financial environment.
xvi ■ Preface
The FRM program addresses the financial risks faced by both
non-financial firms and those in the highly interconnected and
sophisticated financial services industry, because its coverage is
not static, but vibrant and forward looking.
The FRM curriculum is regularly reviewed by an oversight com­
mittee of highly qualified and experienced risk-management
professionals from around the globe. These professionals con­
sist of senior bank and consulting practitioners, government
regulators, asset managers, insurance risk professionals, and
academics. Their mission is to ensure the FRM program remains
current and its content addresses not only standard credit and
market risk issues, but also emerging issues and trends, ensur­
ing FRM candidates are aware of what is or is expected to be
important in the near future. We're committed to offering a pro­
gram that reflects the dynamic and sophisticated nature of the
risk-management profession and those who are making it
a career.
We wish you the very best as you study for the FRM exams, and
in your career as a risk-management professional.
Yours truly,
Richard Apostolik
President & C EO
FRM

Chairperson
Michelle McCarthy Beck
Former GARP Board Member

Members
Richard Apostolik Dr. Attilio Meucci, CFA
President and C E O , Global Association of Risk Professionals Founder, ARPM

Richard Brandt Dr. Victor Ng

MD Operational Risk Management, Citigroup MD Head of Risk Architecture, Goldman Sachs

Julian Chen, FRM, SVP Dr. Matthew Pritsker

FRM Program Manager, Global Association of Risk Professionals
Dr. Christopher Donohue, MD
GARP Benchmarking Initiative, Global Association of Risk
Professionals
Senior Financial Economist and Policy Advisor / Supervision,
Regulation, and Credit, Federal Reserve Bank of Boston
Dr. Samantha Roberts, FRM
SVP Balance Sheet Analytics & Modeling, PNC Bank

Donald Edgar, FRM Dr. Til Schuermann

MD Risk & Quantitative Analysis, BlackRock Partner, Oliver Wyman

Herve Geny Nick Strange

Former Group Head of Internal Audit, London Stock Exchange Senior Technical Advisor, Operational Risk & Resilience,
Group and former CRO , ICAP Supervisory Risk Specialists, Prudential Regulation Authority,
Bank of England
Keith Isaac, FRM
VP Capital Markets Risk Management, TD Bank Group Dr. Sverrir Porvaldsson, FRM
Senior Quant, SEB
William May, SVP
Global Head of Certifications and Educational Programs, Global
Association of Risk Professionals

FRM® Committee ■ x v ii
Revisions to the
Principles for the
Sound Management
of Operational Risk
Learning Objectives
After completing this reading you should be able to:

Describe the three lines of defense in the Basel model Describe tools and processes that can be used to identify
for operational risk governance. and assess operational risk.

Summarize the fundamental principles of operational risk
management as suggested by the Basel Committee.
Explain guidelines for strong governance of operational
risk and evaluate the role of the board of directors, senior
management, and supervisors in implementing an
effective operational risk framework.
Describe features of an effective control environment and
identify specific controls that should be in place to address
operational risk.
Explain the Basel Committee's suggestions for managing
technology risk and outsourcing risk.

Excerp t is reprinted with perm ission o f the Bank for International Settlem ents. The full publication is available on the BIS w ebsite free
o f charge: w w w .bis.org.

1
1.1 INTRODUCTION
The Basel Committee on Banking Supervision ("the Committee")
introduced its Principles for the Sound Management of O pera­
tional Risk ("the Principles") in 2003, and subsequently revised
them in 2011 to incorporate the lessons from the Great Financial
Crisis of 2007-09. In 2014, the Committee conducted a review
of the implementation of the Principles.1 The purpose of this
review was to (i) assess the extent to which banks had imple­
mented the Principles; (ii) identify significant gaps in implemen­
tation; and (iii) highlight emerging and noteworthy operational
risk management practices at banks not currently addressed by
the Principles.
The 2014 review identified that several principles had not
been adequately implemented, and further guidance would
be needed to facilitate their implementation in the following
areas:
a. Risk identification and assessment tools, including risk
and control self-assessments (RCSAs), key risk indicators,
external loss data, business process mapping, comparative
analysis, and the monitoring of action plans generated from
various operational risk management tools.
b. Change management programmes and processes (and their
effective monitoring).
c. Implementation of the three lines of defence, especially by
refining the assignment of roles and responsibilities.
d. Board of directors and senior management oversight.
e. Articulation of operational risk appetite and tolerance
statements.
f. Risk disclosures.
The Committee also recognised that the 2011 Principles did not
sufficiently capture certain important sources of operational risk,
such as those arising from information and communication tech­
nology (ICT) risk,1
2 thus warranting the introduction of a specific
principle on ICT risk management. Other revisions were made to
ensure consistency with the new operational risk framework in
the Basel III reforms.3
1 BCBS, Review of the Principles for Sound Management of Operational
Risk, October 2014, www.bis.org/publ/bcbs292.pdf.
2 Conduct and legal risks (including risks associated with money laun­
dering or terrorist financing) remain important concerns. In this context,
financial institutions should continue to improve their ability to manage
operational risk.
3 BCBS, Basel III: finalising post-crisis reforms, December 2017, www.bis.
org/bcbs/publ/d424.pdf.
2 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Recognising the increased potential for significant disruptions to
bank operations from pandemics, natural disasters, destructive
cyber security incidents or technology failures, the Committee
has also developed principles for operational resilience,4 which
reflect several of the principles contained in this document.
1.2 COMPONENTS OF OPERATIONAL
RISK MANAGEMENT
The Principles in this document for banks cover governance; the
risk management environment; information and communication
technology; business continuity planning; and the role of disclo­
sure. These elements should not be viewed in isolation; rather,
they are integrated components of the operational risk man­
agement framework (ORMF) and the overall risk management
framework (including operational resilience) of the group.
Through the publication of this document, the Committee
desires to promote the effectiveness of operational risk manage­
ment throughout the banking system. The Committee believes
that the Principles reflect sound practices relevant to all banks.
Nonetheless, the Committee recommends that banks should
take account of the nature, size, complexity and risk profile of
their activities when implementing the Principles.
1.3 OPERATIONAL RISK
MANAGEMENT
1. Operational risk is defined in the capital framework as the risk
of loss resulting from inadequate or failed internal processes,
people and systems or from external events. This definition
includes legal risk, but excludes strategic and reputational risk.
2. Operational risk is inherent in all banking products, activities,
processes and systems, and the effective management of opera­
tional risk is a fundamental element of a bank's risk management
programme. Sound operational risk management is a reflection of
the effectiveness of the board of directors and senior management
4 "Operational resilience" is defined as the ability of a bank to deliver
critical operations through disruption. This ability enables a bank to
identify and protect itself from threats and potential failures, respond
and adapt to, as well as recover and learn from disruptive events in
order to minimise their impact on the delivery of critical operations
through disruption. In considering its operational resilience, a bank
should assume that disruptions will occur, and take into account its
overall risk appetite and tolerance for disruption. In the context of
operational resilience, the Committee defines "tolerance for disruption"
as the level of disruption from any type of operational risk a bank is
willing to accept given a range of severe but plausible scenarios. For
more details, refer to BCBS, Principles for operational resilience,
March 2021, www.bis.org/bcbs/publ/d516.htm.
in administering their portfolio of products, activities, processes and the risk profile of a bank's activities, the degree of
and systems. Where appropriate, strategic and reputational risks formality of how these three lines of defence are implemented
should be considered by banks' operational risk management. will vary.

3. Although operational risk management and operational resil­
ience address different goals, they are closely interconnected.
An effective operational risk management system and a robust
level of operational resilience work together to reduce the fre­
7. Banks should ensure that each line of defence:
a. is adequately resourced in terms of budget, tools and staff;
b. has clearly defined roles and responsibilities;

quency and the impact of operational risk events. c. is continuously and adequately trained;

4. Sound risk management allows the bank to better under­
stand and mitigate its risk profile. Risk management encom­
passes identifying risks to the bank; measuring and assessing
exposures to those risks (where possible); monitoring exposures
and corresponding capital needs on an ongoing basis; taking
steps to control or mitigate exposures; and reporting to senior
management and the board of directors on the bank's risk
exposures and capital positions. Internal controls are typically
embedded in a bank's day-to-day business and are designed
to ensure, to the extent possible, that the bank's activities are
efficient and effective; that information is reliable, timely and
com plete; and that the bank is compliant with applicable laws
and regulations.
5. Sound internal governance forms the foundation of an effec­
tive ORMF. Governance of operational risk management has
similarities but also differences relative to the management of
credit or market risk. Banks' operational risk governance func­
tion should be fully integrated into their overall risk manage­
ment governance structure.
6. Banks commonly rely on three lines of defence: (i) business
unit m anagem ent;5 (ii) an independent corporate operational
risk management function (C O R F);6 and (iii) independent assur­
ance.7 Depending on the bank's nature, size and com plexity,
d. promotes a sound risk management culture across the
organisation; and
e. communicates with the other lines of defence to reinforce
the ORMF.
If in one business unit there are functions of both the first and
second line of defence, then banks should document and dis­
tinguish the responsibilities of such functions in the first and
second line of defence, emphasising the independence of the
second line of defence.
8. The Committee has highlighted that, despite the three lines
of defence model being widely adopted by banks, confu­
sion around roles and responsibilities sometimes hampers its
effectiveness.8 Thus, the review of the Principles is also the
opportunity to stress that this model should be adequately and
proportionally used by financial institutions to manage every
kind of operational risk subcategory, including ICT risk.
9. In industry practice, the first line of defence is business unit
management. Sound operational risk governance recognises
that business unit management is responsible for identifying and
managing the risks inherent in the products, activities, processes
and systems for which it is accountable. Banks should have a
policy that defines clear roles and responsibilities in relevant
business units.9 The responsibilities of an effective first line of
defence in promoting a sound operational risk management cul­
ture should include:

a. identifying and assessing the materiality of operational risks

5 The term "business unit" is meant broadly to include all associated
inherent in their respective business units through the use
support, corporate and/or shared service functions, eg Finance, Human
Resources, and Operations and Technology. Risk Management and of operational risk management tools;
Internal Audit are not included unless otherwise specifically indicated.
b. establishing appropriate controls to mitigate inherent oper­
6 In addition to an independent Operational Risk Management function,
ational risks, and assessing the design and effectiveness of
the second line of defense also typically includes a Compliance function.
these controls through the use of the operational risk man­
7 Independent assurance includes verification and validation: verification
agement tools;
of the ORMF is done on a periodic basis and is typically conducted by
the bank's internal and/or external audit, but may involve other suitably
qualified independent third parties from external sources. Verification
activities test the effectiveness of the overall ORMF, consistent with
policies approved by the board of directors, and also test validation
processes to ensure they are independent and implemented in a man­
8 See BCBS, Cyber resilience: range of practices, December 2018,
ner consistent with established bank policies. Validation ensures that the
https://www.bis.org/bcbs/publ/d454.pdf,
quantification systems used by the bank are sufficiently robust and pro­
vide assurance of the integrity of inputs, assumptions, methodologies, 9 In complex banking structures, " relevant business units" are likely to
processes and outputs. Validation is critical for a well functioning ORMF. include support functions such as information systems departments.

Chapter 1 Revisions to the Principles for the Sound Management of Operational Risk ■ 3
 c. reporting whether the business units lack adequate
resources, tools and training to ensure identification and
assessment of operational risks;
d. monitorinq and reportinq the business units' operational
risk profiles,10*and ensuring their adherence to the
established operational risk appetite and tolerance
statement; and
e. reporting residual operational risks not mitigated by con­
trols, including operational loss events, control deficiencies,
process inadequacies, and non-compliance with operational
risk tolerances.
10. A functionally independent C O RF is typically the second line
of defence. The responsibilities of an effective second line of
defence should include:
a. developing an independent view regarding business units'
(i) identified material operational risks, (ii) design and effec­
tiveness of key controls, and (iii) risk tolerance;
b. challenging the relevance and consistency of the business
unit's implementation of the operational risk management
tools, measurement activities and reporting systems, and
providing evidence of this effective challenge;
c. developing and maintaining operational risk management
and measurement policies, standards and guidelines;
d. reviewing and contributing to the monitoring and reporting
of the operational risk profile; and
e. designing and providing operational risk training and instill­
ing risk awareness.
11. The degree of independence of the C O RF may differ among
banks. A t small banks, independence may be achieved through
separation of duties and independent review of processes and
functions. In larger banks, the C O R F should have a reporting
structure independent of the risk-generating business units
and be responsible for the design, maintenance and ongoing
development of the O RM F within the bank. The C O R F typi­
cally engages relevant corporate control groups (eg Com pli­
ance, Legal, Finance and IT) to support its assessment of the
operational risks and controls. Banks should have a policy which
defines clear roles and responsibilities of the CORF, reflective of
the size and complexity of the organisation.
10 Operational risk profiles describe the operational risk exposures and
control environment assessments of business units and consider the
range of potential impacts that could arise from estimates of expected
to severe losses. Profiles generally provide management and the board
of directors with a representation of operational risk exposures at a level
which supports their decision-making and oversight responsibilities.
4 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
12. The third line of defence provides independent assurance
to the board of the appropriateness of the bank's ORMF. This
function's staff should not be involved in the developm ent,
implementation and operation of operational risk m anage­
ment processes by the other two lines of defence. The third
line of defence reviews generally are conducted by the bank's
internal and/or external audit, but may also involve other
suitably qualified independent third parties. The scope and
frequency of reviews should be sufficient to cover all activities
and legal entities of a bank. An effective independent review
should:
a. review the design and implementation of the operational
risk management systems and associated governance pro­
cesses through the first and second lines of defence (includ­
ing the independence of the second line of defence);
b. review validation processes to ensure they are independent
and implemented in a manner consistent with established
bank policies;
c. ensure that the quantification systems used by the bank are
sufficiently robust as (i) they provide assurance of the integ­
rity of inputs, assumptions, processes and methodology
and (ii) result in assessments of operational risk that credibly
reflect the operational risk profile of the bank;
d. ensure that business units' management promptly, accu­
rately and adequately responds to the issues raised, and
regularly reports to the board of directors or its relevant
committees on pending and closed issues; and
e. opine on the overall appropriateness and adequacy of
the O RM F and the associated governance processes
across the bank. Beyond checking compliance with poli­
cies and procedures approved by the board of directors,
the independent review should also assess whether the
O RM F meets organisational needs and expectations (such
as respect of the corporate risk appetite and tolerance,
and adjustment of the fram ework to changing operating
circumstances) and complies with statutory and legislative
provisions, contractual arrangements, internal rules and
ethical conduct.
13. Because operational risk management is evolving and the
business environment is constantly changing, senior manage­
ment should ensure that the ORMF's policies, processes and
systems remain sufficiently robust to manage and ensure that
operational losses are adequately addressed in a timely manner.
Improvements in operational risk management depend heavily
on senior management's willingness to be proactive and also act
promptly and appropriately to address operational risk managers'
concerns.
1.4 PRINCIPLES FOR THE SOUND
MANAGEMENT OF OPERATIONAL RISK
Principle 1: The board of directors should take the lead in
establishing a strong risk management culture, implemented
by senior management.11 The board of directors and senior
management should establish a corporate culture guided by
strong risk management, set standards and incentives for
professional and responsible behaviour, and ensure that staff
receives appropriate risk management and ethics training.
14. Banks with a strong culture of risk management and ethical
business practices are less likely to experience damaging opera­
tional risk events and are better placed to effectively deal with
those events that occur. The actions of the board of directors
and senior management as well as the bank's risk management
policies, processes and systems provide the foundation for a
sound risk management culture.
15. The board of directors should establish a code of conduct
or an ethics policy to address conduct risk. This code or policy
should be applicable to both staff and board members, set
clear expectations for integrity and ethical values of the highest
standard, identify acceptable business practices, and prohibit
conflicts of interest or the inappropriate provision of financial
services (whether wilful or negligent). The code or policy should
be regularly reviewed and approved by the board of direc­
tors and attested by employees; its implementation should be
overseen by a senior ethics committee, or another board-level
committee, and should be publicly available (eg on the bank's
website). A separate code of conduct may be established
for specific positions in the bank (eg treasury dealers, senior
management).
16. Management should set clear expectations and accountabili­
ties to ensure bank staff understands their roles and responsibili­
ties for risk management, as well as their authority to act.
11 This paper refers to a management structure composed of a board of
directors and senior management. The Committee is aware that there
are significant differences in legislative and regulatory frameworks across
countries regarding the functions of the board of directors and senior
management. In some countries, the board has the main, if not exclu­
sive, function of supervising the executive body (senior management,
general management) so as to ensure that the latter fulfils its tasks.
For this reason, in some cases, it is known as a supervisory board. This
means that the board has no executive functions. In other countries, the
board has a broader competence in that it lays down the general frame­
work for the management of the bank. Owing to these differences, the
terms "board of directors" and "senior management" are used in this
paper not to identify legal constructs but rather to label two decision­
making functions within a bank.
Chapter 1 Revisions to the Principles for the Sound Management of Operational Risk
17. Compensation policies should be aligned to the bank's
statement of risk appetite and tolerance as well as overall safety
and soundness, and appropriately balance risk and reward.12*
18. Senior management should ensure that an appropriate level
of operational risk training is available at all levels throughout
the organisation, such as heads of business units, heads of
internal controls and senior managers. Training provided should
reflect the seniority, role and responsibilities of the individuals
for whom it is intended.
19. Strong and consistent board of directors and senior man­
agement support for operational risk management and ethical
behaviour convincingly reinforces codes of conduct and ethics,
compensation strategies, and training programmes.
Principle 2: Banks should develop, implement and maintain
an operational risk management framework that is fully inte­
grated into the bank's overall risk management processes.
The ORM F adopted by an individual bank will depend on a
range of factors, including the bank's nature, size, complex­
ity and risk profile.
20. The board of directors and bank management should
understand the nature and complexity of the risks inherent in
the portfolio of bank products, services, activities, and systems,
which is a fundamental premise of sound risk management. This
is particularly important for operational risk, given operational
risk is inherent in all business products, activities, processes and
systems.
21. The components of the O RM F should be fully integrated
into the overall risk management processes of the bank by the
first line of defence, adequately reviewed and challenged by
the second line of defence, and independently reviewed by the
third line of defence. The ORM F should be embedded across all
levels of the organisation including group and business units as
well as new business initiatives' products, activities, processes
and systems. In addition, results of the bank's operational risk
assessment should be incorporated into the bank's overall busi­
ness strategy development process.
22. The ORM F should be comprehensively and appropriately doc­
umented in board of directors approved policies and include defi­
nitions of operational risk and operational loss. Banks that do not
adequately describe and classify operational risk and loss expo­
sure may significantly reduce the effectiveness of their ORMF.
12 See also BCBS, Report on the range o f methodologies for the risk and
performance alignment o f remuneration, May 2011; Financial Stability
Forum, Principles for sound compensation practices, April 2009; Finan­
cial Stability Board, FSB principles for sound compensation practices -
implementation standards, September 2009; and the Financial Stability
Board's toolkit Strengthening Governance Frameworks to Mitigate
Misconduct Risk, April 2018.
■ 5
23. O RM F documentation should clearly:
a. identify the governance structures used to manage opera­
tional risk, including reporting lines and accountabilities,
and the mandates and membership of the operational risk
governance committees;
b. reference the relevant operational risk management policies
and procedures;
c. describe the tools for risk and control identification and
assessment and the role and responsibilities of the three
lines of defence in using them;
d. describe the bank's accepted operational risk appetite and
tolerance; the thresholds, material activity triggers or limits
for inherent and residual risk; and the approved risk mitiga­
tion strategies and instruments;
e. describe the bank's approach to ensure controls are
designed, implemented and operating effectively;
f. describe the bank's approach to establishing and moni­
toring thresholds or limits for inherent and residual risk
exposure;
g. inventory risks and controls implemented by all business
units (eg in a control library);
h. establish risk reporting and management information sys­
tems (MIS) producing timely, and accurate data;
i. provide for a common taxonomy of operational risk terms
to ensure consistency of risk identification, exposure rating
and risk management objectives across all business units.13
The taxonomy can distinguish operational risk exposures by
event types, causes, materiality and business units where
they occur; it can also flag those operational exposures that
partially or entirely represent legal, conduct, model and ICT
(including cyber) risks as well as exposures in the credit or
market risk boundary;
j. provide for appropriate independent review and challenge
of the outcomes of the risk management process; and
k. require the policies to be reviewed and revised as appropri­
ate based on continued assessment of the quality of the
control environment addressing internal and external envi­
ronmental changes or whenever a material change in the
operational risk profile of the bank occurs.
13 An inconsistent taxonomy of operational risk terms may increase the
likelihood of failure to identify and categorise risks, or failure to allocate
responsibility for the assessment, monitoring, control and mitigation of
risks. For the particular case of cyber risk, the Financial Stability Board's
Cyber Lexicon, published in November 2018, should be used as a
starting point.
6 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Governance14
Board o f Directors
Principle 3: The board of directors should approve and peri­
odically review the operational risk management framework,
and ensure that senior management implements the policies,
processes and systems of the operational risk management
framework effectively at all decision levels.
24. The board of directors should:
a. establish a risk management culture and ensure that the
bank has adequate processes for understanding the nature
and scope of the operational risk inherent in the bank's cur­
rent and planned strategies and activities;
b. ensure that the operational risk management processes are
subject to comprehensive and dynamic oversight and are
fully integrated into, or coordinated with, the overall fram e­
work for managing all risks across the enterprise;
c. provide senior management with clear guidance regarding
the principles underlying the ORMF, and approve the cor­
responding policies developed by senior management to
align with these principles;
d. regularly review and evaluate the effectiveness of, and
approve the O RM F to ensure the bank has identified and is
managing the operational risk arising from external market
changes and other environmental factors, as well as those
operational risks associated with new products, activities,
processes or systems, including changes in risk profiles and
priorities (eg changing business volumes);
e. ensure that the bank's ORM F is subject to effective inde­
pendent review by a third line of defence (audit or other
appropriately trained independent third parties from exter­
nal sources); and
f. ensure that, as best practice evolves, management is avail­
ing themselves of these advances.15
25. Strong internal controls are a critical aspect of operational
risk management. The board of directors should establish
clear lines of management responsibility and accountability for
implementing a strong control environment. Controls should be
regularly reviewed, monitored, and tested to ensure ongoing
effectiveness. The control environment should provide appropri­
ate independence/separation of duties between operational risk
management functions, business units and support functions.
14 See also BCBS, Principles for enhancing corporate governance,
October 2010.
15 See the Committee's 2006 International Convergence of Capital Mea­
surement and Capital Standards: A Revised Framework - Comprehensive
Version; paragraph 718(xci).
Principle 4: The board of directors should approve and
periodically review a risk appetite and tolerance statem ent16
for operational risk that articulates the nature, types and
levels of operational risk the bank is willing to assume.
26. The risk appetite and tolerance statement for operational
risk should be developed under the authority of the board of
directors and linked to the bank's short- and long-term stra­
tegic and financial plans. Taking into account the interests of
the bank's customers and shareholders as well as regulatory
requirements, an effective risk appetite and tolerance statement
should:
a. be easy to communicate and therefore easy for all stake­
holders to understand;
b. include key background information and assumptions
that informed the bank's business plans at the time it was
approved;
c. include statements that clearly articulate the motivations
for taking on or avoiding certain types of risk, and establish
boundaries or indicators (which may be quantitative or not)
to enable monitoring of these risks;
d. ensure that the strategy and risk limits of business units
and legal entities, as relevant, align with the bank-wide risk
appetite statement; and
e. be forward-looking and, where applicable, subject to sce­
nario and stress testing to ensure that the bank understands
what events might push it outside its risk appetite and toler­
ance statement.
27. The board of directors should approve and regularly review
the appropriateness of limits and the overall operational risk
appetite and tolerance statement. This review should consider
current and expected changes in the external environment
(including the regulatory context across all jurisdictions where
the institution provides services); ongoing or forthcoming mate­
rial increases in business or activity volumes; the quality of the
control environment; the effectiveness of risk management or
mitigation strategies; loss experience; and the frequency, vol­
ume or nature of limit breaches. The board of directors should
monitor management adherence to the risk appetite and toler­
ance statement and provide for timely detection and remedia­
tion of breaches.
16 See the Committee's 2015 Corporate governance guidelines, which
use the FSB's 2013 Principles for an effective risk appetite framework
definition of risk appetite: the aggregate level and types of risk a bank
is willing to assume, decided in advance and within its risk capacity, to
achieve its strategic objectives and business plan. "Risk tolerance" is the
variation around the prescribed risk appetite that the bank is willing to
tolerate.
Chapter 1 Revisions to the Principles for the Sound Management of Operational Risk
Senior Management
Principle 5: Senior management should develop for approval
by the board of directors a clear, effective and robust
governance structure with well-defined, transparent and
consistent lines of responsibility. Senior management is
responsible for consistently implementing and maintaining
throughout the organisation policies, processes and systems
for managing operational risk in all of the bank's material
products, activities, processes and systems consistent with
the bank's risk appetite and tolerance statement.
28. Senior management is responsible for establishing and main­
taining robust challenge mechanisms and effective issue resolu­
tion processes. These should include systems to report, track
and, when necessary, escalate issues to ensure resolution. Banks
should be able to demonstrate that the three-lines-of-defence
approach is operating satisfactorily and to explain how the
board of directors, independent audit committee of the board,
and senior management ensure that this approach is imple­
mented and operating in an appropriate manner.
29. Senior management should translate the O RM F approved
by the board of directors into specific policies and procedures
that can be implemented and verified within the different busi­
ness units. Senior management should clearly assign authority,
responsibility and reporting relationships to encourage and
maintain accountability, and to ensure the necessary resources
are available to manage operational risk in line with the bank's
risk appetite and tolerance statement. Moreover, senior man­
agement should ensure that the management oversight process
is appropriate for the risks inherent in a business unit's activity.
30. Senior management should ensure that staff responsible for
managing operational risk coordinate and communicate effec­
tively with staff responsible for managing credit, market, and
other risks, as well as with those in the bank who are responsible
for the procurement of external services such as insurance risk
transfer and other third-party arrangements (including outsourc­
ing). Failure to do so could result in significant gaps or overlaps
in a bank's overall risk management programme.
31. The managers of the C O RF should be of sufficient stature
within the bank to perform their duties effectively, ideally evi­
denced by a title that is commensurate with other risk manage­
ment functions such as credit, market and liquidity risk.
32. Senior management should ensure that bank activities are
conducted by staff with the necessary experience, technical
capabilities and access to resources. Staff responsible for moni­
toring and enforcing compliance with the institution's risk policy
should have authority independent from the units they oversee.
33. A bank's governance structure should be commensurate
with the nature, size, complexity and risk profile of its activities.
■ 7
When designing the operational risk governance structure, a
bank should take the following into consideration:
a. Committee structure - Sound industry practice is for larger
and more complex organisations with a central group func­
tion and separate business units to utilise a board-created
enterprise-level risk committee for overseeing all risks,
to which a management level operational risk committee
reports. Depending on the nature, size and complexity of the
bank, the enterprise-level risk committee may receive input
from operational risk committees by country, business or func­
tional area. Smaller and less complex organisations may utilise
a flatter organisational structure that oversees operational risk
directly within the board's risk management committee.
b. Committee composition - Sound industry practice is for
operational risk committees (or the risk committee in
smaller banks) to include members with a variety of exper­
tise, which should cover expertise in business activities,
financial activities, legal, technological and regulatory mat­
ters, and independent risk m anagem ent.17
c. Committee operation - Committee meetings should be
held at appropriate frequencies with adequate time and
resources to permit productive discussion and decision-mak­
ing. Records of committee operations should be adequate
to permit review and evaluation of committee effectiveness.
Risk Management Environment
Identification and Assessment
Principle 6: Senior management should ensure the compre­
hensive identification and assessment of the operational risk
inherent in all material products, activities, processes and
systems to make sure the inherent risks and incentives are
well understood.
34. Risk identification and assessment are fundamental charac­
teristics of an effective operational risk management system,
and directly contribute to operational resilience capabilities.
Effective risk identification considers both internal factors and
external factors. Sound risk assessment allows the bank to bet­
ter understand its risk profile and allocate risk management
resources and strategies most effectively.
35. Examples of tools used for identifying and assessing opera­
tional risk are:18
17 See the Committee's 2015 Corporate governance principles for banks
for additional requirements on the Committee composition.
18 This list is not comprehensive and does not reflect the full diversity of
sophistication of possible analyses. It should be seen as indicative (and
not limitative).
8 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
a. Event management - When banks experience an opera­
tional risk event, the process of identification, analysis,
end-to-end management and reporting of the event follows
a predetermined set of protocols. A sound event manage­
ment approach typically includes analysis of events to iden­
tify new operational risks, understanding the underlying
causes and control weaknesses, and formulating an appro­
priate response to prevent recurrence of similar events. This
information is an input to the self-assessment and, in par­
ticular, to the assessment of control effectiveness.
b. Operational risk event data - Banks often maintain a com­
prehensive operational risk event dataset that collects all
material events experienced by the bank and serves as basis
for operational risk assessments. The event dataset typically
includes internal loss data, near misses, and, when feasible,
external operational loss event data (as external data is
informative of risks that common across the industry). Event
data is typically classified according to a taxonomy defined
in the O RM F policies and consistently applied across the
bank. Event data typically include the date of the event
(occurrence date, discovery date and accounting date) and,
in the case of loss events, financial impact. When other
root cause information for events is available, ideally it can
also be included in the operational risk dataset. When fea­
sible, banks are encouraged to also seek to gather external
operational risk event data and use this data in their internal
analysis, as it is often informative of risks that are common
across the industry.
c. Self-assessments - Banks often perform self-assessments
of their operational risks and controls on various different
levels. The assessments typically evaluate inherent risk (the
risk before controls are considered), the effectiveness of
the control environment, and residual risk (the risk exposure
after controls are considered) and contain both quantitative
and qualitative elements. The qualitative element reflects
consideration of both the likelihood and consequence of
the risk event in the bank's determination of its inherent
and residual risk ratings. The assessments may utilise busi­
ness process mapping to identify key steps in business
processes, activities, and organisational functions, as well
as the associated risks and areas of control weakness. The
assessments contain sufficiently detailed information on the
business environment, operational risks, underlying causes,
controls and evaluation of control effectiveness to enable an
independent reviewer to determine how the bank reached
its ratings. A risk register can be maintained to collate this
information to form a meaningful view of the overall effec­
tiveness of controls and facilitate oversight by senior man­
agement, risk committees, and the board of directors.
d. Control monitoring and assurance framework - Incorporat­
ing an appropriate control monitoring and assurance fram e­
work facilitates a structured approach to the evaluation,
review and ongoing monitoring and testing of key controls.
The analysis of controls ensures these are suitably designed
for the identified risks and operating effectively. The analy­
sis should also consider the sufficiency of control coverage,
including adequate prevention, detection and response
strategies. The control monitoring and testing should be
appropriate for the different operational risks and key con­
trols across business areas.
e. Metrics - Using operational risk event data and risk and
control assessments, banks often develop metrics to assess
and monitor their operational risk exposure. These metrics
may be simple indicators, such as event counts, or result
from more sophisticated exposure models when appropri­
ate. Metrics provide early warning information to moni­
tor ongoing performance of the business and the control
environment, and to report the operational risk profile.
Effective metrics clearly link to the associated operational
risks and controls. Monitoring metrics and related trends
through time against agreed thresholds or limits provides
valuable information for risk management and reporting
purposes.
f. Scenario analysis - Scenario analysis is a method to iden­
tify, analyse and measure a range of scenarios, including
low probability and high severity events, some of which
could result in severe operational risk losses. Scenario
analysis typically involves workshop meetings of subject
matter experts including senior management, business
management and senior operational risk staff and other
functional areas such as com pliance, human resources and
IT risk management, to develop and analyse the drivers
and range of consequences of potential events. Inputs
to the scenario analysis would typically include relevant
internal and external loss data, information from self-
assessm ents, the control monitoring and assurance fram e­
work, forward-looking metrics, root-cause analyses and
the process fram ework, where used. The scenario analysis
process could be used to develop a range of conse­
quences of potential events, including impact assessments
for risk management purposes, supplementing other tools
based on historical data or current risk assessm ents. It
could also be integrated with disaster recovery and busi­
ness continuity plans, for use within testing of operational
resilience. Given the subjectivity of the scenario process, a
robust governance fram ework and independent review are
important to ensure the integrity and consistency of the
process.
Chapter 1 Revisions to the Principles for the Sound Management of Operational Risk
g. Benchmarking and comparative analysis - Benchmarking and
comparative analysis are comparisons of the outcomes of
different risk measurement and management tools deployed
within the bank, as well as comparisons of metrics from the
bank to other firms in the industry. Such comparisons can be
performed to enhance understanding of the bank's opera­
tional risk profile. For example, comparing the frequency
and severity of internal losses with self-assessments can help
the bank determine whether its self-assessment processes
are functioning effectively. Scenario data can be compared
to internal and external loss data to gain a better under­
standing of the severity of the bank's exposure to potential
risk events.
36. Banks should ensure that the operational risk assessment
tools' outputs are:
a. based on accurate data, whose integrity is ensured by
strong governance and robust verification and validation
procedures;
b. adequately taken into account in the internal pricing and
performance measurement mechanisms as well as for busi­
ness opportunities assessments; and
c. subject to CORF-monitored action plans or remediation
plans when necessary.
37. These operational risk assessment tools can also directly
contribute to a bank's operational resilience approach, in par­
ticular event management, self assessment and scenario analysis
procedures, as they allow banks to identify and monitor threats
and vulnerabilities to their critical operations. Banks should use
the outputs of these tools to improve their operational resilience
controls and procedures, as identified in the Committee's
Principles for operational resilience.19*
Principle 7: Senior management should ensure that the
bank's change management process is comprehensive,
appropriately resourced and adequately articulated between
the relevant lines of defence.
38. In general, a bank's operational risk exposure evolves when
a bank initiates change, such as engaging in new activities or
developing new products or services; entering into unfamiliar
markets or jurisdictions; implementing new or modifying busi­
ness processes or technology systems; and/or engaging in
businesses that are geographically distant from the head office.
Change management should assess the evolution of associated
19 These controls and procedures should be consistent with and con­
ducted alongside the identification of threats and vulnerabilities as part
of a bank's operational resilience approach as articulated in Principle 2 in
the Committee's Principles for operational resilience, March 2021.
■ 9
risks across time, from inception to termination (eg throughout
the full life cycle of a product).20
39. A bank should have policies and procedures defining the
process for identifying, managing, challenging, approving and
monitoring change on the basis of agreed objective criteria.
Change implementation should be monitored by specific over­
sight controls. Change management policies and procedures
should be subject to independent and regular review and
update, and clearly allocate roles and responsibilities in accor­
dance with the three-lines-of-defence model, in particular:
a. The first line of defence should perform operational risk and
control assessments of new products, activities, processes
and systems, including the identification and evaluation of
the required change through the decision-making and plan­
ning phases to the implementation and post-implementa­
tion review.
b. The second line of defence (CORF) should challenge the
operational risk and control assessments of first line of
defence, as well as monitor the implementation of appropri­
ate controls or remediation actions. C O RF should cover all
phases of this process. In addition, C O RF should ensure that
all relevant control groups (eg finance, compliance, legal,
business, ICT, risk management) are involved as appropriate.
40. A bank should have policies and procedures for the review
and approval of new products, activities, processes and systems.
The review and approval process should consider:
a. Inherent risks - including legal, ICT and model risks - in
the launch of new products, services, activities, and opera­
tions in unfamiliar markets, and in the implementation
of new processes, people and systems (especially when
outsourced).
b. Changes to the bank's operational risk profile, appetite and
tolerance, including changes to the risk of existing products
or activities.
c. The necessary controls, risk management processes, and
risk mitigation strategies.
d. The residual risk.
e. Changes to relevant risk thresholds or limits.
f. The procedures and metrics to assess, monitor, and manage
the risk of new products, services, activities, markets, juris­
dictions, processes and systems.
20 The life cycle of a product or service encompasses various stages
from the development, ongoing changes, grandfathering and closure.
Indeed, the level of risk may escalate for example when new products,
activities, processes, or systems transition from an introductory level to
a level that represents material sources of revenue or business-critical
operations.
10 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
41. The review and approval process should include ensur­
ing that appropriate investment has been made for human
resources and technology infrastructure before changes are
introduced. Changes should be monitored, during and after
their implementation, to identify any material differences to the
expected operational risk profile and manage any unexpected
risks.
42. Banks should maintain a central record of their products and
services to the extent possible (including the outsourced ones)
to facilitate the monitoring of changes.
Monitoring and Reporting
Principle 8: Senior management should implement a process
to regularly monitor operational risk profiles and material
operational exposures. Appropriate reporting mechanisms
should be in place at the board of directors, senior manage­
ment, and business unit levels to support proactive manage­
ment of operational risk.
43. A bank should ensure that its reports are comprehensive,
accurate, consistent and actionable across business units and
products. To this end, the first line of defence should ensure
reporting on any residual operational risks, including operational
risk events, control deficiencies, process inadequacies, and non-
compliance with operational risk tolerances. Reports should be
manageable in scope and volume by providing an outlook on
the bank's operational risk profile and adherence to the opera­
tional risk appetite and tolerance statement; effective decision­
making is impeded by both excessive amounts and paucity of
data.
44. Reporting should be timely and a bank should be able to
produce reports in both normal and stressed market condi­
tions.21* The frequency of reporting should reflect the risks
involved and the pace and nature of changes in the operating
environment. The results of monitoring activities should be
included in regular management and board reports, as should
assessments of the ORM F performed by the internal/external
audit and/or risk management functions. Reports generated
by or for supervisory authorities should also be reported inter­
nally to senior management and the board of directors, where
appropriate.
45. Operational risk reports should describe the operational risk
profile of the bank by providing internal financial, operational,
21 Reporting should be consistent with the Committee's Principles for
effective risk data aggregation and risk reporting (https://www.bis.org/
publ/bcbs239.pdf).
and compliance indicators, as well as external market or environ­
mental information about events and conditions that are rele­
vant to decision making. Operational risk reports should include:
a. Breaches of the bank's risk appetite and tolerance
statement, as well as thresholds, limits or qualitative
requirements.
b. A discussion and assessment of key and emerging risks.
c. Details of recent significant internal operational risk events
and losses (including root cause analysis).
d. Relevant external events or regulatory changes and any
potential impact on the bank.
46. Data capture and risk reporting processes should be anal­
ysed periodically with the goal of enhancing risk management
performance as well as advancing risk management policies,
procedures and practices.
Control and Mitigation
Principle 9: Banks should have a strong control environment
that utilises policies, processes and systems; appropriate
internal controls; and appropriate risk mitigation and/or
transfer strategies.
47. Internal controls should be designed to provide reasonable
assurance that a bank will have efficient and effective opera­
tions; safeguard its assets; produce reliable financial reports;
and comply with applicable laws and regulations. A sound
internal control programme consists of four components that
are integral to the risk management process: risk assessment,
control activities, information and communication, and monitor­
ing activities.22
48. Control processes and procedures should include a system
for ensuring compliance with policies, regulations and laws.
Examples of principle elements of a policy compliance assess­
ment are:
a. Top-level reviews of progress towards stated objectives.
b. Verification of compliance with management controls.
c. Review of the treatment and resolution of instances of
non-compliance.
d. Evaluation of the required approvals and authorisa­
tions to ensure accountability to an appropriate level of
management.
22 The Committee's paper Framework for Internal Control Systems in
Banking Organisations, September 1998, discusses internal controls in
greater detail.
Chapter 1 Revisions to the Principles for the Sound Management of Operational Risk
e. Tracking of reports for approved exceptions to thresholds
or limits, management overrides and other deviations from
policy, regulations and laws.
49. Controls processes and procedures should address how the
bank ensures operational resilience is maintained in both normal
circumstances and in the event of disruption, reflecting respec­
tive functions' due diligence, consistent with the bank's opera­
tional resilience approach.
50. An effective control environment also requires appropriate
segregation of duties. Assignments that establish conflicting
duties for individuals or a team, without dual controls (eg a pro­
cess that uses two or more separate entities (usually persons)
operating in concert to protect sensitive functions or informa­
tion) or other countermeasures, may result in concealment of
losses, errors or other inappropriate actions. Therefore, areas
where conflicts of interest may arise should be identified, mini­
mised, and be subject to careful independent monitoring and
review.
51. In addition to segregation of duties and dual controls, banks
should ensure that other traditional internal controls are in
place, as appropriate, to address operational risk. Examples of
these controls are:
a. Clearly established authorities and/or processes for
approval.
b. Close monitoring of adherence to assigned risk thresholds
or limits.
c. Safeguards for access to, and use of, bank assets and
records.
d. Appropriateness of staffing level and training to maintain
technical expertise.
e. Ongoing processes to identify business units or products
where returns appear to be out of line with reasonable
expectations.23*
f. Regular verification and reconciliation of transactions and
accounts.
g. Vacation policy that provides for officers and employees
being absent from their duties for a period of not less than
two consecutive weeks.
52. Effective use and sound implementation of technology
can contribute to the control environment. For example, auto­
mated processes are less prone to error than manual processes.
However, automated processes introduce risks that must be
23 For example, where a supposedly low risk, low margin trading activity
generates high returns that could call into question whether such returns
have been achieved as a result of an internal control breach.
■ 11
addressed through sound technology governance and infra­
structure risk management programmes.
53. The use of technology related products, activities, processes
and delivery channels exposes a bank to operational risk and the
possibility of material financial loss. Consequently, a bank should
have an integrated approach to identifying, measuring, monitor­
ing and managing technology risks along the same precepts as
operational risk management.
54. While recourse to entities such as, but not limited to
third-party service providers can help manage costs, provide
expertise, expand product offerings, and improve services, it
also introduces risks that management should address. The
board of directors and senior management are responsible for
understanding the operational risks associated with outsourcing
arrangements and ensuring that effective risk management poli­
cies and practices are in place to manage the risk in outsourcing
activities. Amongst others, the concentration of risk and the
complexity of outsourcing should be taken into account. Third-
party risk policies (as a part of the ORM F's policies) and risk
management activities24 should encompass:
a. Procedures for determining whether and how activities can
be outsourced.
b. Processes for conducting due diligence in the selection of
potential service providers.
c. Sound structuring of the outsourcing arrangement, includ­
ing ownership and confidentiality of data, as well as term i­
nation rights.
d. Programmes for managing and monitoring the risks associ­
ated with the outsourcing arrangement, including the finan­
cial condition of the service provider.
e. Establishment of an effective control environment at the
bank and the service provider, that should include a register
of outsourced activities and metrics and reporting to facili-
ate oversight of the service provider.
f. Development of viable contingency plans.
g. Execution of comprehensive contracts and/or service
level agreements with a clear allocation of responsibilities
between the outsourcing provider and the bank.
h. Banks' supervisory and resolution authorities' access to third
parties.
24 These risk policies and risk management activities should be consis­
tent with and conducted alongside the critical operations management
and dependency management for operational resilience. Basel Commit­
tee on Banking Supervision, Principles for operational resilience, March
2021.
12 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
55. In those circumstances where internal controls do not
adequately address risk and exiting the risk is not a reasonable
option, management can complement controls by seeking to
transfer the risk to another party such as through insurance. The
board of directors should determine the maximum loss exposure
the bank is willing and has the financial capacity to assume, and
should perform an annual review of the bank's risk and insurance
management programme. While the specific insurance or risk
transfer needs of a bank should be determined on an individual
basis, many jurisdictions have regulatory requirements that must
be considered.
56. Because risk transfer is an imperfect substitute for sound
controls and risk management programmes, banks should view
risk transfer tools as complementary to, rather than a replace­
ment for, thorough internal operational risk control. Having
mechanisms in place to quickly identify, recognise and rectify
distinct operational risk errors - or specific legal risk exposure -
can greatly reduce exposures. Careful consideration also needs
to be given to the extent to which risk mitigation tools such as
insurance truly reduce risk, transfer the risk to another business
sector or area, or create a new risk (eg counterparty risk).
57. Banks should have unified classification, methodology, and
procedures of operational risk management established by the
CORF.
Information and Communication
Technology
Principle 10: Banks should implement a robust ICT25 risk
management programme in alignment with their operational
risk management framework.
58. Effective ICT performance and security are paramount for
a bank to conduct its business properly. The appropriate use
and implementation of sound ICT risk management contributes
to the effectiveness of the control environment and is funda­
mental to the achievement of a bank's strategic objectives. A
bank's ICT risk assessment should ensure that its ICT fully sup­
ports and facilitates its operations. ICT risk management should
reduce a bank's operational risk exposure to direct losses,
legal claims, reputational damage, ICT disruption and misuse
of technology in alignment with its risk appetite and tolerance
statement.
25 "Information and communication technology" refers to the underlying
physical and logical design of information technology and communica­
tion systems, the individual hardware and software components, data,
and the operating environments.
59. ICT risk management includes:
a. ICT risk identification and assessment.
b. ICT risk mitigation measures consistent with the assessed
risk level (eg cybersecurity, response and recovery pro­
grammes, ICT change management processes, ICT incident
management processes, including relevant information
transmission to users on a timely basis).
c. Monitoring of these mitigation measures (including regular
tests).
60. To ensure data and systems' confidentiality, integrity and
availability, the board of directors should regularly oversee the
effectiveness of the bank's ICT risk management and senior
management should routinely evaluate the design, implementa­
tion and effectiveness of the bank's ICT risk management. This
requires regular alignment of the business, risk management and
ICT strategies to be consistent with the bank's risk appetite and
tolerance statement as well as with privacy and other applicable
laws. Banks should continuously monitor its ICT and regularly
report to senior management on ICT risks, controls and events.
61. ICT risk management together with complementing pro­
cesses set by the banks should:
a. be reviewed on a regular basis for completeness against rel­
evant industry standards and best practices as well as against
evolving threats (eg cyber) and evolving or new technologies;
b. be regularly tested as part of a programme to identify
gaps against stated risk tolerance objectives and facilitate
improvement of the ICT risk identification, protection,
detection and event management; and
c. make use of actionable intelligence to continuously enhance
their situational awareness of vulnerabilities to ICT systems,
networks and applications and facilitate effective decision
making in risk or change management.
62. Banks should develop approaches to ICT readiness for
stressed scenarios from disruptive external events, such as the
need to facilitate the implementation of wide-scale remote-
access, rapid deployment of physical assets and/or significant
expansion of bandwidth to support remote user connections
and customer data protection. Banks should ensure that:
a. appropriate risk mitigation strategies are developed for
potential risks associated with a disruption or compromise
of ICT systems, networks and applications. Banks should
evaluate whether the risks, taken together with these strate­
gies, fall within the bank's risk appetite and risk tolerance;
b. well defined processes for the management of privileged
users and application development are in place; and
c. regular updates are made to ICT including cyber security in
order to maintain an appropriate security posture.
Chapter 1 Revisions to the Principles for the Sound Management of Operational Risk
Business Continuity Planning
Principle 11: Banks should have business continuity plans in
place to ensure their ability to operate on an ongoing basis
and limit losses in the event of a severe business disrup­
tion.26 Business continuity plans should be linked to the
bank's operational risk management framework.
63. Sound and effective governance of banks' business continu­
ity policy27*requires:
a. Regular review and approval by the board of directors.
b. The strong involvement of the senior management and
business units leaders in its implementation.
c. The commitment of the first and second lines of defence to
its design.
d. Regular review by the third line of defence.
64. Banks should prepare forward-looking business continu­
ity plans (BCP) with scenario analyses associated with relevant
impact assessments and recovery procedures:
a. A bank should ground its business continuity policy on
scenario analyses of potential disruptions that identify and
categorise critical business operations and key internal or
external dependencies. In doing so, banks should cover all
their business units as well as critical providers and major
third parties (eg central banks, clearing house).
b. Each scenario should be subject to a quantitative and quali­
tative impact assessment or business impact analysis (BIA)
with regards to its financial, operational, legal and reputa­
tional consequences.
c. Disruption scenarios should be subject to thresholds or
limits (such as maximum tolerable outage) for the activation
of a business continuity procedure. The procedure should
address resumption aspects, set recovery time objectives
(RTO) and recovery point objectives (RPO) as well as commu­
nication guidelines for informing management, employees,
regulatory authorities, customers, suppliers, and - where
appropriate - civil authorities.
65. A bank should periodically review its business continuity
plans and policies to ensure that contingency strategies remain
consistent with current operations, risks and threats. Training
and awareness programmes should be customised based on
26 The Committee's paper High-level principles for business continuity,
August 2006, discusses sound continuity principles in greater detail.
27 Business continuity planning should be consistent with and conducted
alongside the business continuity planning and testing of critical opera­
tions as specified in the principles for operational resilience. BCBS,
Principles for operational resilience, March 2021.
■ 13
specific roles to ensure that staff can effectively execute contin­
gency plans. Business continuity procedures should be tested
periodically to ensure that recovery and resumption objectives
and timeframes can be met. Where possible, a bank should
participate in business continuity testing with key service pro­
viders. Results of formal testing and review activities should be
reported to senior management and the board of directors.
Role of Disclosure
Principle 12: A bank's public disclosures should allow stake­
holders to assess its approach to operational risk manage­
ment and its operational risk exposure.
66. A bank's public disclosure of relevant operational risk man­
agement information can lead to transparency and the develop­
ment of better industry practice through market discipline. The
amount and type of disclosure should be commensurate with
the size, risk profile and complexity of a bank's operations, and
evolving industry practice.
67. Banks should disclose relevant operational risk exposure
information to their stakeholders (including significant opera­
tional loss events), while not creating operational risk through
this disclosure (eg description of unaddressed control vulner­
abilities).28,29 A bank should disclose its ORM F in a manner
that allows stakeholders to determine whether the bank identi­
fies, assesses, monitors and controls/mitigates operational risk
effectively.
68. Banks should have a formal disclosure policy that is subject
to regular and independent review and approval by the senior
management and the board of directors. The policy should
address the bank's approach for determining what operational
risk disclosures it will make and the internal controls over the
disclosure process. In addition, banks should implement a
Internationally active banks are required to comply with the Basel III
Pillar 3 operational risk disclosure requirements.
29 The recommendation to disclose significant operational loss events
does not include disclosure of confidential and proprietary information,
including information about legal reserves.
14 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
process for assessing the appropriateness of their disclosures
and disclosure policy.
Role of Supervisors
69. Supervisors should regularly assess banks' O RM F by evalu­
ating banks' policies, processes and systems related to opera­
tional risk. Supervisors should ensure that there are appropriate
mechanisms in place allowing them to remain apprised of banks'
operational risk developments.
70. Supervisory evaluations of operational risk should include
all areas described in the Principles for the sound management
of operational risk. Where banks are part of a financial group,
supervisors should ensure that there are processes in place to
ensure that operational risk is managed in an appropriate and
integrated manner across the group. In assessing banks' ORMF,
cooperation and exchange of information with other supervi­
sors, in accordance with established procedures, may be neces­
sary.30 In certain circumstances, supervisors may choose to use
external auditors in these assessment processes.31
71. Supervisors should take steps to ensure that banks address
deficiencies identified through the supervisory review of banks'
ORMF. Supervisors should use the tools most suited to the par­
ticular circumstances of banks and their operating environment.
To ensure that supervisors receive current information on opera­
tional risk, supervisors may wish to establish reporting mecha­
nisms directly with banks and external auditors (eg internal bank
management reports on operational risk could be made rou­
tinely available to supervisors).
72. Supervisors should encourage banks' ongoing internal
development efforts by monitoring, comparing and evaluat­
ing banks' recent improvements and plans for prospective
developments.
30 Refer to the Committee's papers High-level principles for the cross-
border implementation of the New Accord, August 2003, and Principles
for home-host supervisory cooperation and allocation mechanisms in
the context of Advanced Measurement Approaches (AMA), November
2007.
31 For further discussion, see the Committee's paper The relationship
between banking supervisors and bank's external auditors, January
2002.
 Learning Objectives
After completing this reading you should be able to:

Define enterprise risk management (ERM) and explain Describe the role of and issues with correlation in risk
how implementing ERM practices and policies can create aggregation and describe typical properties of a firm's
shareholder value, at both the macro and the micro level. market risk, credit risk, and operational risk distributions.

Explain how a company can determine its optimal amount Distinguish between regulatory and economic capital
of risk through the use of credit rating targets. and explain the use of economic capital in the corporate
decision-making process.
Describe the development and implementation of an ERM
system, as well as challenges to the implementation of an
ERM system.

E x c e rp t is from Journal of Applied Corporate Finance 18, No. 4 (2006), by Brian W. N o cco and R ene M. S tu lz *

* We are grateful for comments from Don Chew, Michael Hofmann, Joanne Lamm-Tennant, Tom O'Brien, Jerome Taillard, and William Wilt.

15
The past two decades have seen a dramatic change in the role
of risk management in corporations. Twenty years ago, the job
of the corporate risk manager— typically, a low-level position in
the corporate treasury— involved mainly the purchase of insur­
ance. At the same time, treasurers were responsible for the
hedging of interest rate and foreign exchange exposures. Over
the last ten years, however, corporate risk management has
expanded well beyond insurance and the hedging of financial
exposures to include a variety of other kinds of risk— notably
operational risk, reputational risk, and, most recently, strategic
risk. What's more, at a large and growing number of companies,
the risk management function is directed by a senior executive
with the title of chief risk officer (CRO) and overseen by a board
of directors charged with monitoring risk measures and setting
limits for these measures.
A corporation can manage risks in one of two fundamentally
different ways: (1) one risk at a time, on a largely compart­
mentalized and decentralized basis; or (2) all risks viewed
together within a coordinated and strategic framework. The
latter approach is often called "enterprise risk management,"
or "ER M " for short. In this article, we suggest that companies
that succeed in creating an effective ERM have a long-run com­
petitive advantage over those that manage and monitor risks
individually. Our argument in brief is that, by measuring and
managing its risks consistently and systematically, and by giving
its business managers the information and incentives to optimize
the trade-off between risk and return, a company strengthens its
ability to carry out its strategic plan.
In the pages that follow, we start by explaining how ERM can
give companies a competitive advantage and add value for
shareholders. Next we describe the process and challenges
involved in implementing ERM. We begin by discussing how a
company should assess its risk "appetite," an assessment that
should guide management's decision about how much and
which risks to retain and which to lay off. Then we show how
companies should measure their risks. Third, we discuss various
means of laying off "non-core" risks, which, as we argue below,
increases the firm's capacity for bearing those "core" risks the
firm chooses to retain. Though ERM is conceptually straightfor­
ward, its implementation is not. And in the last— and longest—
section of the chapter, we provide an extensive guide to the
major difficulties that arise in practice when implementing ERM.
2.1 HOW DOES ERM CREATE
SHAREHOLDER VALUE?
ERM creates value through its effects on companies at both a
"macro" or company-wide level and a "micro" or business-unit
16 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
level. At the macro level, ERM creates value by enabling senior
management to quantify and manage the risk-return trade-off
that faces the entire firm. By adopting this perspective, ERM
helps the firm maintain access to the capital markets and other
resources necessary to implement its strategy and business plan.
At the micro level, ERM becomes a way of life for managers and
employees at all levels of the company. Though the academic
literature has concentrated mainly on the macro-level benefits of
ERM, the micro-level benefits are extremely important in prac­
tice. As we argue below, a well-designed ERM system ensures
that all material risks are "ow ned," and risk-return trade-offs
carefully evaluated, by operating managers and employees
throughout the firm.
The Macro Benefits of Risk Management
Students in the first finance course of an MBA program often
come away with the "perfect markets" view that since share­
holders can diversify their own portfolios, the value of a firm
does not depend on its "total" risk. In this view, a company's
cost of capital, which is a critical determinant of its P/E ratio,
depends mainly on the "system atic" or "nondiversifiable
component of that risk (as typically measured by a company's
"beta"). And this in turn implies that efforts to manage total risk
are a waste of corporate resources.
But in the real world, where investors' information is far from
complete and financial troubles can disrupt a company's opera­
tions, a bad outcome resulting from a "diversifiable" risk— say,
an unexpected spike in a currency or commodity price— can
have costs that go well beyond the immediate hit to cash flow
and earnings. In the language of economists, such risks can have
large "deadweight" costs.1
To illustrate, if a company expects operating cash flow of $200
million for the year and instead reports a loss of $50 million, a
cash shortfall of this size can be far more costly to the firm than
just the missing $250 million. First of all, to the extent it affects
the market's expectation of future cash flows and earnings, such
a shortfall will generally be associated with a reduction in firm
value of much more than $250 million— a reduction that reflects
the market's expectation of lower growth. And even if operating
cash flow rebounds quickly, there could be other, longer-lasting
effects. For example, assume the company has a number of
strategic investment opportunities that require im m ediate fund­
ing. Unless the firm has considerable excess cash or unused1
1 There is a large academic literature that investigates how firm value
depends on total risk. For a review of that literature, see Rene Stulz, Risk
Management and Derivatives, Southwestern Publishing, 2002.
debt capacity, it may be faced with the tough choice of cutting
back on planned investments or raising equity in difficult cir­
cumstances and on expensive terms. If the cost of issuing equity
is high enough, management may have little choice but to cut
investment. And unlike the adjustment of market expectations
in response to what proves to be a temporary cash shortfall, the
loss in value from the firm having to pass up positive-NPV proj­
ects represents a perm anent reduction in value.
For most companies, guarding against this corporate "underin­
vestment problem" is likely to be the most important reason to
manage risk. By hedging or otherwise managing risk, a firm can
limit (to an agreed-upon level) the probability that a large cash
shortfall will lead to valuedestroying cutbacks in investment.
And it is in this sense that the main function of corporate risk
management can be seen as protecting a company's ability to
carry out its business plan.
But which risks should a company lay off and which should it
retain? Corporate exposures to changes in currencies, interest
rates, and commodity prices can often be hedged fairly inex­
pensively using derivatives such as forwards, futures, swaps,
and options. For instance, a foreign exchange hedging program
using forward contracts typically has very low transaction costs;
and when the transfer of risk is inexpensive, there is a strong
case for laying off economic risks that could otherwise under­
mine a company's ability to execute its strategic plan.
On the other hand, companies in the course of their normal
activities take many strategic or business risks that they can­
not profitably lay off in capital markets or other developed risk
transfer markets. For instance, a company with a promising
plan to expand its business typically cannot find an economic
hedge— if indeed there is any hedge at all—for the business
risks associated with pursuing such growth. The company's
management presumably understands the risks of such expan­
sion better than any insurance or derivatives provider— if they
don't, the company probably shouldn't be undertaking the
project. If the company were to seek a counterparty to bear
such business risks, the costs of transferring such risks would
likely be prohibitively high, since they would have to be high
enough to compensate the counterparty for transacting with
a better informed party and for constructing models to evalu­
ate the risks they're being asked to hedge. For this reason, we
should not be surprised that insurance companies do not offer
insurance contracts that provide complete coverage for earn­
ings shortfalls or that there is no market for derivatives for which
the underlying is a company's earnings. The insured companies
would be in a position not only to know more than the insurers
about the distribution of their future earnings, but to manipulate
that distribution to increase the payoffs from such insurance
policies. A firm that entered into a derivatives contract with its
Chapter 2 Enterprise Risk Management: Theory and
earnings as the underlying would have a similar advantage over
a derivatives dealer.
More generally, in making decisions whether to retain or trans­
fer risks, companies should be guided by the principle of com ­
parative advantage in risk-bearing.2 A company that has no
special ability to forecast market variables has no comparative
advantage in bearing the risk associated with those variables. In
contrast, the same company should have a comparative advan­
tage in bearing information-intensive, firm-specific business risks
because it knows more about these risks than anybody else. For
example, at Nationwide Insurance, exposures to changes in
interest rates and equity markets are managed in strict ranges,
with excess exposures reduced through asset repositioning or
hedging. At the same time, Nationwide retains the vast majority
of its insurance risks, a decision that reflects the firm's advantage
relative to any potential risk transfer counterparty in terms of
experience with and knowledge of such risks.
One important benefit of thinking in terms of comparative
advantage is to reinforce the message that companies are in
business to take stra teg ic and business risks. The recognition
that there are no economical ways of transferring risks that are
unique to a company's business operations can serve to under­
score the potential value of reducing the firm's exposure to
other, "non-core" risks.3 Once management has decided that
the firm has a comparative advantage in taking certain business
risks, it should use risk management to help the firm make the
most of this advantage. Which brings us to a paradox of risk
management: By reducing non-core exposures, ERM effectively
enables companies to take more strategic business risk— and
greater advantage of the opportunities in their core business.
The Micro Benefits of ERM
As discussed above, an increase in total risk can end up reduc­
ing value by causing companies to pass up valuable projects or
otherwise disrupting the normal operations of the firm. These
costs associated with total risk should be accounted for when
assessing the risk-return trade-off in all major new investments.
If the company takes on a project that increases the firm's total
risk, the project should be sufficiently profitable to provide an
adequate return on capital after compensating for the costs
associated with the increase in risk. This risk-return trade-off
2 For an extended treatment of this concept, see Rene Stulz, "Rethink­
ing Risk Management," Journal o f Applied Corporate Finance, Vol. 9
No. 3, Fall 1996.
3 For a discussion of core and non-core risks, see Robert Merton,
"You Have More Capital Than You Think," Harvard Business Review
(November, 2005).
■ 17
must be evaluated for all corporate decisions that are expected
to have a material impact on total risk.
Thus, a major challenge for a company implementing ERM is
to ensure that decision-making not just by senior management,
but by business managers throughout the firm, takes proper
account of the risk-return trade-off. To make this happen, the
risk evaluations of new projects must be performed, at least
initially, on a decentralized basis by the project planners in the
business units. A completely centralized evaluation of the risk-
return trade-off of individual projects would lead to corporate
gridlock. Take the extreme case of a trader. Centralized evalu­
ation would require the CRO's approval of each of the trader's
decisions with a potentially material impact on the firm's risk.
But in a decentralized evaluation of the risk-return trade-off,
each unit in the corporation evaluates this trade-off in its deci­
sion making. An important part of senior management's and the
CRO's job is to provide the information and incentives for each
unit to make these trade-offs in ways that serve the interests of
the shareholders.
There are two main components of decentralizing the risk-return
trade-off in a company:
a. First, managers proposing new projects should be required
to evaluate all major risks in the context of the marginal
impact of the projects on the firm's total risk. The com­
pany's decision-making framework should require the busi­
ness managers to evaluate project returns in relation to the
marginal increases in firm-wide risk to achieve the optimal
amount of risk at the corporate level.
b. Second, to help ensure that managers do a good job of
assessing the risk-return trade-off, the periodic performance
evaluations of the business units must take account of the
contributions of each of the units to the total risk of the
firm. As we will see later, this can be done by assigning
a level of additional "im puted" capital to the project to
reflect such incremental risk— capital on which the project
manager will be expected to earn an adequate return. By so
doing, the corporation not only measures its true economic
performance, but also creates incentives for managers to
manage the risk-return trade-off effectively by refusing to
accept risks that are not economically attractive.
With the help of these two mechanisms that are essential to
the management of firm-wide risk, a company that implements
ERM can transform its culture. Without these means, risk will be
accounted for in an ad hoc, subjective way, or ignored. In the
former case, promising projects could be rejected when risks
are overstated. In the latter case, systems that ignore risk will
end up encouraging high-risk projects, in many cases without
the returns to justify them. Perhaps even more troubling, one
division could take a project that another would reject based on
a different assessment of the project's risk and associated costs.
With the above capital allocation and performance evaluation
system mechanisms put in place when ERM is implemented,
business managers are forced to consider the impact of all
material risks in their investment and operating decisions. In
short, every risk is "owned" since it affects someone's perfor­
mance evaluation.
Spreading risk ownership throughout the company has become
more important as the scope of risk management has expanded
to include operating and reputational risks. Ten or 20 years ago,
when risk management focused mainly on financial risks, compa­
nies could centrally measure and manage their exposures to mar­
ket rates. But operational risks typically cannot be hedged. Some
of these risks can be insured, but companies often choose to
reduce their exposure to such risks by changing procedures and
technologies. The individuals who are closest to these risks are
generally in the best position to assess what steps should be taken
to reduce the firm's exposure to them. So, for example, decisions
to manage operating risks are often entrusted to line managers
whose decisions are based on their knowledge of the business,
and supplemented by technical experts where appropriate.
Nationwide has developed a "factor-based" capital allocation
approach for its management accounting and performance
evaluation system. Capital factors are assigned to products
based on the perceived risk of such products. For example, the
risk associated with, and capital allocated to, insuring a home in
a hurricane- or earthquake-prone area is greater than that for a
home in a non-catastrophe exposed region.
One of the most important purposes of such a risk-based capital
allocation system is to provide business managers with more
information about how their own investment and operating
decisions are likely to affect both corporate-wide performance
and the measures by which their performance will be evaluated.
When combined with a performance evaluation system in this
way, a risk-based capital allocation approach effectively forces
the business managers to consider risk in their decision-making.
Nationwide's risk factors are updated annually as part of the
strategic and operational planning process, reflecting changes in
risk and diversification. Decision-making authority is delegated
by means of a risk limit structure that is consistent with Nation­
wide's risk appetite framework.
2.2 DETERMINING THE RIGHT
AMOUNT OF RISK*
How should a company determine the optimal amount of total
risk to bear? To answer this question, it's important to start by

18 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
recognizing that the costs associated with the cash shortfalls we
discussed earlier would not exist if the firm had a larger buffer
stock of equity capital invested in liquid assets. But carrying
excess equity also, of course, has costs. For example, a recent
study concludes that, for some companies (typically larger,
mature companies), the last dollar of "excess" cash is valued by
the market at as little as 60 cents.4
By reducing risk, a company can reduce the amount of expen­
sive equity capital needed to support its operating risks. In this
sense, risk management can be viewed as a substitute for equity
capital, and an important part of the job of the CRO and top
management is to evaluate the trade-off between more active
risk management and holding a larger buffer stock of cash
and equity.
As we saw earlier, for companies without a large buffer of excess
equity, a sharp drop in cash flow and value can lead to financial
distress and a further (permanent) loss of value from underin­
vestment. Let's define "financial distress" to be any situation
where a company is likely to feel compelled to pass up positive
net present value (NPV) activities.
Many companies identify a level of earnings or cash flow that
they want to maintain under almost all circumstances (i.e.,
with an agreed-upon level of statistical confidence, say 95%,
over a one-year period) and then design their risk manage­
ment programs to ensure the firm achieves that minimum. For
example, in the case described earlier of the firm with a $250
million shortfall, management may want to explore steps that
would ensure that the firm almost never loses more than, say,
$100 million in a year, since that may be the point where man­
agement begins to feel pressure to cut projects. But, as the
mention of statistical confidence intervals suggests, a company
cannot— nor should it attempt to — guarantee that its cash and
earnings will never fall below the level it's aiming to protect. As
long as a company operates in a business that promises more
than the risk-free rate, there will be some risk of falling into
financial distress.
What management can accomplish through an ERM program,
then, is not to minimize or eliminate, but rather to limit, the
probability of distress to a level that management and the board
agrees is likely to maximize firm value. Minim izing the prob­
ability of distress, which could be achieved by investing most of
the firm's capital in Treasury bills, is clearly not in the interests of
shareholders. Management's job is rather to optim ize the firm's
4 By contrast, for riskier companies with lots of growth opportunities,
the same dollar can be worth as much as $1.50. See Lee Pinkowitz and
Rohan Williamson, "What Is the Market Value of a Dollar of Cash Hold­
ings?," Georgetown University working paper.
Chapter 2 Enterprise Risk Management: Theory and
risk portfolio by trading off the probability of large shortfalls
and the associated costs with the expected gains from taking or
retaining risks.
Let's refer to this targeted minimal level of resources (which can
be formulated in terms of cash flow, capital, or market value) as
the company's financial distress "threshold." Many companies
use bond ratings to define this threshold. For example, manage­
ment may conclude that the firm would have to start giving up
valuable projects if its rating falls to Baa. In that case, it would
adopt a financial and risk management policy that aims to limit
to an acceptably low level the probability that the firm's rating
will fall to Baa or lower. Given a firm's current rating— and let's
assume it is Aa— it is straightforward to use data supplied by the
rating agencies to estimate the average probability that the
firm's rating will fall to Baa or lower. A study by Moody's using
data from 1920 to 2005 shows that the probability of a company
with an Aa rating having its rating drop to Baa or lower within a
year's time is 1.05%, on average.5
W hether such a probability is acceptable is for top management
and the board to decide. For a company with many valuable
growth opportunities, even just a 1% chance of having to forgo
such investments may be too risky. By contrast, a basic manufac­
turing firm with few growth opportunities is likely to be better
off making aggressive use of leverage, maximizing the tax ben­
efits of debt, and returning excess funds to shareholders. For
such a firm, the costs associated with financial trouble would be
relatively low, at least as a percentage of total value.
For financial companies like Nationwide, however, there is
another important consideration when evaluating the costs of
financial distress that is specific to financial institutions: financial
trouble has an adverse impact on liabilities like bank deposits
and insurance contracts that constitute an important source of
the value of banks and insurance companies.6 Because such lia­
bilities are very credit-sensitive, these financial institutions gen­
erally aim to maximize their value by targeting a much lower
probability of distress than the typical industrial firm.
Let's suppose for the moment that a rating is a completely reli­
able and sufficient measure of the probability that a company
will default— an assumption we will reexamine later. And let's
consider a company that would have to start giving up valuable
5 Moody's Default and Recovery Rates of Corporate Bond Issuers,
1920-2005, March 2006. We compute probabilities that assume that the
rating is not withdrawn.
6 See Merton, Robert C., 1993, "Operation and Regulation in Financial
Intermediation: A Functional Perspective," in Operation and Regulation
of Financial Markets, edited by P. Englund. Stockholm: The Economic
Council.
■ 19
Table 2.1 Transition M atrix from M oody's

Rating To:

Rating From: Aaa Aa A Baa Ba B Caa-C Default

Aaa 91.75% 7.26% 0.79% 0.17% 0.02% 0.00% 0.00% 0.00%

Aa 1.32% 90.71% 6.92% 0.75% 0.19% 0.04% 0.01% 0.06%

A 0.08% 3.02% 90.24% 5.67% 0.76% 0.12% 0.03% 0.08%

Baa 0.05% 0.33% 5.05% 87.50% 5.72% 0.86% 0.18% 0.31%

Ba 0.01% 0.09% 0.59% 6.70% 82.58% 7.83% 0.72% 1.48%

B 0.00% 0.07% 0.20% 0.80% 7.29% 80.62% 6.23% 4.78%

Caa-C 0.00% 0.03% 0.06% 0.23% 1.07% 7.69% 75.24% 15.69%

Average one-year rating transition matrix, 1920-2005, conditional upon no rating withdrawal.
Source: Moody's Default and Recovery Rates of Corporate Bond Issuers, 1920-2005, March 2006.

projects if its rating fell to Baa or below (that is, Baa would
serve as its financial distress threshold). Assume also that man­
agement and the board have determined that, for this kind of
business, the optimal level of risk is one where the probability
of encountering financial distress is 7% over a one-year period.
Such an optimal level of risk would be determined by compar­
ing the costs associated with financial distress and the benefits
of having a more levered capital structure and taking on riskier
projects.
To the extent that ratings are reliable proxies for financial health,
companies can use a rating agency "transition matrix" to esti­
mate the amount of capital necessary to support a given level of
risk. The transition matrix shown in Table 2.1 can be used to
identify the frequency with which companies moved from one
rating to another over a certain period (in this case, 1920 to
2005).7 For any rating at the beginning of the year (listed in the
left-hand column of the table), the column of numbers running
down from the heading "Baa" tells us the probability that a
company will end up with a Baa rating at the end of the year.
Again, let's assume management wants the probability of its rat­
ing falling to Baa or lower over the next year to average around
7%. To determine the probability of a downgrade to or lower
than Baa for a given initial rating, we add up the probabilities of
ending with a rating equal to or lower than Baa along the row
that corresponds to the initial rating. The row where the prob­
abilities of ending at Baa or lower is closest to 7% is the one
corresponding to an A rating. Consequently, by targeting an A
rating, management would achieve the probability of financial
distress that is optimal for the firm.
7 See footnote 2.
In practice, however, the process of determining a target rating
can involve more considerations, which makes it more compli­
cated. For example, Nationwide analyzes and manages both
its probability of default and its probability of downgrade, and
it does so in separate but related frameworks. The company's
optimal probability of default is anchored to its target Aa ratings
and reflects the default history of Aa-rated bonds. By contrast,
the probability of downgrade to Baa or below is assumed to be
affected by, and is accordingly managed by limiting, risk con­
centrations such as those arising from natural catastrophes and
equity markets.
In the example above, the company is assumed to maximize
value by targeting a rating of A. As we noted earlier, equity
capital provides a buffer or shock absorber that helps the firm to
avoid default. For a given firm, a different probability of default
corresponds to each level of equity, so that by choosing a given
level of equity, management is also effectively choosing a prob­
ability of default that it believes to be optimal.
As can be seen in Table 2.1, an A rating is associated with a
probability of default of 0.08% over a one-year period. Thus,
to achieve an A rating, the company in our example must have
the level of (equity) capital that makes its probability of default
equal to 0.08%. If we make the assumption that the value of a
company's equity falls to a level not materially different from
zero in the event of default, we can use the probability of
default to "back out" the amount of equity the firm needs to
support its current level of risk.
Although the probability of default is in fact a complicated func­
tion of a number of firm characteristics, not just the amount of
equity, the analytical process that leads from the probability of
default to the required amount of capital is straightforward.

20 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
To see this, suppose that the company
becomes bankrupt if firm value at the
end of the fiscal year falls below a
default threshold level, which is a
function of the composition and
amount of the firm's debt.8 Given this
assumption, the firm needs the
amount of equity capital that will
make the probability of its value fall­
ing below the default threshold level
equal to 0.08% (or alternatively, the
amount that will ensure that its value
will not fall below the default thresh­
old level with a probability of 99.92%).

A company can also assess its costs

of financial distress by using criteria
other than ratings and ratings thresh­
olds. For instance, in addition to a rat­
ing downgrade, Nationwide Insurance
identifies a number of other scenarios
that it views as imposing large costs
on the company. Chief among them
Fiq u re 2.1 R eq u ired eq u ity capital to a ch ie v e a ta rg e t p ro b ab ility of d efau lt
are high levels of volatility in earnings
a function of firm vo latility or VaR.
and capital that, while not alone suf­
ficient to cause a rating downgrade,
could contribute to an increase in overall risk and hence the an amount of equity equal to its firm-wide one-year VaR deter­
required level of capital. For each of these critical variables and mined at a probability level of 0.08%.
scenarios, Nationwide sets target probability levels and accept­
For some companies, VaR conveys the same information as the
able tolerances that enable the firm to limit its volatility risk
volatility of its stock price or market value, which would allow
within those targeted levels.
the firm using VaR to focus on these more direct measures of
When thinking about acceptable levels of volatility, and the volatility of its value.9 But for those companies for which the dis­
equity capital needed to support them, many financial com­ tribution of firm value changes is not "normal" or symmetric, the
panies use a risk measure called value-at-risk, or VaR for short. analysis of risk provided by VaR can be quite different from the
VaR is the amount of the loss that is expected, with some pre­ information provided by volatility— and in such cases, VaR must
specified probability level, to be reached or exceeded during a be estimated directly.
defined time period. For instance, if a portfolio of securities has
But whether management uses VaR or volatility, given a tar­
a one-year VaR at the 5% probability level of $20 million, there
geted probability of default or financial distress, the company
is a 5% chance the portfolio will have a loss that exceeds $20
faces a trade-off, as illustrated in Figure 2.1, between its level of
million in the next year. VaR can also be computed for an entire
VaR or volatility and the size of its buffer stock of equity capital.
company by assessing the distribution of firm value. When the
As VaR or volatility increase, the firm requires more capital to
determination of the buffer stock of equity proceeds along the
achieve the same probability of default. And as can also be seen
lines described so far, the company in our example must have
in the upward shift from line x to line y in Figure 2.1, this trade­
off becomes steeper if management chooses to reduce the tar­
geted probability of default.
8 If all debt were due at the end of the year, the default threshold level
would be the principal amount of debt outstanding plus interest due.
However, if debt matures later, firm value could fall below the principal
amount of debt outstanding without triggering a default. So, the default
threshold level is lower than the principal amount of debt outstanding 9 In particular, VaR is a multiple of volatility when the variable for which
when the firm has long-term debt. VaR is estimated has a normal distribution.

Chapter 2 Enterprise Risk Management: Theory and ■ 21

Now suppose that based on its estimate of volatility, manage­
ment concludes that the firm needs $5 billion of equity capital
to achieve its target probability of default. As noted earlier, the
company can reduce its required level of equity by using risk
management to reduce the probability of default, which would
make sense if that option were deemed less costly than holding
the $5 billion of equity. In making this trade-off between manag­
ing risk and holding more equity, the company should aim to
position itself "at the margin" where it is indifferent between
decreasing risk and increasing capital. Management can satisfy
itself that it has achieved this position if, after having decided
on a certain combination of risk management and capital, it
can show that, for example, spending another $10 million to
decrease risk by 1% will save the firm roughly $10 million in
equity capital costs. In this event, it has achieved the optimal
amount of risk.
Using this approach, the company can evaluate the marginal
impact of a project on both its risk of default and its risk of
financial distress. As total risk increases, the firm requires more
capital to support that risk. Moreover, the cost of the additional
capital provides a useful measure of the cost of the project's
contribution to the firm's total risk. The project is worth under­
taking only if its NPV is large enough to cover that additional
cost. Similarly, when evaluating the performance of a unit within
the firm, the unit contributes to shareholder wealth only insofar
as its economic value added exceeds the cost of its contribu­
tion to the risk of the firm. In this way, then, the capital required
to support the contribution of an activity to the total risk of the
firm becomes itself a measure of risk— a measure that, because
of its simplicity, can easily be added up across different activities
or risks.
The conceptual framework of ERM can thus be summarized as
follows:
1. Management begins by determining the firm's risk appetite,
a key part of which is choosing the probability of financial
distress that is expected to maximize firm value. When
credit ratings are used as the primary indicator of financial
risk, the firm determines an optimal or target rating based
on its risk appetite and the cost of reducing its probability
of financial distress.
2. Given the firm's target rating, management estimates the
amount of capital it requires to support the risk of its opera­
tions. In so doing, management should consider the prob­
ability of default.
3. Management determines the optimal combination of capi­
tal and risk that is expected to yield its target rating. For
a given amount of capital, management can alter its risk
through hedging and project selection. Alternatively, for
22 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
a given amount of total risk, the company can increase its
capital to achieve its target rating. At the margin, the firm
should be indifferent between changing its capital and
changing its risk.
4. Top management decentralizes the risk-capital trade-off
with the help of a capital allocation and performance evalu­
ation system that motivates managers throughout the orga­
nization to make investment and operating decisions that
optimize this trade-off.
2.3 IMPLEMENTING ERM
But if ERM is conceptually straightforward, its implementation is
challenging. For a company to succeed in implementing ERM,
it is critical that people throughout the organization understand
how it can create value. Managers must understand that it is not
an academic exercise but a critical tool for executing the firm's
strategy. Thus ERM must be "sold" to and "bought into" by
all levels of the organization. For the whole organization to get
behind it, considerable thought must be devoted to the design
of managerial performance evaluation and incentives. We now
consider the main challenges involved in making ERM work.
Inventory of Risks
The first step in operationalizing ERM is to identify the risks to
which the company is exposed. A common approach is to iden­
tify the types of risks that will be measured. In the early days of
corporate risk management, financial institutions focused mainly
on market and credit risks. Eventually operational risk was
added. As a result, a common practice for banks is to classify all
risks into one of three categories: market, credit, and opera­
tional. But for such an approach to capture all the risks the firm
is exposed to, operational risk has to be a catch-all category
that includes all risks that are not market and credit risks.101
Many companies have gone beyond measuring market, credit,
and operational risks. In recent years, some firms have also
attempted to measure liquidity, reputational, and strategic
risks. Further, the three-party typology used in banking often
does not correspond well to the risks faced in other industries.
For example, because insurance companies have risks on their
asset side— that is, the risks associated with their investment
10 For banks, the definition of operational risk that prevails in the Basel
11accord is much narrower; for instance, it ignores the reputational risks
that are today a major concern of many financial institutions. As a result,
for banks, there will be a tension between the measurement of opera­
tional risk for regulatory purposes and from the perspective of ERM.
portfolio— as well as their liability side, such companies gener­
ally use a different typology. Nationwide Insurance regularly
measures and monitors its asset, liability, operating, liquidity,
and strategic risks— and it considers reputational risks in the
context of each of these risks and of its overall business. (Market
and credit risks are both treated as parts of asset risks.)
Having identified all of the company's major risks, management
must then find a consistent way to measure the firm's exposure
to these risks— a common approach that can be used to identify
and quantify all the firm's significant exposures. Without such a
method, exposure to the same risk could have different effects
on the performance evaluation and decision-making of differ­
ent business units and activities. The resulting possibility that
identically risky activities would be allocated different amounts
of capital would almost certainly create tension within the firm.
Furthermore, risk would gradually migrate within the organiza­
tion to those parts of the firm where it received the lowest risk
rating and smallest capital allocation.
For an inventory of risks to be useful, the information pos­
sessed by people within the organization must be collected,
made comparable, and continuously updated. Organizations
that have grown through acquisitions or without centralized IT
departments typically face the problem of incompatible com­
puter systems. Companies must be able to aggregate common
risks across all of their businesses to analyze and manage those
risks effectively.
Nationwide employs both a top-down and a bottom-up pro­
cess of risk identification. From a top-down perspective, the
company's ERM leadership and corporate level risk committee
have identified all risks that are large enough in aggregate to
threaten the firm with financial distress in an adverse environ­
ment. The bottom-up process involves individual business units
and functional areas conducting risk-control self assessments
designed to identify all material local-level risks. The goal is to
identify all important risks, quantify them using a consistent
approach, and then aggregate individual risk exposures across
the entire organization to produce a firm-wide risk profile that
takes account of correlations among risk. For example, Nation­
wide analyzes and establishes aggregate limits for the equity
risk stemming from three main sources: (1) the stock holdings
in its property and casualty insurance investment portfolio;
(2) the fee levels that are tied to equity values in the variable
annuity and insurance contracts of its life insurance business;
and (3) the asset management fees that are tied to equity
values in its investment management business.
Corporate failures to conduct thorough "inventories" of their
risks on a regular basis have been responsible for a striking num­
ber of major corporate disasters over the last 20 years. Business
Chapter 2 Enterprise Risk Management: Theory and
units often resist such monitoring efforts because they are time-
consuming and distract from other activities. A well-known
example of such resistance that ultimately created massive prob­
lems for the old UBS took place when the firm attempted to
include its equity derivatives desk into its risk measurement sys­
tem. Because the equity derivatives desk used a different com­
puter system, such an undertaking would have required major
changes in the way the desk did its business. But since the desk
was highly profitable, it was allowed to stay outside the system.
Eventually, the operation incurred massive losses that funda­
mentally weakened the bank and led it to seek a merger.11
Economic Value versus Accounting
Performance
Although credit ratings are a useful device for helping a com­
pany think about its risk appetite, management should also
recognize the limitations of ratings as a guide to a value-maxi­
mizing risk management and capital structure policy. Because
of the extent of their reliance on "accounting" ratios as well as
analysts' subjective judgment, credit ratings are often not the
most reliable estimates of a firm's probability of default. For
example, a company might feel confident that the underlying
economics of its risk management and capital structure give
it a probability of default that warrants an A rating, but find
itself assigned a Baa rating— perhaps because of a mechanical
application of misleading accounting-based criteria— by the
agencies. In such cases, management should rely on its own
economics-based analysis, while making every effort to share its
thinking with the agencies.
But having said this, if maintaining a certain rating is deemed to
be critical to the success of the organization, then setting capital
at a level that achieves the probability of default of the targeted
rating may not be enough. Management may also have to tar­
get some accounting-based ratios that are important determi­
nants of ratings as well.
This question of economic or value-based management vs.
accounting-based decision-making raises a fundamental ques­
tion of risk management: What is the shortfall that manage­
ment should be concerned about? Is it a shortfall in cash flow
or in earnings? Is it a drop in a company's G A A P net worth or a
market-based measure of firm value?
If the company is managing its probability of default, it should
obviously focus on the measure that is most directly linked to
that outcome. For example, an unexpected drop in this year's
cash flow may not be a problem for a company if its future cash1
11 See Dirk Schutz, La Chute de I'UBS, Bilan, 1998.
■ 23
flows are clearly unaffected. If the firm finds it easy to borrow
against its future cash flows or tangible assets, a shortfall in this
year's cash flow is unlikely to lead the firm to default. But those
companies that cannot borrow against future cash flows, per­
haps because they are too speculative and have few tangible
assets, may be affected much more adversely. In such cases, the
shortfall in cash flow, by triggering financing constraints, could
push the firm into financial distress. It is these kinds of compa­
nies that are likely to focus their risk management efforts on
measures of cash flow volatility.
But if a company is more likely to experience financial distress
because the p re se n t value of future cash flows is low than
because of a drop in cash flow, management must model the
risk of changes in firm value, which reflects the present value
of expected future cash flows, rather than the risk of changes
in cash flows. There are a number of topdown approaches that
provide estimates of total risk based on industry benchmarks
that are cheap and easy to implement. Unfortunately, such
approaches are not useful for managing risk within a com­
pany because they do not make it possible to relate corporate
actions to firm-wide risk. For instance, management could
obtain an estimate of the volatility of firm value or cash flows by
looking at the distribution of the value or cash flows of compa­
rable companies. But such an approach would provide manage­
ment with little understanding of how specific risk management
policies, including changes in capital structure, would affect
this estimate.
Thus, a management intent on implementing ERM must esti­
mate the expected distribution of changes in firm value from
the bottom up. When, as is typical, a company's value is best
estimated as the present value of its expected future cash flows,
management should "build" its estimates of firm value by mod­
eling the distribution of future cash flows. As a fundamental
part of its ERM program, Nationwide has developed stochastic
models that generate multi-year cash flow distributions for its
main businesses.
The Accounting Problem
By focusing on cash flows, then, a company focuses on its eco­
nomic value. But while helping the firm achieve its target prob­
ability of default, such an approach could also result in more
volatile accounting earnings. For example, under the current
accounting treatment of derivatives, if a company uses deriva­
tives to hedge an economic exposure but fails to qualify for
hedge accounting, the derivatives hedge can reduce the volatil­
ity of firm value while at the same time increasing the volatility
of accounting earnings. And thus a company that implements
ERM could end up with higher earnings volatility than a compa­
rable firm that does not.
24 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
While companies should pursue economic outcomes whenever
possible, there will clearly be situations where they need to
limit the volatility of reported accounting earnings. Companies
with debt covenants that specify minimal levels of earnings and
net worth are one example. Another is provided by companies
that face regulatory requirements to maintain minimal levels
of "statutory" capital, which is typically defined in standard
accounting terms. Yet another are companies whose ability to
attract customers depends in part on credit ratings, which in
turn can be affected by earnings volatility. Nationwide Insur­
ance, for example, operates in many businesses that are highly
sensitive to credit ratings. And to the extent its ratings could be
affected by high (or unexplained) levels of accounting volatility,
management's decision-making must clearly take such volatility
into account. In such cases, the challenge of an ERM system is
to meet the lenders' and regulators' accounting requirements
while still attempting to manage risk from the perspective of
economic value. Nationwide's approach is to make economically
based decisions to maximize value while treating its targeted
"A a" ratings vulnerability as a "constraint." A significant amount
of effort is devoted to minimizing the effect of this constraint
through disclosure and communication with the rating agencies.
Aggregating Risks
A firm that uses the three-part typology of market, credit, and
operational risk mentioned earlier generally begins by measur­
ing each of these risks individually. If the firm uses VaR, it will
have three separate VaR measures, one each for market risk, for
credit risk, and for operational risk. These three VaRs are then
used to produce a firm-wide VaR.
As shown in Figure 2.2, these three types of risks have dramati­
cally different distributions.12 Market risk behaves very much like
the returns on a portfolio of securities, which have a "norm al" or
symmetric distribution. In contrast, both credit and operational
risk have asymmetric distributions. With credit risk, either a
creditor pays in full what is owed or it does not. In general, most
creditors pay in full, but some do not— and when a creditor
defaults, the loss can be large. With operational risk, there tends
to be large numbers of small losses, so that small operational
losses are almost predictable. There is also, however, some
chance of large losses, so that the distribution of operational
losses has a "long tail." Statisticians describe distributions as
having "fat tails" when the probability of extreme losses is
higher than can be described by the normal distribution. While
many use the normal distribution to estimate the VaR of market
12 This is also the case when risks are divided into asset risks, operational
risks, and liability risks.
 Market Risk

2 4 6 8 10
Loss

Operational Risk

F ig u re 2 .2 Typical m arket, cred it, and o p eratio n al risk d istrib utio n s.

risk, such an approach is not appropriate for credit and opera­
tional risks because these risks have fat tails.
When aggregating the risks, one must also estimate their cor­
relations. The probability of experiencing simultaneously highly
adverse market, credit, and operational outcomes is typically
very low. This means that there is diversification across risk cat­
egories, and that the firm-wide VaR is thus less than the sum
of the market risk, credit risk, and operational risk VaRs. How
much less depends on the correlation between these risks. The
estimation of the correlations between certain types of risks is at
present more art than science. For this reason, many companies
choose to use averages of correlations used by other firms in
their industry rather than relying on their own estim ates.13 But
13 For data on correlations used in practice for financial institutions, see
Andrew Kuritzkes, Til Schuermann, and Scott M. Weiner, "Risk Measure­
ment, Risk Management and Capital Adequacy in Financial Conglomer­
ates," Brookings-Wharton Papers on Financial Services, 2003, pp. 141-193.
regardless of whether they use their own or other firms' correla­
tion measures, companies should keep in mind the tendency for
correlations to increase in highly stressed environments.
One important issue in estimating correlations across types of
risks is the importance of recognizing that such correlations
depend to some extent on the actions of the company. For
example, the total risk of an insurance company depends on the
correlation between its asset risk and its liability risk. By chang­
ing its asset allocations, the company can modify the correlation
between its asset risk and its liability risk. As a consequence, an
insurance company's asset portfolio allocations can be an essen­
tial part of its risk management effort. For example, Nationwide
Insurance uses a sophisticated asset/liability model to create an
efficient frontier of investment portfolios. The actual target port­
folio selected takes into consideration the firm's tolerance for
interest rate, equity market, and other risks as well as the oppor­
tunity for expected economic value creation.

Chapter 2 Enterprise Risk Management: Theory and Practice ■ 25

Measuring Risks
Some companies focus mostly on tail risk—the low-probability,
large-loss outcomes. As a result, when they measure the risk of
changes in the present value of cash flows, they use a measure
like VaR at a probability level that corresponds to a default
threshold. Some of these companies also complement their VaR
estimates with stress tests in which they investigate the impact
on firm value of rare events (such as the crisis period of August
and September 1998 that followed Russia's default on some of
its debt).
Though VaR is widely used, it is important to understand its
limitations and to complement its use with other risk measures.
Perhaps the main problem is that while VaR measures the loss
that is expected to be exceeded with a specified probability,
it says nothing about the expected size of the loss in the event
that VaR is exceeded. Some have argued that companies should
instead focus on the expected loss if VaR is exceeded. But
focusing on this risk measure, which is often called conditional
VaR, instead of focusing on VaR has little economic justification
in the context of firmwide risk management. Setting the compa­
ny's capital at a level equal to the conditional VaR would provide
the firm with a lower probability of default than the targeted
level, leading to an excessively conservative capital structure.
But a more important reason for companies to look beyond a
VaR measure estimated at the probability level corresponding
to a default threshold is that ERM adds value by optimizing the
probability and expected costs of financial distress. It is therefore
critical for companies to make sure that the equity capital set
based on a VaR estimate leads to the targeted optimal probabil­
ity of financial distress. Such an effort requires a broader under­
standing of the distribution of firm value than is provided by a
VaR estimate for a given probability of default. Further, since dif­
ferent levels of financial distress have different costs, a company
can take these different costs into account and focus on the
probability distribution of different levels of financial distress.
To compound the problem, when a company has a high rating
target, the estimation of VaR becomes more of an art as the esti­
mated VaR corresponds to an extremely low probability level.
To see this, consider a company that has determined that an A
rating is optimal. Since the probability of default for an A-rated
company is only 0.08% over a one-year period, to estimate
its optimal amount of capital the firm must therefore estimate
the loss in value that is exceeded with a probability of 0.08%.
The problem, however, is that few A-rated companies have any
experience of losses that come anywhere near that level. And
without any historical experience of such losses, it is difficult for
management to estimate the VaR at that probability level and
then evaluate the result.
26 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
For most investment grade companies, then, it is much easier
to evaluate the distribution of changes in firm value over the
range of changes that encompasses not default, but just a rat­
ings downgrade. For example, using the Moody's transition
matrix data (Table 2.1), one can say with some confidence that
an A-rated firm has a 5.67% chance on average of being down­
graded to a Baa rating over a one-year period; in other words,
such an event is expected to happen in more than one year out
of 20. (In contrast, default is expected to happen in approxi­
mately one year out of 1,000.) Because of the abundance of
data on downgrades as opposed to defaults for A-rated compa­
nies, the distribution of changes in firm value that corresponds
to a downgrade to Baa can be estimated more precisely. Over
that much narrower range of possible outcomes, the prob­
lems created by "asymmetries" in the distribution of firm value
changes and the so-called "fat tail" problems (where extreme
negative outcomes are more likely than predicted by common
statistical distributions) are not likely to be as severe. In such
cases, management may have greater confidence in its esti­
mates of the distribution of value changes corresponding to a
downgrade rather than a default and will be justified in focusing
on managing the probability of a downgrade.
As discussed previously, it is also important to understand and
take account of risk correlations when analyzing and manag­
ing default and distress probabilities. Nationwide Insurance
incorporates in its economic capital model a correlation matrix
that reflects sensitivity-tested stress correlations. It is also now
in the process of exploring event-driven correlation analysis
for scenarios that include terrorist attacks, mega hurricanes,
and pandemics.
Regulatory versus Economic Capital
The amount of equity capital required for the company to
achieve its optimal rating may bear little relation to the amount
of capital regulators would require it to hold. A firm that
practices ERM may therefore have an amount of capital that
substantially exceeds its regulatory requirements because it
maximizes shareholder wealth by doing so. In this case, the
regulatory requirements are not binding and would not affect
the firm's decisions.
The company would be in a more difficult situation if its required
regulatory capital exceeded the amount of capital it should hold
to maximize shareholder wealth. Nationwide Insurance refers to
this excess as "stranded capital." To the extent that economic
and regulatory capital are subject to different drivers, the dif­
ference between the two can be arbitraged to some degree to
minimize the level of stranded capital. Nationwide allocates any
residual stranded capital to its businesses and products. If all the
potential competitors of the firm face the same onerous regula­
tory capital requirements, the capital the firm has to hold that
is not justified on economic grounds is simply a regulatory tax.
If some potential competitors could provide the firm's products
without being subjected to the same regulatory capital, these
less regulated competitors could offer the products at a lower
price and the firm would risk losing business to them. In this
case, the firm would have to factor in the cost of regulatory cap­
ital of its various activities and would want to grow its portfolio
of activities in a way that requires less regulatory capital.
Regulatory capital is generally defined in terms of regulatory
accounting. For purposes of an ERM system, companies focus
on G A AP and economic capital. An exclusive focus on account­
ing capital is mistaken when accounting capital does not accu­
rately reflect the buffer stock of equity available to the firm.
The firm may have valuable assets that, although not marked to
market on its books, could be sold or borrowed against. In such
cases, the firm's book equity capital understates the buffer stock
available to it that could be used to avoid default.
Thus, in assessing the level of a company's buffer of capital, this
suggests that the amount of its G A AP equity capital is only part
of the story. The composition and liquidity of the assets matters
as well. If the firm incurs a large loss and has no liquid assets it
can use to "finance" it, the fact that it has a large buffer stock of
book equity will not be very helpful. For this reason, many com­
panies now do separate evaluations of their liquidity and the
amount of equity capital they require. As the practice of ERM
evolves, we would expect such companies to pay more atten­
tion to the relation between the optimal amount of equity and
the liquidity of their assets.
Using Economic Capital to Make Decisions
As we saw earlier, if companies could simply stockpile equity
capital at no cost, there would be no deadweight costs associ­
ated with adverse outcomes. Management could use its liquid
assets to finance the losses, and the bad outcome would have
no effect on the firm's investment policy. But in the real world,
there are significant costs associated with carrying too much
equity. If the market perceives that a company has more equity
than it needs to support the risk of the business, it will reduce
the firm's value to reflect management's failure to earn the cost
of capital on that excess capital.
When a company undertakes a new risky activity, the probability
that it will experience financial distress increases, thus raising
the expected costs of financial distress. One way to avoid these
additional costs is by raising enough additional capital so that
taking on the new risky activity has no effect on the probability
of financial distress. Consequently, the most straightforward
Chapter 2 Enterprise Risk Management: Theory and
way to estimate the cost of the impact of a new risky activity on
the firm's total risk is to evaluate how much incremental capital
would be necessary to ensure that the new risky activity has no
impact on the firm's probability of financial distress.
To illustrate, suppose that before the company takes on the new
activity, the VaR estimate used to set the firm's capital is $5 bil­
lion. Now, with the new activity, this VaR estimate increases
to $5.1 billion. Thus, for the firm to have the same probability
of financial distress as it had before it undertook the new risky
activity, it would need to raise capital of $100 million. Moreover,
this capital would have to be invested in such a way that the
investment does not increase the risk of the firm, since otherwise
the VaR of the firm would further increase. If the risky new activ­
ity is expected to last one year, and the cost to the firm of having
this additional $100 million available for one year is estimated to
be $8 million, then the economic value added of the new activ­
ity should be reduced by $8 million. If the firm ignores this cost,
it effectively subsidizes the new risky activity. To the extent that
riskier activities have higher expected payoffs before taking into
account their contribution to the firm's probability of financial
distress, a firm that ignores the impact of project risks on firm­
wide risk ends up favoring riskier projects over less risky ones.
Though the example just discussed is straightforward, the
implementation of this idea in practice faces several difficulties.
A company is a collection of risky projects. At any time, a proj­
ect's contribution to the firm's total risk depends on the risk of
the other projects and their correlations. When business units
are asked to make decisions that take into account the contri­
bution of a project to firm-wide risk, they must have enough
information when making the decision to know how to evaluate
that contribution. They cannot be told that the contribution will
depend on everything else that is going to happen within the
firm over the next year, and then have a risk charge assigned to
their unit after the fact.
Many companies sidestep this issue and ignore correlations alto­
gether when they set capital. In that case, the capital required
to support a project would be set so that the project receives
no benefit from diversification, and the contribution of the
project to firm-wide risk would then be the VaR of the project
itself. To account for diversification benefits under this system,
the firm would reduce the cost of equity. But when evaluating
the performance of a business unit, the VaR of the business
unit would be used to assess the contribution of the unit to
the firm's risk and the units would effectively get no credit for
diversification benefits.
When decentralizing the risk-return trade-off, the company has
to enable the managers of its business units to determine the
capital that has to be allocated to a project to keep the risk of
■ 27
the firm constant with the relatively simple information that is
readily available to them. Nationwide's factor-based capital allo­
cation and performance evaluation system is an example of such
an approach. The company allocates diversification benefits
within major business units, but not across them. This means
that a project whose returns have a low correlation with the
other activities within its unit will receive "credit" for such diver­
sification benefits in the form of a lower capital allocation for the
unit. But investments of a business unit that have low correla­
tions with activities of other major business units are not cred­
ited with firm-wide diversification benefits. The rationale for this
policy is that it enables Nationwide's top management to take
account of the effects of new investments on risk at the corpo­
rate level while at the same time holding the business managers
who make those decisions accountable for earning returns con­
sistent with their competitive operating environment.
The Governance of ERM
How does a company know that its ERM is succeeding? While
one outcome of effective ERM should be a better estimate of
expected value and better understanding of unexpected losses,
ERM does not eliminate risk. Thus, extreme negative outcomes
are still a possibility, and the effectiveness of ERM cannot be
judged on whether such outcomes materialize. The role of ERM
is to limit the probability of such outcomes to an agreed-upon,
value-maximizing, level. But what if the probability of default
is set at one in 1,000 years? Quite apart from whether this is
indeed the value-maximizing choice, such a low probability
means that there will be no obvious way to judge whether the
CRO succeeded in managing risk so as to give the firm its target
probability of default.
To evaluate the job of a CRO , the board and the C EO must
attempt to determine how well the company's risk is understood
and managed. A company where risk is well understood and
well managed is one that can command the resources required
to invest in the valuable projects available to it because it is
28 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
trusted by investors. In such cases, investors will be able to
distinguish bad outcomes that are the result of bad luck rather
than bad management, and that should give them confidence to
keep investing in the firm.
CONCLUSION
In this chapter, we have discussed how enterprise risk manage­
ment creates value for shareholders and examined the practical
issues that arise in the implementation of enterprise risk man­
agement. Although the key principles that underlie the theory
of ERM are well-established, it should be clear from this article
that additional research is needed to help with the implemen­
tation of ERM. In particular, while much attention has been
paid to measures of tail risk like VaR, it has become clear from
attempts to implement ERM that a more complete understand­
ing of the distribution of firm value is required. Though correla­
tions between different types of risks are essential in measuring
firm-wide risk, existing research provides little help in how to
estimate these correlations. Companies also find that some of
their most troubling risks— notably, reputational and strategic
risks— are the most difficult to quantify. A t this point, there is
little research that helps practitioners in assessing these risks,
but much to gain from having a better understanding of these
risks even if they cannot be quantified reliably.
In sum, there has been considerable progress in the implemen­
tation of ERM, with the promise of major benefits for corporate
shareholders. And, as this implementation improves with the
help of academic research, these benefits can only be expected
to grow.
Brian Nocco is the Chief Risk Officer of Nationwide Insurance.
Rene Stulz is the Reese Chair of Banking and Monetary Economics at
Ohio State University's Fisher School of Business and a research fellow
at the NBER and at the European Corporate Governance Institute. He is
also a member of the executive committee of the Global Association of
Risk Professionals (GARP).
What Is ERM?
Learning Objectives
After completing this reading you should be able to:

Describe enterprise risk management (ERM) and compare
and contrast differing definitions of ERM.
Compare the benefits and costs of ERM and describe the
motivations for a firm to adopt an ERM initiative.
Describe the role and responsibilities of a chief risk officer
(CRO) and assess how the CRO should interact with other
senior management.
Describe the key components of an ERM program.

E x c e rp t is C h a p ter 4 o f Enterprise Risk Management: From Incentives to Controls, S e co n d Edition, b y Ja m e s Lam.

29
Earlier, we reviewed the concepts and processes applicable to
almost all of the risks that a company will face. We also argued
that all risks can be thought of as a bell curve. Certainly, it is a
prerequisite that a company develop an effective process for
each of its significant risks. But it is not enough to build a sepa­
rate process for each risk in isolation.
Risks are by their very nature dynamic, fluid, and highly inter­
dependent. As such, they cannot be broken into separate com­
ponents and managed independently. Enterprises operating in
today's volatile environment require a much more integrated
approach to managing their portfolio of risks.
This has not always been recognized. Traditionally, companies
managed risk in organizational silos. Market, credit, and opera­
tional risks were treated separately and often dealt with by dif­
ferent individuals or functions within an institution. For example,
credit experts evaluated the risk of default, mortgage specialists
analyzed prepayment risk, traders were responsible for mar­
ket risks, and actuaries handled liability, mortality, and other
insurance-related risks. Corporate functions such as finance and
audit handled other operational risks, and senior line managers
addressed business risks.
However, it has become increasingly apparent that such a
fragmented approach simply doesn't work, because risks are
highly interdependent and cannot be segmented and managed
by entirely independent units. The risks associated with most
businesses are not one-to-one matches for the primary risks
(market, credit, operational, and insurance) implied by most tra­
ditional organizational structures. Attempting to manage them
as if they are is likely to prove inefficient and potentially danger­
ous. Risks can fall through the cracks, risk inter-dependencies
and portfolio effects may not be captured, and organizational
gaps and redundancies can result in suboptimal performance.
For exam ple, imagine that a company is about to launch a
new product or business in a foreign country. Such an initiative
would require:
• The business unit to establish the right pricing and market-
entry strategies;
• The treasury function to provide funding and protection
against interest rate and foreign-exchange (FX) risks;
• The Information Technology (IT) and operations function to
support the business; and
• The legal and insurance functions to address regulatory and
liability issues.
It is not difficult to see how an integrated approach could more
effectively manage these risks. An enterprise risk management
(ERM) function would be responsible for establishing firm-wide
policies and standards, coordinate risk management activities
30 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
across business units and functions, and provide overall risk
monitoring for senior management and the board.
Nor is risk monitoring any more efficient under the silo
approach. The problem is that individual risk functions measure
and report their specific risks using different methodologies
and formats. For example, the treasury function might report
on interest rate and FX risk exposures, and use value-at-risk as
its core risk measurement methodology. On the other hand,
the credit function would report delinquencies and outstand­
ing credit exposures, and measure such exposures in terms of
outstanding balances, while the audit function would report out­
standing audit items and assign some sort of audit score, and
so on.
Senior management and the board get pieces of the puzzle,
but not the whole picture. In many companies, the risk func­
tions produce literally hundreds of pages of risk reports, month
after month. Yet, oftentimes, they still don't manage to provide
management and the board with useful risk information. A good
acid test is to ask if the senior management knows the answers
to the following basic questions:
• What are the company's top 10 risks?
• Are any of our business objectives at risk?
• Do we have key risk indicators that track our critical risk
exposures against risk tolerance levels?
• What were the company's actual losses and incidents, and did
we identify these risks in previous risk assessment reports?
• Are we in compliance with laws, regulations, and corporate
risk policies?
If a company is uncertain about the answers to any of these
questions, then it is likely to benefit from a more integrated
approach to handling all aspects of risk— enterprise risk man­
agement (ERM ).1
3.1 ERM DEFINITIONS
Since the practice of ERM is still relatively new, there have yet
to be any widely accepted industry standards with regard to the
definition of ERM. As such, a multitude of different definitions is
available, all of which highlight and prioritize different aspects of
ERM. Consider, for example, a definition provided by the Com ­
mittee of Sponsoring Organizations of the Treadway Commis­
sion (CO SO ) in 2004:
1 Other popular terms used to describe enterprise risk management
include firm-wide risk management, integrated risk management, and
holistic risk management.
 "ERM is a process, effected by an entity's board of
directors, management, and other personnel, applied in
strategy setting and across the enterprise, designed to
identify potential events that may affect the entity, and
manage risk to be within its appetite, to provide rea­
sonable assurance regarding the achievement of entity
objectives."
Another definition was established by the International Organi­
zation of Standardization (ISO 31000):
Risk is the "effect of uncertainty on objectives" and risk
management refers to "coordinated activities to direct
and control an organization with regard to risk."
While the CO SO and ISO definitions provide useful concepts
(e.g., linkage to objectives), I think it is important that ERM is
defined as a value added function. Therefore, I would suggest
the following definition:
Risk is a variable that can cause deviation from an
expected outcome. ERM is a comprehensive and inte­
grated framework for managing key risks in order to
achieve business objectives, minimize unexpected earn­
ings volatility, and maximize firm value.
The lack of a standard ERM definition can cause confusion for a
company looking to set up an ERM framework. No ERM defini­
tion is perfect or applicable to every organization. My general
advice is for each organization to adopt an ERM definition and
framework that best fit their business scope and complexity.
3.2 THE BENEFITS OF ERM
ERM is all about integration, in three ways.
First, enterprise risk management requires an integrated risk
organization. This most often means a centralized risk manage­
ment unit reporting to the C EO and the Board in support of
their corporate- and board-level risk oversight responsibilities.
A growing number of companies now have a Chief Risk Officer
(CRO) who is responsible for overseeing all aspects of risk within
the organization— we'll consider this development later.
Second, enterprise risk management requires the integration
of risk transfer strategies. Under the silo approach, risk transfer
strategies were executed at a transactional or individual risk
level. For example, financial derivatives were used to hedge
market risk and insurance to transfer out operational risk. How­
ever, this approach doesn't incorporate diversification within or
across the risk types in a portfolio, and thus tends to result in
over-hedging and excessive insurance cover. An ERM approach,
by contrast, takes a portfolio view of all types of risk within a
company and rationalizes the use of derivatives, insurance, and
alternative risk transfer products to hedge only the residual risk
deemed undesirable by management.
Third, enterprise risk management requires the integration of
risk management into the business processes of a company.
Rather than the defensive or control-oriented approaches used
to manage downside risk and earnings volatility, enterprise risk
management optimizes business performance by supporting
and influencing pricing, resource allocation, and other business
decisions. It is during this stage that risk management becomes
an offensive weapon for management.
All this integration is not easy. For most companies, the implemen­
tation of ERM implies a multi-year initiative that requires ongoing
senior management sponsorship and sustained investments in
human and technological resources. Ironically, the amount of time
and resources dedicated to risk management is not necessarily
very different for leading and lagging organizations.
The most crucial difference is this: leading organizations make
rational investments in risk management and are proactive, opti­
mizing their risk profiles. Lagging organizations, on the other
hand, make disconnected investments and are reactive, fighting
one crisis after another. The investments of the leading compa­
nies in risk management are more than offset by improved effi­
ciency and reduced losses.
Let's discuss the three major benefits to ERM: increased organi­
zational effectiveness, better risk reporting, and improved busi­
ness performance.
Organizational Effectiveness
Most companies already have risk management and corporate-
oversight functions, such as finance/insurance, audit and compli­
ance. In addition, there may be specialist risk units: for example,
investment banks usually have market risk management units,
while energy companies have commodity risk managers.
The appointment of a chief risk officer and the establishment of
an enterprise risk function provide the top-down coordination
necessary to make these various functions work cohesively and
efficiently. An integrated team can better address not only the
individual risks facing the company, but also the interdependen­
cies between these risks.
Risk Reporting
As previously noted, one of the key requirements of risk man­
agement is that it should produce timely and relevant risk
reporting for the senior management and board of directors.
As we also noted, however, this is frequently not the case. In a
Chapter 3 What Is ERM? ■ 31
silo framework, either no one takes responsibility for overall risk
reporting, and/or every risk-related unit supplies inconsistent
and sometimes contradictory reports.
An enterprise risk function can prioritize the level and content
of risk reporting that should go to senior management and the
board: an enterprise-wide perspective on aggregate losses, pol­
icy exceptions, risk incidents, key exposures, and early-warning
indicators. This might take the form of a risk dashboard that
includes timely and concise information on the company's key
risks. O f course, this goes beyond the senior management level;
the objective of ERM reporting is by its nature to increase risk
transparency throughout an organization.
Business Performance
Companies that adopt an ERM approach have experienced
significant improvements in business performance. Figure 3.1
provides examples of reported benefits of ERM from a cross-
section of companies. ERM supports key management decisions
such as capital allocation, product development and pricing, and
mergers and acquisitions. This leads to improvements such as
reduced losses, lower earnings volatility, increased earnings, and
improved shareholder value.
These improvements result from taking a portfolio view of all
risks; managing the linkages between risk, capital, and profit­
ability; and rationalizing the company's risk transfer strategies.
The result is not just outright risk reduction: companies that
understand the true risk/return economics of a business can take
more of the profitable risks that make sense for the company
and less of the ones that don't.
Despite all these benefits, many companies would balk at
the prospect of a full-blown ERM initiative were it not for the
Benefit Company
Market value improvement Top money center bank
Early warning of risks Large commercial bank
Loss reduction Top asset-management
company
Regulatory capital relief Large international commercial
and investment bank
Risk transfer rationalization Large property and casualty
insurance company
Insurance premium reduction Large manufacturing company
F ig u re 3.1 ER M b en efits.
32 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
existence of heavy internal and external pressures. In the busi­
ness world, managers are often galvanized into action after a
near miss— either a disaster averted within their own organiza­
tion or an actual crisis at a similar organization.
In response, the board and senior management are likely to
question the effectiveness of the control environment and
the adequacy of risk reporting within their company. To put it
another way, they will begin to question how well they really
know the organization's major risk exposures.
Such incidents are also often followed by critical assessments
from auditors and regulators— both groups which are constitu­
tionally concerned with the effectiveness of risk management.
Consequently, regulators focus on all aspects of risk during
examinations, setting risk-based capital and compliance require­
ments, and reinforcing key roles for the board and senior man­
agement in the risk management process.
This introspection often leads to the emergence of a risk cham­
pion among the senior executives who will sponsor a major
program to establish an enterprise risk management approach.
As noted above, this risk champion is increasingly becoming a
formalized senior management position— the chief risk officer,
or CRO .
Aside from this, direct pressure also comes from influential
stakeholders such as shareholders, employees, ratings agencies,
and analysts. Not only do such stakeholders expect more earn­
ings predictability, management have fewer excuses today for
not providing it. Over the past few years, volatility-based mod­
els such as value-at-risk (VaR) and risk-adjusted return on capital
(RAROC) have been applied to measure all types of market risk
within an organization; their use is now spreading to credit risk,
and even to operational risk. The increasing availability and
liquidity of alternative risk transfer products— such as credit
Actual Results
Outperformed S&P 500 banks by 58% in stock price
performance
Assessment of top risks identified over 80% of future losses;
global risk limits cut by one-third prior to Russian crisis
30% reduction in the loss ratio enterprise-wide; up to 80%
reduction in losses at specific business units
$1 Billion reduction of regulatory capital requirements, or
about 8-10%
$40 million in cost savings, or 13% of annual reinsurance
premium
20-25% reduction in annual insurance premium
derivatives and catastrophe bonds— also means that companies
are no longer stuck with many of the unpalatable risks they
previously had no choice but to hold. Overall, the availability of
such tools makes it more difficult and less acceptable for com­
panies to carry on with more primitive and inefficient alterna­
tives. Managing risk is management's job.
3.3 THE CHIEF RISK OFFICER
The role of a chief risk officer has received a lot of attention
within the risk management community, as well as from the
finance and general management audiences. Articles on chief
risk officers and ERM appear frequently in trade publications
such as Risk M agazine and Risk and Insurance, but have also
been covered in general publications such as C FO magazine,
the Wall S tre e t Journal, and even USA Today.
• • •
Today, the role of the CRO has been widely adopted in risk­
intensive businesses such as financial institutions, energy firms,
and non-financial corporations with significant investment activities
and/or foreign operations. Today, I would estimate that as many
as up to 80% of the biggest U.S. financial institutions have CROs.
The recent financial and economic meltdowns have increased
the demand for comprehensive ERM frameworks. As an indica­
tion of this increased demand, executive management training
programs in ERM are increasingly offered by leading business
schools. For example, in November 2010, Harvard Business
School implemented a five-day program designed to train
C EO s, C O O s, and CRO s in managing risk as corporate leaders:
there have been two other sessions to date, one in February
2012, and one just recently, in February 2013.2
Typical reports to the CRO are the heads of credit risk, mar­
ket risk, operational risk, insurance, and portfolio manage­
ment. Other functions that the CRO is commonly responsible
for include risk policy, capital management, risk analytics and
reporting, and risk management within individual business units.
In general, the office of the CRO is directly responsible for:
• Providing the overall leadership, vision, and direction for
enterprise risk management;
• Establishing an integrated risk management framework for all
aspects of risks across the organization;
• Developing risk management policies, including the quantifi­
cation of the firm's risk appetite through specific risk limits;
2 Winokur, L.A. "The Rise of the Risk Leader: A Reappraisal," Risk Pro­
fessional, April 2012, 20.
• Implementing a set of risk indicators and reports, including
losses and incidents, key risk exposures, and early warning
indicators;
• Allocating economic capital to business activities based on
risk, and optimizing the company's risk portfolio through
business activities and risk transfer strategies;
• Communicating the company's risk profile to key stakehold­
ers such as the board of directors, regulators, stock analysts,
rating agencies, and business partners; and
• Developing the analytical, systems, and data management
capabilities to support the risk management program
Still, given that enterprise risk management is still a relatively
new field, many of the kinks have yet to be smoothed out of the
Chief Risk Officer role. For example, there are still substantial
amounts of ambiguity with regard to where the CRO stands in
the hierarchy between the board of directors and other C-level
positions, such as C EO s, C FO s, and CO O s.
In many instances, the CRO reports to the C FO or C E O — but
this can make firms vulnerable to internal friction when serious
clashes of interest occur between corporate leaders. For exam­
ple, when Paul Moore, former head of regulatory risk at HBOS,
claimed that he had been "fired . . . for warning about reckless
lending," the resulting investigations led to the resignation of
HBOS' chief executive, Sir Jam es Crosby, as the deputy chair­
man of the Financial Services Authority.*•3
One organizational solution is to establish a dotted-line report­
ing relationship between the chief risk officer and the board or
board risk committee. Under extreme circumstances (e.g., C EO /
C FO fraud, major reputational or regulatory issues, excessive
risk taking beyond risk appetite tolerances), that dotted line may
convert to a solid line so that the chief risk officer can go directly
to the board without fear for his or her job security or compen­
sation. Ultimately, to be effective, risk management must have
an independent voice. A direct communication channel to the
board is one way to ensure that this voice is heard.4
For these dotted-line reporting structures between the CRO
and the board (and between the business line risk officers and
the CRO), it is critical that an organization clearly establish and
document the ground rules. Basic ground rules include risk
escalation and communication protocols, and the role of the
board or CRO in hiring/firing, annual goal setting, and compen­
sation decisions of risk and compliance professions who report
to them.
3 Davy, Peter. "Cinderella Moment," Wall Street Journal, October 5, 2010.
4 Lam, James. "Structuring for Accountability," Risk Progressional, June
2009, 44.
Chapter 3 What Is ERM? ■ 33
Another board risk oversight option is to alter existing audit
committees to incorporate risk management. In a survey of the
S&P 500, "58% of respondents said that their audit committees
were responsible for risk m anagem ent."5 However, this presents
problems of its own; oftentimes, audit committees are already
working at maximum capacity just handling audit matters, and
are unable to properly oversee ERM as well. Henry Ristuccia, of
Deloitte, affirms that unless the "audit committee [can improve]
its grasp of risk m anagem ent. . . a separate risk committee
needs to be form ed."6
The lack of an ERM standard is also a significant barrier to the
positive development of the CRO role. Mona Leung, C FO
of Alliant Credit Union, says that "we have too many varying
definitions" of enterprise risk management, with the result
that ERM means something different to every company, and
is implemented in different ways. O f course, firms from differ­
ent industries should (and must) tailor their approaches to risk
management in order to meet the requirements of their specific
business models and regulatory frameworks, but nonetheless, it
is important to have a general ERM standard.
Despite the remaining ambivalences in the structure of the
CRO role, I believe that it has elevated the risk management
profession in some important ways. First and foremost, the
appointment of executive managers whose primary focus is
risk management has improved the visibility and organizational
effectiveness of that function at many companies. The successes
of these appointments have only increased the recognition and
acceptance for the CRO position.
Second, the CRO position provides an attractive career path for
risk professionals who want to take a broader view of risk and
business management. In the past, risk professionals could only
aspire to become the head of a narrowly focused risk function
such as credit or audit. Nearly 70 percent of the 175 participants
in one online seminar that I gave on September 13, 2000, said
they aspired to become CRO s.
Today, CRO s have begun to move even further up the corpo­
rate ladder by becoming serious contenders for the positions
of C E O and C FO . For exam ple, Matthew Feldm an, form erly
CRO of the Federal Home Loan Bank of Chicago, was
appointed its C E O and President in May of 2008. Likewise,
Deutsche Bank CRO Hugo Banziger was a candidate for UBS
C E O . Kevin Buehler, of M cKinsey & Co.'s, affirms that the
gradual movement of CRO s from control functions to more
5 Banham, Russ. "Disaster Averted," CFO Magazine, April 1, 2011,2.
6 Ibid.
34 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
strategic roles is the primary contributing factor to their suc­
cess, and that with the coming years, this progress is only
likely to accelerate.7
• • •
Some argue that a company shouldn't have a CRO because that
job is already fulfilled by the C EO or the C FO . Supporting this
argument is the fact that the C E O is always going to be ulti­
mately responsible for the risk (and return) performance of the
company, and that many risk departments are part of the CFO 's
organization. So why create another C-level position of CRO and
detract from the CEO 's or CFO 's responsibilities?
The answer is the same reason that companies create roles for
other C-level positions, such as chief information officers or
chief marketing officers. These roles are defined because they
represent a core competency that is critical to the success for
the company—the C EO needs the experience and technical
skills that these seasoned professionals bring. Perhaps not every
company should have a full-time CRO , but the role should be an
explicit one and not simply one implied for the C EO or C FO .
For companies operating in the financial or energy markets, or
other industries where risk management represents a core com­
petency, the CRO position should be considered a serious pos­
sibility. A CRO would also benefit companies in which the full
breadth of risk management experience does not exist within
the senior management team, or if the build-up of required risk
management infrastructure requires the full-time attention of an
experienced risk professional.
What should a company look for in a CRO ? An ideal CRO would
have superb skills in five areas. The first would be the leadership
skills to hire and retain talented risk professionals and establish
the overall vision for ERM. The second would be the evangeli­
cal skills to convert skeptics into believers, particularly when it
comes to overcoming natural resistance from the business units.
Third would be the stewardship to safeguard the company's
financial and reputational assets. Fourth would be to have the
technical skills in strategic, business, credit, market, and opera­
tional risks. And, last but not least, fifth would be to have con­
sulting skills in educating the board and senior management,
as well as helping business units implement risk management
at the enterprise level. While it is unlikely that any single indi­
vidual would possess all of these skills, it is important that these
competencies exist either in the CRO or elsewhere within his or
her organization.
7 Winokur, L. A. "The Rise of the Risk Leader: A Reappraisal," Risk
Professional, April 2012, 17.
3.4 COMPONENTS OF ERM
A successful ERM program can be broken down into seven key
components (see Figure 3.2). Each of these components must
be developed and linked to work as an integrated whole. The
seven components include:
1. Corporate governance to ensure that the board of directors
and management have established the appropriate organi­
zational processes and corporate controls to measure and
manage risk across the company.
2. Line management to integrate risk management into the
revenue-generating activities of the company (including
business development, product and relationship manage­
ment, pricing, and so on).
Corporate Governance
Corporate governance ensures that the board of directors and
management have established the appropriate organizational
processes and corporate controls to measure and manage risk
across the company. The mandate for effective corporate gov­
ernance has been brought to the forefront by regulatory and
industry initiatives around the world. These initiates include the
Treadway Report from the United States, the Turnbull Report
from the UK, and the Dey Report from Canada. All of these
made recommendations for establishing corporate controls
and emphasized the responsibilities of the board of directors
and senior management. Additionally, the Sarbanes-Oxley Act
provides both specific requirements and severe penalties for
non-compliance.

3. Portfolio management to aggregate risk exposures, incor­ From an ERM perspective, the responsibilities of the board of
porate diversification effects, and monitor risk concentra­ directors and senior management include:
tions against established risk limits.
• Defining the organization's risk appetite in terms of risk poli­
4. Risk transfer to mitigate risk exposures that are deemed too cies, loss tolerance, risk-to-capital leverage, and target debt
high, or are more cost-effective to transfer out to a third rating.
party than to hold in the company's risk portfolio.
• Ensuring that the organization has the risk management skills
5. Risk analytics to provide the risk measurement, analysis, and and risk absorption capability to support its business strategy.
reporting tools to quantify the company's risk exposures as • Establishing the organizational structure of the ERM fram e­
well as track external drivers. work and defining the roles and responsibilities for risk man­
6 . Data and technology resources to support the analytics and agement, including the role of chief risk officer.
reporting processes. • Implementing an integrated risk measurement and manage­
ment framework for strategic, business, operational, financial,
7. Stakeholder management to communicate and report the
and compliance risks.
company's risk information to its key stakeholders.
• Establishing risk assessment and audit processes, as well
Let's consider these in turn.
as benchmarking company practices against industry best
practices.
• Shaping the organization's risk culture by setting the tone
from the top not only through words but also through
1. Corporate Governance
Establish top-down risk management actions, and reinforcing that commitment through incentives.
• Providing appropriate opportunities for organizational learn­
3. Portfolio 4. Risk Transfer ing, including lessons learned from previous problems, as
2. Line Management
Management Transfer out well as ongoing training and development.
Business strategy
Think and act like a concentrated or
alignment
"fund manager" inefficient risks

6. Data and Technology

Line Management
5. Risk Analytics
Resources
Develop advanced Perhaps the most important phase in the assessment and pricing
Integrated data and
analytical tools of risk is at its inception. Line management must align business
system capabilities
strategy with corporate risk policy when pursuing new business
7. Stakeholders Management and growth opportunities. The risks of business transactions
Improve risk transparency for key stakeholders
should be fully assessed and incorporated into pricing and prof­
F ia u re 3 .2 S even co m p o n en ts of ER M . itability targets in the execution of business strategy.

Chapter 3 What Is ERM? ■ 35

Specifically, expected losses and the cost of risk capital should
be included in the pricing of a product or the required return of
an investment project. In business development, risk acceptance
criteria should be established to ensure that risk management
issues are considered in new product and market opportuni­
ties. Transaction and business review processes should be
developed to ensure the appropriate due diligence. Efficient
and transparent review processes will allow line managers to
develop a better understanding of those risks that they can
accept independently and those that require corporate approval
or management.
Portfolio Management
The overall risk portfolio of an organization should not just
happen—that is, it should not just be the cumulative effect of
business transactions conducted entirely independently. Rather,
management should act like a fund manager and set portfolio
targets and risk limits to ensure appropriate diversification and
optimal portfolio returns.
The concept of active portfolio management can be applied
to all the risks within an organization. Diversification effects
from natural hedges can only be fully captured if an orga­
nization's risks are viewed as a whole, in a portfolio. More
importantly, the portfolio management function provides
a direct link between risk management and shareholder
value maximization.
For example, a key barrier for many insurance companies in
implementing ERM is that each of the financial risks within the
overall business portfolio is managed independently. The actu­
arial function is responsible for estimating liability risks arising
for the company's insurance policies; the investment group
invests the company's cash flows in fixed-income and equity
investments. The interest rate risk function hedges mismatches
between assets and liabilities. However, an insurance company
which has implemented ERM would manage all of its liabil­
ity, investment, interest rate, and other risks as an integrated
whole in order to optimize overall risk/return. The integration
of financial risks is one step in the ERM process, while strategic,
business, and operational risks must also be considered in the
overall ERM framework.
Risk Transfer
Portfolio management objectives are supported by risk transfer
strategies that lower the cost of transferring out undesirable
risks, and also increase the organization's capacity to originate
36 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
desirable but concentrated risks. To reduce undesirable risks,
management should evaluate derivatives, insurance, and hybrid
products on a consistent basis and select the most cost-effective
alternative. For example, corporations such as Honeywell and
Mead have used alternative risk transfer (ART) products that
combine traditional insurance protection with financial risk pro­
tection. By bundling various risks, risk managers have achieved
estimated savings of 20 to 30% in the cost of risk transfer.
A company can dramatically reduce its hedging and insurance
costs— even without third-party protection— by incorporat­
ing the natural hedges that exist in any risk portfolio. In the
course of doing business, companies naturally develop risk
concentrations in their areas of specialization. The good news
is that they should be very capable of analyzing, structuring,
and pricing those risks. The bad news is that any risk concentra­
tion can be dangerous. By transferring undesirable risks to the
secondary market—through credit derivatives or securitization,
for example— an organization can increase its risk origination
capacity and revenue without accumulating highly concentrated
risk positions.
Finally, management can purchase desirable risks that they
cannot directly originate on a timely basis, or swap undesir­
able risk exposures for desirable risk exposures through a
derivative contract.
Risk Analytics
The development of advanced risk analytics has supported
efforts to quantify and manage credit, market, and operational
risks on a more consistent basis. The same techniques that allow
for the quantification of risk exposures and risk-adjusted profit­
ability can be used to evaluate risk transfer products such as
derivatives, insurance, and hybrid products. For example, man­
agement can increase shareholder value through risk transfer
provided that the cost of risk transfer is lower than the cost of
risk retention for a given risk exposure (e.g., 12% all-in cost of
risk transfer versus 15% cost of risk capital).
Alternatively, if management wants to reduce its risk exposure,
risk analytics can be used to determine the most cost-effective
way to accomplish that objective. In addition to risk mitiga­
tion, advanced risk analytics can also be used to significantly
improve net present value (NPV)- or economic value added
(EVA)-based decision tools. The use of scenario analyses and
dynamic simulations, for exam ple, can support strategic plan­
ning by analyzing the probabilities and outcomes of different
business strategies as well as the potential impact on share­
holder value.
Data and Technology Resources
One of the greatest challenges for enterprise risk management
is the aggregation of underlying business and market data. Busi­
ness data includes transactional and risk positions captured in
different front- and back-office systems; market data includes
prices, volatilities, and correlations. In addition to data aggrega­
tion, standards and processes must be established to improve
the quality of data that is fed into the risk systems.
As far as risk technology goes, there is no single vendor soft­
ware package that provides a total solution for enterprise risk
management. Organizations still have to either build, buy, and
customize or outsource the required functionality. Despite the
data and system challenges, companies should not wait for
a perfect system solution to become available before estab­
lishing an enterprise risk management program. Rather, they
should make the best use of what is available and at the same
time apply rapid prototyping techniques to drive the systems-
development process. Additionally, companies should consider
tapping into the power of the Internet/lntranet in the design of
an enterprise risk technology platform.
Stakeholder Management
Risk management is not just an internal management process. It
should also be used to improve risk transparency in a firm's rela­
tionship with key stakeholders. The board of directors, for exam­
ple, needs periodic reports and updates on the major risks faced
by the organization in order to review and approve risk man­
agement policies for controlling those risks. Regulators need to
be assured that sound business practices are in place, and that
business operations are in compliance with regulatory require­
ments. Equity analysts and rating agencies need risk information
to develop their investment and credit opinions.
An important objective for management in communicating
and reporting to these key stakeholders is an assurance that
appropriate risk management strategies are in effect. O ther­
wise, the company (and its stock price) will not get full credit,
since interested parties will see the risks but may not see the
controls. The increasing emphasis of analyst presentations
and annual reports on a company's risk management capabili­
ties is evidence of the importance now placed on stakeholder
communication . . . .
Chapter 3 What Is ERM? ■ 37
 A
Implementing
Robust Risk Appetite
Frameworks to
Strengthen Financial
Institutions
Learning Objectives
After completing this reading you should be able to

Describe best practices for the implementation and Assess the role of stress testing within an RAF and
communication of a risk appetite framework (RAF) at describe challenges in aggregating firm-wide risk
a firm. exposures.

Explain key challenges to the implementation of an RAF Explain lessons learned in the implementation of an
and describe how a firm can overcome each challenge. RAF through the presented case studies.

E x c e rp t is rep rin ted with perm ission of the Institute o f International Finance.

39
INTRODUCTION
1. One of the key lessons of the financial crisis was that some
firms took more risk in aggregate than they were able to
bear given their capital, liquidity, and risk management
capabilities, and some took risks that their manage­
ment and Boards did not properly understand or control.
Indeed, in its October 2009 report, Risk M anagem ent L e s­
son s from the G lobal Banking Crisis o f 2008, the Senior
Supervisors Group (SSG) highlighted major governance
challenges at the 20 largest banks in the most-affected
jurisdictions, in particular "the unwillingness or inability
of Boards of Directors and senior managers to articulate,
measure and adhere to a level of risk acceptable to the
firm ." The SSG concluded that "a key weakness in gov­
ernance stemmed from . . . a disparity between the risks
that their firms took and those that their Boards of Direc­
tors perceived the firms to be taking." Put simply, Boards
did not understand well enough, or properly control in
advance, the risks that their firms were taking. These con­
clusions are not disputed by the Industry.
2. Three years after the crisis, largely as a consequence of
these conclusions, there is now consensus between super­
visors and the Industry that a clearly articulated statement
of risk appetite and the use of a well-designed risk appe­
tite framework to underpin decision-making are essential
to the successful management of risk. Taken together,
such a statement and framework provide clear direction
for the enterprise and ensure alignment of expectations
among the Board, senior management, the risk manage­
ment function, supervisory bodies, and shareholders. In
combination with a strong risk culture, they provide the
cornerstone for building the effective enterprise-wide risk
management framework that is essential to the long-term
stability of a firm.
3. In 2008 the Institute of International Finance formed a
high-level Committee on Market Best Practices (CMBP) to
draw key lessons for the financial services industry from
the global financial crisis that was unfolding at that time.
The CM BP issued a report containing a number of key
principles and recommendations for the Industry, focusing
on areas such as governance, risk management, and trans­
parency. The core purpose of these recommendations was
to promote much more robust risk management and gov­
ernance frameworks in financial institutions.
4. Early in the discussion and analytical process that led to
the final CM BP report, IIF members identified risk appetite
as being of fundamental importance. The CM BP report
defined risk appetite as "a firm's view on how strategic risk
40 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
taking can help achieve business objectives while respect­
ing constraints to which the organization is subject." A key
finding of the CM BP was that putting in place a robust risk
appetite framework constitutes an essential component
of adequate risk management. The CM BP elaborated on
a number of aspects regarding risk appetite, including the
high-level governance aspects of defining and implement­
ing a risk appetite framework.
5. In 2009 the IIF, recognizing the need to actively promote
the implementation of the CM BP recommendations,
established a Steering Committee on Implementation
(SCI). This committee was charged with steering the EF's
efforts on further analysis of key risk management implica­
tions of the crisis as well as tracking EF members' efforts
in revising their practices and implementing Industry
practices recommendations. In December 2009 the SCI
issued its report, Reform in the Financial S e rvices Industry:
Stren gth en in g Practices fo r a M ore Stable System , which
assessed the progress made by the Industry in implement­
ing and embedding revised risk management and gover­
nance practices.
6. Among other issues, the 2009 SCI report focused once
again on risk appetite, further developing and discussing
the concept and a number of related issues. The report
also provided an augmented definition of risk appetite
as being "the amount and type of risk that a company is
able and willing to accept in pursuit of its business objec­
tives." The statement of risk appetite balances the needs
of all stakeholders by acting both as a governor of risk
and a driver of current and future business activity. It is
expressed in both quantifiable and qualitative terms and
covers all risks." In particular, the 2009 report set out an
analytical framework for risk appetite and outlined a num­
ber of key issues in regard to the practical implementation
of the concept by financial firms.
7. Risk appetite has also received a great deal of atten­
tion from the regulatory community. In particular, the
SSG— which has been the public sector group most
deeply involved in the analysis of the risk management
implications of the crisis— has focused extensively on risk
appetite issues and related supervisory implications. Spe­
cifically, the SSG's 2009 report, Risk M anagem ent Lesson s
from the G lobal Banking Crisis o f 2008, identified risk
appetite as a crucial element of robust risk management.
The SSG identified a number of deficiencies in the way the
Industry was approaching risk appetite issues, observing,
for example, that much more evidence was needed of
Board involvement in setting and monitoring adherence
to firms' risk appetite, and that the Industry needed to
 continue working to make risk appetite statements much
more robust to encompass a suitably wide range of mea­
sures and actionable elements.
8. In December 2010, the SSG issued another report, O b se r­
vations on D evelo p m en ts in Risk A p p e tite Fram ew orks
and IT Infrastructure, which elaborated on this subject. In
particular, the SSG highlighted the importance of Board
and senior management involvement in the articulation
and implementation of the risk appetite framework and
emphasized the need to embed revised practices within
firms so that such practices can be sufficiently resilient in
an increasingly competitive environment.
9. While there is clearly a substantial amount of ongoing
work by both the Industry and the regulatory community
in the area of risk appetite frameworks, it is widely recog­
nized that additional guidance would be helpful as firms
continue refining their practices and methodologies. The
reports by the 11F and the SSG, together with the substan­
tial experience gained by firms in the last several years,
constitute a fertile ground in which to continue developing
guidance as to how management and Boards should con­
front and resolve difficult, basic issues linked to the design
and implementation of a risk appetite framework.
10. As fi rms, in response to the crisis, continue to make
progress in improving their risk appetite processes, pri­
marily in pursuit of stronger risk management but also
to meet evolving supervisory expectations, additional
guidance should draw on lessons from firms' experience
and from the successful practices that are being devel­
oped globally by many in the Industry. This can, in turn,
form the basis for a constructive dialogue with the global
supervisory community.
11. In order to organize the in-depth analysis and discus­
sion of risk appetite issues, assess the Industry's state of
practice on the subject, and learn by leveraging the expe­
rience and expertise of a broad range of market partici­
pants, the IIF SCI established the Working Group on Risk
Appetite (W GRA). The W G RA and the present report have
the following key objectives:
• To assess and evaluate current Industry practices in the
area of risk appetite.
• To identify the key stages and the technical and cultural
challenges in the journey toward setting— and moni­
toring adherence to— appropriate boundaries for risk,
within a sound risk appetite framework.
• To bring Industry expertise and sound practices to
bear on examining how these challenges have been
addressed, including the analysis of real-life case studies.
Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
• To develop specific practical recommendations for
firms to address the challenges of implementing a
robust and meaningful risk appetite framework.
12. The W G RA has carried out an Industry survey, group dis­
cussions, interviews, and case studies involving a diverse
sample of participants globally. As detailed in Annex II,
respondents to the survey represented a cross-section of
geography and institutional size, all at various stages of
the implementation journey. The survey was sent to 79
firms; 73 responses were received from 40 firms. Although
the survey responses received were rich and comprehen­
sive, in order to get behind them to understand at a prac­
tical level how challenges were overcome to enable the
sharing of good practices, multiple thematic conference
calls, as well as bilateral in-depth discussions, were held
with Industry participants in several continents, covering
the key topics and challenges considered in Section 2. The
survey responses, conference calls, extensive bilateral dis­
cussions, and the four case studies supplied have provided
the background for our in-depth analysis of the current
challenges facing the Industry and a practical set of rec­
ommendations to move forward.
13. Annex I presents four highly detailed case studies which
were generously provided, upon request, by Common­
wealth Bank of Australia, National Australia Bank, Royal
Bank of Canada, and Scotiabank. These case studies are
intended to complement the evidence gathered through
the survey and the W G RA discussions and to provide valu­
able insights and "real-life" examples of the approaches
that large firms have taken to overcoming the challenges
involved in establishing a risk appetite framework (RAF).
The case studies represent an integral part of this report
and are recommended reading as they contain a wealth of
detailed information regarding the diversity of approaches
taken, the role of leadership and collaboration, the itera­
tive nature of RAF development and the influence of cul­
ture in the risk appetite process.
SECTION 1 - PRINCIPAL FINDINGS
FROM THE INVESTIGATION
14. Th is section outlines a number of key findings of our
work on risk appetite, the extent to which the Industry
is embracing it, and the principal impediments to imple­
mentation. It outlines a number of practical steps that
firms have taken to overcome the principal challenges and
which form the basis of emerging Industry sound practices
in this evolving area. In some instances the findings of
■ 41
 this report are not new. The survey highlights, reinforces,
or otherwise clarifies issues that the Industry continues
to struggle with and that at times have been commented
on elsewhere. The report does, however, aim to offer
19.
valuable insights on how many of these challenges are
being overcome.
15. It is clear from the responses to the survey and from the
discussions that followed that developing a risk appetite
framework is a journey on which the Industry finds itself
in the early stages. Although the cultural, organizational,
and technical challenges are formidable and the major­
ity of firms are not yet where they either need or want to
be, our investigation has shown that a number of leading
firms in the Industry are making good progress. Evidence
suggests that there has been more progress in designing,
implementing, and embedding risk appetite frameworks—
at least in participating firms—than has been generally
realized until now.
16. The aggregate risk profiles of large financial institutions
are complex, multidimensional, and, even where risk IT is
well developed, relatively opaque.1 Consequently, devel­
oping a risk appetite framework requires time and signifi­
cant intellectual and financial resources. Not surprisingly,
the degree of progress varies across participating banks,
and a substantial gap is likely to remain for some time
between leading-edge practices and what is "typical."
One very striking feature of the results of this investiga­
tion, however, is the widespread recognition of the intrin­
sic importance of risk appetite to good risk management
and the motivation to get this right.
17. Where progress has been made to date, it has been
driven principally by a recognition by the firms' leadership
of the need to strengthen risk management and gover­
nance arrangements. It has not typically been solely, or
even primarily, a response to specific regulatory or super­
visory requirements.
18. Not only are firms at different stages of development
of their RAFs, they are also adopting a wide range of
approaches, as can be clearly seen from the important
and detailed case studies supplied in Annex I. This reflects
differing business models, structures, and degrees of
complexity. Thus, an important finding of our work is
that one size does not fit all. While some convergence of
practices can be expected to emerge over time, diversity
of approach is inevitable and should not be discouraged.1
1 The identification of sound industry practices for risk IT is the subject
of a parallel IIF report: Risk IT and Operations: Strengthening Capabili­
ties, June 2011.
42 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Supervisors need to be alert to this and avoid insist­
ing on formulaic solutions that may not be aligned with
business needs.
Despite the different stages of development of firms'
RAFs and the multiplicity of approaches being taken, our
investigation has shown that there is some convergence
of thought and experience around the implementation,
design, and impact of an effective risk appetite fram e­
work. These areas of convergence include:
a. Successful implementation is highly dependent on
effective interactions among all key stakeholders,
including Board members, senior management, the
risk management function, and the operating busi­
nesses. In a large majority of firms, defining or setting
the risk appetite is initiated by senior management
and, after an effective challenge process, is approved
by the Board. In all cases the "tone from the top" was
essential to driving the process. It is clear that where
there is visible and continuous support of the risk
appetite concept from the Board and senior m anage­
ment, the developm ent and implementation of the
risk appetite fram ework was much more effective in
all respects.
b. The in-depth discussion around the survey results
indicates quite clearly that putting in place an effec­
tive risk appetite fram ework is inextricably linked
to the risk culture of a firm. To be fully effective, the
risk appetite fram ework, together with an apprecia­
tion of its benefits, needs to be disseminated through­
out the institution. Done properly, implementation
of a risk appetite fram ework can act as a powerful
reinforcement to a strong risk culture in providing
a coherent rationale and consistent fram ework for
understanding risk at all levels. It can never substitute
for proper system s, controls, and limits, but instead
supplem ents and motivates these and may even
increase compliance. Firms with strong risk cultures
that provide staff with guidance for their own behavior
and what to look for and challenge in others are much
more effective in the implementation process. This is
especially important when developing appetite state­
ments around those risks that are less quantifiable
(e.g ., operational risk, risks of legal or regulatory non-
com pliance, and reputational risk). It is also clear that
risks cannot be com pletely avoided, and aspirational
statem ents relating to "zero tolerance" of certain
types of risk are less useful than detailed guidance to
the businesses about how such risks should be viewed
and managed.
c. While implementing an RAF is challenging, those
firms that have made progress are clear that they see
tangible benefits resulting from their risk appetite
process. While these benefits are not always apparent
at the start, there is a high degree of consensus among
such firms that the RAF is allowing the Board and the
senior management to have a more informed discus­
sion of the risks in the business plan and strategy. Firms
reporting the most progress have also established
strong linkages between risk issues and strategy, plan­
ning, and finance— the last two of these being areas
in which risk was often not formally considered in the
past. These linkages have been put in place at both
the enterprise-wide and business unit (BU) levels. Such
processes may, at least initially, make the resource
planning cycle longer and more complicated, but this is
a price well worth paying in return for fostering a more
robust risk culture and a stronger awareness through­
out the organization. Firms at a more advanced stage
also highlight the benefits deriving from a stronger
integration of risk considerations into the strategic and
business plans and more effective risk/reward decision­
making across the organization. These benefits can be
clearly seen in the case studies attached in Annex I.
d. There is a high degree of commonality around the most
relevant inputs driving the shaping of a firm's risk
appetite. Most often used is capital capacity, followed
by budget targets, liquidity, and other market con­
straints and stress test results. Although not captured in
the survey data, several firms emphasized that a firm's
overall strategy and financial objectives should be con­
sidered as a key input.
e. Limits and controls have a central role in any well-run
organization, but an excessively narrow emphasis on
granular limits (or too many of them) can provide false
comfort to management and supervisors; lead to a
mechanical, "tick-box" (or compliance-type) approach;
and detract from or undermine this crucial dialogue. A
strong RAF is much more powerful than limits alone:
staff at all levels with any significant responsibility
should know what they need to do and why, rather
than merely follow instructions. The overwhelmingly
important conclusion from firms' experiences in this
area is that developing an RAF is not about putting in
place "tablets of stone" and creating and implement­
ing a structure of many hundreds of highly granular
limits. It is important that stakeholders, including super­
visors, should recognize this when assessing progress in
this area.
Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
f. The survey shows that a large majority of firms (70%)
are taking a comprehensive view of all risks across
the firm, not merely focusing on those risks that can be
easily measured, and are using a combination of quan­
titative and qualitative metrics in expressing risk appe­
tite. This reinforces the point that risk appetite does
not mean the creation of a complex, highly granular
set of limits. That said, at this stage in the journey the
most common transmission mechanism for communi­
cating Board-level risk appetite statements throughout
the enterprise is the translation into limits. This in part
reflects the quantifiable nature of some risks and pro­
vides for clear, recognizable boundaries.
g. Stress testing and stress metrics play a role in the
risk appetite framework of almost all respondents
(only one firm stated that they are not used). The use
of stress tests varies, with some banks putting them at
the center of the risk appetite setting process, whereas
others use stress tests primarily to "sense-check"
their appetite.
h. A large majority of those responding indicated that
risk appetite is monitored on an ongoing basis at the
group level and that a contingency plan or escalation
procedure is triggered when a risk appetite metric
is exceeded.
20. As noted above, the case studies in Annex I are an essen­
tial part of this report and clearly illustrate many of the
points listed above.
SECTION 2 - KEY OUTSTANDING
CHALLENGES IN IMPLEMENTING
RISK APPETITE FRAMEWORKS
21. Despite the visible progress being made by many in the
Industry in the implementation of effective risk appetite
frameworks, more needs to be done. The survey and
discussion reveal there is a degree of commonality in the
hurdles firms are facing and the need for proven practi­
cal solutions to these issues. Section 3 provides a number
of examples of emerging Industry sound practices in
addressing these. This section outlines the largest chal­
lenges that are proving most difficult to overcome. The
chart below shows the most relevant survey results in
this context.
22. The link with the wider risk culture is of central impor­
tance but is also problematic in some firms. Broad
discussion among firms reinforces the point that without
a strong risk culture success on the risk appetite journey
■ 43
 is extremely difficult, if not impossible, while it is easiest
to implement an effective RAF where there is already a
strong culture around risk. However, a number of respon­
dents cited culture and its link to risk appetite as being an
important and difficult issue. A strong culture implies that
staff understand what is required of them with respect to
risk and why, and where such a strong risk culture exists it
may be possible for firms to place less reliance on narrow
compliance with limits and processes. Nevertheless, even
the strongest culture needs to be supported with good
systems, controls, and limits. It is also necessary to estab­
lish a strong link between risk appetite and compensation.
At the simplest level this can be an assessment of whether
business results and key performance indicators (KPIs)
have been achieved by operating within limits and in
accordance with the behaviors and culture described and
embedded within the risk appetite. Where this is not the
case remuneration incentive awards should be moderated
or adjusted accordingly.
23. Effectively cascading the risk appetite framework
throughout the firm and embedding and integrating it
into the operational decision-making process is clearly
the largest challenge for almost all firms. While most firms
have risk policies and risk measures in the form of limits
that can easily be cascaded through the organization,
other guidance on risk tends to be more general and at a
higher level. The linkage between high-level risk appetite
principles and the risk policies and metrics guiding day-
to-day decision-making needs further development. As
0 5
Effectively cascading the risk appetite statement through the operational levels
1 10
of the organization and embedding it into operational decision making processes
How to best express risk appetite for different risk types,
some of which can be quantified in generally accepted ways,
and some of which cannot be easily quantified
Using the risk appetite framework as a dynamic tool for managing risk rather than
another way of setting limits or strengthening compliance
Using the risk appetite framework as a driver of strategy and business decisions
Achieving sufficient clarity around the concept of risk appetite and some of the
terminology used (e.g. difference between risk appetite and risk limits)
How to effectively relate risk appetite to risk culture
How to make best use of stress-testing in the risk appetite process
How to most effectively aggregate risks from different business units and/or
different risk types, for risk appetite purposes
44 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
noted, firms that have been most successful in creating
an RAF to date have recognized that it needs to pervade
the organization in the sense that risk concepts are fully
understood by staff at a range of levels and influence
behavior as a result of being internalized. The benefits of a
risk appetite framework are often much more apparent to
Board members and senior management than they are to
mid-level staff. This raises questions of how best to train
and educate staff to enable them to perceive the benefits
of the new approach and also touches upon the desired
responsibilities of management in such training and the
way in which the new approaches can or should be sup­
plemented with formal controls and limits.
24. The best way of expressing risk appetite in a way that
covers all relevant risks is also proving a challenge for
firms. This is particularly true in respect to risks that are
less quantifiable and require a more qualitative approach.
Once the process moves beyond traditional credit
and market risks— where historical data is abundantly
available—to focus on reputational, strategic, and opera­
tional risks, significant challenges remain. However, it is
widely recognized that an RAF cannot be confined to risks
that can be easily measured. To be meaningful, risk appe­
tite needs to take a comprehensive view across a firm,
and risk appetite statements need to capture and include
those risks that cannot be easily quantified. The identifi­
cation and effective mitigation of such risks is a difficult
challenge that is not, of course, confined to risk appetite.
While some firms are comfortable tracking these risks with
1f 6
■ 1
■ 2
■3
 qualitative indicators, most are making significant efforts
to quantify such risks, through, for example, proxy mea­
sures and use a combination of qualitative and detailed
quantitative elements in their risk appetite statements.
25. Some respondents are finding it difficult to shift the
perception that risk appetite is primarily about set­
ting limits. While limits and risk policies are important
components of an effective risk appetite framework, the
more dynamic nature of risk appetite and its role in man­
aging risk, driving strategy, and optimizing return on a
much broader basis needs to be ingrained throughout
the organization. Ensuring that the RAF is positioned and
perceived internally as a dynamic tool for shaping the risk
profile of the institution, rather than as merely a dressed-
up, "grander" process for setting limits and additional
business constraints is also an important challenge. In real­
ity, it is necessary to strike the right balance between a
framework on the one hand which is so rigid, constraining
and inflexible over time as to be unable to sensibly and
prudently accommodate the evolution of the businesses
and group strategy in a timely fashion, having due regard
to the risk implications, and one on the other hand which
is excessively flexible and too easily substantially changed
from one period to the next (perhaps in response to any
number of proposed growth initiatives), and consequently
imposes insufficient discipline on the businesses, lacks
continuity, and is difficult for all employees to understand
and embrace. Striking this balance correctly requires care­
ful judgment by Boards and senior management.
26. Many firms have difficulty forging the necessary links
between risk appetite and the strategic and busi­
ness planning processes, though leading firms have
done this successfully. It is relatively straightforward to
establish an RAF in the sense of the Board setting out
a statement of risk preferences that the business then
seeks to translate into a range of limits. There is a growing
recognition, however, that this is a very narrow concept
of risk appetite and that the establishment of actionable
guidance at the business unit level is crucial. The tradi­
tional approach of making high-level statements and then
seeking to turn these into a plethora of granular and not
well-understood limits has been shown to have serious
limitations, as it tends to result in risk appetite being seen
within the businesses as a remote and sometimes irrele­
vant part of the risk management apparatus. As explained
further below, risk appetite needs to be an integral part of
a business. Its effects need to be pervasive throughout the
organization, and there needs to be a clear link between
the RAF and business decisions.
Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
27. Stress testing, and how it should be effectively incor­
porated into the risk appetite framework, remains an
area of uncertainty and evolving practice in the Industry.
While it is widely accepted as being a component of an
effective risk appetite framework, there is less consensus
about exactly how stress testing should be incorporated
into a framework. The use of stress tests varies widely,
with some banks putting them at the center of the risk
appetite— setting process, even as others use stress tests
primarily to sense-check their appetite. As a general obser­
vation, the firms that were most affected by the financial
crisis appear to be more advanced in this area, but further
guidance is required for the majority. While an important
focus of an RAF will be the level of risk with which the Board
and senior management are comfortable during "business
as usual" conditions, it is equally important to understand
and consider the implications of extreme but plausible sce­
narios on the risk profile. The technical and methodological
challenges of stress and scenario testing are well known. In
the RAF context, Boards, senior management, and business
units need to ask how the results of stress tests should be
interpreted and what they mean for risk profiles and prefer­
ences. One particularly important question in this context is
the extent to which Board members and risk professionals
are equipped a) to make sense of scenarios that have poten­
tially very substantial impacts but low probability and b) to
push back against the pressures from the business that are
curtailing apparently profitable lines of business.
28. A related issue is how to achieve an appropriate aggre­
gation at the group level of the levels of risks for the
different individual businesses and how to establish rela­
tionships between these. Individual business units need to
have a consistent framework for setting their own toler­
ances for risk, and these need to be consistent with the
overall enterprise-wide risk appetite, both individually and
in aggregate. Although progress has been made in this
area by a number of firms, no single approach is dominant
today. There is currently no uniform process for translating
high-level risk appetite indicators into more specific mea­
sures, such as risk limits and tolerances, and further work
is needed in the area of risk aggregation.
SECTION 3 - EMERGING SOUND
PRACTICES IN OVERCOMING THE
CHALLENGES
29. The objective of this section is to draw on the survey and
the case studies, as well as discussions with firms to iden­
tify ways in which the principal challenges identified in the
■ 45
 previous section might be overcome. The point needs to be
made at the outset that the Industry is still some distance
from an identifiable body of sound practices in most of
these areas. What follows, however, is intended to form the
basis of emerging good practices.
3.1 Risk Appetite and Risk Culture
A crucial challenge is building a strong link and an effective
interaction between culture and the RAF. Risk culture can
be defined as the norm s and traditions o f behavior o f indi­
viduals and o f g ro u p s within an organization that d e te r­
mine the way in which they identify, understand, discuss,
and act on the risks the organization confronts and the
risks it takes.2 It is widely recognized that a strong (or
weak) risk culture manifestly and directly impacts the risk
appetite process.
Firms that had made the most progress in establishing a
risk appetite framework report that there is a close and
indissoluble link between risk appetite and culture.
Risk appetite is about the organization being clear, and
making clear to others its desired level of risk. This in turn
informs the planning and risk taking decisions of the busi­
ness units. Decision-makers, while continuing to be bound
by policies and limits, have a clearer understanding of why
the policies and limits are as they are. And to the extent
that they have the discretion and scope to exercise judg­
ment, the risk appetite will provide them with a lodestone
that helps to inform them in doing so.
32. Some firms have found that internal "values" statements
can be of some use in reinforcing culture. If these are seen
as self-serving and isolated examples of "management-
speak," such statements are likely to be counterpro­
ductive; however, if they are part of a consistent set of
messages and behaviors that provide staff members with
a guide to their own behavior, they can be the basis on
which staff can feel able to constructively challenge behav­
iors or decisions of others, and they can be of real benefit.
33. The link with culture is therefore potentially self-reinforcing:
firms with a strong risk culture find it relatively more straight­
forward than others to implement a risk appetite framework.
At the same time, an effective risk appetite framework can
consolidate and reinforce an effective risk culture with indi­
viduals and business heads feeling reinforced about doing
the right thing. National traditions play a part in this. Some
2 Appendix III of the December 2009 11F report, "Reform in the Financial
Services Industry: Strengthening Practices for a More Stable System,"
provides a background discussion around the concept, importance, and
key impacts of risk culture.
46 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
This self-reinforcing link is exp la in ed by one firm in the fol­
lowing way: " The adoption o f a Risk A p p e tite Fram ew ork
d id not en co u n ter m ajor resistance from the organization.
This is likely due to (a) the Bank's existin g stron g risk man­
a g em en t culture and (b) the fact that the sp e cific m etrics
in the 'm easures' co m p o n e n t o f the Risk A p p e tite Fram e­
w ork w ere key existing m etrics that already had buy-in
across the organization. In many re sp e cts, the adoption
o f a form al Risk A p p e tite Fram ew ork co d ifie d existing risk
culture, principles, o b je ctive s, and m ea su res."
A n o th e r firm highlighted that "the risk a p p e tite fram ew ork
plays a crucial role in establishing the d e sire d risk culture
across the organization. The discussions o f risk a p p etite
across the G roup as well as the sp e cific con ten t o f the
B oard-ow ned Risk A p p e tite Sta tem en t have p ro m o te d a
stron g risk culture, which is key to su ccess. Business Units
understan d what is o u tsid e a p p e tite and th erefo re do n ot
pursue th ese opportu n ities. The Risk A p p e tite Sta tem en t
contains a key sectio n outlining the principles o f the risk
culture that the G roup se e k s to a c h ie v e ."
firms from financial centers where there is traditionally a less
direct link between profit/return and remuneration report
that risk appetite may be an easier "sell" to staff and busi­
ness heads.
34. G iven these close links, the practical steps for getting the
culture of risk appetite right are similar to those for get­
ting overall risk culture right. Overall, firms report that
they know when they are making progress when refer­
ences to risk and risk appetite become a normal part of
day-to-day discourse about the business.
Overall Lessons:
• There needs to be a demonstrable commitment to
explaining— through training and day-to-day experience—
the importance the institution attaches to risk appetite.
This needs to have the consistent support of the highest
level of management.
• Many staff for whom the benefits of an effective RAF are
not immediately apparent are unlikely to undergo an instant
conversion. Even after training and assimilation are in place,
it is necessary to operate rigorous controls and limits.
• It is important to develop measurable indicators of
compliance with risk management norms that can form
a robust basis for promotion and remuneration. This
should include not only compliance with hard limits but
also with clearly stated behavioral expectations. Com pli­
ance with these more qualitative criteria can be more
difficult to assess objectively but is critical in establish­
ing the desired risk culture and is integral to making
risk appetite effective. Rigorous application of such
 guidelines is consistent with cultivating a strong risk cul­
ture, provided it is consistent and relatively transparent.
• Clear communication of risk appetite parameters and
preferences is a prerequisite for developing the appro­
priate culture. Individuals need to feel incentivized to
comply with these and confident in doing so. There can
be no hidden agendas or revealed preferences on the
part of management.
• Consistency of messages and consistency of senior
behaviors with these messages, rewards and sanctions
that are demonstrably consistent with the messages, and
the absence of barriers to bad news travelling upward
are essential components of a strong culture.
• There is value in measures such as the creation of a
meaningful and non-public statement of values codify­
ing this. But culture is determined ultimately by what the
leadership does rather than by what it says.
3.2 "Driving Down" the Risk Appetite into
the Businesses
35. Effective internal communication that makes risk appetite
directly relevant to employees in the business units is seen
as a major challenge by all participating banks. A variety of
approaches have been taken, but no clear consensus has yet
emerged about how to do this most effectively. This remains
very much work in progress, even for the leading banks.
A cornerstone in the architecture of an R A F and a key ste p in
its internal communication is the articulation of a risk appetite
statement. Som e firm -specific exam ples are p ro vid ed below : •
• One firm explains that its risk a p p etite sta tem en t is cur­
rently a mix o f quantitative lim its/m etrics and qualitative
g u id elin es:
i) Lim its and m etrics con sisten tly m on itored include: R O E :
Stress te sts: RW A limits; Capital m arket m easures (e.g.
VaR, trading limits): Liquidity ratios: Single-N am e C o n ­
centration: Industry con cen tration ; and C ountry e n v e ­
lo p es. These lim its/m etrics co rre sp o n d to the Target
Rating s e t for the Bank.
ii) Q ualitative g uidelin es mainly stem from a co m p re­
hensive s e t o f Risk forum s at the E xe cu tive M an age­
m ent level (e .g ., Portfolio d ecisio n s: Risk C om m ittee,
Stra teg ic Risk Forum s on C ountries, Industry/Product/
S e cto rs, as well as on Capital M arket activities. Key
Individual d ecisio n s: Risk co m m ittees on one sp e cific
transaction/counterparty; Excep tio n a l Transaction and
N ew A ctivity Validation C om m ittees. Them atic trans­
versal p o licies: C red it policies).
Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
36. Two points, however, emerged very clearly in this regard:
• An effective risk appetite framework should be perva­
sive throughout the organization in that all staff with
any significant decision-making authority should under­
stand the institution's stance toward risk and what it
means for them.
• Yet the benefits of an effective risk appetite framework,
while very real, are often not apparent to more junior
staff and, indeed, there may be some initial resistance
or skepticism among these groups.
37. For this reason, communication and training are essential
starting points. The C EO needs to be personally involved
in promulgating the message about the risk appetite
framework and what it means. There needs to be com­
plete agreement within the Board and management on a
meaningful and comprehensive definition of risk appetite,
and the concepts need to be communicated in a straight­
forward way without jargon. There also needs to be clarity
in communications about where risk appetite fits alongside
risk capacity or tolerance, that is, how much risk it is techni­
cally possible to take, and the current level of risk being
taken. Finally, there needs to be clarity regarding the own­
ership of risk. The risk function should own the overall risk
framework and the interface with the Board on risk appe­
tite. However, responsibility for risk within the business
units and for achieving consistency with the enterprise­
wide risk stance rests squarely with business unit heads.
• A n o th e r firm has a rather d e ta ile d sta tem en t coverin g
the follow ing qualitative and quantitative elem en ts: 1. To
g en e ra te sustainable eco n o m ic p ro fit com m ensurate
with the risks taken; capital liquidity & im pairm ents &
e x p e c te d loss; 2. To b e well capitalised on a regulatory
basis and maintain a long-term d e b t rating o f X ; 3. To
maintain a stron g Tier 1 ratio co m p rise d o f a large core
Tier 1 p ro p o rtio n ; 4. To maintain a w ell-diversified funding
stru ctu re; 5. To k e e p o ff the balance sh e e t vehicles non­
m aterial in size relative to the size o f the balance sh e e t;
6. Risk m anagem ent to ensure im pairm ents and losses
are m anaged within the g ro u p 's to lera n ce; 7. To m anage
all risk ca te g o rie s within its a p p e tite ; 8. To harness b e n ­
efits from business diversification to g en e ra te nonvolatile
and sustainable earnings; 9. To co m p e te in b u sin esses
with international cu sto m ers w here m arket con n ectivity
is critical, b u sin esses with local cu sto m ers w here w e have
local scale and p ro d u cts w here global scale is critical to
e ffe ctiv e n e ss; 10. To use ro b u st and appropriate scen ario
stress testin g to a ssess the p o ten tia l im pact o f the chosen
scenario on the G roup's capital a d eq u a cy and stra teg ic
plans.
■ 47
38. Limits are a necessary part of driving risk appetite into
the businesses. Effective limits are an essential part of
any risk framework, whether or not the firm embraces a
full RAF. Financial institutions have operated with limits
(e.g., for lending or market transactions) for many years,
without necessarily effectively controlling aggregate risks
within acceptable levels. The establishment of an effective
framework goes far beyond the simple setting of limits,
however. There is a strong consensus that it is very impor­
tant for staff who are subject to limits to understand both
the context and rationale for these and their implications
for revenue, customer service/satisfaction, and aggregate
risks. The objective is to foster an effective, ongoing dia­
logue about the boundaries of acceptable risks and the
implications of these boundaries, including for the optimal
allocation of scarce resources within the firm.
39. In this context, a strong culture of responsibility for, and
open dialogue about, risks in the businesses is seen as fun­
damentally important in effectively embedding risk appetite
in the business lines. Business unit leaders have a strong
leadership role to play in this. Firms that have made the
most progress in implementing risk appetite have put in
place processes designed to ensure the broad congruence
of business and risk decisions and the overall enterprise­
wide risk appetite. In these firms, business heads are
required to have visible ownership of risk in their areas
and to incorporate risk explicitly in their business planning.
Processes then need to be put into place to check the con­
sistency of these— both individually and in aggregate— with
In som e banks the business unit leaders are req u ired to have
prim ary' accountability fo r preparin g and interpreting their
own risk a p p e tite sta tem en ts to ensure that they are both
p ro p e rly aligned with the g rou p risk a p p etite statem en ts
and also w ell-d esig n ed and effective in com m unicating to
the sta ff in their own bu sin esses. Fo r instance, in one firm
the "line o f Business (LO B) m anagem ent is resp o n sib le for
execu tin g the stra teg ic and financial operatin g plans o f the
business, optim izing the risk and rew ard o f the business
within limits esta b lish ed by execu tive m anagem ent, and
ensuring internal controls are appropriate. A dditionally, each
LO B d e v e lo p s a Line o f Business Risk A p p e tite which further
drives the en terp rise Risk A p p e tite into the individual Lines
o f Business. Every em p lo yee understands that it is his or her
respon sibility to im plem ent and adhere to the Risk A p p e tite
while m aking daily business d e c isio n s."
In addition, other banks seem to rely on an appropriate inter­
action am ong risk culture, awareness, and policies and p ro ce ­
dures. A s explained by one bank participating in our survey:
"The link is b a sed on an awareness o f the qualitative aspects,
o f e x p e c te d norm s and behaviors and how decisions im pact
48 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
the overall risk appetite. Business unit heads are responsible
for formulating these local plans. They also have a respon­
sibility to explain the importance of risk appetite concepts
and boundaries within their business units. Illustrating the
links between specific business initiatives and day-to-day
transactions and the broader risk appetite helps to make
these processes come alive for staff within the businesses.
Some firms have also found value in a "thematic" approach
to risk, placing a specific focus on aspects of risk— such as
reputation risk— for a specific period.
40. Similarly, staff on risk committees or those who are involved
in the approval of transactions can link risk appetite con­
cepts to individual policies and transaction approvals,
thereby raising awareness and understanding of the bound­
aries and importance of risk appetite facilitating dialogue
within the businesses about these boundaries and limits.
41. When this dialogue within and across business units and
with risk and senior management works well, it facilitates
both intelligent challenges to the risk appetite boundaries
and their evolution over time. In this way, the risk appetite
framework is made dynamic and is able to sensibly accom­
modate new business opportunities and changes to the risk/
reward relationships between different parts of the business.
42. The Iink between risk appetite as expressed by the Board
and the behavior of mid-level staff empowered to make
local decision is also facilitated by the integration of the
RAF into the business planning, as further explained in
section 3.5.
the operational groups/enterprise risk appetite. This awareness
is created through learning program s ta rg eted at mid-level
m anagem ent. M id-level m anagem ent in front-line opera­
tions is g u id e d in part by the sim plified statem ents created
by the enterprise. Both qualitative and quantitative aspects
are reflected through policies and pro cedu res that govern
the activities o f m id-level staff. These policies and procedu res
provide m ore detail to the high-level statem ents o f the risk
appetite, including business practices for exam ple, reputa­
tional risk, regulatory and legal requirem ents), risk transparency
requirem ents for exam ple, new products and initiatives) as well
as detailed limit fram eworks (market risk, liquidity and funding,
credit risk) that are se t at various levels o f the organization."
A fe w banks highlight a link with business planning: "The
integration o f the risk a p p e tite sta tem en t produ ction into the
fram ew ork o f the business planning p ro ce ss g ives a linkage
o f the Board's risk a p p etite to the decision s and stra teg ies
m ade by business at that tim e. This is also e x p re sse d via the
Board's capital plan, w here return requirem ents, capitaliza­
tion targets, and capital allocation resolutions com bine with
business volum e ta rg e ts."
Overall Lessons:
• Communication and education on the benefits of a risk
appetite framework are essential. Members of senior
management need to be visibly and consistently associ­
ated with these.
• Limit setting is a key part of risk management, whether
or not it is part of a wider risk appetite framework. Busi­
ness unit and risk management heads should use the risk
appetite framework as the context for explaining and
promulgating limits and risk policies.
• Business unit heads must own local business plans, which
in turn must pay proper regard to risk. This, including the
link to the wider risk appetite, should be clearly and con­
sistently communicated to staff.
• Continuous and open dialogue about risks is seen as
fundamentally important in effectively embedding risk
appetite in the business lines. Business unit leaders have a
strong leadership role to play in this. When this dialogue
about risks—within and across business units and with
risk and senior management— works well, it facilitates
both intelligent challenges to the risk appetite boundaries
and their evolution over time. In this way, the risk appe­
tite framework is made dynamic and is able to sensibly
accommodate new business opportunities over time.
3.3 Capturing Different Risk Types
43. Incorporating different risk types into the risk appetite
framework and, more specifically, capturing risks that can­
not easily be quantified, is a challenging task. There is wide
agreement that the RAF should capture and include all
material risks, including those that are not easily quanti­
fied, such as operational and reputational risks. However,
although 70 percent of the participating firms stated that
their RAF covers all risks, no real consensus was seen
One institution n o te d that, w h erever p o ssib le , estim ates are
m ade o f the poten tia l im pact o f crystallized risks on future
earnings capacity. Exam ples o f this w ould b e the e ffe ct o f
regulatory changes or sanctions on the revenue from individ­
ual busin ess lines. A n e ffo rt is then m ade to com pare th ese
im pacts with th o se o f o th er risks. H ow ever, "this is re c o g ­
nized as bein g very su b je c tiv e " and o f very lim ited value with
re sp e c t to non-linear tail risks such as litigation or serious
reputational dam age.
A n o th e r bank d o e s not g o as far in seekin g to quantify
risks b u t d o e s try to estim ate the poten tial im pact o f risks
on future earnings capacity for each risk with the o b je c t o f
Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
among the participants about how the risks that cannot be
easily quantified (if at all) should be captured in the RAF.
44. Some firms report that an effective first stage in the iden­
tification of risk appetite has been a free-ranging and
sometimes quite qualitative discussion of risk with the
Board. It is reported that this can be helpful in avoiding
becoming bogged down either in issues of definition or
quantification. The Board's preferences are then subse­
quently turned into a quantified framework.
45. In some banks there is a clear link between elements of
the RAF and operational risk management. To the extent
that operational risk management seeks to identify, quan­
tify, and control less intrinsically quantifiable aspects of
risk, the methodologies developed can be a useful input
to a broader RAF framework. Some firms indicated that
a range of indicators is reported to the Board as part of
regular reporting on compliance with the risk appetite
framework. Many banks involved in the study were seek­
ing proxies to help them to understand the manner in
which risks (both internal and external) are evolving, at
least directionally. In this context, defining risk appetite
was described as "an art around the science." There was
agreement that around any set of similar metrics one
needs to overlay a good measure of interpretation.
46. However, some clear examples were given that resulted
in a significant change to the risk appetite for certain busi­
nesses. One high-profile example of this is material changes
to the regulatory landscape (e.g., Lehman minibonds in
Hong Kong). These kinds of changes in the regulatory (and
political) environment fundamentally change the level of risk
associated with certain businesses and, subsequently, the
risk/reward of the business proposition significantly.
47. Committee structures, if thoughtfully designed, can provide
an opportunity to draw on experienced judgment and over­
sight in areas in which quantification is inherently weak.
arriving at an overall indication o f how large or small that risk
is in com parison with o th er risks. This is m ore a question o f
m agnitude rather than precision, as the o b jective is to ensure
that it carries enough w eigh t versus o th er risks.
O ne firm undertakes a regular assessm ent o f the p ercep tio n s
o f various stakeh olders (clients, shareholders, em ployees,
and regulators) noting a) that th ese legitim ately differ and b)
that the o b jective should be "no su rp rise s." This approach is
rein forced through the creation o f a sen io r Reputation Risk
C om m ittee co m p rised o f sen io r m anagem ent (C FO , CRO ,
and heads o f Legal and Com pliance). This com m ittee review s
highly co m p lex or structured transactions that may create
(C ontinued)
■ 49
 particularly high levels o f reputation risk. The basic p u rp o se
is to determ ine w hether this is the type o f business the firm
should b e doing. A n o th e r firm uses com m ittee structures to
assess the b ro a der risk im plications o f new p ro d u ct approvals.
A n o th e r firm captures a num ber o f m etrics o f varying im por­
tance. F o r exam ple:
• Com m unications to the central bank/regulator regarding
m oney laundering b rea ch es;
48. The point was also made by many firms that, notwithstand­
ing a professed "zero tolerance" for some categories of
risk (such as reputation risk and the risks of legal or regula­
tory non-compliance) there are, in reality, always tradeoffs,
and zero levels of these risks are not achievable in practice.
The key thing is to recognize these risks and manage them
intelligently.
Overall Lessons:
• To be effective, the risk appetite framework needs to
incorporate all material forms of risk, including those that
are not readily quantifiable. Zero tolerance is not a very
meaningful or practical concept— all risks need to be
actively managed.
• Firms should make a maximum effort to quantify such
risks, making use of such innovative approaches as esti­
mates of earnings foregone.
• Maximum use should also be made of proxies and other
metrics, even where these do not permit the direct quan­
tification of losses. Quantification and the development
of proxies need to draw on operational risk frameworks.
• Committee structures to address reputational or legal
risks directly, and the risk implications of new products
can, if well operated, bring experienced oversight to
bear effectively.
3.4 The Benefits of Risk Appetite as a
Dynamic Tool
49. The following two challenges are somewhat linked and
need to be addressed as important steps in building an
RAF: positioning and communicating the RAF internally as
a dynamic tool for shaping the risk profile of the institu­
tion, rather than as merely a dressed-up, more elaborate
process for setting limits or a source of additional business
constraints, and communicating its benefits.
50 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
• Penalties from su pervisors, inclusive o f the results o f inves­
tigations and rem edial actions im p o sed , even w here there
is no fine;
• N ew p ro d u ct activity and de-listing o f p ro d u cts (gives a
real flavor o f the use te st and how this is affecting "real
life ");
• Trading with su sp e c te d insider traders; and
• Com plaints from custom ers.
50. Our investigation has shown that successfully position­
ing the RAF internally as a dynamic tool for shaping the
risk profile of an institution depends critically on how
it is em bedded in the businesses and on the quality of
the ongoing, day-to-day dialogue about risk within and
across business units and with risk management staff and
senior management. As discussed in section 3.2, when
this dialogue works well, it facilitates both intelligent
challenges to risk appetite boundaries and their evolu­
tion over time. In such circumstances, the risk appetite
fram ework is seen and understood to be dynamic by all
participants.
51. Risk appetite frameworks and processes of the kind
discussed in this report are relatively new in many orga­
nizations, and take time to institutionalize. Participating
banks agree that the benefits are not immediately appar­
ent at the outset; in some banks, there is (or was) active
resistance from some business units that needed to be
overcome.
52. It is obvious that leadership from the top is important, in
terms of stating the reason for creating the risk appetite
framework and associated processes and explaining the
benefits to be gained from doing this. Nevertheless, from
the experience of some banks it may be necessary to start
with an element of compulsion. Participants reported that
they needed to push quite hard initially to get the busi­
nesses to think about risk appetite, although after "learn­
ing by doing" for a while, many reported that they have
seen the benefits.
53. In general, senior executives appreciate the benefits of
risk appetite more readily than those lower down in the
business. The active dialogue linked to specific transac­
tions within the business line was described earlier, and it
is key to educating front-line staff about risk appetite and
the benefits that awareness and understanding of it bring
to the business and the group.

O ne participating bank ran a series o f w orkshops fo r line
sta ff in se le c te d business units, titled "H o w risk a p p etite
affects y o u ." Th ese p ro v e d useful in raising aw areness o f
the key risk a p p etite co n ce p ts and re ce iv e d p o sitive fe e d ­
back from participating staff, who generally saw why this
was im portant from an organizational p e rsp e ctiv e .
Similarly, another bank holds risk a p p e tite w orkshops with
each o f its m ajor b u sin esses to identify con cern s such as
im plem entation and/or resou rce issues. Th ese w orkshops
aim not only at "driving d o w n " the R A F into the busi­
n esses b u t also at enabling the b u sin esses to understand
the full b en efits available from a co m p lete risk a p p etite
fram ew ork, such as an assessm en t o f limits and financial
volatility, that is, the volatility o f a business's plan, w here
to focu s resou rces and capital, alignm ent to o th er p ro ­
ce sse s through stress testin g, and gauging the poten tial o f
the busin ess g o in g forw ard.
54. In general, participants agreed that there is a balance to
be found between coercion ("this is the policy/limit, keep
to it") and understanding ("here is the broader risk con­
text and rationale to help guide what you do").
55. As noted previously, business unit leaders must have the
principal responsibility for bringing risk appetite into their
business units and incorporating it into the regular fab­
ric of their businesses. Similarly, they have the principal
responsibility for articulating the benefits of risk appetite
in their businesses— and so they need to be convinced of
the benefits themselves. Some participants reported that
initial resistance in particular business units can be effec­
tively overcome in many instances by the C E O , CRO , and
other senior leaders actively explaining and reinforcing the
need for business unit staff to embrace risk appetite and
have it become part of the fabric of the organization.
56. It is important to note that if specific business units can't
get the needed quantitative information to see how they
are tracking against key risk appetite metrics, then risk
appetite concepts have less traction and less "bite" in
those business units; in these circumstances the benefits
of the framework and processes are less clear to front-line
staff. For this reason, firms should be acutely aware of the
measurement limitations at each stage of their risk appe­
tite framework evolution.
57. In making the benefits more visible in the businesses, it
is important to emphasize the return dimension of risk
appetite and the opportunity for risk/reward optimization
and to position risk appetite as a foundation for active
dialogue within and about the business, as previously
Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
described. The key is to be "real" with the business— it is
important to make the risk appetite measures and metrics
clear and real in the individual business units to facilitate
effective challenge and discussion. If this is achieved,
it is the experience of the leading participants that the
benefits will become progressively clearer to all stakehold­
ers as time passes; this is also strongly reflected in the
case studies.
Overall Lessons:
• Leadership from the top is crucial, in terms of stating the
reason for creating the RAF and explaining its benefits.
Nevertheless, it may be necessary to start with an ele­
ment of compulsion.
• The active dialogue within and across business units and
with risk management staff and senior management is
essential to communicate the benefits that the implemen­
tation of an RAF brings to the firm. Such dialogue should
also be linked to specific transactions within the business
line in order to effectively involve front-line staff.
• Education is a key element in raising awareness about
the full benefits originating from a complete risk appe­
tite framework.
• Business unit leaders must have the principal responsibil­
ity not only for bringing and incorporating risk appetite
into their business but also for articulating the benefits of
risk appetite in their businesses.
3.5 The Link with the Strategy and
Business Planning Process
58. The establishment of an effective link between the risk
appetite framework and the strategy and business plan­
ning processes is fundamental.
59. A key finding of this study is that such a link has been
effectively established at a number of leading institu­
tions in recent years. This has been achieved in several
different ways, as the National Australia Bank (NAB) and
Commonwealth Bank of Australia (CBA) case studies
illustrate. There is strong agreement, however, that the
relationship needs to be iterative and based on extensive
internal dialogue.
60. The fi rms that have made the most progress in this typi­
cally followed a process that involved some variation of
the following:
• The Board set key, top-level principles and risk param­
eters for the overall risk appetite at the group level.
■ 51
 • This may take the form of a fully articulated risk appe­
tite statement or, sometimes, an initial, high-level sig­
naling of key risk parameters to business divisions.
• Use of these guidelines by the business units in draft­
ing their own, divisional business and budget plans. In
some cases this involves the creation of local risk appe­
tite statements. In others it involves the articulation of
a risk "posture" that indicates whether risk is expected
to increase, decrease, or remain constant in the busi­
ness unit.
• Ensuring that, whatever the form of the local plan, it
embeds and is fully consistent with the high-level risk
appetite statement or principles.
• Individual and aggregated assessment at the group
level of proposed business and budget plans and com­
parison with the group risk appetite.
• Revision and amendment as appropriate of divisional
level plans and budgets— or, in some cases, group risk
appetite.
61. In some cases the formal planning process, rather than
being wholly "top down," incorporates a significant
amount of "bottom up" planning at an early stage,
starting at the divisional level. But in either case,
iteration— starting with a concept of risk appetite — ►
business planning — ►aggregation — ►checking back with
the risk appetite framework and adjusting as necessary—
was observed to be the key and an important method to
creating essential alignment between the divisional and
business unit plans and the group risk appetite statement.
This process also builds common awareness of the inter­
action and tradeoffs between key risk appetite constraints
and revenue opportunities. Some firms have found the
use of standardized formats for setting out strategic plans
incorporating mandatory sections on risk profile and risk
appetite to be useful mechanisms for ensuring that these
issues have the appropriate prominence in the planning
process.
62. In general, the process begins with high-level signaling of
risk or key risk parameters. For instance, NAB, as further
explained in the case study in Annex I, starts its process
by discussing and agreeing the high-level risk posture
of each major business and the group. Another institu­
tion noted that prior to the strategy planning risk man­
agement and/or finance provide indications of current
sensitivities (e.g., leverage, liquidity, capital objectives
or constraints, etc.), so that the initial business planning
process is done on a more informed basis. There is no
uniform approach for translating high-level risk appetite
decisions into workable parameters for business units.
52 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
In some cases an initial effort is made at translating the
high-level statem ent into metrics such as RoE, RWA, and/
or net funding needs, which are then fed into the busi­
nesses. In general, however, it is recognized that the
process needs to involve a combination of breaking down
the high-level aspirations into measurable dimensions
and business units formulating their bottom-up plans in
a consistent form, allowing the appropriate consistency
checks to take place.
63. The fi nal stage in the iterative process may involve chang­
ing either aspects of the business plans or of the overall
risk appetite— but if the latter, this is done on a properly
informed basis in order to create the needed alignment
between the two that has often been missing in many
institutions in the past. The fact that such decisions are
made on a properly measured and informed basis, and
within a formal and robust governance framework, is the
key to ensuring that the risk appetite framework strikes
the right balance between being unduly rigid— and there­
fore unable to effectively and prudently accommodate
business and strategy evolution— and excessively flexible,
in which case it would fail to create the necessary disci­
pline on the business.
One bank p ro v id e d an exam ple of when the explicit con ­
sideration o f risk a p p etite in the planning p ro ce ss led to
an increase in a business line/asset class rather than the
im position o f a reduction. The group had a g re e d to a firm­
w ide risk a p p etite for a certain a sset class, and one busi­
ness unit w anted to increase exp osu re. This led to a risk vs.
return discussion, which led to a shift within the asset class
o f increased allocation to the requesting business unit, but
w ithout an increase in firm -wide risk a p p etite for that asset
class. It was re p o rte d that "n o t everyone liked the answer,
but they a p p reciated the o p en n ess o f the d iscu ssio n ."
64. The value of a stronger link between risk appetite and
business-level planning was summed up by C BA , "Build­
ing of the consideration of risk appetite into the group's
strategic planning process has been a significant step
forward and has given both management and Board trans­
parency either to amend the strategy to align with the
existing appetite or the appetite to allow for the proposed
strategy over decisions."
65. The following have been key factors in building and rein­
forcing the necessary links with the business units:
• The creation of a strong partnership between the
group risk management, strategy, and finance func­
tions, notwithstanding some initial resistance to this
in a few institutions, because of some concerns about
 potentially complicating the planning/budget process.
There was general recognition and acceptance that
formally including the risk management function in the
planning process may make the process longer and
more complicated, but this was seen by those banks
that have taken this step as well worth it for the result­
ing alignment of risk appetite and plans. As the plan­
ning process is repeated, participants learn by doing
and a new process with new expectations becomes
established that becomes more efficient over time.
However, as observed by NAB in its case study, the
language of risk used by risk management staff can
often be opaque and not closely associated with the
language used by those staff who develop strategy
and business plans. Therefore, it is important for risk
management staff to find ways to communicate and
engage effectively in the planning process.
• Use of the concept of "risk posture"— a qualitative
expression of whether the business unit intends to take
more, less, or approximately the same amount of risk
over the next planning period— at both the divisional
and group levels is an effective approach in moving the
discussion forward and supplements the use of quan­
titative metrics. Risk posture is an intuitive, accessible,
W hat follow s is a n o tew o rth y exam ple o f h ow a re sp o n d e n t
firm is achieving the link b e tw e e n its R A F and stra teg y and
planning:
Links b etw een Risk A p p e tite and Stra teg ic Planning:
• Line o f Business Risk m anagem ent is involved from the
beginning o f the stra teg ic planning cycle to evaluate and
assess how grow th or revenue targets fit with the C o m ­
pany's Risk A p p e tite ;
• The Plan is d e v e lo p e d to assure G overnance and C ontrol
functions are appropriately aligned and sta ffe d around
new grow th;
• A ll plans fo r grow th are a lig n ed around the Risk
A p p e tite ;
• The C h ie f Risk O fficer ensures alignm ent o f the Stra teg ic
Plan to the Risk A p p e tite . Risk m anagem ent has o p p o rtu ­
nities th roughout the p ro ce ss to challenge any elem ents
o f the plan.
Links b etw een Risk A p p e tite and Capital Planning:
• The capital fram ew ork a ssesses capital a dequ acy in rela­
tion to risk and p ro vid e s a com m on currency for m easur­
ing business unit perform a n ce;
• The capital m anagem ent p ro ce ss co n sid ers credit, mar­
ket, operational, in terest rate, liquidity, country, com pli­
ance and stra teg ic risks in the Internal Capital A d e q u a cy
A sse ssm e n t P ro cess;
Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
and widely understood concept that avoids technical
language and enables extensive participation by a wide
group of participants in the dialogue and discussion
about risk appetite. The iterative process described
above needs to include an explicit discussion of the
risk/reward tradeoffs. The relevant questions are: What
are we trying to do? and What are the tradeoffs? One
firm reported: "This [risk appetite] approach allows an
intelligent discussion of 'who we are' and the optimal
business mix and balance based on risk and return."
Another said: "getting the Head of Strategy to recog­
nize and incorporate Risk Management personnel into
planning decisions was big win for us."
• Periodic reviews between risk management, finance,
and each business division to discuss what is new or
growing rapidly, what is changing, what's driving those
changes, and what are the emerging risk/capital/liquid-
ity capacity issues, are a good tool for keeping the
required linkage strong. These reviews also support the
process for the next planning cycle.
• Some firms require that each business head be able to
explain how risk appetite has been taken into account in
local strategy documents and how key elements of the
business unit strategy are consistent with risk appetite.
• C u stom er and p ro d u ct profitability are m easured via C u s­
to m er Level Profitability R eportin g (CLPR), which in co rp o ­
rates eco n o m ic capital;
• Capital is re p re se n te d in the Risk A p p e tite sta tem en t and
m easured and m on itored as such.
Links b e tw e e n Risk A p p e tite and Liquidity Planning:
• To geth er with the C h ie f Financial O fficer G roup, Risk M an­
agem en t is involved in settin g and m onitoring liquidity risk
limits, guidelin es and early warning indicators;
• Risk M anagem ent controls include the analysis o f co n ­
tractual obligations and utilization o f stress m odeling to
ensure that e x ce ss liquidity is size d appropriately and
aligned with the liquidity risk tolerance o f the en te rp rise;
• Risk M anagem ent in corporates liquidity risk analysis into
n ew p ro d u ct, business and investm ent decisio n s w here
applicable, and w orks with Lines o f Business that have
m aterial co n tin g en t funding e xp o su re s and/or require
m aterial levels o f u n secu red funding;
• Liquidity Risk is re p re se n te d in the Risk A p p e tite sta te ­
m ent and m easured and m on itored as such.
Links b e tw e e n Risk A p p e tite and Perform ance M anagem ent:
• Perform ance m anagem ent is tie d to adh eren ce to the Risk
A p p e tite in all areas o f the en terp rise, including Risk, Lines
o f Business and En terp rise C ontrol Functions.
Overall Lessons: 69.
• There needs to be an iterative relationship between set­
ting risk appetite and planning at both the group and
the business unit levels.
• This involves a partnership between a group's risk man­
agement, strategy, and finance and the business units,
with explicit consideration of risk in business planning.
• Risk posture— a qualitative expression of whether a busi­
ness unit intends to take more, less, or approximately
the same amount of risk over the next planning period—
can be a useful starting point for this discussion.
70.
• The annual planning process should be supplemented
with quarterly reviews by risk management, finance, and
the businesses to assess how the risk profile and the
risk/return tradeoffs are changing. These reviews should
place a special focus on business activities or risk con­
centrations that are new or growing rapidly and what is
changing and what's driving those changes, as well as
71.
any emerging risk/capital/liquidity capacity issues.
3.6 The Role of Stress Testing within
an RAF
66 . An important issue on which the investigation has been
focused is the potential role of stress and scenario test­
ing within a risk appetite framework. Linked to this is the
question of how appropriate levels of risk can be deter­
mined for individual businesses and in aggregate for the
group in total and the relationship between these.
67. Consciously constraining aggregate risks in advance so
as to ensure a firm's survival under severe stress scenarios
72.
is part of the raison d 'e tre and at the heart of setting risk
appetite appropriately. It is essential for senior manage­
ment and the Board to carefully analyze and understand
the likely distribution of potential outcomes that would
be experienced over time under a variety of severe, but
plausible economic and market scenarios and to deter­
mine what level of loss would be tolerated under each of
these scenarios.
68 . These assessments are crucial but very complex and dif­
ficult, involving both significant technical challenges and
the exercise of a substantial amount of judgment. They
cannot be reduced to a series of simple, formulaic steps.
This is because, as the financial crisis has shown, for large
financial groups the aggregate, integrated risk profile of a
firm and the way this evolves is opaque, to insiders as well
as to outsiders, and difficult for senior management, direc­
tors, and supervisors to properly understand.
54 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
In this context, leading banks in a number of jurisdic­
tions are increasingly using a variety of stress testing
processes, which typically feature a combination of mac­
roeconomic scenarios and changes in market variables,
to understand financial outcomes for the group, including
potential credit and market losses and the likely reduction
or loss of business revenues under severe economic and
market scenarios. Conducting such stress tests for all enti­
ties across a group requires overcoming a number of very
substantial technical challenges and the significant exer­
cise of management judgment.
In general, banks in national jurisdictions that were hit
hardest by the financial crisis appear to have made more
progress on developing comprehensive, firm-wide stress
testing capabilities, perhaps in response to Industry-wide
stress testing requirements of national regulators. They
are therefore more likely to use these capabilities in a
more central way in their process for setting risk appetite.
An important challenge facing management in the deter­
mination of risk appetite is how much relative weight
should be given to:
• The predicted level or range of aggregate losses that
could be sustained over a defined time period under
relatively likely, less se ve re adverse economic and
market conditions (e.g., a "one-in-ten year" economic
downturn scenario), as against
• The much higher predicted level or range of aggre­
gate losses that could be sustained over a defined
time period under a variety of relatively unlikely, m ore
severe— but nonetheless plausible— stress scenarios
(including severe liquidity stress scenarios).
The key areas in which management needs to exercise
judgment are therefore:
• The severity of the stresses/scenarios to be applied.
As noted, it is necessary to strike a balance in estab­
lishing scenarios that are appropriately severe while
being not so implausible as to make it impossible to act
upon them.
• The implications of the stress and scenario outcomes
for losses and how these compare to what are judged
to be acceptable loss levels within the existing risk
appetite. It is also necessary to ensure that the implica­
tions for capital levels are rigorously assessed.
• The implications of the foregoing for risk appetite
and strategy. Boards and management need to be
equipped to assimilate and act upon the outcomes of
stress tests, even where they embody relatively low
probability events.
73. It would appear that in many banks these judgments have
been made somewhat implicitly to date, given the con­
siderable technical challenges involved. These are very
subjective but important questions, and a divergence of
76.
views regarding their treatment was seen among the par­
ticipating banks. Indeed, participants reported that it is
common to see a divergence of views on these questions
even within the management teams of individual banks.
74. It is nevertheless important to distinguish between the
relatively technical challenges of ensuring that scenarios
are chosen carefully and their implications properly
worked through and the strategic challenge of ensuring
that the outcomes of stress and scenario tests are acted
upon. Boards and management often report difficulty in
assimilating the implications of relatively low probability
events and pushing through the necessary adjustments to
business models and strategies. Some report that this will
become even more of a challenge as competitive pres­
sures reassert themselves as memories of the crisis fade.
75. It is possible to make a tentative observation that some
of the banks that were hit hardest in the financial crisis are
currently taking a more conservative approach than others
that were impacted less severely. The former are placing
more weight in setting their overall risk appetite upon the
likely losses that would be experienced under more severe
stress scenarios and treating the results of these stress
scenarios as more binding in the risk appetite process.
Some banks participating in our investigation, including
some banks in jurisdictions that were less affected by the
financial crisis, have not yet built a comprehensive, group­
wide stress testing capability or have not yet fully incor­
porated stress testing into their process for setting risk
appetite. For these banks, selected stress tests have been
used to date primarily as a basis for checking and chal­
lenging the reasonableness of quantitative risk appetite
parameters and boundaries that have been set via other,
more subjective means. Some banks in this category have
placed higher emphasis to date on ensuring a strong risk
culture and effective dialogue about risks at all levels, and
they caution that placing heavy emphasis on stress test­
ing in the risk appetite— setting process may risk placing
too much focus on "known unknowns." Consequently, it
is clear from our investigation that the further develop­
ment of stress testing capabilities and the evolution of
the way in which stress testing outcomes are incorporated
into the process and context for setting risk appetite is an
area that many firms are continuing to develop, as can be
clearly seen in some of the case studies.

One leading firm has d e v e lo p e d a co m p re h e n sive , firm ­
w ide stre ss-te stin g capability and uses this in a way that is
central to the p ro c e ss o f se ttin g its risk a p p e tite . The bank
had originally built its firm -w ide risk a p p e tite fram ew ork
around a s e t o f statistical loss m easures, which it co m p a re d
with earnings and capital m etrics. U n derpin ning the fram e­
w ork w ere statistica l m o d els fo r individual b u sin e sse s and
p o rtfo lio s, c o m p le m e n te d by stre ss m o d els ta rg e te d tow ard
the idiosyn cra tic vulnerabilities o f th o se p o rtfo lio s (not
g en era lly com b in a b le due to in co n sisten t scen a rio a ssu m p ­
tions). Lim its on a com bination o f th e se stre ss and sta tisti­
cal m o d e l results w ere u se d as o p era tin g co n tro ls on the
b u sin e sse s. W hile se vera l units within the bank had g a in e d
su bstan tial e x p e rie n c e in the g en era tio n o f m acro and mar­
k e t scen arios and the evaluation o f th eir im pacts on their
re sp e c tiv e b u sin e sse s, th e se had n o t b e e n in te g ra te d to
d e v e lo p firm -w ide scen a rio s.
During the financial crisis, the firm reco g n ized the n e e d
to a dapt its risk a p p etite fram ew ork to incorporate stress
scen arios alongside its statistical m odels and to particularly
em phasize p ro tectio n o f its Tier 1 capital as a risk a p p etite
o b jective. The p e rio d follow ing the Lehm an collapse se rv e d
as a catalyst and m o d el exam ple fo r the d e ve lo p m e n t o f
firm -wide scen arios, since it im p acted many o f the bank's
business lines and esta b lish ed an unam biguous level o f se v e r­
ity. Su b seq u en tly, scen arios coverin g o th er poten tia l firm ­
w ide vulnerabilities have been im plem ented.
D eve lo p m en t o f scen arios typically b eg in s with the identifica­
tion and prioritization o f an area o f concern, i.e ., a poten tia l
eco n o m ic or m arket crisis, through dialogue am ong risk
m anagers, econ om ists, and line m anagem ent. Scenarios are
calibrated on a "h o w bad cou ld it plausibly g e t " basis. B a sed
on a broad outline o f the prim ary scenario drivers, the firm
d e v e lo p a d eta iled scenario specification d escrib in g the e v o ­
lution o ver 1-2 years o f a fe w dozen b ro a d m acro and m arket
variables such as G D P grow th in m ajor m arkets, in terest and
F X rates, equ ity m arkets, cred it sp rea d s, inflation, and hous­
ing p rices. Both short-term and long-term behavior m ust b e
m o d e le d to evaluate im pact on p o rtfo lio s at o p p o site en ds
o f the liquidity sp ectru m , i.e., m arket vs. cred it risks. H istory
and sta keh o ld er input inform the settin g o f th ese param ­
eters, which are u p d a ted periodically (at least once a year)
to ensure that scenario assum ptions remain econom ically
m eaningful.
In tandem with this, analysis— often making use o f historical
data at a granular level— is p e rfo rm e d to iden tify' the key
sensitivities o f busin ess/portfolio incom e with the scenario
inputs; w here n ecessary (i.e., for trading p ortfolios), the

(C ontinued)

Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions

 scenario specification is e x te n d e d to substantially g re a te r
detail. In som e ca ses, w here data analysis d o e s n ot lead to
su fficien t explanatory pow er, ju d g m e n t as to scenario im pacts
or p ro xy m etrics is applied. The possib ility that causal rela­
tionships are m istakenly id en tified through analysis o f lim ited
data is also co n sid ered . Typically, e ffe cts on m arket and cred it
risk p o rtfo lio s and incom e o f a sset gathering b u sin esses are
p o ssib le to m od el m ore robustly, while volum e-based bu si­
n esses and operational risks require m ore ju d g m en t.
Scenario im pact on P&L, capital, and RW As are evaluated
both in absolute term s and with re sp e c t to typical m etrics
(i.e.. Tier 1 ratio). The w orst-case scenario o f the available s e t
is chosen (along with the com plem entary firm -wide statistical
m odel results) for com parison against risk a p p etite o b jectives.
O f th ese, p erh a p s the g re a te st focus is on maintaining a mini­
mum Tier 1 ratio at all tim es, evaluated fo r each quarter o f
Challenges Associated with Firm-wide Risk
Aggregation:
77. One of the significant challenges that firms will eventually
face as they proceed along the risk appetite journey is
the issue of risk appetite aggregation—that being, once
individual businesses have set their own risk appetite
boundaries, how does an organization decide whether, in
aggregate, these boundaries fit within the firm's overall
risk appetite? Or, conversely, if key quantitative aspects of
the group's overall risk appetite have been determined,
how can the risk appetite of individual businesses be set
in such a way as to ensure alignment with the overall risk
appetite in aggregate? Given that this discussion includes
all risks, some of which are not easily quantified, a great
deal of management judgment is required to effectively
manage this issue, which is obviously very closely related
to the issue of risk aggregation.
78. The technical challenges involved in risk aggregation are
numerous and complex. In practice, most banks use a
variety of regulatory and economic capital measures for
risk aggregation purposes. However, these measures suf­
fer from a number of important weaknesses when used for
this purpose. These include:
• The inability of capital measures to capture and reflect
non quantifiable risks.
• The challenges of determining the appropriate treat­
ment of risk concentrations and diversification within
and between risk types.
• The difficulty of directly linking capital measures to spe­
cific macroeconomic stress scenarios.
56 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
the scenario. A dditionally, the sufficiency o f earnings to co ver
poten tial losses (and the timing o f th ose losses) is co n sid ered .
C onform ance to risk a p p etite is te ste d and re p o rte d to senior
m anagem ent m onthly in the form o f a dash board and com ­
m entary, including d eta iled review o f portfo lio and business
losses/perform ance under the binding scenario. During the
annual planning p ro ce ss, the entire risk a p p etite fram ew ork
is review ed up to Board level and business plans are evalu­
a ted through the lens o f the fram ew ork and its m etrics. Firm ­
w ide stress scenarios are co n sid e re d a particularly valuable
co m p o n en t o f the fram ew ork, beca u se o f the relative ease
o f d escrib in g (and debating) the causal chain by which losses
arise and can b e iden tified with bu sin esses, p o rtfo lio s, and
risk drivers. C on sequ en tly, it is co n sid e re d that scenario-
b a se d m etrics o ffer advantages o f transparency and avoid­
ance o f (som e) blind sp o ts relative to statistical m easures.
• The inability of capital measures to capture the liquidity
dimensions of risk, which are so crucial for understand­
ing potential losses in severe scenarios.
• More fundamentally, the non intuitive nature of capi­
tal measures. Experience has shown that it is difficult
to get senior managers and directors to engage in a
meaningful way with statistical variables and capital
measures (e.g., Value at Risk at 99% or 99.95% confi­
dence levels) and use them with confidence in the risk
appetite process. The experience of a number of firms
has been that it can be easier to get active engage­
ment from senior management and directors around
specific macroeconomic scenario assumptions.
For these reasons, although certain capital measures (e.g.,
Tier 1 capital adequacy) are the subject of prominent focus
in the overall risk appetite process, it is difficult to robustly
determine an acceptable level of aggregate risks using
capital measures alone. This is one reason why, in addition
to capital and liquidity measures, leading banks in certain
jurisdictions are increasingly using a variety of stress testing
processes, as discussed in detail above.
79. While Industry practice is clearly still developing in this
area of risk appetite aggregation, our investigation has
shown that there are certain practices that have proven
effective to date. These include:
• All risks should be included in the aggregation process,
not just those that are quantifiable, such as market,
credit, and liquidity.
• For risks that are quantifiable, comparison of the
enterprise-level limit framework to the aggregation
 of business unit limits— including single name, Industry
concentration limits or economic and regulatory capi­
tal allocation— is an effective and practical measure
of alignment.
• Attention to the diversity, quality, and stability of earn­
ings across the enterprise is essential;
• Aggregation should identify areas of excessive risk
concentration. In this regard it is also important that
when aggregating risk, over-reliance not be placed
on a potential diversification benefit. Recent history
has proved that in times of crisis, diversification of risk
often fails in practice.
• For all risks, the aggregate view of risk posture (as
outlined in this paper) is helpful in determining how
an organization is approaching risk overall. If, for
example, the individual business units are each willing
to take on more risk in the coming year, comparison
of risk posture at the platform level is a simple cross­
check to determine if senior management has that
same awareness.
• Aggregation of risk appetite should be done on both a
"normal course" and stressed basis.
80. Aggregation of all risks for the purpose of determining fit
within the overall risk appetite of the organization is an
ongoing challenge. As an industry, some progress is being
made but as with many other aspects of this paper, this
will take time and a great deal of management judgment
to develop.
Overall Lessons:
• A comprehensive, enterprise-wide stress testing
mechanism is a key part of a fully effective risk appetite
framework.
• Management needs to develop clear and consistent
criteria for deciding on the severity/plausibility of the
stress and scenario tests chosen. Firms should generally
err on the side of choosing more, rather than less-severe
scenarios, though this needs to be balanced against the
need for the results to be operationally useful.
• Once the primary scenarios have been chosen, economic
and markets expertise, together with informed judg­
ment, are needed to assess the array of secondary impli­
cations for the firm as a whole.
• Results of stress tests need to be linked to key objective
variables such as P&L, RWAs, and Tier 1 capital and illus­
trate explicitly how outcomes for these would comply
with risk appetite boundaries through time.
Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
• Management and Boards need to feel confident in
assessing the results of the chosen stress and scenario
tests. It is often more meaningful to present outcomes
in concrete terms ("This is what the following scenario
would imply for Tier 1 capital . . .") than in more abstract
terms ("There is a 1 percent probability of a loss of
$X million.")
• Boards need to ensure that there is a robust mecha­
nism for holding the line on risk appetite in light of
stress results when faced with inevitable resistance
from the business. If the decision is to take no action in
response to a stressed scenario, the Board and manage­
ment should be able to explain fully why this decision
is defensible.
• The compliance of stressed outcomes with the bound­
aries contained within the RAF should be monitored
frequently, and the risk appetite and stress testing
frameworks themselves should be reviewed at least
annually with the Board.
SECTION 4 - RECOMMENDATIONS
FOR FIRMS
81. This section draws together a number of the main findings
of this report for Board directors, senior management, and
risk managers in firms.
Recommendations for Board Directors
82. One of the main m essages from this report is that a
well-functioning risk appetite fram ew ork is one that
is pervasive throughout the organization. A ttem pts
to introduce risk appetite as a remote and disem bod­
ied aspect of risk m anagem ent have tended to fail.
The process has been much more successful where it
has been recognized that risk appetite needs to be
intim ately bound up with corporate culture, corporate
governance, and strategy and planning as well as risk.
Boards have an integral part to play in the definition
and monitoring of risk appetite and the interchange
with m anagem ent, risk m anagem ent, and the business
is crucial in this. The following are the main im plica­
tions of our investigation for Board m em bers. They are
particularly relevant for m em bers of Board Risk Man­
agem ent Com m ittees.
83. Board members need to be properly equipped to
engage fully with risk and risk appetite. They need
■ 57
 to understand generic risk concepts and the relevance
of these to the business. They also need to have access
to the information and expertise necessary to enable
them to develop a good understanding of the risk pro­
file of the firm. They should insist that the material pro­
vided to them strikes the right balance between providing
a comprehensive macro perspective and illustrating the
required level of detail.
84. Board members should be proactive in insisting on proper
support from management and risk management pro­
fessionals, in terms of education on risk concepts and
approaches, technical briefings, and updates on the risk
implications of products and activities.
85. The Board needs to establish the framework for risk, typi­
cally through the articulation of a clear and meaningful
risk appetite statement. This is likely to include a num­
ber of key metrics as well as clear qualitative guidance
in respect to less quantifiable risks. One test of whether
the statement is meaningful might be whether and how
it would change in response to a decision by the Board
that 10 percent more (or less) risk would be acceptable.
Another test would be whether the statement would
provide the basis for an effective challenge to plans on
the part of one or more business units to move to a mark­
edly more expansionary mode, with attendant implications
for risk.
86. Board members need to ensure that risk appetite is
used in a dynamic and iterative way. A key conclusion of
this report is that an effective RAF extends far beyond a
mechanism that simply creates limits. Instead, it involves a
dynamic or iterative process in which:
• The Board provides a clear statement or set of signals
regarding its preferred risk/return trade off.
• This informs an enterprise-wide process in which, on
the basis of extensive dialogue, business units deter­
mine their business models and strategies and the risk
implications of these.
• The Board then considers whether the individual and
aggregate risk stances and positions of the business
units are consistent with the firm's risk appetite.
• If these are not consistent, a conscious and informed
decision is made to change one or more of the busi­
ness unit profiles or the overall risk appetite.
In some cases, the process is more "bottom up" with the
initiative for setting risk taken more at business unit level.
In such cases, the role of the Board in establishing the
parameters for risk and actively assessing it at both busi­
ness unit and aggregate levels is especially important.
58 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
87. Operating a risk appetite framework in the dynamic and
iterative way advocated in this report makes it particularly
important that all participants, including Board members,
risk management staff, senior management, and busi­
ness heads, are clear about their respective functions and
responsibilities. Setting out the initial risk appetite state­
ment or signaling a set of risk preferences is just the start
of a process of ongoing discussion and testing. Board
members need to challenge senior management to ensure
that the necessary processes and structures to facilitate
this are put into place and remain effective.
88 . Such an iterative approach results in Board members hav­
ing other significant challenge functions. This challenge
is essential to ensuring that the risk appetite framework
is neither stultifyingly rigid nor excessively flexible. These
challenge functions include, but are not confined, to:
• Making certain that mechanisms are in place to ensure
that new business initiatives, transactions, or products
are consistent with the enterprise-wide risk appetite,
and that the risk implications of these are fully under­
stood before the activity proceeds.
• Ensuring that mechanisms are in place to monitor and
manage risks that are not readily quantifiable— such as
reputation and legal risks— and that their level is consis­
tent with overall risk appetite.
• Ensuring that stress testing is undertaken in a rigorous
and comprehensive way and that the Board is able to
assess the results in the context of the risk appetite
framework (more on this below).
89. In general, as this report emphasizes, an effective RAF
is indissolubly linked to the culture of an institution.
There are no simple measures of risk culture, and it is a
key responsibility of Boards to understand and shape this
culture. Experience has shown that it can be exceptionally
difficult for Boards and supervisors to detect weaknesses
in risk culture in an otherwise performing firm; in particular,
the absence of obvious contra-indicators cannot be taken
as positive evidence of a strong culture. Understanding and
shaping the firm's risk culture involves setting broad direc­
tion and continual challenging of senior management to
demonstrate how their actions and communications are con­
sistent with this and how rewards and penalties are visibly
and predictably aligned with the firm's avowed risk culture.
Senior management should be expected to account for
their behaviors, and Board members may find it helpful to
find opportunities to interact directly with staff at all levels in
an attempt to gauge the extent to which they are aware of
and responsive to a positive risk culture, and to assess, for
example, the extent to which "bad news travels upwards".
90. Even the strongest risk culture needs to be supported by
effective systems and controls. Board members need to
satisfy themselves that the firm has a clear and consistent
set of controls and limits that support the objectives of
the risk appetite statement and the observance of the
boundaries of acceptable risk embodied within the risk
appetite framework. Board members should challenge
management on the way in which these systems are used
to encourage compliance and penalize noncompliance.
This may, for example, involve the setting of objective
and quantifiable behavioral norms or objectives that can
be used in determining remuneration or promotion or,
conversely, as the basis for disciplinary action when neces­
sary. The Board may seek input from the CRO in regards
to any risk cultural or behavioral issues that the Board
should consider in making incentive payment decisions
for executives.
91. Boards have a key role to play in the evaluation of
stress and scenario test results. Members need to satisfy
themselves that the stress tests are conducted rigorously,
that the stresses and scenarios strike the right balance
between severity and realism, and that the implications
have been properly evaluated across all businesses in
the group. Boards have a fundamental role in deciding
whether risk appetite needs to be revisited or adjusted in
light of the results. Board members also need to ask them ­
selves searching questions about their ability to assimilate
and respond to low-probability but high-impact scenarios.
Many Board members find this very challenging. Boards
need to be aware of their limitations in this regard and
consider carefully whether these are acting as a brake on
effective decision-making.
92. Finally, Boards should subject their own operations
and processes to constant review. Every effort should
be made to identify, on a continuous basis, areas in which
Board procedures have worked well and not so well and
to learn from mistakes. There should be an annual review
of how the Board interacts with the management and
business heads. Overall, the Board should have a formal
process at least annually for considering whether and
how it has made a real difference to risk management in
the organization.
Recommendations for Senior
Management
93. Implementation of an effective risk appetite framework
is highly dependent on visible support from senior
management, including a bank's Executive Committee
Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
and business leaders. This includes recognition and
acknowledgment that a clear statement of risk appetite
helps drive risk and governance discussions, is integral
to the strategic and business planning discussions, and
provides assurance to regulators and rating agencies that
the institution has clear parameters for how much risk it
will take on. The following are the main implications of our
investigation for senior management:
94. To be effective it is essential that senior manage­
ment set the tone and lead the discussion regarding
risk appetite. Senior management must be seen as
taking a leadership role in articulating the importance
and benefit of risk appetite throughout an organiza­
tion. This is an ongoing responsibility and must be
continually emphasized.
95. Recognition that risk appetite and risk culture are inex­
tricably linked is important, given that culture derives
from leadership and determines inter alia, how middle-
level managers assimilate and embed risk appetite.
96. Creation of an enterprise-wide RAF is an iterative
process involving the Board, senior management, and
risk management staff. At the heart of the process is an
ongoing dialogue, and senior management should expect
to be challenged by the Board as to what is being recom­
mended, including risk/return tradeoffs and regular close
scrutiny and discussion of all aspects of the firm's risk pro­
file under stressed conditions.
97. It is an absolute requirement that the business (and not
risk management) take ownership and drive the devel­
opment of line-of-business risk appetite and profile. It
must be recognized that risk appetite does not belong
to the risk management staff and is not simply another
way to set limits and constrain business. Business unit risk
appetite frameworks are the main vehicle for providing
guidance and clarity regarding which activities and risks
businesses can consider and what would be outside of
agreed upon appetite.
98. It is important to recognize that while it is helpful to have
an articulation of risk appetite that can be used by the
Board and all levels of management, there is no clear
need to have the enterprise-level RAF as a document
that middle management across the enterprise must use.
The critical component is to have a risk appetite fram e­
work that helps drive a clear and comprehensive limit
structure for the various businesses as well as activities
and limits that determine the ability of middle manage­
ment to pursue and grow specific lines of activity that
link back to the enterprise risk appetite framework. Line-
of-business risk appetite frameworks should not be
■ 59
 developed as simple subsets (or even simple "clones")
of the enterprise framework. While there are linkages to
the enterprise framework, the most useful aspects of the
business-level frameworks are often quite specific to the
line of business, reflecting the diversity of a firm's activi­
ties, geographic scope, or regulatory regimes in which
it operates.
99. Senior management needs to ensure that the risk appe­
tite framework includes full consideration of and appro­
priately reflects business strategy. It is important that the
Board and the market understand that the senior manage­
ment takes risks in areas that are central to its key strategies
and businesses and that losses in those areas, while not
positive, are expected and understood as a likely outcome
in both normal business conditions and under a difficult
market/stress scenarios. Smaller and more peripheral
businesses by contrast should not be a source of significant
losses.
100. It is important that senior management understands and
accepts how the RAF will apply to its activities and impact
any initiatives, growth plans, or acquisitions that may be
under consideration. The strategic planning process
must include discussions relating to risk appetite and
profile. While risk appetite needs to become a fundamen­
tal driver of strategy and of front-line business decisions, it
should be accepted that it will take time and effort to get
this to a point at which business unit leaders and risk man­
agers are comfortable with the process.
101. Business leaders must ensure that risk metrics ade­
quately capture and reflect all material risks of their
business. These metrics should be meaningful and pertain
to their key business and risk drivers. Similarly, the busi­
nesses are responsible for putting appropriate controls in
place to effectively manage their risks, so as to ensure that
they do not exceed their defined risk appetite.
Recommendations for Risk Management
102. Development and maintenance of an effective risk appe­
tite framework is a shared responsibility, with risk man­
agement staff playing an essential role in the process. It
is not uncommon for risk management to take the lead in
building management support and engaging the Board as
the framework is developed. Similarly, the ongoing main­
tenance of a robust framework is heavily dependent on
risk management to provide good-quality reporting of risk
metrics to support the framework and its application. The
following are the main implications of our investigation for
risk management staff:
60 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
103. Risk management needs to be actively involved at
multiple levels in the development of the risk appetite
framework. It is incumbent upon risk management to
provide clarity of concept and definition and support
in understanding the implications of the risk appetite
statements and metrics as they develop. A lack of clar­
ity in definition often leads to confusing and ineffective
discussion that can frustrate the participants and extend
the process unnecessarily. In this regard, it is important
that risk management provide the necessary coaching and
training to facilitate the understanding of risk appetite on
an enterprise-wide basis.
104. An effective RAF covers all risks, and it is important that
risk management work with all stakeholders in developing
the right balance of appropriate quantitative and quali­
tative metrics. Recognizing that the appetite for some
risks is more easily quantified than others, it is important
that risk management lead the discussion and develop­
ment of desired behavior and tolerances for less quantifi­
able risks such as reputation risk.
105. Risk appetite is an iterative process that requires perse­
verance. To that end, the challenges faced early in the
process are different from those experienced later. At
all stages, it is important for risk management to ensure
full engagement by all key stakeholders, including the
Board, senior management, and risk practitioners.
106. At the same time, risk management must allow the busi­
nesses to take charge of the process of developing line-
of-business-level risk appetite statements. This means
the business unit leaders themselves, not the embedded
risk management staff within the business units.
107. Risk management needs to provide the appropriate
infrastructure and controls to support the ongoing
maintenance of the RAF. This includes comprehensive
and timely reporting to senior management and the
Board to provide clear reference to the current risk profile
and to make the framework itself both real and relevant.
Ongoing reporting of the firm's risk profile relative to the
agreed upon risk appetite— and how this is changing—
and repeated/iterative discussions of the evolving fram e­
work itself, will help to build both "pattern recognition"
and acceptance of the framework as a useful tool.
108. Risk appetite needs to be viewed in the context of both
normal and stress conditions. Risk management needs
to be capable of providing both of these perspectives and
facilitating the appropriate discussion at the Board level
with regard to the potential impact on business strategy
and planning.
109. It is critical that risk management engage with the busi­
nesses in the strategy and planning process to ensure
proper alignment between the enterprise-level state­
ment of risk appetite and those statements created at the
business-specific level.
110. Risk management should be the catalyst and conduit
for effective discussion of risk appetite between the
Board and the businesses by translating what may be at
times high-level statements of risk preference into effec­
tive risk measures and limits appropriately tailored to
each business.
111. Risk management must ensure that the RAF is supported
by a suite of risk policies that reinforce and reflect the
risk appetite as articulated. This includes a clear under­
standing of the process for dealing with and reporting
transactions that may be approved outside of policy
boundaries as well as excesses to approved risk appetite.
112. Education and communication are areas in which it is vital
for risk management to participate on an ongoing basis. It
is necessary to effectively communicate the key elements
of the design, implementation, and maintenance of the
risk appetite framework to all stakeholders internally and
externally. It also is important that the Board be able to
address questions raised by shareholders and regulators
alike as to the appropriateness of the nature and quan­
tum of the risks being assumed, both individually and in
aggregate, and how senior management is challenged in
this regard.
ANNEX I: CASE STUDIES
Developing a Risk Appetite Framework
at RBC May 2011
A b o u t RBC
Royal Bank of Canada (RY on TSX and NYSE) and its subsidiaries
operate under the master brand name RBC. We are Canada's
largest bank as measured by assets and market capitalization,
and among the largest banks in the world, based on market
capitalization. We are one of North America's leading diversi­
fied financial services companies, and provide personal and
commercial banking, wealth management services, insurance,
corporate and investment banking and transaction processing
services on a global basis. We employ approximately 79,000 full-
and part-time employees who serve close to 18 million personal,
business, public sector and institutional clients through offices in
Canada, the U.S. and 50 other countries. For more information,
please visit rbc.com.
Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
Initial Planning and Development of RBC's Risk
Appetite Framework
Work to formalize RBC's enterprise risk appetite began in 2006,
as part of the annual process to benchmark and refresh credit
risk and market risk limits. An initial presentation on risk appe­
tite was made to the Risk Committee of our Board of Directors
to gain feedback on the approach to articulating RBC's risk
appetite, and confirm areas of priority.
Initial statements of RBC's risk appetite were derived from
a review of decisions made by senior management and the
Board that yielded explicit statements about what risks were
acceptable, and what risks we wanted to avoid. We identified
to the Board areas we intended to enhance, as well as a plan to
develop a comprehensive Risk Appetite Framework. The global
financial crisis of 2008 then triggered further prioritization of risk
appetite for financial services institutions.
The Chief Risk Officer and Group Risk Management (risk man­
agement corporate function) acted as a catalyst to define and
communicate the value of risk appetite. Our Board of Directors
was engaged primarily through the Board Risk Committee, and
this committee provides feedback and challenges the risk/return
tradeoffs implicit within risk appetite. It was understood that our
Risk Appetite Framework would be expanded and refined over
time, and that we were learning as we progressed through the
development process.
RBC's Risk Appetite Framework was created through an itera­
tive process. We faced an early challenge to reach consensus on
a single management view of self-imposed constraints or other
specific parameters to put forward to the Board for feedback
and approval. We gradually gained senior management buy-
in, yet had to remain focused on building senior management
understanding and acceptance of how the Risk Appetite Frame­
work would apply to the key activities and decisions they faced
within their business segments.
Buy-in to the Risk Appetite Framework also had to be built
within our Group Risk Management function. We needed to cre­
ate a forum for the various specialist groups within Risk to shape
the framework, and we now rely on these teams to communi­
cate and reinforce the framework.
Central to our framework is the consideration of business strat­
egy, and the concept that not all losses are created equally. This
pertains to our ongoing intention to take risks in areas that are
central to our key strategies and businesses, and that losses in
those areas, while not a positive, are expected and understood
as a likely outcome in difficult market and stress scenarios.
Smaller and more peripheral businesses by contrast should not
be a source of significant losses.
■ 61
Risk Appetite Framework
Risk appetite is now a fundamental part of RBC's Enterprise Risk
Management Framework, which is our enterprise-wide program
for identifying, measuring, controlling and reporting of the
significant risks faced by the organization. Integral to our Enter­
prise Risk Management Framework is our strong risk culture,
which is both a prerequisite to and reinforced by risk appetite.
Used effectively, risk appetite aligns business strategy, people,
processes and infrastructure.
We define risk appetite as the amount and type of risk we are
willing to accept in the pursuit of our business objectives. RBC's
Risk Appetite Framework provides a structured approach to:
• Establish and regularly confirm our risk appetite, defined
by drivers and self-imposed constraints through which
we have chosen to limit or otherwise influence the
amount of risk undertaken
• Translate our risk appetite into risk limits and tolerances
that guide businesses in their risk taking activities
• Regularly measure and evaluate our risk profile against
risk limits and tolerances, ensuring appropriate action
is taken in advance of risk profile surpassing risk
appetite
RBC's Risk Appetite Framework is composed of four major
components:

• Define our risk capacity by identifying regulatory con­

straints that restrict our ability to accept risk

The largest circle represents the regulatory constraints RBC faces. RBC’s regulatory
constraints are classified as:
1) Financial - Tend to be quantitative in nature and therefore easier to interpret.
Capital ratios and liquidity metrics are examples of financial regulatory
constraints.
2) Other - Tend to be predominately qualitative in nature and therefore require
judgment in interpreting requirements and assessing compliance. Examples
include maintaining compliance with legislative and regulatory requirements,
and adhering to privacy and information security regulations.
Financial

The darker center circle represents RBC’s risk appetite as defined by

1) Drivers - These are business objectives that imply risks RBC must accept to
generate the desired financial return. Examples include revenue growth and
earnings per share.
2) Self-imposed constraints - Quantitative and qualitative statements that
Regulatory Reputationa restrict the amount of risk RBC is willing to accept. Examples follow
on the next page.

Financial
The center circle refers to our risk limits and tolerances that we translate from
risk appetite:
1) Risk limits are quantifiable levels of maximum exposure RBC will accept. They
are established only for risks that are financial and measurable, such as
credit risk and market risk.
2) Risk tolerances are qualitative statements about RBC's willingness to accept
risks that are not necessarily quantifiable and for those risks where RBC does
Regulatory Reputationa
not have direct control over the risk we accept (such as legal risk and
reputational risk).
We communicate risk limits and tolerances through policies, operating procedures and
Financial
limit structures.

The striped oval represents the organization's risk profile at a given point in time.

Regulatory
Reputational

62 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
A key element of RBC's Risk Appetite Framework is self-
imposed constraints and drivers in which we have chosen to
limit or otherwise influence the amount of risk undertaken. We
have seven key categories of self-imposed constraints:
• Maintain a "A A " rating or better
• Ensure capital adequacy by maintaining capital ratios in
excess of rating agency and regulatory thresholds
• Maintain low exposure to "stress events"
• Maintain stability of earnings
• Ensure sound management of liquidity and funding risk
• Maintain a generally acceptable regulatory risk and com­
pliance control environment
• Maintain a risk profile that is no riskier than that of our
average peer
For each category of self-imposed constraints we then have
a set of quantitative and qualitative key measures. Our self-
imposed constraints and key measures are regularly reviewed
and updated, and approved by the Risk Committee of our
Board of Directors.
Application of RBC's Risk Appetite Framework
Beginning in 2008, two pilots were conducted to determine
if the Risk Appetite Framework used to determine enterprise
level self-imposed constraints could be applied at the busi­
ness segm ent level. The heads of risk with direct responsi­
bility for business segm ent risk management facilitated the
interpretation of the enterprise fram ework to each business
segm ent context. This led to the developm ent of business
level constraints that aligned to the seven key categories of
enterprise self-imposed constraints. Businesses also chose to
incorporate several key specific constraints to businesses which
they manage.
We have made significant progress building out comprehensive
statements of risk appetite for each business segment. Risk
appetite and risk profile were applied in this year's business seg­
ment strategy development process more explicitly than in pre­
vious years. Activities continue to enhance business segment/
unit risk appetite, and communicate risk appetite concepts to
broad employee audiences.
We observe an increasing number of discussions and propos­
als framed within the context of risk appetite. We see our
organizational capability improving to ensure that risk appetite
considerations are well incorporated into growth initiatives and
business planning overall. Group Risk Management will continue
to facilitate and oversee enhancements to business segment risk
appetite and related reporting.
Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
Reporting
Risk profile relative to risk appetite is reported quarterly to
senior management and the Board of Directors. An Annual
Enterprise Risk Presentation is also made to the full Board of
Directors. We have found that a comprehensive and balanced
set of our most meaningful metrics, connected with external
developments, has yielded effective discussion and decision
making. Reporting has been a key component in building under­
standing of the framework and its application.
Success Factors
An important success factor has been strong support of our
Board of Directors, Chief Executive Officer, and senior manage­
ment. Our emphasis on risk appetite as an enterprise priority
has been framed and accepted as a critical element to advance
our strong risk culture.
Repeated iterations with stakeholders were helpful in gradually
building pattern recognition, senior management buy-in, Board
of Directors' support, and confirmation of the central compo­
nents of our Risk Appetite Framework.
Risk appetite development has been led by our CRO , with
ongoing facilitation by senior executives in Group Risk Manage­
ment and engagement with business segments. We began to
build business segment ownership of business segment— level
risk appetite by integrating risk appetite with business strategy.
A flexible approach was required because one method would
not fit for all businesses and stakeholders.
Our risk frameworks contain straightforward terminology and
can be generally understood by all stakeholders. We avoid
overly technical and complex discussions about risk with our
Board and senior management, and focus discussion within
the context of real and current issues for our institution. In this
vein, our business segment statements of risk appetite are quite
focused and business driver specific, for example, concentration
risk for certain sectors, acceptable earnings volatility and levels
of capital at risk.
Challenges
It was initially challenging to achieve clarity on what risk appetite
means and how it is used to drive management decisions. Board
and senior management decisions implied a high level risk
appetite; however, it was initially challenging to gain consensus
and concisely articulate risk appetite for the enterprise. Itera­
tive discussions on the framework and ongoing reporting of risk
profile helped improve our definition of risk appetite, and build
understanding and acceptance with senior management and
the Board.
■ 63
It also took time to gain traction building business segment
articulations of risk appetite because it was not possible for
business segment frameworks to be developed as simple
subsets of the enterprise framework. While there are distinct
linkages to the enterprise framework, some of the most useful
aspects of the business level frameworks are often quite specific
to the business segment or business line.
We also needed to demonstrate the value of a risk appetite
framework in some instances, before the businesses (and not
Group Risk Management) would take ownership and drive the
development of business segment risk appetite. There were some
early concerns that risk appetite and risk profile reporting was
one more mechanism to impose limits or constrain growth plans.
Lesson Learned and Key Benefits Achieved
By articulating risk appetite at both an enterprise and busi­
ness segment level, we have an effective combination of top-
down constraints and business specific risk drivers. The linkage
between the enterprise level constraints and the actions of busi­
nesses to grow or change risk profile is now fairly clear. Owner­
ship of issues is also now clearer.
Risk appetite and risk profile are effective communication tools.
Increased transparency and reporting on these matters has facil­
itated internal alignment among business and functional lead­
ers, and supports effective decision making. Our enterprise risk
profile provides a consolidated view of risk concentrations and
deficits to ensure alignment between actual risk exposure and
target risk exposure. Our Risk Appetite Framework and risk pro­
file have also been very helpful in conversations with our Board,
regulators and rating agencies.
Risk appetite is increasingly integrated into our business strate­
gies and planning processes, so that strategies are developed
and approved in the context of risk appetite. We are em bed­
ding into our annual strategic planning process analysis of how
growth objectives, degree of planned change and "risk posture"
may impact business segment risk profile and risk appetite. In
addition, our annual process where the Board approves del­
egation of authorities to management and the associated limit
structures is now put forward with direct linkage to risk appetite.
Moving Forward
Our enterprise Risk Appetite Framework is updated at least
annually, focused on continued development of self-imposed
constraints. For example, we are enhancing constraints pertain­
ing to low exposure to stress events, operational risk and quali­
tative measures for non-financial risks. Other areas of focus are
to create more forward looking metrics, and achieve the right
blend of qualitative and quantitative key measures.
64 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
As mentioned, we will continue to enhance articulations of risk
appetite for our business segments and key lines of business.
Compensation risk management is another practice that we are
integrating into our risk frameworks.
It is also our objective to cascade risk appetite concepts to
broader employee audiences, to create a general understanding
of risk appetite and instill ownership of risk. Consistent with our
industry peers, we have made significant progress in the area of
risk appetite, and there remains work to be done to achieve full
business engagement and integration into all relevant manage­
ment processes.
Risk Appetite within National Australia
Bank: an Ongoing Journey
Overview-Where We are on the Journey
The setting of risk appetite within National Australia Bank
currently manifests itself in two key ways. Firstly, the framework
by which we determine our risk posture is strongly aligned to,
and informs, the planning process. Secondly, the statement of
risk appetite (the Risk Appetite Statement (RAS)) and its three
elements ("posture," "budget" and "settings," described
below) sets out our capacity for taking on risk and the settings
associated therewith.
Our current capability, in terms of risk appetite, reflects an
ongoing journey over a number of years and will continue to
evolve as our thinking develops. As with most large organisa­
tions, the pace of change is a function of the ability of the
organisation to absorb that change. As such, our strategy for
improving the risk appetite has been measured, rather than
dramatic, so as to ensure understanding, acceptance and use
as we progress. This has allowed us to approach the task with
a longer term vision, introduce change progressively, reflect on
the responses and then refine our thinking.
The risk appetite framework (RAF) is grounded in:
• strong engagement between key stakeholders, including
Board and Executive, in setting the planning envelope
for the business; and
• an interactive process over the planning period that sees
agreement on the risk reward tradeoffs that are required
for the plan.
The framework results in a statement on risk appetite, the RAS,
which encompasses:
• a "risk posture" that seeks to qualitatively describe our
capacity and willingness to take risk at any point con­
sidering the internal and external circumstances and a
forward view;
 • a "risk budget" expressed as an economic capital limit
within which the Group must operate; and
• "risk settings" that express key operational limits.
Through a combination of a framework strongly integrated into
the plan, and the production of a RAS as the embodiment of
risk appetite, we seek to effectively communicate this appetite
throughout the organisation.
Modest Beginnings
The development of our RAS and associated framework has
been, and continues to be, iterative. As described below we are
currently up to the 3rd generation RAS. Our current capability
owes much to the learnings, insights and persistence of those
tasked with earlier efforts.
We have been preparing RASs for a number of years and well
before it was becoming an explicit regulatory expectation. The
RAS was created under the leadership of the Board Risk Com ­
mittee and the sponsorship of the C FO and CRO . Whilst rigor­
ous and well-grounded in principles of corporate finance, the
emphasis was on quantitative risk and capital metrics and not
enough on qualitative discussion or actual risk settings, limits
and policies. For this reason the RAS remained a centrally man­
aged document with little visibility or traction beyond the Board
and Group Executive.
Our "second-generation" RASs set out to respond to these
identified gaps by incorporating clear, explicit and detailed
risk settings, limits and triggers. The drawback of these RASs
was that whilst there was a lot of detail around risk settings,
it became inaccessible to readers given its complexity. More
important, the Board and the executive felt that the detail
made it hard to "see the wood for the trees" and were of the
view that links between the RAS and overall business strategy
were unclear.
This issue of the lack of strategic relevance for the RAS was
compounded by the absence of a fully integrated role for the
Risk function itself within the planning process. Whilst Risk had
a clear role in matters such as the validation of forecasts on loan
loss provisioning or expectations about the movement in asset
quality, it had a minimal part in framing the initial risk envelope
in which the business strategies and financial plans were to fit.
Why was this the case? Apart from the well-accepted view that
Finance "ran the planning process," Risk lacked both a platform
to effectively communicate its views and a framework to mean­
ingfully participate in the planning process. In particular, Risk
was not successful in identifying a language that readily con­
veyed its position and views. Unlike Finance, whose language is
encapsulated in metrics that are well understood, the language
Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
of risk is somewhat opaque and not broadly identified with by
those tasked to develop and execute strategy and plan— that
is, the businesses. Finding ways for Risk to communicate and
engage in planning was thus critical to the development of
risk appetite.
On top of all this, responsibility for preparing the RAS frequently
changed hands between teams in either Risk or Finance, which
made it difficult to establish a long-term vision or change
agenda for risk appetite.
Our First Steps-Dedicated Resources and
Defining "Risk Posture" Qualitatively
By 2009, we found ourselves at a crossroads. Thinking around
risk appetite was relatively basic and the RAS was seen by many
as having limited relevance or influence.
Despite our best efforts it focused primarily on economic capital
(a measure not widely understood in the business), was pre­
pared after the annual planning and strategy process was com­
plete (hence merely reflecting what was to be done) and was
widely seen as uninformative in terms of strategic and business
decisioning (and hence of little strategic use).
The Group CRO and the Board Risk Committee continued
to push for further improvements in the thinking behind, and
delivery of, the RAS, highlighting areas that could be improved
to assist the Group in its understanding and application around
risk appetite. At this stage, responsibility for the RAS changed
hands yet again, and was given to a designated owner within
Risk. We created a new position— Head of Risk Appetite, who
reported through the General Manager Credit Strategy to the
Group Chief Credit Officer. A dedicated risk appetite function
was an important step in the journey, taken to lift the relevance
and influence of risk appetite concepts and methodology in the
Group. For the first time, it had an owner whose principal role
was to not only prepare the RAS but to develop our thinking
around how best to embed risk appetite into the business.
Given this structural change, the risk appetite team embarked
on developing the "third-generation" RAS by starting with a
clean slate and spending time thinking more explicitly about
what we were looking to achieve.
The challenge was to give life and meaning to risk appetite so
that there was one agreed [upon] view that was used and under­
stood throughout the Group.
The major breakthrough was the decision to describe the "risk
posture" for the Group, and separately each business unit, in
terms of three broad settings linked to directional benchmarks.
These settings were qualitative, and conveyed how the Group
would position itself over the plan period, having regard to the
■ 65
internal and external environment. It effectively sought to pro­
vide direction on whether we were prepared to take more or
less risk. By describing this posture, both in language and visual
form, we provided an anchor point from which to develop the
Risk engagement with the business units about the respective
risk appetite.
After defining this "risk posture," it became easier to debate
where we should be, or wanted to be, in terms of a risk stance.
This debate could be had at both the Group level and at each
business unit recognising differing market positions, strategic
capability and priority and external conditions which vary mark­
edly across our Group. It provided a framework for the Execu­
tive to do this in a manner that was more readily understood
without reversion to the traditional language of risk (limits,
metrics, etc.). As such, it elevated the richness of the discussion
and gave new impetus to the role and purpose of risk appetite.
By forcing this discussion around the appropriate posture, given
both the subsisting circumstances and our capabilities and con­
straints, the linkage to the plan was more easily understood. It
also ensured that once a particular posture was agreed upon,
risk appetite and settings could be more explicitly linked to
the strategy.
For 2009 the initiative around risk posture was "after the event"
as the plans were by then already substantially completed. Since
then, we have sought to set the risk posture (and associated
guidelines) ahead of the planning process so as to provide the
businesses with appropriate direction.
Importantly, we seek to describe the risk posture for each line of
business and bring these together to reflect the overall Group
position. Debate around posture occurs both when we start
Conservative Neutral Expansionary
66 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
planning (to signal direction) and when planning is finalised (to
assess whether plans reflect the agreed upon posture). This
debate occurs between all stakeholders, including the Board,
and can best be described as interactive and iterative. There
are a number of stage gates during the planning process where
we revisit the posture assumptions and positioning. More for­
mally, we submit three RASs a year to the Board, each showing
changes in the posture relative to prior periods (for both the
businesses and the Group).
As we evolve our thinking on posture, we see opportunity to
further enhance and enrich the discussion. To this end we are
trialling whether the description of a risk posture statement
for key risks (e.g., credit, operational, market, reputation, etc.)
and for major business activities would enhance messaging. A
direct benefit in developing this thinking is that it forces broader
engagement with all stakeholders and raises awareness around
risk appetite.
Along the Path-Completing the Picture
Whilst describing a risk posture was a catalyst for increased
debate at Executive and Board level, and one that has seen the
quality of discussion around risk appetite increase throughout
the Group, other developments have also been important.
A key development has been increased engagement by Risk
with the Strategy and Finance teams in the development of the
strategic, financial and risk parameters established for the plan­
ning process. This has allowed us to more effectively integrate
risk appetite into the planning process, as businesses see the
three key Group functional stakeholders (in risk, finance and
strategy) more closely aligned and linked in their messaging
around the drivers of financial outcomes. From a Board per­
spective, increased engagement between the Group func­
tions has provided comfort that the strategies and business
plans more effectively reflect a risk lens.
This has also allowed for more effective review and challenge
throughout the planning process (over some 6-8 months) in
order that plan outcomes reflect not only the financial expec­
tations but also the risk appetite. Where they are outside this,
adjustments to either the plan or the risk appetite are made.
This integration and the role of the RAF in the planning cycle
are shown below in Exhibit 4.1.
As discussed above, the concept of a risk posture has
allowed Risk to more effectively communicate with strategy
and finance. We have also developed the concept of "key risk
them es" within the RAS, which are the most important risks
(or "categories" of risk) facing the Group at any time. They
complement thinking around Group strategies, form a basis
for identifying the most relevant points of vulnerability in the

Rik Appetite, Fisnancial Plan
and Strategy are integrally
connected
All three communicate risk /
reward 'trade-off^ to be
made, though with different
Capital ft funding language
Exhibit 4.1 Risk a p p e tite in th e planning cycle.
plan and provide a framework for thinking about risk mitigation.
In addition, because they are described in common language
rather than technical terms, they provide a more broadly under­
stood link for those outside the Risk community.
Having established the role of "risk posture" (a qualitative risk
setting description) in risk appetite we have also sought to
enhance our thinking around the more quantitative aspects of
the RAS, in particular:
• setting a "risk budget" in terms of economic capital; and
• describing operational "risk settings" to further enhance
the communication with bankers.
The "risk budget" is described in economic capital terms and
sets our maximum risk taking capacity. Reflecting the posture,
it establishes a limit in advance on the use of our available risk
capital to support business activity. Allocated to the businesses
by risk class (e.g., credit, market, operational risk, etc.), it pro­
vides a quantitative boundary for planned activity. Actual use
of economic capital is then measured against these limits. This
approach has served as a trigger to review increased business
activity in certain areas where economic capital limits were likely
to be insufficient to support the proposed activity.
In the past, economic capital would not have acted as such a
constraint as it had always been an outcome of the plans (i.e.,
the agreed upon plan used "this" amount of economic capital)
and as such was not seen as a limit on activity or as a trigger
point for a decision.
Having set a "risk posture" (qualitative) and a "risk budget"
(quantitative), we then establish "risk settings" to further pro­
vide guidance as to the risk tolerances within which the Group
should operate. These risk settings are represented by limits,
policies and procedures and other setting statements and are
more operational in nature. They are at different levels of granu­
larity depending on the messaging required.
Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
This approach to the RAF is shown below.
Whilst the framework for the RAS and risk appetite was evolv­
ing, we were conscious that communication through to bankers
remained a challenge. The language of the RAS is targeted at
the Board, Executive and Senior Management. Beyond this,
the language is less appropriate for day-to-day activity. Not­
withstanding, it is clear that effective communication to bank­
ers needs to occur in some form if the RAS is to fulfil its role of
"Board to Banker" understanding of risk appetite.
To this end we have sought to engage businesses in preparing
their own "risk-setting statements" (RSSs) that can be more
granular and effective in communicating messages to all levels
of the business. Whilst these clearly need to align to the RAS,
they provide more latitude to effectively communicate to a
broader audience. Although some progress has been made, this
remains a work in progress.
Lessons Learned-Successes and Challenges Along
the Way
The developm ents described above have been interactive
with enhancem ents to both the RAS and the fram ework
occurring as we progressed. In the course of our journey,
the absence of an "off the shelf" solution has meant we
have spent significant time discussing what works and what
doesn't. Our approach has always been to dem onstrate
ongoing steady im provem ent rather than coming up with the
"com plete solution." Given the uniqueness of the issue, the
m ultifaceted nature of the challenge and the relative interest
and needs of stakeholders, we have concluded that this is not
achievable. Rather, ongoing developm ent and refinem ent will
lead to better outcom es.
Against this backdrop, there are lessons we have learnt along
the way that have shaped, and continue to shape, our thinking.
The things that have led to significant improvement for us
include:
• fostering leadership of the debate on risk appetite from
the C E O , the CRO and the Board Risk Committee;
• fostering a receptive internal environment. The organisa­
tion has worked hard on its culture over time and has a
strong emphasis on teamwork, collaboration and enter­
prise thinking. This, alongside the wake-up call issued to
all parties associated with the financial services sector
(arising from the global financial crisis and its aftermath),
has enabled more sophisticated and planned discus­
sions and analysis on the forward outlook for risk and the
environment and our response through posture, appetite
and strategy;
■ 67
 Risk settings
Existing Customer Controls
Outlook
franchise needs
• Models • Hurdles
• Trading (e.g. x-sell,
lim its return, LVR,
etc.)
Potential • Op. loss
• Policies
rewards tolerance
• Audits

Limits
Confidence in • Industry • Equity
capabilities • Country • Product
• Market • Liquidity
. IRRBB • etc.
Expectations
for return
Processes / procedures
• Making • Custom er
decisions onboarding
• Product • Training
exposu re
monitoring
Risk^aking Regulatory Legacy
capacity constraints assets /
Messaging
liabilities

Not all risk settings are in the R A S -b u t all are w ith it

Exhibit 4.2 From risk p o stu re to risk b u d g e t and actual risk se ttin g s.

• identifying a single, dedicated team with accountability
for the RAS and the broader framework has allowed us
to attain consistency in approach and provide the impe­
tus for innovation;
• separating discussion of risk appetite into three parts,
each of which are linked but serve a different purpose:
risk posture, risk budget and risk settings;
• integrating the risk appetite and RAS with the strategic
and financial planning process;
• increasing the dialogue with the business units around
their view of risk posture;
• delivering three RASs to the Board with the cycle and
content linked to the planning process. This has allowed
for more regular Board discussion on risk appetite and
has reinforced the link between risk appetite and the
business strategies and plans. The Board now sees more
careful consideration of the implications of proposed
actions and activities on the Group risk profile and its
relation to the Group Risk Appetite and evidence of risk
appetite thinking in its discussions with management;
• supplementing the RAS and associated discussion with
risk workshops and targeted risk papers for the Board,
has assisted the Board in linking risk appetite to the busi­
ness activities and the portfolios;
• engaging with our Regulator;
• identifying key stakeholders in the business to champion
risk appetite discussion; and
• maintaining the ongoing commitment of key stakehold­
ers such as the Board and senior executive.
Most important, we can already say that in the past few years
the outcome of a number of material strategic decisions taken
by the Group were significantly influenced by the framework
described above.
As there are diverse views around the approach to risk appetite
(and the RAS) our journey has not been without challenges.
Some of the more significant challenges have been:
• balancing the desire for quantitative or prescriptive crite­
ria to define risk posture with the flexibility and generality
that qualitative, "principles-based" definitions provide.
We have responded by developing a number of quantita­
tive metrics which are "indicative" of risk posture whilst
avoiding the trap of attempting to define it formulaically.
• choosing the appropriate metric for each application.
For example, economic capital is the metric for risk
"budgeting" across the Group, but other metrics are
more useful for other applications, such as exposure lim­
its, trading desk limits, industry or country credit expo­
sure limits, etc. Our response has been not to promote a
single all-encompassing risk metric but rather to identify
the most appropriate risk metrics for each purpose.

68 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
 • whilst used as the measure of risk budget, the use of
economic capital still remains a challenge. We continue
to use it given its historic link to past RASs, ICAAP and
the fact that most measured risks can be quantified in
economic capital terms (albeit there is always debate
as to the voracity of the number). Notwithstanding this,
most stakeholders still have little engagement with eco­
nomic capital as a meaningful metric to measure risk
performance against. The proper place and purpose of
economic capital as a useful tool in the RAF continues to
be a focus.
• never allowing the sole use of "risk adjusted" metrics
(like economic capital, RWAs and VaR) to lead us to lose
sight of the underlying nominal exposure behind each
risk. Banks lose dollars, not economic capital— and the
same can be said of shareholder dividend payments— so
we always seek to ensure visibility of unadjusted expo­
sures when discussing any risk.
• integrating meaningful stress testing into the risk appe­
tite and planning framework, including setting limits
more systematically and drawing insights from the
results, which is a task that is still a work in progress; and
• balancing coverage of credit risk (our largest single
risk type), with other material risks (such as operational
or reputation risk), which are less easily quantified or
described. As with stress testing, this is still a work
in progress.
Where We Go from Here-Further Increasing the
Value of the Risk Appetite Framework
The journey never ends. Whilst we have made progress, we
are of the view that further enhancements can be, and will
be, made to our RAF to increase its effectiveness within the
Group. In recent discussions with stakeholders, including
Board members, a range of issues have been identified that
would further enhance the impact of the RAS and associated
framework including:
• further progressing the discussion around stress testing,
scenarios and responses and incorporating this more
robustly into the planning process;
• continuing to complement the use of economic capital
with consideration of other key measures such as regula­
tory capital and simple, unadjusted exposure;
• enhancing how the risk appetite shapes portfolios from
a top-down perspective, with analysis on why such deci­
sions would be taken— e.g., matching external risks with
portfolio shape and defining "where we want to be"
Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
from a risk portfolio perspective, not just our limits, bud­
get and tolerances;
• further linking the "return-on-risk" (as opposed to return­
on-capital) with the risk appetite;
• using the RAS to further enhance transparency around
trade-offs in respect to choices between strategic priori­
ties, investments and risk levels we are prepared to accept;
• continuing to develop the framework for defining "risk­
setting statements" (RSSs) within the businesses; and
• explicitly linking changes in external environment to
changes in risk appetite.
Conclusion-Reflecting on the Journey
The key for National Australia Bank in advancing the RAF has
been:
• identifying dedicated resources for accountability;
• developing a standardised risk language around posture,
appetite, settings;
• aligning Risk with Strategy and Finance;
• fully engaging Risk as key participant in the planning
process;
• continuing to develop thinking around the RAF by
engaging with the key stakeholders; and
• seeking ways to broaden the view and understand­
ing of risk appetite so others feel more engaged in its
development.
The benefits from the advancement of our RAF and the align­
ment on issues of strategy, finance and risk have elevated the
quality of debate around risk profile and the linkages with the
current and targeted risk profile. Our approach has been to
develop our risk appetite framework in a manner which meets
our organisational needs, reflecting our experiences and our
level of maturity. We have taken an evolutionary approach to
ensure we bring the organisation along at a pace that will more
deeply embed the RAF into our organisational culture and
processes. We know that if we pushed the pace of change too
rapidly, and without the appropriate engagement and consulta­
tion with the business units, our efforts would not be as suc­
cessful. We know this because we hear and observe many more
discussions and debates around risk appetite today than in the
past. Our internal culture has aided the development of the Risk
Appetite framework and at the same time, the Risk Appetite
framework assists in continuing to define, describe and shape
our risk culture. The challenge is to remain vigilant to ensure that
we continue to learn and adapt our thinking reflecting where we
are at and where we want to be. We cannot be complacent.
■ 69
Scotiabank-A Canadian Experience in
Setting Risk Appetite May 2011
The year 2008 marked a strategic inflection point for the
world's view on "risk." The financial crisis compelled the
Risk Management discipline in global financial institutions to
re-assess every method and assumption em bedded in their
processes. Three years later, we can all reflect on how financial
institutions have evolved their risk frameworks, including, to
various degrees, a deliberate, robust and clear expression of
"risk appetite."
This case study captures the challenges and lessons in the
design and implementation of a Risk Appetite Framework at
Scotiabank (the Bank). Today Scotiabank considers implementa­
tion of their Risk Appetite Framework to have been successful.
For perspective, however, Scotiabank was not starting at the
beginning. It already had a risk appetite position embedded in
its strong risk culture that had served it well through the finan­
cial crisis. Nonetheless, Scotiabank recognized the potential
value of a more clearly defined, comprehensive Risk Appetite
Framework based on governing financial objectives, risk prin­
ciples and risk appetite measures. Scotiabank integrated these
key dimensions into an enterprise-wide framework, strength­
ening its overall approach to governing risk-taking activities.
The Risk Appetite Framework was approved by the Bank's
Board of Directors in early 2010. The journey of evolving that
Framework continues.
Enterprise Risk
In 2006 the Bank created an Enterprise Risk function with a man­
date of linking capital capacity, revenue and risk-taking across
the various risk types (e.g., credit, market, liquidity, operational
risk, etc.). The first priority of the new team was the develop­
ment of appropriate and actionable risk metrics. From there, a
comprehensive information package was developed for regular
reporting to senior management and the Board on all risks span­
ning the entire Bank against key Board-approved risk limits,
globally, creating a clear picture of the Bank's risk exposures.
Additional priorities included further development of the Bank's
credit risk strategy. With these developments, the Board was
more informed and could become more engaged. Together,
these risk limits, and various risk reporting aspects, helped
senior management articulate to the Board the amount of risk
being taken at the institution.
By 2008 it was evident that a broader strategy was required.
Risk Management at the Bank was still, to a large extent, siloed
by risk type. The inter-connectedness of risks was only begin­
ning to be aggregated. And various dimensions of financial
performance and strength were not consistently being viewed
70 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
through a risk lens. Risk managers across the industry began giv­
ing more consideration to defining risk appetite as a guide for
decision-making— to frame how much risk their firms were will­
ing to take on in the context of executing their business strate­
gies and in the drive for value.
A t the tim e, Scotiabank participated in a Canadian bench­
marking survey, conducted by D eloitte, as one input to
defining appropriate practices. The study confirmed that risk
appetite was an active area of focus for the banks and that
formalization would take the form of a Board-approved fram e­
work with ties to capital m anagem ent and other management
activities.
There is general industry consensus on the meaning of "risk
appetite" and the importance of distinguishing it from risk
capacity. The broadly held view is that risk appetite is an expres­
sion of the desire to take risk and, implicitly, a statement of
how returns will be earned against that risk. It is, in effect, a
key part of the contract between senior management and the
Board . . . and the shareholders they represent. Risk appetite is
clearly distinct from risk capacity, which is the ability of the firm
to withstand risk events. However, that seems to be where the
industry consensus ends. To date there is no common approach
beyond definitions and key elements of a framework at the cor­
porate level.
Setting Context
The Bank's most senior executives were actively engaged in
industry discussions relating to risk, implications of the global
crisis and the subsequent way forward for the industiy. Senior
executives became involved in 11F benchmarking efforts, sup­
ported by a broad cross-section of management.
The Enterprise Risk mandate was expanding in several ways. In
addition to becoming central support for the EF benchmarking
analysis, the team began integrating risk measures from across
the firm. They started to serve as a clearinghouse for all types
of risk information, and as a risk communications channel for
senior management and the Board. Without a more defined Risk
Appetite Framework, however, the risk reporting lacked context.
So the team conducted an internal assessment of what was in
place and confirmed the following:
• The Bank already had an implicit risk appetite embedded
in its strong risk management culture. At Scotiabank, the
risk culture is anchored in a long history of who we are as
a lender, from our early days of financing North Am eri­
can Eastern Seaboard trade to the launch of our first per­
sonal loans in 1958, and continuing today with market
leading financing programs around the world. Our deep
experience in lending has embedded a focus on capital
 preservation that spans the full spectrum of risk . . . mak­
ing risk management a strategic priority shared by all
employees. Today, a key aspect of this culture is to be
well-diversified across business lines, countries, products
and industries. Another key element of the culture is
the relatively long tenure of employees. For example, of
Canadian-based managers— people in decision-making
roles— over one-third have been with the Bank more
than 20 years. And the Executive Management Commit­
tee's tenure is even longer. Based on that deep experi­
ence, senior management has a strong sense for what
would be "offside" relative to the cultural norms estab­
lished over almost one hundred and eighty years;
• Existing limit structures were, in effect, a network of
contracts already in place between Risk Management,
the Business Lines and the Board on what risks could be
taken, or not; and
• Business lines clearly owned risk, complemented by highly
centralized decision-making on risk policy setting and sig­
nificant transactions through executive committees.
However,
• The existing limit structure was com plex and not codi­
fied in any way that made it straightforward to com­
bine and report the total risk taking activities to the
Board; and
• There was no explicit statement of the objectives
and principles that governed the Bank's decisions for
risk-taking.
Most experts on "risk appetite" acknowledge that the develop­
ment of a framework should engage senior management in the
Risk Management function and in the Business Lines, as well as
the Board. However, the biggest obstacle to developing the
framework and implementing it can be the lack of consensus on
what risks are appropriate for the firm and the extent of controls
needed to mitigate the risks. So, when there is broad apprecia­
tion of an established risk culture along with specific risk-based
contracts already in place between the stakeholders, the task
of designing and implementing a risk appetite framework is
already well advanced.
Diving In
The first iteration of the Risk Appetite Framework involved
selection of existing quantitative metrics (covering Board-
approved risk limits, performance targets and capital targets) as
key indicators of the Bank's risk appetite and actual risk profile.
The indicators were consolidated and incorporated into the
Capital Management Policy. By the end of 2008, however, it was
evident that a more complete policy was needed.
Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
Development of the next iteration of the Framework focused on
a few key areas:
• The context of the Bank's governing financial objectives
and strategic principles;
• Articulation of Risk Management principles (qualitative
attributes) that would guide the Bank's overall approach
in risk-based activities;
• Bringing into focus a limited number of risk measures
that were considered essential objective expressions of
the Bank's risk profile, along with corresponding target
ranges; and
• Establishment of monitoring and reporting structures.
Development of the Risk Appetite Framework was driven by
Risk Management in collaboration with a broad range of stake­
holders. Finance was a pivotal partner in the work as they had
overall management of the Bank's Balanced Scorecard (more
recently moved to the Strategic Planning Office). As well,
Global Human Resources ensured that employee incentives are
linked to performance, and that risk performance is taken into
consideration. Engagement of senior management in the Busi­
ness Lines was a key part of the review and approval process.
The Bank's Asset & Liability Committee served as the forum
for review prior to presentation to the Executive Management
Committee, and ultimately the Board.
The approach could be relatively expedient based on a few
factors:
• The well-established risk culture;
• The independence of the Risk Management oversight
function; and
• The specific limits to be brought into the Framework
could be largely to be drawn from the network of exist­
ing controls.
The Framework that emerged from the discussions had two sides: a
qualitative, principles-based component, and specific risk measures
in key risk disciplines. More specifically, the structure was under­
pinned by sound risk governance, followed by the Risk Appetite
Framework itself. The use of risk management techniques was con­
sidered to be another key component, including the strategies, pol­
icies, limits, processes, measurement and monitoring tools which
Risk Management implements. These risk management techniques
are deployed across the spectrum of risk disciplines covering credit,
market, liquidity, operational and reputational risk. Finally, the
entire structure is underpinned by the Bank's strong risk culture.
Operationalizing the Framework
With the Framework generally agreed upon, the risk measures
were operationalized through quarterly monitoring, including
■ 71
comprehensive Board reporting. This practice helped to
consolidate risk reporting and to bring into focus the Bank's
performance on the risk contract between management and
the Board.
Functionally, the Bank implemented the principles component
of the Framework by referencing the Framework in policies such
as the Capital Management Policy and by communicating the
risk appetite principles to the Board, Executive, Senior Manage­
ment and shareholders via the "Management's Discussion &
Analysis" section of the Annual Report.
Through established policy groups, the Framework was cas­
caded to major international subsidiaries.
The Framework was initially socialized externally with local regu­
lators and at a "College of Supervisors" and was included in
presentations with rating agencies.
By 2010, formalized processes were being put into place for
ongoing internal discussion. Annually, the Framework is now
shared with the senior team responsible for Bank-wide strategic
planning development—the Strategy Working Group— which is
made up of Senior Vice Presidents and C FO s for the Business
Lines and Corporate Functions. As well, the Framework has
become a lens for reviewing the strategic plans of each Business
Line in the Executive Management Committee's annual strategic
planning process.
• avoidance of excessive concentrations, and
• ensuring that risks are clearly understood, measurable
and manageable.
2. Strategic Principles provide qualitative benchmarks to
guide the Bank in its pursuit of the Governing Financial
Objectives, and to gauge broad alignment between new
initiatives and the Bank's risk appetite. Strategic principles
include:
• placing emphasis on the diversity, quality and stability of
earnings;
• focusing on core businesses by leveraging competitive
advantages; and
• making disciplined and selective strategic investments.
3. Governing Financial Objectives focus on long-term share­
holder value. These objectives include sustainable earnings
growth, maintenance of adequate capital in relation to the
Bank's risk profile and availability of financial resources to
meet financial obligations on a timely basis at reasonable
prices.
4. Risk Appetite Measures provide objective metrics that
gauge risk and articulate the Bank's risk appetite. They

Evidence of Change
The value of formalizing the Risk Appetite Framework is best
illustrated by the change in Scotiabank's Annual Report to
shareholders. Prior to 2008, there had been no discussion of risk
appetite. By 2010, the Annual Report contained several pages
directly connected to the new Risk Appetite Framework, cap­
tured here:

In discussing Scotiabank's overarching Risk Management Frame­

work, the Bank is now more able to enunciate the relationship of
risk governance, risk appetite and risk management techniques
and the foundation of these in the Bank's strong risk manage­
ment culture.

2010 Annual Report Risk Management _ ^ ^. .

. Strategic Principles
The Report notes that the Risk Appetite Framework consists of
four components and elaborates on each:

1. Risk Management Principles provide the qualitative founda­

tion of the Risk Appetite Framework. These include:
11 Risk Appetite
Framework
\

• promotion of a robust risk culture,

• accountability for risk by the Business Lines, Governing Financial Risk Appetite
Objectives Measures
• independent central risk oversight,

72 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
 provide a link between actual risk-taking activities and the
risk management principles, strategic principles and gov­
erning financial objectives. These measures include capital
and earnings ratios, market and liquidity risk limits and
credit and operational risk targets.
Strategies, Policies Guidelines, Processes
8t Limits Et Standards
Risk Management
Techniques
Measurement,
Monitoring
8t Reporting
• Risk management techniques are regularly reviewed and
updated to ensure consistency with risk-taking activities, and
relevance to the business and financial strategies of the Bank
Key Benefits, Challenges and Future
Considerations
The Framework is envisioned as a living document that will
undergo periodic review and update. The Bank considers it to
be an evolving guideline that will continue to be disseminated
internally and which will find expression in additional policies,
strategies and risk management practices in the future.
The biggest benefits of defining the Risk Appetite Framework
for Scotiabank have been that it provides greater transpar­
ency of the key objectives, principles and measures defining
the Bank's appetite for risk in the pursuit of value, and it has
enabled greater awareness and more effective communication
with internal risk decision-makers and external stakeholders.
This "case" captures how the development of a strong and
functioning Risk Appetite Framework can be accomplished in
the setting of a strong, existing risk culture where there is a
deep network of established controls, limits and risk oversight
structure. The development of the Framework was the straight­
forward part. Work continues on key challenges around imple­
mentation and further alignment.
The key challenge continues to be a combination of 1) aware­
ness and application of the Framework within the Business
Lines, and 2) finding the right balance between broad principles
and granular guidance for day-to-day decision-making with line
management throughout the Bank.
In terms of awareness, the program was launched with "road
shows," but more communication work needs to be done to
Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
evolve from reliance on the culture and norms, to embedding
the Framework as the more clearly defined and rigorous context
for decision-making.
As for "the right balance," there still needs to be linkage
between the high-level principles and metrics as expressions
of risk appetite at the top of the Bank and the risk indica­
tors and limits deployed at a business unit level. While some
measures of credit and market risk have been allocated to
businesses, others, including most measures for operational
risk are not easily aggregated, nor divided. As such, the Bank
(and the industry) continues to work at an effective way to link
certain "top of the house" measures with business specific risk
performance measures.
Additional work also remains to further integrate the Risk A p pe­
tite Framework with other risk policies and the enterprise-wide
stress testing program.
Ultimately, Scotiabank's test of an effective Risk Appetite
Framework is that it fits the organization; the Board under­
stands it; management is having good discussions reflecting
both qualitative and quantitative measures; decisions are made
and action is taken; and sustainable long-term earnings growth
is achieved.
Risk Appetite Framework Development
at the Commonwealth Bank of Australia
Background
Within the Commonwealth Bank of Australia (CBA) Group, risk
appetite had always been part of the risk vocabulary. However,
historically there has been little documentation of a formal
framework. During the mid-2000s some attempts had been
made to define the framework but it was not until the appoint­
ment of the new Group Chief Risk Officer in 2008 and the
actions of an energetic Board Risk Committee chairman that
the need for a formal, Board-owned risk appetite foundation
gathered real traction. Consequently, a project to develop a
risk appetite framework was launched at the start of 2009 and
this case study covers the various stages of its development
to date.
What Do We Mean by Risk Appetite?
The first challenge was to understand what was meant by risk
appetite. Internal discussions revealed many different interpreta­
tions of what was meant by risk appetite. Furthermore, publicly
available disclosures from banks and financial institutions around
the world also appeared to use the term in different ways.
Annual Reports often referred to "acting in accordance with risk
appetite," but nowhere was the risk appetite defined.
■ 73
We felt that part of the reason for the lack of traction in previous
attempts to establish a risk appetite framework was the lack of a
common definition of "in what terms" risk appetite was defined.
A clear conceptual definition was therefore required.
This led us to define risk appetite as: "The types and degree
of risk the Group is willing to accept for its shareholders in its
strategic, tactical and transactional business actions." That is,
appetite was expressed as a boundary on risk taking activities
that defines where we do not want to be, rather than where we
want to be. We liken it to the outer boundary markings on a
sports field-we don't mind where you play as long as you don't
go outside of this boundary.
This contrasts with the amount of risk you are able to take (a
capacity for risk taking), the amount of risk you wish to take (a
target for risk taking) and, of course, the actual risk profile (the
amount of risk you are actually taking). All these alternative
expressions add characterisation to our risk taking capabilities
and exposures.
If the role of risk management is thought of in terms of both
protecting the organisation from unwanted outcomes and
advising the organisation on how to optimise its risk/return out­
comes, then risk appetite is supporting the protection role of
risk management; the optimisation of risk and return is part of
the advisory role of risk management and is addressed by assist­
ing business set their target risk profile.
Monitoring risk levels then becomes one of monitoring the
actual risk profile against target levels that have been set to
optimise risk-adjusted returns within the risk appetite boundary.
This is illustrated in Figure 4.1.
The Group actively uses these types of "spider" diagrams in its
business unit and Board dashboards to good effect.
With a clear concept established, we could turn attention to the
terms in which we should express the risk appetite boundary
Spare Risk Risks actively
Capacity sought
Dimension 5 Dimension 2
BOUNDARY
(APPETITE)
Actual Risk r
f Target Risk Profile
Profile / l (Strategy)
Dimension 4 Dimension 3
® CBA Group
F ig u re 4.1 T h e risk a p p e tite co n ce p t in C B A
74 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
and, just as important, how we could establish the Board's views
on this.
Board and Management Engagement
The Group's risk appetite needs to be owned by the Board. We
were aware that getting effective engagement and ownership
of the Board depended on us taking the Board along the devel­
opment road with us rather than either presenting a document
for them to rubber stamp or other actions that lowered Board
member personal investment in the outcome.
Our approach was to have a series of structured conversations
over a period of months with the Board. The first of these was
conducted as an interactive voting session to gather anonymous
views from all Board members on a number of key questions
regarding outcomes for the Group that they would be least will­
ing to accept. This involved selecting various absolute measures
as well as ranking various potential outcomes. Where answers
were not well aligned between Board members a staff-facili­
tated discussion was used to arrive at an acceptable consensus
view. We found that questions requiring ranking of choices
added clarity of insight on Board appetite. A fear by staff that
the Board would collectively adopt a highly conservative risk
outcome did not happen, but we prepared the Board by talking
about appropriate risk-taking as key to profitable growth.
Armed with this base input we were able to translate the Board's
views into what we believed was the risk appetite that they had
expressed. This was written up and presented back to the Board
as a draft Risk Appetite Statement for their further discussion and
refinement over a series of further Board meetings. In the latter
stages nuancing of the words became more and more prevalent,
but by starting the Board engagement without a draft document
the initial conversations had concentrated on the concepts rather
than the words.
The same interactive voting session was first trialled with a sub­
set of the Group's management Executive Committee. Interest­
ingly, the views of management were less well aligned than they
were amongst the Board members.
Content of the Group Risk Appetite Statement
At C BA the risk appetite is defined by a combination of the
Group Risk Appetite Statement (RAS) and the supporting Group-
level risk policies, such as the credit concentration policies, which
define specific limits aligned with the RAS principles and metrics.
The RAS covers three important areas:
• The conceptual definition of risk appetite for the Group;
• Risk Culture; and
 • The risk-taking boundary— specific boundaries
(expressed in both quantitative and qualitative terms) for
major risk drivers, together with expressions on how par­
ticular risk types are controlled.
Having an appropriate "Risk Culture" is viewed as absolutely key
to effective risk management. The RAS sets down a high-level
statement of intent with regard to risk, i.e., what we stand for
in risk terms (e.g., the business, not Risk, manages and own the
risks), and the expected behaviours of employees with regard to
risk. The aim is to ensure that the right people own the risk and
support the desired risk outcomes.
The approach to defining the culture was no different to the
other content in the RAS— we asked the Board questions about
the culture and behaviours they expected and then drafted
content that we thought reflected their responses. The result
was a single page containing around 10 cultural and 6 behav­
ioural principles relating to risk, which was edited based on
Board responses to it. Exam ples of the types of topics that we
cover are the need to understand and appropriately price for
risk and a culture where it is safe to call out mis-management of
risk by others.
In order to embed the desired culture there was a need to link it
to the remuneration system and this has been addressed in two
main ways:
The Board asked, as one element of aligning with the regula­
tor's requirements, that risk management opine on compliance
with these principles for their consideration in setting executive
incentive awards; and
The Group's internal staff performance review system opens
with the requirement to consider whether an individual's key
performance has been achieved by operating within the culture
and boundaries of the Group's and the relevant business units'
RAS.
The risk-taking boundary includes qualitative expressions of
"risks to which the Group is intolerant" together with more
quantitative limits for key financial outcomes for the Group.
exposures/outcomes that we do not wish to experience but
recognise are not 100% preventable. Where they arise the RAS
commits us to take rapid and comprehensive action to minimise
the chance of reoccurrence.
Having developed the content of the Group RAS with the
Board, an important second step was to validate the alignment
of the existing Group-level risk policies, and in particular the
limits contained within those policies, to the RAS. These poli­
cies complete the definition of the overall risk appetite. The
RAS metrics are now one of the key drivers of the limits that
are included in risk policies, for example, the counterparty,
industry and country limits within the credit concentration policy
framework.
Cascading of the Risk Appetite
By necessity, the Group-level risk appetite is high level and
requires translation into more specific and meaningful terms for
a particular business unit.
The approach to this was to make the head of each business
unit— not the Chief Risk Officers of the business units—
accountable for developing an equivalent RAS for their business
unit. The RAS would need to be both aligned with the Group
risk appetite but also specific to the characteristics of their busi­
nesses. This responsibility was an important part of the cultural
change, with the business themselves rather than Risk Manage­
ment being responsible for the risks being taken on and for their
outcomes.
Board members read these documents to test their specificity
to the activities of the business unit, and also as a lens through
which to view the strategies presented by businesses.
Bedding in R A S
requires c a s c a d i n g
Principles Supporting limits

The "intolerant" concept arose from conversations with the

Board and management about incentives and consequences <
Qi_

of operating outside of appetite. If we were to say that we had Q_

•

n>
CD

zero appetite for particular risks (e.g., fraud) and we aligned o

n
-n

performance assessment and incentives to operating within —

oT
appetite, then a fraud incident should have remuneration 3
n>
CQ

implications. This could create the wrong behaviours (either

spending disproportionately on preventing fraud or non­
reporting of fraud incidents) and so, rather than talk about zero
appetite, the concept of intolerance was developed. These are F ig u re 4 .2 Risk a p p e tite co m p o n e n ts and cascad in g

Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions ■ 75

Link to Strategy
A major element of the overall risk appetite framework is the
interaction between risk appetite and strategy. The formal align­
ment and interaction of these two elements had not previously
been built into the operations of the Group.
The first point of connection is that both appetite and strategy
should be aligned with the Group's vision and values. Beyond
that the appetite is setting boundaries on risk taking activities
while strategy is seeking optimal use of the Group's resources
in response to the evolving environments in which we oper­
ate. Each should be challenging the other. Equally, reading one
should give knowledge of the other. These concepts are illus­
trated in Figure 4.3.
The building of the consideration of risk appetite into the
Group's formal strategic planning process has been a significant
step forward. However, it is not just in a formal way that risk
appetite has impacted decision making across the organisation.
The referencing of decisions as being aligned with or outside
risk appetite is now becoming part of the everyday conversa­
tions around the bank. Even more gratifying is to hear people
often talk of the need to reassess the risk appetite in light of
opportunities that are presented, which creates an evolving and
productive challenge to current RASs— leading to keeping RASs
fresh and appropriate.
Successes to D ate
There have been several aspects of the development of risk
appetite that have worked well and translated into meaningful
benefits for the Group:
• Firstly, the approach to engaging with the Board led to a
strong sense of ownership and a depth of understanding
of risk appetite by the Board that would not otherwise
have been achieved.
Bedding RAS in...
Links it to other critical elements in a risk framework
CBA Group Vision and Values
• By setting clear Risk Culture expectations in the Group
RAS and putting ownership for developing business unit
RASs on the heads of the business units (rather than the
business unit risk teams), there has been a cultural shift
in the ownership of risk from Risk Management to the
businesses. Business units now act with clearer responsi­
bility (ownership) for the risk they take on.
• The incorporation of the review of risk appetite as part
of the strategic planning process, and the presentation
of strategic plans, formally accompanied by recently
agreed upon risk appetite statements, to both manage­
ment and Board has brought risk appetite considerations
form ally into key decision making and strategy setting
discussions.
• The understanding of the interaction of strategy and
risk appetite has changed previously held views that
risk appetite was a barrier to progress, and in particular
that it could not be challenged or changed. A lot of
work has gone into explaining the connection between
strategy and appetite and the important way that they
are brought together in strategic planning, to give both
management and the Board transparency over decisions
either to amend the strategy to align with the existing
appetite, or the appetite to allow the proposed strategy.
The joint consideration and refinement of strategy and
risk appetite is now part of business as usual. (See the
"Assess & Revise" arrows in Figure 4.3.)
• By establishing clear boundaries, Business units under­
stand what is outside appetite and therefore do not pur­
sue these opportunities, leading to a reduction in both
wasted effort and frustration.
• By bringing the requirement to operate into align­
ment with the Group and local risk appetite statements
into the performance management and remuneration
framework, risk appetite has achieved a high level of
awareness and influence on behaviours. Key behaviours
are found in the Group RAS, e.g ., responsibility to raise
issues, protection for doing so and "no harm" to people
who raise false-positive issues.

0 4

Group Strategic Plan

Assess
et Group Risk Appetite Continuation in the Evolution of Risk Appetite
Revise Statement/Policies
Although considerable success has been achieved in the risk

$: K J appetite journey so far, we are cognisant that there is more

BU1 | to be done in developing the maturity of risk appetite across
BU [ BU2 | Business Unit
Risk Appetite the Group.
#
Strategic BU3
fitoup v
BU 4
Plans Statement/Policies
• By necessity, the Group RAS is high level and principle
Fiq u re 4 .3 T h e critical link b e tw e e n a p p e tite and based in nature. The challenge is in cascading this
strateg y. to lower levels in a way that makes it meaningful in

76 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
 day-to-day decision making on the front line. Business
units are developing risk parameters for lower level
portfolios/products that will translate the limits/prin-
ciples established in the Group and business unit RASs
into meaningful limits for staff working in these areas.
This will allow a more granular inclusion of RAS con­
sideration into performance assessments and incentive
payment outcomes.
• There has been some initial reluctance by some busi­
ness units to set the hard quantitative boundaries
required to help define risk appetite. This may be
partly due to the presence of a formal policy limit set­
ting fram ework, plus a previously held view that once
set, RAS quantitative boundaries would be difficult to
change. (The Board actively assists in this matter by
engaging on proposed changes out of cycle to the
annual RAS review process.) Further work is needed
to include more specific quantitative boundaries for
these businesses.
• Further development is ongoing in adding clarity to busi­
ness unit RASs and strategies so that they become more
overtly complementary and aligned.
Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions
• The incorporation of stress testing outcomes into the
contextual setting of risk appetite is an area that we con­
tinue to develop.
Summary o f Key Lessons Learned
As the risk appetite has been developed a number of lessons
have been learned, the foremost of which include:
• Without sponsorship from the top it is difficult to get
traction in developing a risk appetite framework.
• Without a clear conceptual definition of risk appetite
there are many confusing and ineffective discussions
about risk management and we fail to get business buy-
in to the framework.
• The conversations around risk appetite are equally as
important and beneficial as the actual Risk Appetite
Statement document produced from them.
• Culture is a fundamental part of risk appetite and to the
success of embedding risk appetite in the organisation.
Taking the time to craft descriptions of what risk appetite
the Group and business units have for variance in risk
culture breathes life into risk culture.
■ 77
Banking Conduct
and Culture
A Permanent Mindset Change

Learning Objectives
After completing this reading you should be able to:

Describe challenges faced by banks with respect to Assess the role of regulators in encouraging strong conduct
conduct and culture and explain motivations for banks to and culture at banks, and provide examples of regulatory
improve their conduct and culture. initiatives in this area.

Explain methods by which a bank can improve its corporate Describe best practices and lessons learned in managing a
culture and assess progress made by banks in this area. bank's corporate culture.

E x c e rp t is rep rin ted from Banking Conduct and Culture: A Permanent Mindset Change, by the G 30 W orking G roup, 2018.

79
INTRODUCTION
This year marks the tenth anniversary of the 2008-09 global
financial crisis, an event that put banking culture and conduct
under the global spotlight. In the previous installment of our
series of reports on this topic, Banking C o n d u ct and Culture— A
Call for Su sta in ed and C om preh en sive Reform (2015), we put
forth a set of recommendations for banks, their boards and
BOX 5.1 DEFINITION OF CULTURE AND CONDUCT
In our 2015 report,* we defined culture as the mechanism that
delivers the values and behaviors that shape conduct and con­
tributes to creating trust in banks and a positive reputation for
banks among key stakeholders, both internal and external.
We used a fram ework that identifies key factors that deter­
mine two broad outcomes for a bank: (a) client and stake­
holder perceptions about the bank's reputation and services,
and whether the bank builds trust (among stakeholders
including em ployees, society, government, and supervisors);
and (b) financial performance, which rewards shareholders.
To achieve these outcomes, the bank starts with its history
(client franchise, brand, technology, and financial resources),
defines a purpose or strategy for the institution, and devel­
ops a unique culture that is the summation of values and
ethics, desired conduct standards, and implied behaviors.
Figure 5.1 provides a schematic summary of this framework.
Culture comprises not only conduct and behaviors, but also
the bank's values and ethics. While cultural norms and beliefs
cannot easily be measured, the conduct and behaviors that
the cultural norms encourage or discourage can be. In fact,
conduct can and should be observed, monitored, managed,
and incentivized. It is important to remember that while con­
duct and behaviors— that is, what people actually say and
do— are the only visible elements of culture, they are directly
INPUTS
C U LT U R E
Conduct & Values &
behaviors ethics
BAN K P U R P O S E & S T R A T EG Y
BANK HISTORY
Figure 5.1 Elements of a unique bank culture.
80 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
management, and supervisors, and promised to provide an
update on the progress major banks have made in implementing
our recommendations. This report provides that update.
We focus on two fundamental questions: (1) How much progress
has the banking industry made in culture and conduct (Box 5.1)
since the financial crisis, particularly since our last report?, and
(2) Where do we go from here? That is, in what areas should
banks continue to press on, and what evolving questions should
influenced by the less tangible elements, such as the bank's
unspoken rules, ideas, norms, and subconscious beliefs that
lie beneath the surface.
Managing culture thus requires understanding visible con­
duct and behaviors as well as the complex web of influences
that lie beneath them.
While conduct can be evaluated as good or bad, culture
itself cannot be. The culture of each firm is unique to that
organization and it is not empirically right or wrong;
rather, it has to be right for that organization. In that same
vein, firms that have had conduct issues or scandals do not
necessarily have an overall bad culture but have elements of
their culture that are misaligned with the outcomes the firm
is seeking and that are driving undesirable or inappropriate
behaviors. That is why it is so important to focus on both the
overall culture and all of the elements that comprise culture.
Culture is complex and is made up of multiple structural
elements (such as processes, policies, organization, and
technology) and multiple human elements (such as norms,
expectations, beliefs, and values), all of which must be
aligned with one another and with the desired outcomes in
order for the culture to work for the firm.
* Source: Banking Conduct and Culture - A Call for Sustained and
Comprehensive Reform, Group of Thirty, Washington, D.C., 2015.
OUTCOMES
C LIEN T & S T A K E H O LD E R
P E R C E P T IO N S
Reputation Trust
FINANCIAL P ER FO R M A N C E
they be mindful of going forward? 85
To address these questions, we inter­ 80
viewed a significant number of C EO s,
75 74
board members, and senior executives
at major banks across the globe, as well - - 70

as a number of supervisory institutions 0) 65

>
and industry standards bodies. We o f62lf62l
60
also drew on other sources including 3
OT

55
insights from Oliver Wyman's global
practice. 50

45
O ver the last decade, bank culture
and conduct have received increased 0
attention from bank management 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018

and their supervisors, clients/ Banks Consumer goods Media Automotive

customers, and investors. Supervisors, Energy Health care Technology
regulators, and governments globally Fiqure 5.2 Ed elm an Trust B a ro m e te r results by industry sector, 2 0 0 6 -2 0 1 8
have increased scrutiny of culture and
Source: Edelman Trust Barometer Archive.
conduct issues; since the financial crisis,
the banking industry has paid an esti­ Note: Trust level results are distinguished between two populations: "Informed public" (ages 25-64,
collegeeducated, in top 25 percent of household income per age group/country), and "general
mated US$350 billion to US$470 bil­ population" (all population ages 18+). Due to differences in publicly disclosed results by Edelman,
lion1 in penalties (including fines and years 2006-2011 of this figure show informed public results; years 2012-2015 show a blend of
litigation/settlement charges) for informed public and general population results; and years 2016-2018 show general population
results.
conduct-related matters, evidence that
these so-called soft people issues can significantly impact the • Systematization of the roles of second and third lines of
bottom line. Both institutional clients and retail customers are defense in culture and conduct, and a push toward greater
becoming more focused on bank conduct and culture, driven by ownership of these concerns by the first line
highly publicized cases of conduct failures. Senior executives • Changes to business processes, including new prod­
and board members are increasingly expected to demonstrate uct approval and product governance, revised pric­
that conduct risk is understood and managed, and that appro­ ing approaches, improved whistleblowing mechanisms,
priate discipline and culture are being reinforced. and review of questionable market practices in trad­

A s a result, banks have invested significant effort in improv­ ing and hedging, all of which are signs that the conduct
ing their culture and conduct. With increasing appreciation of agenda is beginning to cascade down to the way business
the scope and scale of culture and conduct issues, banks have is done.

instituted many changes focused on improving their culture and
conduct. These efforts span both formal and informal measures
and include:
• Refinement and/or re-articulation of bank purpose and val­
ues, with subsequent establishment of extensive communica­
tion and training programs
• Heightened engagement at the board level on conduct and
culture issues
• Modification of compensation and performance management
schemes to incorporate not just financial results but also
behavioral considerations
1 Sources: Conduct Costs Project, Good Jobs Project, Oliver Wyman
analysis.
Despite these efforts to improve conduct and culture, the
banking industry still suffers from a negative reputation,
and trust still needs repairing. According to the Edelman
Trust Barometer, the banking industry historically ranked
among the most highly trusted industries since the end of the
World War II; however, trust declined precipitously during the
financial crisis, and today remains low compared to other indus­
tries and far from recovering to precrisis levels, as shown in
Figure 5.2.
The ongoing stream of conduct scandals, ranging from lapses
in customer protection to anti-money-laundering deficiencies
to manipulation of market benchmark rates to rogue trad­
ers, has called attention to the intimate link between conduct
and reputation and continues to take a toll on the bank­
ing industry's reputation. The broad spectrum of topics and

Chapter 5 Banking Conduct and Culture ■ 81

geographies of recent scandals (see Figure 5.3) reveals that
conduct is not just an investment banking issue but an "all
banks, all g e o g ra p h ie s, all b u sin e sse s p o te n tia l issu e ," as one
banking official put it. It is relevant to all banks globally and to
all lines of business within banks. (See Box 5.2 for the case of
Australia.)
While some scandals are institution-specific, the reputational
fallout is often not limited to the offending institution but has
a contagion effect, impacting other players in the industry.
This shows that trust is an industry common good rather than
an institution-specific competitive advantage. Further, as scan­
dals are often revealed retrospectively rather than in real time,

Note: AML = anti-money laundering; BBSW = Bank Bill Swap Rate; ETF = exchange-traded fund; EU = European Union; FX = foreign exchange;
IPO = initial public offering; LIBOR = London Inter-bank Offered Rate; 1MDB

82 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
 the reputational overhang can live on long after the miscon­
duct occurs, sometimes even after the specific issue has been
addressed. All this shows that while trust and reputation are
easy to lose, rebuilding it is much more difficult. Even as banks
continue their efforts to become more trustworthy, becoming
trusted again will be a slower process.
are n o t " Banks have a small window to figure out how to man­
age culture and conduct and regain the public's trust. Without
earning trust every day, the continued survival of banks is at risk
from displacement by new industry entrants, a growing list that
includes fintech start-ups, technology firms, retailers, and tele­
com companies.

Banks cannot afford to be complacent about their trust and In addition to the risk of client attrition, trust and reputational
reputational problems, especially in light of emerging com­ issues may over time also lead to problems in acquiring and
petition from alternative providers. As Bill Gates presciently retaining talent. For instance, young millennials continue to be
put it nearly twenty-five years ago, "banking is n ecessary; banks turned off by banks' reputational problems and are opting instead

IN G BANK
Money laundering: An investigation opened in 2016
has resulted in a US$900 million fine for failing to
prevent years of money laundering abuse.
ABN AMRO
r pumob notional bonk
CM U M IfK if

Mortgage fraud: Mortgage Fraudulent transaction:

advisors forged client signatures Issued fraudulent guarantees A B LV
in revised documentation on for diamond merchant firms Violated International sanctions
mortgages to withdarw unsecured loans against North Korea & bribed Latvian
from overseas branches official to prevent tougher AM L rules

W ELLS
FARGO
Fraudulent accounts:
Opened millions of
fradulent savings
& checking accounts
without customer
consent
Commonwealth Bank
/ D e u ts c h e B a n k
Money laundering: Money laundering: Failied
^ + ICBC
C5 fOCTAL s u r r a a v u t OF a < IM Negligence led to more to prevent a US$10 billion
Loan fraud: 19 banks granted loans than 50,000 breaches Russian money-laundering
to criminals who illegally pledged of AM L & counterterriosm scheme, resulting in
gold of low purity as collateral aws worth US$ millions US$630 million in fines

i i i i i= f
2015 2016 2017 2018
* *
i i i
TD Bank
bsi. /tr
iJank < Danske
IALC0N PR!\AIL BANK
Unsuitable financial Aggressive sales Money laundering: C EO
Money laundering: Bankers targets: Increased resigns amid probe into
advice: Encouraged
participated in and coordinated overdraft protection US$200 billion money­
more than 3,500
money laundering activities linked amounts & credit card laundering scheme
clients to undertake
to corrupt Malaysian 1MBD fund borrowing limits without perpetrated at its
risky, inappropriate,
investments customer authorization Estonia branch
WKLLS
FARGO US
Coyrw ofi wealth Bark p AMP#-
"Forced" auto insurance sales: Fees for "no service":
Sold auto collateral protection Charged thousands of
insurance to more than 550,000 customers for financial
customers who did not need advice that was not
coverage delivered

Chapter 5 Banking Conduct and Culture ■ 83

 BOX 5.2 THE AUSTRALIAN CRISIS
As the current situation unfolding in Australia demonstrates,
the banking industry remains subject to further serious scan­
dals and fallouts.
In December 2017, Australian prime minister Malcolm Turn­
bull's government called for the establishment of the Royal
Commission into Misconduct in the Banking, Superannua­
tion and Financial Services Industry following revelations of
years of serious misconduct by Australia's financial institu­
tions. Since the 2015 G30 report, egregious examples
of misconduct have surfaced, affecting one or more of
Australia's "Big Four" banks* These include rate manipula­
tion allegations (2015), unsuitable financial advice impacting
thousands of clients (2015), weak controls to prevent thou­
sands of breaches of anti-money-laundering/counterterrorism
laws (2018), and fees for no service (for example, charging
accounts of dead clients) (2018).
These incidents have led to over US$700 million in penal­
ties and compensation since the 2008 global financial crisis,
removal of senior leadership (at C BA and AMP), and numerous
legal and criminal investigations. An interim report, released
in September 2018, noted remuneration practices and inade­
quate consequences as having been closely linked to issues of
conduct and culture, with more to come pending the final rec­
ommendations of the Royal Commission. The executive sum­
mary of the Interim Report of the Royal Commission points to
greed as a central issue, resulting in "the pursuit of short-term
profit at the expense of basic standards of honesty" (p. xix).
Separately, the Australian Prudential Regulatory Authority
(APRA) concluded in April 2018 its prudential inquiry into
C BA and released a report that outlines key shortcomings in
governance, accountability, and culture. While the findings are
for other sectors, as seen in the changing career destinations cho­
sen by MBA students post-graduation (Figure 5.4). Despite a
number of high-profile discrimination lawsuits, banks' efforts
focused on improving diversity have been minimally successful, as
diverse talent remains deterred by cultures they view as not
supportive and attentive to their development and well-being.2
Further, the shift toward digitization will continue to reveal gaps
in banks' technology capabilities, pressuring banks to compete
for talent that is already in high demand by other industries.
This and similar trends may spark concerns about potential
talent shortages in an industry that is highly dependent on its
human resources as a competitive differentiator.
Bank culture and conduct are more important than ever,
to repair trust and reputational issues and fulfill the role
o f banks in society. Sound culture and conduct are critical for
2 "Why Diversity Programs Fail," Frank Dobbin and Alexandra Kalev,
Harvard Business Review 94 (7) (July/August), 2016.
84 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
specific to APRA's review of CBA , the report contains lessons
for the industry as a whole, and in fact, other banks are being
required to conduct a self-assessment against the specific CBA
findings. The key issues outlined in the review include:
• Lack of alignment between banking remuneration
practices and frameworks and indicators of good conduct
• Lack of senior leadership and board oversight on issues of
conduct and culture
• Inadequate oversight and challenge by the Board and its
gatekeeper committees of emerging nonfinancial risks
• Unclear accountabilities, starting with a lack of ownership
of key risks at the Executive Committee level
• Paucity or nonexistence of sufficient internal controls.
As next steps, APRA has recommended that the banks
design and implement stronger remuneration practices that
will align with strong conduct and culture outcomes, and that
banks leverage the Banking Executive Accountability Regime
(BEAR) to detail international best practices on strengthening
conduct and culture.
With the ongoing Royal Commission investigation and
pending recommendations, as well as continued revelations
of retrospective misconduct among Australia's financial institu­
tions, we anticipate that the Australian banking industry is only
beginning its long journey to repair its conduct and culture.
• National Australia Bank (NAB), Commonwealth Bank of Australia
(CBA), Australia and New Zealand Banking Group (ANZ), and West-
pac (WBC).
Source: "Why is Australia investigating its banks?," BBC News,
February 12, 2018.
banks to be able to play their role in society, and to the stability
of the broader financial system. Banks are held to a higher stan­
dard than many other service providers given that the services
banks provide are viewed by many as a public good that ben­
efits society—that is, intermediating between sources and needs
of funds and facilitating transactions throughout the economy—
and the effects of failure extend beyond just shareholders, with
repercussions for the broader economy. Further, because bank­
ing products and services can be complex and difficult to under­
stand, the public expects banks to provide good advice based
on expertise and in the clients' best interest.
And yet, many banks that devote considerable attention to their
business strategies and actions spend insufficient time thinking
about their purpose and the role they play in society. Despite
the trending notion of balancing stakeholder needs and the
argument that, over the long run, putting the customer first is
the best way to drive sustainable shareholder value, shortterm
trade-offs often confront banking executives, in which doing
 Finance
Consulting
Technology
Investment Banking*
0 10 15 20 25
Percentage of MBA graduates entering each industry
■ 2007 ■ 2013
Fiaure 5.4 C a re e r d estin a tio n s ch o sen by M B A stu d en ts.
Sources: 2007 and 2013 data: "Business education: Banks? No, thanks!," The Economist, October 11,2014. 2017 data: average
employment data from Chicago Booth, Wharton, Harvard, London, and INSEAD.
what is best for customers may lead to less immediate profit or
more immediate cost.3 In such situations, clarity of purpose is
critical to enable executives to resist the temptation of near-
term gains, and to make decisions for the long run. Banks must
understand, reinforce, and internalize their key economic and
social purpose and improve their culture and conduct to fulfill
that purpose.
Responsibility for ensuring the organization's ability to bal­
ance purpose and profit ultimately resides with the board and
the C E O . Under the rubric of culture, as with other aspects
of business performance, the board should see it as its key
responsibility to set the right tone and reinforce the desired
culture, and to oversee the bank's efforts to sustain a healthy
culture. In addition to the board, the chief executive should
have a comprehensive awareness of the overall tone and know
what is happening under his or her watch. An expectation that
senior management should invariably be aware of every depar­
ture from desired behaviors would, of course, be unrealistic,
inappropriately implying a reversal of the burden of proof. But
it is a specific responsibility of the board and senior manage­
ment to put in place robust processes to identify and ensure
appropriate escalation of behavioral breaches. Such processes
should be designed to be auditable and the subject of regular
monitoring by internal audit as a key ingredient of the third line
of defense.
Despite significant efforts, many still voice concern about the
industry's ability to make profound and lasting change. In our
interviews, industry leaders voiced several questions and con­
cerns about culture and conduct:
3 Balancing stakeholder needs with putting the customer first ultimately
improves company success, so no trade-off between customers and
shareholders should exist.
* “ Investment Banking” is a subset
of the “ Finance” category. MBA =
30 35 40 45 Master of Business Administration.
■ 2017
• Have things really changed? Skeptics wonder whether true
change is possible in an industry that maintains large poten­
tial upsides to pushing the boundaries, and point to the
example of Wall Street in 2017 recording its highest bonuses
since 2006.4 In addition, despite banks implementing many
process and policy changes to mitigate misconduct, culture
and conduct have yet to be fully embedded in many banks in
how they do business, and conduct issues are still observed
in banks worldwide. Others are concerned about the passage
of time dimming the effect of the lessons learned during the
global financial crisis, and of the possible return to old prac­
tices, especially if interest rates rise, regulation is lessened,
and other business conditions improve. As post-global finan­
cial crisis regulations are potentially rolled back (in some juris­
dictions), firm-level focus on conduct and culture (by the
board and senior leaders) must take on even greater
importance.
• Potential for culture and conduct fatigue. Especially in
some geographies where there has been a long-standing
focus on conduct and culture problems, we detected some
desire to move on and get on with business. Banks cannot
think of culture and conduct as separate from business,
or as merely soft or HR-specific issues. They are business,
that is, how business needs to be done and the means by
which banks can achieve continued success and sustain­
ability. For culture and conduct initiatives to be success­
ful, they need to become internalized as a way of doing
business rather than a program that is created and then
ignored. Conduct and culture must be understood by all
em ployees.
4 "NYS Comptroller DiNapoli: Wall Street Profits and Bonuses Up
Sharply in 2017," Office of the New York State Comptroller, March 26,
2018; http://www.osc.state.ny.us/press/releases/marl8/032618.htm.
Chapter 5 Banking Conduct and Culture ■ 85
• Shift in relevant management and leadership capabili-
ties. Many leaders reported that historically, the banking
industry managed the business and the people primarily via
quantitative metrics (for exam ple, volumes, sales, and prof­
its), which were relatively straightforward to assess. In the
context of the increased emphasis on culture and conduct,
however, there is greater need for management acumen
and skill as banks start to manage not just the "w hat" but
also the "how," which requires much more judgm ent as
well as proximity to and involvement in the daily business
operations. Also, driving sustainable cultural change at large
organizations requires leadership capabilities that may not
have been a focus of developm ent in the past, such as more
focus on soft people management skills rather than finan­
cial acumen. Finally, creating an environment of psycho­
logical safety where all em ployees feel empowered to be
authentic, where diversity can thrive, and where challenging
groupthink is encouraged will require greater management
skills.
• Shifting toward a more nuanced and effective style of
management. This is especially difficult in many institutions
given the leadership deficit they are facing. In fact, many
banks historically promoted their best producers/perform-
ers into management roles with minimal regard to ability or
interest in managing others (and often without regard to the
individuals' values and ethics, sending a powerful message
in terms of the organization's priorities). And little time was
dedicated to developing management skills. A management
role was often considered a reward for a job well done rather
than a privilege, obligation, and responsibility to develop
others and ensure the long-term sustainability of the firm.
Banks are now realizing a leadership gap in middle manage­
ment layers, with a lack of skill and capacity to manage the
"how" of performance, and limited ability to influence and
drive team member behaviors. A number of banks that have
historically underinvested in the management and leadership
capabilities that they require are now investing in leadership
development to make up for lost time.
• Evolving forces on conduct. While the definition of good
conduct will stay the same, the pressure points will change
as the market and business models continue to evolve.
Banks will be tasked with anticipating and addressing addi­
tional scenarios for misconduct that may emerge, such as
uncertainty in pricing contracts in the context of the London
Inter-bank Offered Rate (LIBOR) transition; new General
Data Protection Regulation (GDPR) requirements around
data usage, consent, retention, and portability; and risk of
86 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
embedded bias in automated black box systems and artificial
intelligence (Al).
• Rolling bad apples. Individuals with poor conduct records
move from one bank to another. Can issues truly be resolved
and addressed at the industry level if "bad players" can
simply move from one institution to another with impunity?
What can the industry do to address this? Are there lessons
from other professional industries (for example, legal, medi­
cal, engineering) that are applicable? Do laws defending
employee rights clash with the industry's ability to protect
itself from toxic employees? The industry continues to grap­
ple with these issues within the constraints of privacy and
employment laws.
• Increasing scope for supervisory gaps and conduct
arbitrage. As the thinking of financial authorities around
the world continues to evolve on conduct and culture, the
divergence in supervisory approaches across jurisdictions
is arousing concerns around conduct arbitrage, that is to
say large firms seeking to benefit from supervisory over­
sight in jurisdictions that may be less focused and demand­
ing. Further, Open Banking developments have started
to create some blurring of competitive lines across banks,
technology companies, retailers, and telecom companies,
adding to concerns around fair competition and customer
protection.
'k 'k -k
This report is structured as follows. Section 1 presents industry
progress on conduct and culture since the financial crisis, and
particularly since our 2015 report; section 2 outlines the lessons
learned; section 3 offers additional, specific recommendations
reinforcing our 2015 recommendations; and section 4 explores
outstanding questions and opportunities for continued progress
in the future.
W hile this report focuses on banks as our primary audience,
we note that non-bank financial institutions (for exam ple, pri­
vate equity firms, hedge funds, and insurance companies) are
also prone to conduct and culture issues that are similar to
those of banks. Certain issues may come into particularly sharp
focus at these institutions, such as the possibility of outsized
financial rewards promoting excessive risk-taking behavior. We
hope that, as has been the case with our previous reports on
governance and supervision, the leadership and directors of
non-bank financial institutions will also internalize the lessons
learned and our recommendations. As Box 5.3 makes clear,
conduct and cultural failures are not unique to banks— far
from it.
BOX 5.3 NOT JUST BANKS
Examples of corporate misconduct are not limited to the
banking industry. Other industries worldwide, including man­
ufacturing, automotive, and high tech, have exhibited various
forms and levels of misconduct, especially over the last few
years. As in banking, the root causes of misconduct stem
from poor corporate cultures, inexperienced or self-absorbed
managers, weak internal controls, and lack of safe escalation
procedures. These have resulted in billions of dollars in fines,
criminal investigations and charges, leadership removal, and
loss of customers.
Two industries, in particular, automotive and high tech, high­
light the similarities in environmental factors also observed in
the banking industry, which led to cultural breakdowns and
eventually to misconduct issues.
• Automotive: In Germ any, in particular, several major
incidents of misconduct have emerged from the
intentional manipulation of vehicular software to deceive
emissions tests. In Septem ber 2015, the United States
and Germany opened investigations into Volkswagen's/
Audi's deliberate rigging of software on 11 million diesel-
powered vehicles worldwide between 2009 and 2015,
including 600,000 vehicles in the United States, to falsify
emissions levels to pass U.S. emissions tests. Investigators
further found active approval, engagement, and conceal­
ment of this program by the Volkswagen/Audi senior
leadership, including then-CEO Martin W interkorn.
Consequently, Volkswagen has faced numerous federal
investigations in both the United States and Germany;
criminal charges or arrests of senior leaders and manag­
ers, including Volkswagen's and Audi's C E O s; and over
US$30 billion in recalls, legal penalties, and settlements
as of midyear 2018.1 In addition, German authorities are
investigating similar misconduct at Daimler, which faces a
potential US$4.4 billion fine for illegal software in some
Mercedes-Benz m odels.1 2
It is worth noting that the German car executives
concerned received among the highest bonuses in the
country.
• High tech: The high-tech industry has also struggled with
many reputational issues, allegations of misconduct, and
loss of business due to actions that negatively impact key
stakeholders (that is, customers and employees). In addi­
tion, the hightech industry overall has been plagued by
extensive accusations of discrimination and mistreatment
of female employees. The examples of cultural failings
1‘ "Audi CEO Rupert Stadler arrested in Germany," CNN Money,
June 18, 2018.
2' "Germany threatens Daimler with 3.75 billion euro fine over
emissions-Spiegel," Reuters, June 1, 2018.
are rampant. During the tenure of its former C E O , Uber's
culture had serious faults and resulted in numerous inci­
dents of misconduct, including deliberately undermining
its competitors (for example, booking thousands of fake
Lyft rides, spamming Lyft drivers), underpaying its drivers,
using technology to deceive law enforcement, applying
surge prices inappropriately, and stealing trade secrets
from Waymo (the Uber example is also an interesting case
of social media turning on a company for its decisions/
behaviors, and the #DeleteUber movement showed cus­
tomers voting with their feet).
In December 2017, Apple admitted to slowing the pro­
cessors on its older generation iPhones, presumably to sell
more batteries or new iPhones. Finally, Facebook has
demonstrated significant negligence in managing the pri­
vacy of millions of its users' data, as revealed in the Cam ­
bridge Analytica scandal in early 2018. Personal conduct
of senior executives is also under scrutiny; in a one-month
period in the summer of 2018, three C EO s in the chip
industry resigned or were fired for conduct reasons (the
companies involved are Texas Instruments, Intel, and
Rambus).3
Cross-industry lessons
Upon examination of other industries that have suffered
significant and systemic cultural breakdowns similar to
those observed in banking, we identify five characteristics
that these industries have in common and that might
provide insights into characteristics that lead to greater
culture risk.
1. Lack of diversity: Industry homogeneity in backgrounds,
education, gender, and racial/ethnic composition
remains prevalent and can foster groupthink cultures.
Such environments limit the number of challenges or
alternative opinions required to effectively mitigate poor
business decisions.
2. Presence of dominant companies: A few large, success­
ful players dominate these industries and may lead to
deprioritizing culture, given that these companies have
been able to attract customers and talent due to their
dominant brands.
3. High dependence on specialized skills: High-quality,
well-educated candidates with specialized knowledge
are critical in these industries. As a result, such individu­
als can often take on an outsized organizational role in
3- "Texas Instruments CEO Resigns After Code of Conduct Viola­
tions," Maria Armental and Eliot Brown, Wall Street Journal, July 17,
2018.
(C ontinued)
Chapter 5 Banking Conduct and Culture ■ 87
 their influence and decision making and make it more
challenging to fire such highly valued individuals even
in the face of egregious behaviors or inappropriate
decisions. Distorted views of individual's contributions
can also lead to the cult of personality in many of these
firms.
4. Misaligned incentives: Performance and remuneration
schemes are often aligned with quantitative or financial
targets, which can inadvertently prioritize decisions that
lead to misconduct. In addition, average annual wages
for positions in these industries tend to be significantly
higher than mean annual national wages; for example, in
the United States, the mean annual wage for financial
analysts and advisors is 107 percent higher than the U.S.
mean annual wage across all industries, and the mean
SECTION 1. ASSESSMENT
OF INDUSTRY PROGRESS*•
Our 2015 report outlined key recommendations for improv­
ing conduct and culture, across both the what and the how for
banks to challenge their cultural foundation:
• THE WHAT. Banks should specify their cultural aspirations
through a robust set of principles, and fashion mechanisms
that deliver high standards of values and associated conduct
consistent with the firm's purpose and broader role in society.
• THE HOW. Banks should work to fully embed the desired cul­
ture through ongoing monitoring and perseverance, drawn
from four key areas: senior accountability and governance,
performance management and incentives, staff development
and promotion, and an effective three lines of defense.
Our specific recommendations are summarized in Table 5.1.
This chapter reviews the progress the banking industry has
made on conduct and culture since the financial crisis, particu­
larly since our last report in 2015, with a specific focus on the
recommendations above. Before we begin, two caveats:
• It is not possible to holistically grade progress at a global
level, given the (sometimes very) significant differences
by geography and by each individual institution; for larger
banks, progress may even differ across businesses, offices,
and teams. For example, banks in markets directly impacted
by the financial crisis (for example, the United States, the UK,
and Europe) experienced an immediate spotlight on culture
and conduct and have been on this journey for a decade,
while banks in markets that escaped the financial crisis rela­
tively unscathed (for example, Australia) have only more
recently begun to focus on the issue. In many of the areas
88 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
annual wage for computer- and tech-related jobs is 77
percent higher than the U.S. mean.4
5. Ineffective leadership and management skills: Board
members, senior leaders, and middle management of
fast-growing and highly successful firms may over- esti­
mate their own and their company's capabilities and be
ill-equipped and too inexperienced to recognize poten­
tial risks and complexities of their operating and revenue
models. Hubris caused by a high degree of success can
also cause individual leaders to believe their capabilities
and decisions are unassailable and they start to believe
their own rhetoric.
4- "National Occupational Employment and Wage Estimates," U.S.
Bureau of Labor Statistics, Washington, D.C., May 2017.
assessed, we observed significant gaps between the leaders
and laggards, with some institutions having made significant
improvements while others still operate under the perception
of "it w ould n ever happen to us."
• While progress in terms of inputs/efforts can be easily
observed, whether and how these inputs/ efforts actually
impact outcomes is difficult to prove. Even a reduction in
conduct breaches over time cannot be considered a con­
clusive indication of improvement, as seen by the number
of conduct scandals that persisted for many years and only
recently have come to light.
Given these considerations, we focus on the efforts and inputs
of banks to improve culture and conduct, and we attempt to
provide a range of views on progress across the industry.
That the industry mindset on culture has evolved was a point
of unanimous agreement across all our interviews. There is
now collective appreciation of the importance of culture and
conduct, and the need to improve. But tangible industry prog­
ress has been slow, especially as the bar for good conduct
continues to rise and the public continues to expect more from
banks, and as levels of transparency (especially due to social
media) increase. While a number of individual firms have made
headway in implementing changes to formal and informal ele­
ments of culture, the industry as a whole continues to struggle
to embed culture in a more fundamental manner, and to con­
clusively demonstrate the effects of these changes. Moreover,
there is a growing gap between firms that are applying a holis­
tic, multipronged approach with active board-level engagement
and firms that continue to focus more narrowly on misconduct
management and compliance as the solution to cultural issues.
Two relatively recent incidents in particular have attested to the
seriousness of the continuing cultural and behavioral leadership
Table 5.1 Summary of 2015 Recommendations

Area Recommendations

1 Fundamental shift in a. Banks should look at culture and look to achieve consistent behavior and conduct aligned
the overall mindset on with firm values, as key to strategic success.
culture
b. Banks should reinforce the messages in their actions and in their internal communications.

c. Banks' behaviors and conduct should be open to constructive internal challenge.

2 Senior accountability d. Oversight of embedded values, conduct, and behaviors should receive regular attention in
and governance boards' agenda setting, given sensitivity to reputational risk.

e. Board charters should include responsibility for oversight of values and conduct.

f. Boards should build a reputation, values, and conduct risk tolerance dashboard to aid in their
evaluation of cultural issues.

g. If the Chair and C EO positions are not split, boards should ensure that the lead independent
director spends adequate time in the effective challenge role to the C EO on values and con­
duct issues.

h. The C E O and Executive team should be highly visible in championing the desired values and
conduct, and face material consequences if there are persistent or high-profile breaches.

i. The C E O should ensure that there is a thorough process that reviews the bank's brand and
reputational standing.

j. Asset owners and third-party fund managers should tell boards directly that they consider
effective governance and accountability to be a priority cultural matter for the firm and
investors.

3 Performance k. Compensation and promotion processes should ensure reflection of desired behaviors,
management and including consequences for weak management oversight or willful blindness.
incentives
l. A comprehensive set of indicators is needed to monitor and assess the adherence of individu­
als and teams to firm values and desired conduct.

m. Individual review and assessment of senior executives by the senior leadership and C EO is
required.

4 Staff development and n. Banks should buttress first-line skills and ensure that frontline management and leadership are
promotion properly trained in how to conduct judgment-based staff evaluation and deal with identified
breaches.

o. Banks should develop programs for staff across all areas of the bank that regularly reinforce
what the desired values and conduct mean in practice.

p. Institutions should formulate and implement a system-wide values and conduct evaluation
process for internal promotions and external hires.

5 An effective three lines q. Staff and management in the business (first line of defense) should shoulder the largest respon­
of defense sibility forjudging whether behavior is in line with the bank's values and desired conduct.

r. Banks should allocate clear second-line ownership to Compliance or Risk Management func­
tions and ensure that the designated function is on the Executive team.

s. Banks should provide assurance to all employees that reports of wrongdoing in the workplace
will be taken seriously and confidentially without reprisal. Banks should challenge the conven­
tional wisdom on legal impediments and ensure that robust penalties and appraisal processes
are in place.
(C ontinued)

Chapter 5 Banking Conduct and Culture ■ 89

Table 5.1 C ontinued

Area Recommendations

t. Staff rotation between control and business functions may be beneficial and help develop the
desired firm-wide cultural mindset.

u. Banks should ensure that the third line of defense is robust, has operational independence, is
suitably staffed, and has a clear mandate to examine adherence to standards.

6 Regulators, supervi­
sors, and enforcement
authorities
v. Regulators should carefully consider the limited effectiveness of promulgating rules related to
values and conduct.
w. Conduct-of-business and prudential supervisors can, however, gauge the effectiveness of
board and management processes that generate tangible oversight and change in values and
conduct.

x. Conduct-related assessment should be embedded into the core supervisory work, rather than
developed as an "add-on" task or objective.

y. Industry-led standard-setting initiatives should be encouraged.

and managerial deficit, one regarding Wells Fargo in the United
States and one regarding Commonwealth Bank of Australia
(CBA). Wells Fargo, considered an industry leader in cross-sell
metrics and praised for having successfully navigated the finan­
cial crisis, saw a series of high-profile scandals erupt in succes­
sion from late 2016 that revealed serious cultural failings such
as flawed incentives and excessive sales pressures, a pattern of
corner-cutting and unethical behavior, and inaction by senior
leadership. C BA , the largest financial institution in Australia and
a bank respected for its history of financial success and technol­
ogy innovations, also underwent a succession of scandals and
was found in a 2018 prudential inquiry to harbor critical cultural
shortcomings, including a sense of complacency; utilizing only
a reactionary approach to exposed risks; insularity; and pursuit
of consensus at the expense of constructive challenge and
accountability.
In some ways, these cases shook up the industry in each market
more than other cases because they were so unexpected; these
were institutions with stellar reputations that had weathered the
financial crisis relatively unscathed. They were also considered
solid traditional banking institutions with a community focus.
These scandals proved that conduct issues are not limited to
investment banking and can in fact permeate conventional retail
and wealth management banking activities. As one senior industry
member stated, it is when the institution is successful, growing,
and well-regarded that senior leadership must be most vigilant
against the "tyranny o f su cce ss," extreme overperformance vis-a-
vis competitors, and the temptation of willful blindness.
Unfortunately, major conduct failures continue elsewhere, further
underscoring this is not predominantly an Anglo-Saxon matter.
For example, the Danske Bank US$200 billion Estonia-Russia
money-laundering scandal has shown that whistleblowing cannot
be overlooked and should always be carefully and swiftly investi­
gated by senior management with the oversight of and reporting
to the board. Likewise, a money laundering scandal at ING led to
a US$900 million fine earlier this year. The Punjab National Bank
US$2 billion fraud has also highlighted conduct and oversight
weaknesses in India's state-owned banks. Finally, the reported
conduct failure at Goldman Sachs related to 1MDB, drives home
that a focus on conduct and behavior is essential to all firms.
Mindset of Culture
Since the financial crisis, culture and conduct concerns have
risen in prominence at many banks, representing a clear shift in
the mindset of culture. Most banks by now have re-articulated
their core values (which are unique to each bank, but commonly
include concepts such as customer/client centricity, integrity,
and internal collaboration) in a Code of Conduct or similar docu­
ment and have made efforts to repeatedly communicate these
throughout their organizations (including implications of per­
sonal and company behaviors and expectations related to the
firm's values).
Banks have taken various approaches to communicate values
throughout their organizations. One C EO personally reviews
important bank-wide communications to increase visibility of
the bank's values and ensure alignment with the organization's
culture. Other banks have set up regular town halls and focus
groups to promote dialogue on values and create venues for
constructive challenge. A number of institutions have devel­
oped interactive training and role-playing to further clarify and
entrench the values and expectations.

90 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Despite significant progress in formal intention, frameworks, and
communications, the degree to which these values have been
embedded in the day-to-day behaviors of employees has yet
to be determined. While "tone from the top" is appropriately
focused on conduct and culture matters, it is unclear if this has
flowed throughout the organization and whether employees at
all levels, and especially in the front lines, have fully internalized
how this will change how they do business. Much opportunity
also remains in working with middle management layers to
ensure that tone from above properly reflects the message and
intent from the top, and that employees are not in a position
where they feel a conflict between what they hear from senior
leadership and what they are required to do on a day-to-day
basis.
Accurately understanding and measuring changes in culture on
the ground remains challenging (especially in large, multi-geog­
raphy and multi-business-unit banks), and will require banks to
continuously monitor whether the formal shifts in their mindset
of culture have translated to changes in the day-to-day conduct
and behaviors of their employees.
Banks need to ensure that the inclusion of behavior and
conduct within their mindset and approach toward business is
permanent, and to view the process underway as a fundamental
shift in how they do business rather than a program or set of
initiatives. Many leaders interviewed shared the concern that as
the crisis and scandals are put behind us, the lessons might be
forgotten and a return to old practices might occur.
Senior Accountability and Governance
Board Responsibilities and Involvement
With the increased public scrutiny on conduct and culture, and
greater expectation for Boards to be fully informed of and
involved in such issues, ignorance is no longer an acceptable
excuse. In fact, on conduct issues and risk taking, many directors
are asking themselves "h ow d o we really kn ow ?" and are put­
ting in place measures for greater involvement and insights into
the company culture.
The banking industry overall has stepped up board-level involve­
ment on these topics. Prior to the crisis, only one-third of global
systemically important financial institutions (SIFIs) had a dedi­
cated board- level financial risk com m ittee,5 and boards rarely
(for example, once a year or sometimes even less frequently)
5 "BSB Blog: Sir David Walker on Banking Conduct and Culture,"
David Walker, Banking Standards Board, May 24, 2018; https://
www.bankingstandardsboard.org.uk/bsb-blog-sir-david-walker-
on-banking-conduct-and-culture/.
dedicated attention to culture and conduct topics, leading to a
deficit in expectations and guidance for senior executives on
such issues. Today, conduct and culture discussions account for
a meaningful share of board agendas, and as observed by indus­
try participants, the increased board involvement represents not
just lip service but tangible improvement.
The specific form of implementation varies across banks. Some
boards have co-opted existing, more broadly mandated com­
mittees (for example, Risk Committees); some banks have newly
established dedicated subcommittees on culture and conduct
topics; and still others have opted for multiple overlapping com­
mittees to exercise joint oversight over these issues.
Our prior recommendation to split Board Chair and C EO roles
has been executed to varying degrees. Many U.S. banks persist
in a combined role. Wells Fargo notably shifted to a split model
driven by shareholder pressure in the aftermath of the conduct
failure and scandal, and Citigroup has announced they will
confine to split the Chair and C E O roles. While the splitting of
roles does not on its own guarantee elimination of misconduct
(scandals have occurred in banks with split roles), it nonetheless
is good governance practice and facilitates checks and balances
between board and executive leadership.
Board-Level Conduct Management Reporting
Developing management and board-level conduct management
reporting has been a major area of focus for many banks over
the last few years, in response to regulatory and senior manage­
ment pressure. Many banks are in the process of creating and
refining their culture (and often also ethics) dashboards, often
leveraging data and information that is already collected across
the organization, and now collating and analyzing these
indicators through a culture lens for the first time. There is
general agreement on the value and importance of such
dashboards, though the approaches vary in the type, amount,
and granularity of indicators. Results are often examined by a
variety of factors including geography, business unit/function,
tenure, and employment level, to identify subcultures, discrep­
ancies, and pockets of issues existing today and appearing
over tim e.6
The trend analysis across both leading and lagging indicators
has been used effectively in a number of institutions, but many
organizations still struggle with shortcomings in their reporting
abilities. The challenges reported by banks include:
• DATA QUALITY AND AVAILABILITY: The required data are
not available and take time to build (requiring capability
6 See Section 2 Lessons Learned for additional information on how
banks are approaching culture and conduct measurement and reporting.
Chapter 5 Banking Conduct and Culture ■ 91
 enhancement or new roles and responsibilities), and/or
available data are of poor or variable quality. Data must
also enable reporting and metrics at the right level of detail
and granularity to be able to identify localized declines or
weak areas. Management must be able to slice and dice
the information in order to spot, highlight, and investigate
specific or localized issues. Greater advances in technology
and Al are starting to enable greater monitoring and analysis
capabilities.
• APPLICABILITY: Defining standardized metrics across busi­
nesses and geographies that are meaningful and can be
aggregated remains a challenge.
• RELEVANCE AND EFFECTIVENESS: Existing metrics pro­
vide useful but limited insights in isolation, and relationships
between variables and trends need to be considered. Also,
banks continue to struggle to develop forward-looking
measures and test outcomes, and given the fact that avail­
able metrics are often asymmetrical, they remain focused
on reporting misconduct rather than conduct more broadly
(including positive measures of conduct).
• USEFULNESS: Conduct and culture reporting in many institu­
tions is a relatively new exercise and will require practice to
get right. Many banks are still struggling with how to best
use the data and metrics to trigger action or achieve goals
of better managing conduct risk. Interpreting the data and
translating it into actionable insights is a work in progress at
many banks we interviewed.
Monitoring and measurement will always be difficult, but this
should not dissuade firms from the exercise, as they can con­
tinue to develop and adjust their tools over time.
Modeling Behavior
Banks increasingly recognize the importance of leading from the
top ("tone from the top") and the need for senior management
to consistently set concrete examples of desired behavior for
the organization to follow. While tone from the top can material­
ize in various ways, a few best practices have emerged in recent
years.
First, leaders can ensure that their communications through­
out the bank are consistent, clear, and relatable, (for example,
clearly explaining key decisions, how they fit with the firm's
overall strategy and culture, and how the decision is relevant
to employees). Second, leaders can demonstrate the desired
behavior by living it on a daily basis and exhibiting it in how they
act within the firm, with employees, and with customers and
clients. Examples matter, and those set by a firm's leadership
are key to embedding culture. One C EO set a strong tone early
in their tenure by rejecting a business opportunity that was not
92 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
aligned with the company's culture, even though it resulted in a
significant loss of business and profits for the company. Third,
leaders can and should model desired behaviors by express­
ing (and, more importantly, demonstrating) a genuine desire
to receive and respond to feedback. At one bank, the C EO ,
upon finding that a culture issue raised by an employee had not
received attention in a timely manner, proffered a personal apol
ogy for the delay.
Finally, bank leadership can tangibly demonstrate they are in
the same boat with employees by taking responsibility for the
consequences of difficult actions or outcomes. For example,
the C E O at one bank took a voluntary 40 percent pay reduction
upon unveiling a plan to cut staff numbers and instituted long­
term incentive plans with compensation deferred for multiple
years.
Senior leaders sharing their own dilemmas and scenarios of
when they faced difficult and ambiguous decision making also
helps in both defining the expectations and making leaders
more approachable.
Role of Asset Owners and Third-Party Fund
Managers in Influencing the Board and
Management Focus on Culture and Conduct
• Asset owners and shareholders are beginning to increase
pressure on banks with regard to culture and conduct, and in
a number of interviews, C EO s spoke about actively engag­
ing key shareholders in a dialogue about their firm's culture.
Investors, on the other hand, still feel it is difficult to have
a true voice in the process given the diffuse nature of the
investor community; that is, they rarely speak with one voice
(see Box 5.4).
• The Wells Fargo scandals revealed the extent of increasing
investor attention on these topics: not only did they incite
vocal reactions from activist investors, demanding improved
governance and changes in board membership, but the
resulting record US$60 million senior executive claw-backs
were made possible by prior activism in 2013 by New York
City's pension funds to enable claw- backs in the event of
misconduct.7,87
8
7 "Citi, Wells broaden exec pay clawback policies, MarketWatch,
March 13, 2013; https://www.marketwatch.com/story/
citi-wells-broaden-exec-pay-clawback-policies-2013-03-13.
8 Clawbacks (especially ones due to public/investor demands) should be
seen by the industry as a last resort measure. The industry should strive
to achieve effective upfront compensation assessments rather than after-
the-fact remediation.
 BOX 5.4 THE INVESTOR VIEW
As companies in the banking industry (and in other industries)
face increasing conduct issues, and have incurred significant
financial costs (fines, lawsuits, lost business), we have seen
investors increasingly paying attention to the softer issues
beyond financial results. A number of bank C EO s reported
to us that they have started engaging directly with large
investors to discuss their culture— and the potential impact
of strategy on culture and conduct. For the first time, we
included interviews with large institutional investors in our
report, the key findings of which are described below.
Investors we interviewed care about the culture of their
portfolio companies from two perspectives: (a) they look for
a board that is independent and strong, while also being
appropriately involved in understanding how the business is
run; and (b) they look for sustainability, which requires both
strong financial results and positive outcomes for all stake­
holders, not just shareholders.
Board culture: The investors we spoke with look at the corpo­
rate culture but also, importantly, at the board culture. While
the two are related, they are not the same. Assessing the
board culture enables investors to understand the effective­
ness of the board in representing and defending the interests
of shareholders. Elements that they look at include:
• Diversity of board members (such as experience, back­
ground, and gender)
• Culture of accountability within the board
• Ability to dissent and have differing views from the
majority
• "Chumminess" of the board with the C EO .
Investors also assess how well the board understands the cul­
ture of the firm and how the culture drives ability to achieve
desired results. One investor we spoke with said that while
boards have become more involved in discussions with man­
agement about culture, many directors are still unable to fully
articulate or describe the company culture. From the inves­
tors' viewpoint, there appears to be room for improvement
in terms of boards' understanding, involvement in, and influ­
ence on corporate culture.
Culture as a driver of sustainability: While investors focus on
returns, there is an increasing recognition that "soft" fac­
tors such as culture can make or break a company. Financial
Performance Management
and Incentives
Many banks, particularly in the UK and Europe,9 driven by
recent Financial Conduct Authority (FCA) and European Banking
9 In Australia, APR A released an updated remuneration framework and
set of standards; see "Information Paper: Remuneration practices at
large financial institutions," Australian Prudential Regulation Authority,
returns are necessary but not sufficient; returns can be wiped
out by one event. Culture failures not only lead to hard costs
(fines, lawsuits) and financial losses, but scandals and reputa­
tional issues put management in a crisis mode, which detracts
from their focus on business growth and revenue generation.
A sustainable business model must include a focus both on
financial results and on addressing the interests and well­
being of all stakeholders. As one institutional investor stated:
"It is not a choice between profit or purpose— we are long­
term investors for our clients and that requires our portfolio
companies to pay attention to both profit and purpose."
The challenge, of course, is that even today, the markets
put significant focus on quarterly earnings, which can lead
to business decisions and actions that maximize short-term
financial results over other priorities. One institutional inves­
tor told us that the market needs to start thinking long term
rather than in quarterly results, "but the market is not good at
pricing the value of having sustainable results: there is value
in good culture and good corporate citizenship but we call
these the nonfinancial elements because we don't know how
to price sustainability." This investor looks carefully at envi­
ronmental, social, and corporate governance (ESG)* elements
as they believe these provide forward-looking insights. Finan­
cial results report on historical performance, but the ESG
elements provide predictive insights into an organization's
health, and therefore continued ability to perform.
While asset owners have the potential to significantly influ­
ence boards and management to focus on culture as a driver
of long-term sustainability; the greatest impediment remains
the diffuse nature of the investor community and of their
interests. Even the largest institutional investors rarely have
significant ownership in any one company, and it can be dif­
ficult for them (on their own) to influence board/management
agendas. Aside from specific scandals that can cause inves­
tors to align their interests, shareholders in any one com­
pany often have very diverse goals and may seek divergent
outcomes. The asset owners we interviewed spoke about
the need for the investment community as a whole to better
align on the importance of culture and governance as drivers
of sustainable financial results.
* Note: The ESG elements are the three main areas of focus in
measuring the sustainability and ethical impact of an investment in a
company.
Authority (EBA) guidance, have reviewed their remuneration
schemes, and incorporated cultural and behavioral consider­
ations into performance scorecards, most notably at senior
management levels. Banks are at varying stages of formalizing
these measures, cascading them to middle management levels
Sydney, April 2018. Specifics on implementation and outcomes are not
yet available.
Chapter 5 Banking Conduct and Culture ■ 93
and below, and ensuring consistent application. While some
banks are beginning to report cases of significant compensation
adjustments resulting from the adoption of balanced score-
cards for performance management, many banks still weigh the
"how" element lower than the "w hat." In practice, it is much
easier to evaluate direct results than behaviors, and difficult to
penalize high performers who do not fall in line with cultural
expectations. Nonetheless, boards and management must take
this step, and be willing to terminate employees for conduct
breaches when necessary.
Recent years have seen cases of conflicted remuneration
models that incentivize overly aggressive sales behaviors that
resulted in harmful outcomes for customers. A number of indi­
vidual firms have removed sales-focused incentives for frontline
staff, opting instead for alternative measures such as those
based on team goals and customer satisfaction outcomes.
One bank shifted compensation away from paying based on
profitability metrics to paying commission based on a service
provided to the customer. For the commission to be paid, the
client must be aware of and happy with the service (a third
party is employed to collect client satisfaction key performance
indicators [KPIs]). Another bank shifted to a three-pronged
performance evaluation for all staff: (a) performance in job, (b)
effectiveness of behavior, and (c) results on personal stretch
goals.
This transition in compensation structures has not been without
friction, with some banks experiencing initial sales declines, and
others needing to experiment with alternative performance
measures to achieve the right balance between incenting good
conduct and achievement of strategic goals. The changes in
incentives will also require efforts in other areas, such as reedu­
cating staff to better assess customer needs and make suitable
recommendations, and introducing new service tools and rou­
tines for frontline staff.
Another challenge of transitioning from purely results-based
compensation to a balanced-scorecard compensation structure
is that it requires insight into how employees perform their role.
This means that managers must have enough time and man­
agement acumen to understand what actions and decisions are
required in different circumstances and whether the employee
did in fact exhibit these behaviors. Also, because compensation
is such a blunt (and limited) instrument for influencing behav­
ior, organizations that value the "how" as much as the "what"
need to minimize reliance on compensation as a management
tool. Compensation has a role to play, but more important is
the role of leadership. One institution we interviewed trains
managers to look for real-time coachable moments to drive
employee behaviors rather than only ex-post compensation
measures.
94 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
A number of leaders we interview ed, while agreeing about
the need to change com pensation structures, also pointed
to the limited im pact on culture this change will have if done
in isolation. In fact, com pensation is often a by-product of its
environm ent rather than a driver. W henever there is m iscon­
duct, there are almost always issues with incentive design.
However, one must ask w hether the incentives drove the
undesirable behavior or the incentives are an indication of
the wrong m indset, which is ultim ately responsible for the
behavior.
To be credible, the shift toward a balanced performance man­
agement culture also requires willingness and courage on the
part of leadership to deal with high performers (from a purely
results perspective) who display toxic behaviors. When manage­
ment unevenly upholds standards of behavior, it sends a power­
ful message to all team members of what is important in reality
regardless of the stated values.
Banks have also become more willing to act on and publicize
breaches of conduct, and some have signaled when conduct
failures have led to terminations, which, when done, sends
a very strong firm-wide message. W hereas in the past poor
behavior from a strong producer may have been overlooked,
banks today have much lower tolerance for bad behavior
and have stated that they are even willing to forego revenue
opportunities (for exam ple, withdraw from certain deals or
businesses) where necessary in favor of maintaining a strong
culture.
Banks are also beginning to weigh the potential benefits of
using breach of conduct incidents and terminations as teaching
moments, against the potential risks of running afoul of privacy,
confidentiality, and employment law. Some banks are choosing
to explicitly communicate such narratives, while others rely on
informal grapevines and collective consequences (for example,
heavier scrutiny of activities) imposed on teams of the offend­
ing individual or individuals to spread the message internally.
A number of senior industry executives pointed to the discon­
nect between regulation and societal expectations on the one
hand, and employment and privacy laws on the other. Deal­
ing rapidly and forcefully with egregious breaches of conduct
can be difficult, especially in certain jurisdictions with strong
employee protection. In the current climate of social justice
campaigns and activist investors, ethical and legal consider­
ations need to be aligned.
Staff Development and Promotions
Training programs on conduct and culture have expanded
in size and scope at most banks, often focusing on defining
specific expectations around behavior and helping employees
understand how abstract values and principles specifically trans­
late into day-to-day responsibilities and expectations. This is a
very important element of driving behavior; historically, while
banks had value and mission statements, there was very little
guidance for employees to translate highlevel statements into
"w hat d o e s this mean specifically fo r m e in my everyday jo b
to b e able to live up to the exp ecta tio n s o f the institution ?"
Banks are applying a variety of scenario-based/role-playing/
industrial theater approaches and using a combination of live
and web-based mechanisms to deliver content. As one industry
leader put it, "w e n e e d to map the culture to the p ra ctica l,"
providing actual examples of how the culture must be lived.
Another area of training is around the grey zones where judg­
ment is required. Banking is a complex business where rules and
policies are not possible (or even desirable) for every situation.
A principles-based culture requires that employees also have the
knowledge, skills, and tools to face the multitude of decisions in
BOX 5.5 USE OF MACHINE LEARNING FOR CULTURE AND CONDUCT
SURVEILLANCE BY SUPERVISORS
Both banks and supervisors have recently started to look
at the use of advanced technology (that is, Al and machine
learning) to support conduct risk management through auto­
mated surveillance techniques.
Culture and conduct surveillance establishes what normal
or expected behavior is for a company/function/role, and
then analyzes relevant data to identify behaviors that are
not in line with the norm. This objective of identifying pat­
terns and anomalies in behavior is an ideal application for
machine learning models. For example, clustering algorithms
are effective in identifying patterns, trends, and correlations
in large bodies of data such as account openings and sales
performance. In addition, natural language processing tech­
niques can be used to extract sentiment and meaning from
chat logs and call transcripts to identify employee misbehav­
ior or trends in customer complaints.
While not without some controversy (related to privacy and
intrusiveness), the technology is advancing rapidly and there
are numerous benefits to automating the monitoring, com­
parison, and analysis of behavior patterns. Indeed, individual
companies have experimented with and are starting to imple­
ment such capabilities. Supervisory bodies are also exploring
how these capabilities could be used to address their goals
of ensuring safety and soundness.
Assuming supervisors can collect the necessary data at the
appropriate granularity and frequency from institutions, they
could apply machine learning techniques to monitor culture
and conduct at the industry level and across institutions on
an ongoing or near real-time basis. However, even though
such applications are feasible in theory, the practical reality is
much more challenging.
ambiguous and complex situations where the right answer is not
obvious.
At the same time, some banks have seen that the increased
level of training on all aspects of conduct can have a numbing
effect on staff, where employees start to tune out and training
has the opposite effect than intended. It is important to have
the right training for the right people at the right time and to
target the training and not push everyone through everything.
Conduct screens are also increasingly being applied to promo­
tion and external hiring decisions. Some banks have stepped up
their hiring practices to better assess new recruits' alignment
with the organization's purpose, values, and expectations
on behavior; examples include conduct interview questions,
ethical screening, and various forms of personality assessments.
Recent years have also seen active investment in surveil­
lance technology at banks (see Box 5.5), typically beginning
The initial practical challenge is the collection of the nec­
essary data in a consistent manner across institutions.
However, bigger concerns and challenges arise after the
data are collected. These include establishing baseline
behavior, setting thresholds and triggers, drawing mean­
ingful comparisons given the com plexity of institutions
and differences across institutions, engaging institutions
to investigate potential issues, and the treatm ent of false
positives. The other overarching issue, particularly from the
perspective of supervised institutions, is the potential nega­
tive consequence of big brother influence on em ployees
created by the ongoing monitoring of em ployee behaviors
and actions.
The potential to use machine learning by supervisors for
industry-wide culture and conduct surveillance is real,
given that the technology already exists, and the data
already reside within individual institutions. The benefits are
numerous and include rapid identification and remediation
of bad behavior and systemic issues; reduction of manual,
siloed, and costly monitoring processes at institutions; and
understanding of the cultural health of the industry (similar
to how other industry-wide exercises such as Com prehen­
sive Capital Analysis and Review [CCAR] help supervisors
understand the financial health of the industry). However,
the practical challenges are significant and likely prohibitive
at this point. Overcoming these challenges would require
a concerted effort and collaboration between supervisors
and the industry to ensure that the potential benefits of
this new generation of surveillance methods outweigh the
downsides.
Chapter 5 Banking Conduct and Culture ■ 95
with capital markets businesses but increasingly broadening
in scope to other areas. The focus at the cutting edge is on
making better use of available data with advanced analytics,
bringing together disparate analytical outputs (for example,
communications/ trade/voice surveillance, social media scan­
ning), and exploring additional analytics to detect or predict
potential conduct events (for example, reputational/sentiment
analysis, network analysis, cluster analytics). While the technol­
ogy is rapidly evolving to support such capabilities, the ethical
questions around the acceptable degree and level of employee
monitoring remain. With increased monitoring capabilities,
banks need to carefully balance the need to manage conduct
with the need to provide employees with some level of privacy
and trust.
An Effective Three Lines of Defense
An effective three lines of defense is the area of greatest
challenge and least progress to date. The shift of ownership
of conduct and culture initiatives to the first line (where it
belongs) has been slow. Banks are beginning to improve clarity
of second-line oversight of conduct and culture risk, though
a standard model has yet to em erge; the specific setup varies
by bank size, com plexity, and risk management approach.
A t many banks, second line teams are often still responsible
for driving conduct initiatives, focusing on the development
of frameworks and standards, piloting, and initial stages of
implementation. In terms of the third line of defense, while
some banks have started to establish culture audit practices,
many banks still struggle with the best way to audit what can
feel very intangible. Given this is a relatively new area of focus,
banks are in the process of working through a maturity curve
to understand the risk and develop a common taxonomy and
frameworks.
The biggest gap we observed in the effective implementation of
the three lines of defense for conduct risk management is that in
many banks it still appears to primarily be a second line focus
area. As with all other risks, to be properly managed, it needs to
be owned by the first line and embedded in all business pro­
cesses. It is especially important for the first line to be deeply
aware of and accountable for conduct risk management given
that conduct by its nature is how you do business. A conduct
risk lens needs to be explicitly applied to all business activities
including new product approvals, pricing guidelines, customer
complaint handling, and evaluation of new transaction/business
opportunities. Where it has been a focus by regulators and
banks, some progress has been made. For instance, as the UK
FCA notes in its "5 Conduct Questions" April 2018 Industry
Feedback report,101for the polled com panies,11 nearly all
96 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
frontline business areas have taken full ownership for conduct
risk and related change and development programs. There are,
however, firms that were slower to make this shift and continue
to lag behind their peers.
In addition to ensuring that the first line firmly owns conduct and
culture risk management, banks have also struggled with the
organizational placement of the second line conduct oversight
and control responsibility. Many banks have shifted the respon­
sibility for second line oversight across a number of functions in
order to find the right fit. Common organizational placements
are Compliance, HR, Risk (directly under the Chief Risk Officer),
Operational Risk, and Enterprise Risk Management. Each of
these has its own set of benefits and challenges:
• Compliance is probably the most natural fit given that it has
the expertise, experience, and discipline for surveillance and
monitoring of employee activity. However, some banks are
starting to worry that it may restrict the view too much with a
focus on laws and regulations. Conduct is about what should
or should not be done, rather than on what can or cannot be
done.
• HR has the benefit of being able to integrate conduct man­
agement into the broader talent management life cycle from
hiring to termination. Banks with close HR involvement in
conduct initiatives have benefited from the ability to closely
embed culture and values into various HR processes, includ­
ing performance evaluations, incentives structures, and
external recruiting. The downside is that as HR in some banks
plays a first line role in many of those activities, its second
line abilities may be restricted (in fact, in a number of banks,
HR is considered a first line function). Another potential limi­
tation is that in many institutions, HR does not have the same
organizational power as the Risk function, nor does it have
the proximity to the daily business that Compliance and Risk
have.
• Placing conduct management in the Risk function directly
under the Chief Risk Officer can be effective, especially in
institutions that have experienced significant conduct issues,
as it elevates the importance of the function and senior man­
agement line of sight. However, as an ongoing business-as-
usual structure, this can lead to a siloed approach to conduct
risk management.
• Operational risk management is a natural fit for many institu­
tions that have defined conduct risk within the operational
risk taxonomy and structure. Given that operational risk
10 "5 Conduct Questions" Industry Feedback for 2017 Wholesale
Banking Supervision, Financial Conduct Authority, London, April 2018.
11 Per the report, a sample of approximately 30 firms.
 covers people, process, and technology risks, conduct risk
can be viewed as an extension of those risk types. The down­
side is that operational risk is such a broad and still evolving
area of risk management that conduct risk may get lost in the
fray and not receive the attention it needs.
• More recently, some banks have moved conduct risk man­
agement under enterprise risk. This can make sense for sev­
eral reasons: it is closely linked to reputational risk, it requires
a holistic understanding of risks across the enterprise, and it
entails significant reporting effort for the board and senior
management. The downside is that the Enterprise Risk Teams
in many banks may be too small and not have the capacity to
undertake oversight of such a pervasive risk type.
Furthering the dilemma on the organizational placement of
second line conduct risk oversight is that many institutions do
not yet have full clarity on whether conduct, culture, and ethics
should be managed as one integrated function, or separately.
While the industry has not defined one agreed model for sec­
ond line oversight of conduct and culture, there are two guiding
principles that should be observed:
• W hichever function is selected as the responsible second
line, it needs to be clear. While all the groups listed above
likely have a role to play in the oversight and governance of
conduct and culture, there needs to be clarity on roles and
responsibilities; that is, which function is taking the lead and
which functions are tasked with contributing input (and the
type of input) need to be explicitly stated. The risk respon­
sibilities, policies, and appetite statements also need to be
aligned.
• W hichever team is given second line oversight and gover­
nance responsibility also needs to be given proper power for
conduct initiatives to have teeth.
Banks are also starting to further their thinking in terms of the
third line's role in the management of culture and conduct. A
number of banks have explicitly structured culture audit pro­
cesses, and in some cases, institutions have established audit
teams specifically focused on culture auditing.
While second line placement is important for an effective
conduct risk management program, most important for the
long-term and permanent success of culture and conduct
efforts is ownership by the frontline business. Progress has
been slow in embedding ownership of conduct risk in the first
line, often due to a lack of understanding or experience by
the first line management and/or the view of culture and con­
duct as a soft HR issue rather than a business imperative. Due
to lack of first line ownership, some banks have seen first line
responsibilities slip to the second line, which in turn rendered
ineffective the second line's role of independent challenge.
This is often due to the lack of clarity of how this risk should
be defined and managed. It cannot be overstated that ulti­
mately, ownership and oversight for conduct and culture risk
management needs to be owned by the Board, the C E O , and
the heads of the business units. Defining conduct risk, incorpo­
rating it into the risk appetite statement, and developing risk
identification and auditing processes are all still very much a
work in progress. For instance, many institutions are still strug­
gling with the classification of conduct risk: is it its own risk type
or a subset of another risk such as operational risk? As with all
other risk types (credit, market, and operational and reputa­
tional risks), the methodologies and practices will mature over
time. Formal risk management routines will need to be agreed
and adopted for the effective functioning of the three lines
of defense.
Regulators, Supervisors, Enforcement
Authorities, and Industry Standards
Regulators and supervisors across the globe have increased
attention to and expectations regarding conduct and culture.
Examples include:
• UNITED KINGDOM: The FC A has been a driving force, issu­
ing the Fair and Effective Markets Review in conjunction with
the Bank of England and Her Majesty's Treasury, and imple­
menting regulations for benchmark rates, foreign exchange
(FX) remediation programs, and the Senior Managers and
Certification Regime to increase individual accountability and
governance via banks' senior leadership.
• EUROZONE: European regulators have dialed up scrutiny of
conduct issues, for instance, with the EC B /EB A releasing
conduct-related guidelines on governance arrangements and
remuneration policies, and the De Nederlandsche Bank
(DNB, the Dutch central bank) conducting examinations
focusing on topics such as decision making, leadership, and
communication. Further, the ECB updated its Manual for
Asset Quality Review in June 2018, incorporating the
implications of International Financial Reporting Standard 9
(IFRS 9)12 and increasing the importance of bank business
models focused on investment services. Also, as part of its
Internal Capital Adequacy Assessment Process, DNB has
stated they will devote particular attention to strategic risks
to banks, including the gradual deterioration of a business
model.
12 IFRS 9 was promulgated by the International Accounting Standards
Board and addresses accounting for financial instruments. It covers the
classification and measurement of financial instruments, impairment of
financial assets, and hedge accounting.
Chapter 5 Banking Conduct and Culture ■ 97
• UNITED STATES: There has been increased focus on culture
and conduct from the Federal Reserve Banks, the Office of
the Com ptroller of the Currency (O C C ), the Financial Indus­
try Regulatory Authority (FINRA), the Securities and
Exchange Commission (SEC), and the Consumer Financial
Protection Bureau (CFPB). In particular, the Wells Fargo
sales practices scandal led the O C C to launch a multiphase
industry-wide review. In his June 2018 speech, "Now is the
Tim e for Banking Culture R efo rm ,"13 Federal Reserve Bank
of New York president and C E O John Williams expressed a
sense of urgency in addressing banking culture, and the
"n e e d to en sure that bank m an agem en t and b o a rd s are
e xe rtin g stro n g and e ffe c tiv e lea d ersh ip with ro b u st
g o ve rn a n ce . That m eans h oldin g m an agem en t and b o a rds
o f d ire cto rs to high sta n da rd s in term s o f culture and
c o n d u c t. "
• CANADA: The Financial Consumer Agency of Canada
(FCAC) launched a business practices probe, focusing on
bank employees' obligation to obtain customer consent and
provide proper disclosure about fees and costs when selling
new products, and the Office of the Superintendent of Finan­
cial Institutions (OSFI) launched a review of domestic retail
sales practices. The FC A C s related report,14 released in
March 2018, noted insufficient controls at Canada's largest
banks to mitigate the risk of mis-selling and breaching market
conduct obligations.
• AUSTRALIA: The Banking Executive Accountability Regime
(BEAR) is seeking to improve standards of behavior and
accountability, and the Banking Royal Commission is cur­
rently investigating incidents of misconduct. The Interim
Report of the Royal Commission is critical of regulators, and
in its final report, due in February 2019, is likely to recom­
mend that they be accorded additional powers. In May 2018,
the Australian Prudential Regulation Authority (APRA),
released its review of Commonwealth Bank of Australia's
frameworks for governance and accountability,15 noting
"C PA 's con tin u ed financial su cce ss d u lled the se n se s o f the
institution, particularly in relation to the m anagem ent o f
13 Now Is the Time for Banking Culture Reform: Remarks given at
Governance and Culture Reform Conference, Federal Reserve Bank
of New York, by John C. Williams, President and CEO of the Federal
Reserve Bank of New York, June 2018.
14 "Domestic Bank Retail Sales Practices Review," Financial Consumer
Agency of Canada, Ottawa, March 20, 2018.
15 "Prudential Inquiry into the Commonwealth Bank of Australia (CBA)
Final Report," Australian Prudential Regulation Authority, Sydney, April
2018.
98 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
nonfinancial risks. " As a result, the APRA applied a $1 billion
Australian dollar add-on to CBA's minimum capital
requirement.
• HONG KONG: The Securities and Futures Commission's
(SFC's) Manager in Charge regime aims to increase account­
ability of senior management and managers of key/control
functions, while the Hong Kong Monetary Authority (HKMA)
recently released a framework for fostering sound culture at
banks.
• SINGAPORE: The Monetary Authority of Singapore (MAS)
has drafted proposed guidelines on individual accountability
and conduct via banks' senior leadership.
• CHINA: The China Banking Regulatory Commission (CBRC)
has published Conduct Management Guidelines for banks,
designed to facilitate reporting of improper conduct in
banks. The process is designed to establish norms for long­
term monitoring and inspection of bank practices. The
People's Bank of China has also underlined the importance of
conduct and culture for the leadership of major banks via its
support for the G30 recommendations.
Financial authorities recognize that culture and conduct supervi­
sion represents a departure from historical, often quantitatively
based prudential supervision, and are grappling with what that
means in terms of the skills and capabilities of their staff and
their traditional approaches, and their own internal culture and
practices. A consensus view has yet to emerge on whether out­
side organizations that have traditionally focused on quantitative
measures of bank health can, without hands-on experience, truly
assess the culture of the banks they supervise and add value to
a culture review.
In our interviews we heard significant differences of opinion in
terms of the role regulatory agencies can play. On the one hand,
culture is so intimate and unique to the strategy and values of a
specific institution, it is hard to imagine any external party being
able to engage productively in an assessment of the culture.
On the other hand, numerous scandals and conduct issues have
shown that insiders can miss signals of cultural deterioration,
and management could benefit from external, unbiased inquiry.
Some regulators have taken an optimistic view on this and are
experimenting with alternative approaches. For example, DNB
has hired psychologists to observe and analyze culture at banks,
and the Monetary Authority of Singapore is building up Al and
data analytics capabilities.
An important differentiation in determining the role supervisors
should adopt in this space is the difference between conduct
and culture. Given that conduct risk management is based on
observable behaviors, it may lend itself to a clearer supervisory
 BOX 5.6 HOLDING MANAGERS ACCOUNTABLE
First introduced in 2016 by the UK Financial Conduct Author­
ity, Accountability Regimes already cover or will cover many
major financial centers and financial business models. These
regimes are a direct response to a call to amend professional
standards and the culture of the banking sector following a
perceived lack of personal responsibility for management fail­
ings in the financial crisis.
The UK Senior Managers and Certification Regime (SMCR),
introduced a statutory duty of responsibility for a defined set
of senior individuals in a firm to demonstrate that they have
taken reasonable steps to prevent prudential and conduct
failures. The regime has been recognized by many as a key
driver of cultural and behavioral changes in senior managers
in banking. The SM CR was originally established for deposit
takers and later extended to include investment firms and
insurers and focused clearer articulation of senior roles,
responsibilities, and accountability, as well as individual con­
sequences extending to legal prosecution and sanction in the
event of breaches by the firm.
Accountability Regimes have since emerged in several other
jurisdictions including Hong Kong Manager-in-Charge (MIC),
effective October 2017; the Australian Prudential Regulation
Authority's BEAR (Banking Executive Accountability Regime)
assessment. As Box 5.6 shows, in recent years, supervisory
authorities in a number of countries have recognized this and
reinforced managerial responsibility for conduct and conduct
failures with accountability regimes.
Culture, on the other hand, is intangible and ubiquitous; as
such, it requires deep understanding of the strategy, operating
model, and values of the organization. In other words, conduct
can be assessed as right or wrong, whereas culture is not
objectively right or wrong, it can only be assessed in terms of
its alignment to the strategy and values of the institution.
In some markets, discussions on conduct and culture have
moved beyond individual bank efforts to collaboration across
multiple players in the industry, including tools and practices
that are shared more broadly. Examples include:
• The Banking Standards Board in the UK conducts an annual
assessment across banks on culture and conduct topics, pro­
viding participating banks with useful benchmarking on how
they are doing relative to peers.
• The Fixed Income, Currencies and Commodities Markets
Standards Board has developed actionable standards on
behavior and statements of good practice that have been
well received by industry participants.
effective July 2018; and most recently the Monetary Author­
ity of Singapore's proposed Individual Accountability and
Conduct Regime and guidance from the US Federal Reserve
Bank.
In designing and implementing these regimes, supervisors
need to have a clear view of the intended outcomes of an
Accountability Regime, and design a regime that adheres
to those outcomes, taking lessons learned from established
regimes such as the FCA SM CR. Special attention should be
paid upfront to consider potential unintended consequences
and design standards and principles that allow for flexible
application where appropriate.
Firms themselves should avoid a pure compliance-based
"tick-box" approach when responding to Accountability
Regimes and ideally use such regimes as an opportunity to
drive and build on strengthening leadership behaviors and
overall culture in the organization, ensuring that employees
have the resources and support to discharge their duties.
Firms that need to respond to regimes in multiple jurisdic­
tions will need to align on approaches, and navigating the
minefield of unintended behavioral consequences will be key
for both firms and supervisors.
• The Financial Stability Board has since 2015 been
coordinating international efforts around a work plan to
reduce misconduct risk, most recently publishing a tool­
kit for firms and supervisors to strengthen governance
fram eworks. The tools focus on mitigating cultural drivers
of misconduct, strengthening individual responsibility and
accountability, and addressing the "rolling bad apples"
phenomenon.
• The Bankers' Oath in the Netherlands is a legally required
ethics statement and code of conduct holding bankers to
standards of good behavior. To date, it has been taken by
87,000 Dutch bank em ployees.16
• The Global Banking Education Standards Board recently
announced standards for ethics education and training for
professional bankers, with plans to develop further standards
in both general banker competency and on the capabilities
required in credit products.
16 "The Banker's Oath," Tuchtrecht Banken, Amsterdam; https://www
.tuchtrechtbanken.nl/en/the-bankers-oath.
Chapter 5 Banking Conduct and Culture ■ 99
SECTION 2. LESSONS LEARNED
As the banking industry reflects on the last decade, and culture
and conduct efforts gain additional maturity, our research has
revealed eight key lessons.
1 Managing culture is not a one-off event, but a
continuous and ongoing effort that needs to be
constantly reinforced and that must become a
permanent way of doing business.
2 Leadership always matters; conduct and culture must
be embedded from the top down throughout the firm,
starting with the board and senior management but
also importantly including middle management.
3 The scope of conduct management is shifting from
misconduct to conduct risk management more
broadly.
4 Managing culture requires a multipronged approach
and the simultaneous alignment of multiple cultural
levers.
5 Ten years out from the financial crisis, there is strong
recognition that a more diverse set of views and voices
in senior management will lead to better (and more
sustainable) outcomes for all stakeholders.
6 While cultural norms and beliefs cannot be explicitly
measured, the behaviors and outcomes that culture
drives can and should be measured.
7 Regulation has a limited role in rule setting and man­
dating culture.
8 Restoring trust will benefit the industry as a whole; as
such, industry-wide dialogue and best practices shar­
ing are important elements in the journey toward a
stronger and healthier banking sector.
A discussion of each of these lessons follows.
LESSON 1. Managing culture is not a one-off event, but a
continuous and ongoing effort that needs to be constantly rein­
forced, and it needs to be permanent (see Box 5.7). Banks need
to not only find ways to keep culture discussions from becom­
ing stale or repetitive, but also to ensure that culture efforts are
responsive to potential changes in the desired outcomes them ­
selves as the industry evolves (for example, digitization). This
is particularly important as changes to conduct and culture are
further embedded throughout the organization. It is also impor­
tant to remember that culture is not (and should not be) static;
it will evolve as the business evolves, customer needs change,
and competitive forces modify. As such, the firm must constantly
and deliberately adapt culture to align to a changing strategy
and business conditions. Constant nudges and reinforcement of
expectations are needed in everyday life as training alone is not
enough to shift behavior.
100 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
LESSON 2. Leadership always matters. Conduct and culture
must be embedded from the top down throughout the firm,
from the board to senior management and through middle man­
agement down to the teller, and through all business units and
geographic locations.
First and foremost, the board needs to be aware of and involved
in defining and guiding the culture. The board's role is to define
purpose of the organization and ensure that all business levers
are aligned with that purpose. Strategy, communications, poli­
cies, processes, and practices must all align with the desired
culture, and the board must oversee that alignment.
Senior leaders need to involve middle management to further
articulate and reinforce firm values and intended behaviors in
their respective areas of oversight. The day-to-day realities of
frontline staff are most profoundly impacted by their immediate
manager rather than by the C EO or other senior executives. As
such, leadership modeling must flow all the way through the
organization and cannot only be seen at the senior levels. This is
especially difficult for large, multi-geography and multi-business-
unit banks. A direct manager that does not model the values
of the firm can easily undermine any example or message com­
municated by the C E O ; as such, many banks are shifting away
from focusing mainly on tone from the top, to tone from above.
While the tone and direction of the culture message needs to be
consistent across all leaders, it also needs to be flexible enough
to be aligned with the different styles of each leader.
LESSON 3. The scope of conduct management is shifting from
misconduct to conduct risk management more broadly. Conduct
is not just about purposeful misbehavior driven by an employee's
desire for personal gain or to meet performance targets (for exam­
ple, rogue traders); rather, it should be considered more broadly.
For example, a bank's decisions— in the form of such things as
business targets, product design, and automated processes— can
sometimes have unintended consequences and harm clients, cus­
tomers, and/or colleagues even in the absence of bad intentions.
In many institutions, conduct has been defined to include intent,
negligence, and failure of judgment. The definition is also
broadening to cover all stakeholders, having shifted from only
market and customer impact to also include harm to colleagues.
In this context, rather than just focusing on how to reduce bad
conduct, it may be useful to consider the mirror image ques­
tion of how to promote good conduct that aligns and furthers
the organization's purpose and values. It is also important to
consider the full potential consequences and implications of ail
business decisions.
LESSON 4. Managing culture requires a multipronged approach
and the simultaneous alignment of multiple cultural levers. Cul­
ture is not empirically good or bad, but it must be right for the
 BOX 5.7 LESSONS FROM OTHER INDUSTRIES
Banks can learn from other high-risk, asset-intensive indus­
tries that have worked for years to embed responsibility for
managing behaviors throughout the organization. Examples
include the following.
Oil and gas: Companies have established specific guidance
on behavior (for example, Shell's "Life-Saving Rules") that sets
clear expectations on acceptable vs. unacceptable behavior.
Also, firms use a buddy system to encourage employees,
upon observing non-compliant behavior by peers, to intervene
with each other without the need to escalate the issue up
the management chain. This helps create an environment of
trust and psychological safety where employees look after the
well-being of the firm and of each other. Banks could consider
applying similar approaches to clarify behavioral expectations
and foster a speaking-up culture. A speaking-up culture could
also mean speaking out to a colleague through mentoring and
coaching rather than only via escalation measures.
Medical devices: "Hazard analysis" (also known as risk analy­
sis) is a mandatory step in the design of medical devices, to
consider the possible consequences of inadvertent misuse by
organization based on its values, strategy, and business model.
And the various levers of culture must be aligned with the desired
outcomes. Cultural levers include structural elements such as
policies, organization, processes, and technology, as well as intan­
gibles such as tone from the top, beliefs, and perceptions.
Embedding culture is not about changing specific cultural levers
in isolation, but about achieving alignment throughout, that is,
a clearly stated (and believed) purpose that flows into strategy,
policies, behaviors, governance models, processes, performance
measurement, and incentive schemes. Tone from the top and
leading by example are necessary for initiatives to have credibil­
ity, but they are not sufficient. Processes and structural elements
are also critical for enabling messaging to cascade uniformly
and effectively throughout the organization, especially for larger
banks. Small changes in everyday decisions ultimately add up to
big changes over time. Implications of this lesson include:
• Along the lines of "every organization is perfectly designed
to get the results it gets," a bank's various culture elements
are a reflection of its true (which may differ from its stated)
values and priorities. Banks should think carefully about how
each culture element came to be designed/implemented/
perceived in its current form, and make necessary adjust­
ments to ensure that it is aligned with the organization's
desired values and priorities.
• Beyond articulating purpose and values, banks need to pro­
vide practical, actionable guidance to help staff make deci­
sions. This means clear communication of expectations, and
the customer, and to mitigate those hazards so that the cus­
tomer is not harmed. Such analyses, applied to banking and
other financial products, could help banks think more rigor­
ously about product features, even those commonly taken for
granted, and build in appropriate safeguards against poten­
tial customer misuse.
Pharmaceuticals: Healthcare professionals abide by a phi­
losophy of "right patient, right medication, right tim e"* to
ensure patient safety and reduce errors in drug administra­
tion.** A banking analog (for example, articulated as "right
customer, right product, right need") of this philosophy could
help guide retail sales staff in recommending appropriate
products for customers, reduce mis-selling incidents, and ulti­
mately improve customer satisfaction and outcomes.
* Some versions also specify, for example, right dose, right route,
right reason, right documentation, and right response.
** While considered a useful rule of thumb, this is not a foolproof
guideline; see "The Five Rights: A Destination without a Map," by
Matthew Grissinger, P& T35 (10) (October): 542, 2010; https:\\www
.ncbi.nlm.nih.gov/pmc/articles/ PMC2957754.
concrete, relatable examples around behavior in real-life situ­
ations that employees may face. While values and principles
provide direction, on their own they are often too abstract
to be directly useful in gray-zone situations. This can be best
achieved through tailored trainings across levels and more
open communication from senior leadership.
LESSON 5. Ten years out from the financial crisis, there is strong
recognition that a more diverse set of views and voices in senior
management will lead to better (and more sustainable) out­
comes for all stakeholders. Many of the industry leaders inter­
viewed pointed to group-think as a contributing cause of the
behaviors leading to the financial crisis and many of the scandals
that have occurred since.
Diversity in thinking, problem solving, and leadership styles
will help organizations achieve better results through greater
questioning, challenging, creativity, and innovation. Diverse
leadership teams can also help employees (especially diverse
employees) feel safer in raising concerns and escalating issues.
Many leaders stated that their institutions have recently placed
greater focus and importance on hiring, retaining, and empow­
ering diverse employees. These leaders recognize that suc­
cessful, innovative, and learning organizations are ones that are
diverse— at all levels of the organization. As one senior industry
leader stated, "everythin g changes for the b e tte r when you
have critical mass o f w om en in the C-Suite and the B oardroom ."
But results on this front are slow, and achieving truly diverse
teams (especially at the senior levels) will require intentional
Chapter 5 Banking Conduct and Culture ■ 101
and ongoing effort. A 2016 study by Oliver Wyman showed that them. While measuring culture is a challenging task, it is also
while slight improvement is being made in terms of female rep­ a necessity. Leadership's ability to confidently and objectively
resentation in the C-Suite and the board, the numbers are very state that the conduct of individuals across the organization
low and only marginally improving (see Figure 5.5). is in line with their strategy, core principles, and desired goals
requires a set of indicators that can support their statements. To
Recent analysis of the financial sector by Mercer shows that
maintain a healthy culture and detect conduct issues before they
women are significantly better represented at the support staff
become a significant problem, management needs to be able
level than at the senior manager or executive level. In addition,
to observe and track behavior through meaningful and objec­
the proportion of women decreases at each level as we move
tive metrics. This is especially true for larger organizations that
up the hierarchy; they are hired at a lower rate than men at all
span numerous geographies and business lines, and can host a
levels except for senior manager; they are less likely than men to
myriad of subcultures that differ significantly. In addition, banks
be promoted to the next level across all levels of the organiza­
need to measure and report on culture and conduct because
tion; and they exit at higher rates than they are being hired at all
only by measuring them will banks be able to shift their focus
levels, and even more so at manager level and above. This is a
away from purely quantitative financial metrics (for example,
troubling picture. Global firms in other industries do not display
revenues, volumes, profits) to an understanding of how their
such large skews.
actions and decisions align to their values.
In addition, gender disparity in pay is gaining attention as an
Culture also needs to be measured and monitored because it
issue in the banking industry, as recently highlighted in the UK
is not constant; culture can and should evolve over time and be
but holding true globally. While some of this disparity can be
influenced by a number of factors including company strategy,
attributed to issues with equal pay for equal work, the fact that
hiring, growth, acquisitions, and external drivers such as evolv­
women hold fewer senior, highly paid positions than men is typi­
ing customer needs or technology advancements. Without
cally a larger source of disparity. Such imbalances can create
effective measurement, leadership cannot determine whether
culture issues such as bullying, harassment, and other behaviors
this evolution is progressing in a desirable direction.
that can negatively impact clients.
Deriving metrics from company values is a multistep process
One Bank Board Chair interviewed rightly stated: "A s human
that requires organizations to look inward and answer some
bein gs, we are n o t w ired to se e k out diversity; the natural o rd er
challenging questions starting with values, identifying stakehold­
is to b e drawn to th o se who are like us. A n d fo r too many years,
ers and outcomes for each, and then articulating desired behav­
cultural fit has b een u sed in hiring and prom otion d ecisio n s as a
iors and translating them into observable metrics. Following this,
p ro xy for 'is ju s t like m e ."'
banks will need to embark on a data exploration and analysis
LESSON 6. While cultural norms and beliefs cannot be explicitly effort to make sure that the data needed for the desired metrics
measured, the behaviors and outcomes that culture drives can are available or can be readily collected. Several tools, including
and should be measured. Banks are at various stages of trial and internal surveys, audits, and customer assessments, are particu­
error to determine what the right metrics are and how to use larly useful in gathering data for given metrics.

30

Board

ExCo

Interquartile range
(25th to 75th
percentile)
0
2003 2008 2013 2016
Fiaure 5.5 P e rce n ta g e of board and E x e cu tiv e C o m m itte e (ExC o) m em b ers in m ajor
financial se rv ice s o rg an izatio n s w ho are w o m en .

Source: Oliver Wyman analysis of organization disclosures across 381 financial services organizations in 32 countries
("Women in Financial Services," Oliver Wyman, New York, 2016).

102 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
There is no silver bullet for measuring and reporting conduct
and culture, but several key design principles are critical to
building a culture dashboard that provides useful and actionable
insights, as shown in Figure 5.6.
The more mature banks in terms of culture and conduct report­
ing provide the following lessons learned:
• The report should focus on metrics that are meaningful to
the purpose and values of the firm. Also important in metric
selection is having both leading and lagging metrics: the
forward-looking metrics are key to identify what might hap­
pen rather than only reporting on what did happen.
• To be truly valuable, the metrics should be seen over time
and analyzed as a trend rather than a single number or
point in time. In addition, the analysis should not just look
at individual metrics in isolation but rather assess how the
data interact. Metrics from across strategy, governance, HR,
service, operations, product, sales, and clients should come
together to form the full narrative on culture and conduct.
• The details are critical, and the board and senior manage­
ment should focus on the anomalies, exceptions, and the tail,
given that in the summary view, the issues can be buried and
lead to a false sense of complacency.
• The report should include commentary and explanation of
the data, and the reporting operating model should also
include the ability to do further analysis and investigation
where needed. With culture and conduct reporting, the
metrics do not identify issues per se; rather, they identify
where to look for potential issues. The metrics don't tell you
what went wrong, they just tell you where to look. In that
same vein, as banks refine their approach to selecting and
calibrating metrics, they often struggle with many false posi­
tives. Getting the right metrics and inferring the right insights
will take time and should be piloted/tested over a period of
time.
• The reporting should focus on conduct rather than nar­
rowly on misconduct. When banks start down the culture
and conduct measurement path, many focus their efforts
on misconduct— intentional actions that are clear breaches
of policies. However, culture and conduct reporting should
also include outcomes driven by unintentional behaviors and
unintended consequences, such as flawed product design
that does not meet customer needs. Furthermore, to provide
a truly comprehensive and balanced view of company culture
and conduct, the scope of measurement should cover p o si­
tive conduct and associated indicators such as employee
volunteer hours, employee satisfaction survey results, sustain­
ability efforts, and social impact investments.
• The reporting tool should be flexible and provide multiple
views, levels of granularity, geographic focus, and types of
metrics needed to meet the needs of multiple audiences (for
example, the board, senior management, business heads, and
various second line functions). A number of institutions are start­
ing to develop dynamic web-based reporting views (Figure 5.7).

O Has direct link to firm values © Displays trends over time © Provides granular results
and risk appetite framework for each indicator across lines of business

S
Leading S
s — — — — MX I.IX MX M MX
Value Metric vs. lagging
• • • k• • %!•••••• 9 • 0 0 M l M l MS
/ U lx MX

Company Revenue and cost against target Leading !•• •!••!••« •«(••••
— 'w l.«X M l I.IX MX •JX

landscape Efficiency ratio Leading •• • 'w — n - ix t in IU I IMX •MX

— j• » Af0 lu x IU I IMX fl.lx IM X

Involuntary turnover, by type (e.g. Sales Leading Efficiency ratio 0

— • • II CM
Our People Ml Ml

Practices, Fraud, etc.) Custom er complaints —

•
V Ml u «•> M Ml
1

Sales training completion rates, by type Leading

I
Suitability reviews — — — IM MX MX MX IMX
1
Com pliance breaches # II IX MIX
Customer complaints by type Lagging
11 IX MIX It lx
Customers 0
1 Em ployee surveys 0
— u ii 49 IM Mil • ill

# or % of products only appropriate for a Lagging 0

• • 41 41 IB ll

small subset of customers 0

€X •M II fli • 1X

r
••
Risk Control # of products with periodic review overdue Leading *t 0J.
• •*.!##•
k *
in Ml Ml MV •IV

• •• S i m — 1 MV •IV m f |Y IM

% open issues raised by audit Lagging ®

• •••#• •* 4»«
•• •
m
0
— 44V in in •IV •IV
♦••• •• •• •••!♦ •
Overdue customer appropriateness reviews Lagging .. .
0
—
^km_ 0 in III IM 41* m

0 m rtx •n m in
— Hv
Number of compliance breaches Lagging i-------- »----
*00 $ * 0•%- 9 ••««•••••!•••
0 0
Ml t il Ml MX
j / w MV

o Includes granular
data and targets
Q Uses both leading
and lagging indicators
0 Provides value-adding
commentary

Conduct metrics Dashboard

F ia u re 5 .6 Design principles for conduct and culture measurement.

Chapter 5 Banking Conduct and Culture ■ 103

 Conduct risk dashboard Settings Log Out

Board View Detailed View

Filte rs Region All ▼ Office All ▼ Periodl 2018 Q1 ▼

M etrics sum m ary Insights All

S ta k e h o ld e r c a te g o ry O v e ra ll s ta tu s C o m m e n ts Feb 12, 2018

Employee turnover
Status: Open
C u s to m e rs a n d
c lie n t s • Spike in LOB 1 employee turnover over the
past two quarters.

Feb 12, 2018

E m p lo y e e s S p ik e in L O B 1 e m p lo y e e
tu rn o v e r

Feb 2, 2018
Employee Hotline Volume
C o m m u n it ie s Status: Resolved
• 10% increase in Employee Hotline volume
across the enterprise during 2017 Q4
• The increase was determined to be the result
S h a r e h o ld e r s
of an employee hotline awareness campaign

S u p e r v is o r s ,
r e g u la t o r s , a n d Feb 2, 2018
g o v e rn m e n ts
Customer Complaints
Status: Resolved

Conduct risk dashboard Settings Log Out

Board View Detailed View

Filte rs Region All ▼ Office All ▼ Period 2018 Q1 ▼

Teammates: Metric overview Insights

Metric ° (v: ra" LOB 1 LOB 2 LOB 3

status Employee turnover
Employee hotline volume and whistleblower cases
Status: Open ▼

Number of misconduct incidents (overall) Spike in US employee turnover over the

Number of employees with a misconduct incident in the past 12
past two quarters. The change is currently
months under investigation.
Rate of employee turnover
• The trend is isolated to LOB1 at London
office 1. LOB 2 in the same office also
Employees: Trends has a spike, but not as large.
Jane Smith, Feb 12, 2018
-

• Reached out to the LOB 1 HR team in

Employee hotline volume Whistleblower cases that office; waiting for their perspective
Volume pegged to historical average Includes both substantiated and before escalating
unsubstantiated cases Jane Smith, Feb 14,2018
-

M
KJ Add an update
US

Employee Hotline Volume

20 Status: Resolved ▼
• 10% increase in Employee Hotline
volume across the enterprise during
10
2017 Q4

Fiq u re 5 .7 Sample conduct and culture dashboards: Board view and detailed view.
Source: Oliver Wyman.

LESSO N 7. Regulation has a limited role to play given that response, undermining the clarity of the message that culture is
culture cannot be mandated or defined by rules; that is, good a matter for banks' boards and executives, creating a mindset
culture cannot be regulated into existence. A number of indus­ of outsourcing good judgment, and forcing disengagement
try leaders raised concerns related to the potential downsides of from activities that may expose banks to future financial pen­
overly prescriptive regulation, such as encouraging a box-ticking alty. Having said that, regulatory agencies are responsible for

104 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
 BOX 5.8 SKILLS AND CAPABILITIES REQUIRED OF REGULATORS
To effectively assess banks and assist them in effecting last­
ing conduct and culture changes, supervisors themselves
will need to evolve in order to be properly equipped with
the right skills and capabilities. As one senior industry leader
stated, "a su p e rviso r w ould not undertake the review o f a
financial m odel w ithout financial m odeling e x p e rtise ; how
can they en g a g e in dialogue and review o f culture w ithout
the skills in behavioral d rive rs?"
Supervisory teams should be composed of experienced
individuals who understand banks' business models and strat­
egy, and can engage in judgment-based, forward-looking
discussions with boards and senior executives about con­
duct matters. These teams must be adept at leveraging new
types of assessment methodologies and be able to identify
potential issues and behavioral outliers in a constructive and
safeguarding the safety and soundness of the financial services
industry. As such, these agencies cannot be excluded from the
dialogue and monitoring.
The industry continues to explore effective approaches to regu­
lation and supervision; while there is not yet a consensus view,
agreement is beginning to emerge in some areas, including:
• REGULATION: Regulation can be an effective tool to focus
banks' attention on specific and tangible areas of persis­
tent conduct failures (for example, conflicts of interest, risk
incentives, and customer protection), in such cases clearly
outlining basic principles while leaving room for banks to
own and drive the specifics of implementation. The approach
of principles-based regulation has recently proven effective
in two areas: increasing accountability of senior leadership
(FCA's Senior Managers and Certification Regime [SM&CR])
and aligning remuneration policies to drive better conduct
(FC A /EBA guidance on remuneration). Regulatory bodies can
also outline requirements in terms of claw-back practices,
including defining the appropriate time period for deferrals
and clawbacks, which may be too short in some cases today.
The various senior accountability regimes seen in some juris­
dictions are one way regulation has impacted bank culture.
While the specifics differ, increasingly supervisors are incor­
porating individual accountability for breaches of conduct
in the mandate of their senior management regimes. These
are leading to changes in the roles and responsibilities of
senior leaders and directors, and are also affecting how
banks recruit, appoint, train, and compensate their most
senior leaders. It is of course also having a direct impact on
the mindset and actions of these individuals and on how they
well-intentioned manner. Further, supervision of conduct and
culture will involve greater resources and time commitment
relative to traditional supervisory activities, requiring ongoing
dedication, careful planning, and a deeper understanding of
each bank's business model and strategy.
Over time, some supervisors may find themselves needing
to reassess their internal governance structure, operating
model, and rules of engagement. It goes without saying that
there should be no conduct issues among those tasked with
evaluating conduct. Finally, supervisors should consider lever­
aging additional expertise from external experts (for exam­
ple, behavioral scientists, governance experts) to bolster the
quality of assessments and strengthen supervisors' knowl­
edge and capabilities going forward.
carry out their responsibilities on a daily basis (that is, they
are more involved in and aware of the activities and decisions
being carried out in their organizations). See Box 5.8 for a
discussion of the skills and capabilities required of regulators.
• SUPERVISION: Supervision has an important role in engag­
ing in a dialogue with the industry and holding up a mirror
to the institution. Supervisors can ask questions of the board
and management to ensure an appropriate focus on culture
and conduct topics, and can also share industry best prac­
tices and learnings. It is important that supervisors share
culture insights that they have gleaned from their work across
multiple institutions and in their dialogue with regulatory
bodies from around the world.
Supervisors can also help in anticipating future sources of
potential misconduct given their broader industry-wide view.
Trust, transparency, and open dialogue between banks and
supervisors will be critical to allow for this, and to enable
early intervention to prevent serious issues before they
materialize.
• SYSTEMIC ISSUES: Systemic issues such as the "rolling bad
apples" problem cannot be addressed by individual bank
efforts and require collective response across the industry
and regulatory/supervisory bodies.17
LESSO N 8. Restoring trust will benefit the industry as a whole;
as such, industry-wide dialogue and best practices sharing are
important elements in the journey toward a stronger and health­
ier banking sector. The banking industry in major markets should
17 Although this must be done within the constraints of local legislation
and employee protection laws.
Chapter 5 Banking Conduct and Culture ■ 105
 BOX 5.9 TRAINING FOR LASTING BEHAVIORAL CHANGE
Many banks struggle to change their culture because they fail
to address the issue of behavioral change. Training for behav­
ioral change is not a linear process, but an iterative process,
with potential loopbacks to allow adjustments and learning.
People change their behavior gradually and on an individual
basis, as behavior is embodied in the person. That is, in the
moment of action, an employee doesn't always think about
his or her behavior, but rather simply behaves according
to subconscious patterns. Changing these behaviors is not
possible in a one-off training or coaching session, but rather
requires repeated rewiring of new patterns and suppressing
old ones over a series of reinforcing experiences, often an
awkward and difficult process, until the new patterns move
out of the conscious mind into the subconscious and become
behaviors.
Neuroscience research suggests that driving behavioral
change relies on cycles that ensure new behaviors stick,
starting with a diagnostic to develop a plan of action, then
engineering a shock to raise awareness of target behaviors
seriously consider mechanisms of collaboration (for example,
through industry standards organizations) to develop cross­
industry comparisons regarding their progress on culture and
conduct. Even though culture is unique to each institution, col­
laboration and comparisons can benefit the industry by provid­
ing banks with a view, considered by some to be more honest
than that collected in-house, into their own culture relative to
those of peers. Further, such benchmarking results can provide
banks with an objective basis for introspection and construc­
tive challenge, guarding against overconfidence in their own
approaches.
The Banking Standards Board (BSB) in the UK provides a good
example of this industry-wide collaboration. Established in 2015,
the BSB is a private, nonregulatory, membership-based orga­
nization open to any bank in the UK. The BSB has provided UK
banks with an open forum to share and aggregate best practices
on conduct and culture. One of the cornerstone pieces of work
achieved and published annually is the BSB Annual Review,
which assess current and year- over-year changes in behavior,
competence, and culture in UK banking, and identifies key best
practices from member banks. Though only its second report,
the 2017 Annual Review received over 36,000 responses of
input across 25 UK banks, which highlights the keen interest
and active participation on the part of UK banks in critically
106 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
and actions, followed by nudges (ideally every eight or so
days), seeking to affect the subconsciousness associated with
the change, and finally closing out to reinforce behavioral
change.
While there is no one-size-fits-all process of behavioral
change, there are typically five stages: awareness (becoming
aware of the new behaviors and need to change), nudging
(starting to experience the impact of the new behaviors),
reinforcing (frequent repetition of new behavior delivers
consistent feedback), sustaining (reinforcing structures help
embed the change), and, finally, impact (positive results
appear on both a business and personal level).
A well-designed training program comprises not just the
initial training sessions, but also interventions in subsequent
months that help reinforce the behavioral intent. Banks
should look for ways to incorporate such interventions in
order to fully reap the benefits of the investment they make
in their training programs.
evaluating their own firm's practices and collaborating with and
supporting other banks in identifying changes in conduct and
culture.
The Fixed Income, Currencies and Commodities Market Stan­
dards Board also provides good examples of behavioral patterns
evident in misconduct in its July 2018, Behavioural C lu ster A n a l­
ysis study.18 The publication provides a practical toolkit to iden­
tify the root causes and relevant behaviors that underlie market
misconduct. The study has identified 25 patterns, which can be
categorized into seven categories of behavior: Price Manipula­
tion, Circular Trading, Collusion & Information Sharing, Inside
Information, Reference Price Influence, Improper Order Han­
dling, and Misleading Customers. The study finds that there are
a limited number of patterns that repeat themselves, are juris-
dictionally and geographically neutral, occur across different
asset classes, and adapt to new technologies and market struc­
tures. This study also demonstrates that conduct issues are a
long-standing and constant struggle that management must vig­
ilantly monitor and mitigate. (See Box 5.9).
18 "Behavioural Cluster Analysis, Misconduct Patterns in Financial Mar­
kets," Fixed Income, Currencies and Commodities Markets Standards
Board, London, July 2018.
Risk Culture

Learning Objectives
After completing this reading you should be able to:

Compare risk culture and corporate culture and explain
how they interact.
Explain factors that influence a firm's corporate culture
and its risk culture.
Describe methods by which corporate culture and risk
culture can be measured.
• Describe characteristics of a strong risk culture and
challenges to the implementation of an effective risk
culture.
Assess the relationship between risk culture and business
performance.

E x c e rp t is C h a p ter 2 from Risk Culture in Banking, by A lessa n d ro Carretta, Franco Fiordelisi and Paola Schwizer.
6.1 INTRODUCTION
Studies on corporate culture have been carried out for a long
time. Corporate culture has been a popular management tool
since the early 1980s and, more recently, an intense activity
of research on this subject (arisen from the failure of tradi­
tional cultural models) turned cultural explanations into a more
valuable asset than a simple matter of "claiming the residuals"
(Zingales 2015).
In the last decades, the market saw a clear evolution of the
role of banks, passed from public institutions to profit-driven
private entities. A new com petitive environment, in terms
of actors, rules, geography, and products, produced an
evolution of corporate culture in banking. In this fram ework,
risk culture can be seen as a subculture with a central role
in financial institutions. This Chapter provides an introduc­
tion to the concept of risk culture, focusing on its definition,
importance, and effects on bank competition and financial
stability. It includes an in-depth analysis of the relevant litera­
ture and of good/bad practices. This Chapter is structured as
follows:
• Definition and measurement of corporate culture and its
impact on corporate behaviors;
• Presentation of the scope and alternative definitions of Risk
culture;
• Analysis of drivers and effects of risk culture on sound and
prudent management of financial institutions;
• Discussion on main challenges in deploying an effective risk
culture.
6.2 WHAT CORPORATE CULTURE
IS AND WHY IT MATTERS?
Literally speaking, there are many thousands of definitions of
corporate culture, all sounding subtly different. Literature often
refers to corporate culture as the missing link to fully under­
stand how organizations act (Kennedy and Deal 1982). Culture
is the result of shared values, basic, underlying assumptions and
business experiences, behavior and beliefs, as well as strategic
decisions. Culture is much more than a management style: it
is a set of experiences, beliefs and behavioral patterns. It is
created, discovered or developed when a group of individuals
learn to deal with problems of adaptation to the outside world
and internal integration. Individuals develop a system of basic
assumptions proven to be valid by past experience. Members
of the same group assimilate these assumptions, which become
108 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
the organization's specific way to perceive, think, and feel in
relation to problems (Schein 2010). Organizational culture deals
with different approaches. One takes into account external out­
puts: environmental, architectural, technological, office layout,
dress code, behavioral standards (visible and audible aspects),
official documents (statutes, regulations, and internal commu­
nication), and symbols. Such an analysis is the necessary basis
for investigating principles, knowledge, and experiences that
guide attitudes and behavior. These aspects reflect the internal­
ized core values of the organization and justify the behavior of
individuals. In fact, basic assumptions which underlie actions are
often hidden or even unconscious: beliefs determine the way
in which group members perceive, think, feel, and therefore,
act but are difficult to observe from an outside perspective
(Carretta 2001).
Culture is more complex than other organizational variables: it
can be extremely effective and at the same time resistant to the
need for change dictated by the environment (Fahlenbrach et al.
2012). Culture is, in fact, "what you do and how you do it when
you are not thinking about it". If well governed over time, it can
be the glue that holds together a company.
Culture has always been considered a key tool affecting cor­
porate behavior, but authors do not agree on how this occurs.
Some consider culture as a fixed effect on firm performance,
while others argue that it is a variable that can be managed over
time. Viewing culture as a variable is a quite recent fact, and
several institutions have developed proper management tools
and frameworks to measure and manage it.
The discussion is still going on, but, in principle, a culture suitable
for being applied to a business formula makes a significant con­
tribution to business performance. A suitable culture implies that
people "make use" of the same assumptions and adopt behavior
inspired by the company's values; this increases the market value
of the company identity. In business, the importance of main­
taining behavior consistent with corporate culture needs to be
constantly stressed, especially by "leaders", at all levels of the
organization. The management should always remind the staff of
the underlying cultural contents and their positive impact on indi­
vidual and organization performance, by setting good example
and communication. According to economic literature, culture
is a mechanism in such a way that makes the corporation more
efficient through simplified communication and decision-taking
process. From this perspective, a strong culture has high fixed
costs but reduces its marginal costs (Stulz 2014).
The fact that culture can be structured as artifacts, values, and
assumptions implies different levels of analysis and assess­
ment. The purpose of analysis requires a specific level of
assessment and the most appropriate methodology. However,
researchers should keep in mind that the study of only the vis­
ible manifestations of culture is likely to describe "how " but
not "why" (Carretta 2001). And as noted by Karolyi, there is a
fragility in the measures of the cultural values available to us
(Karolyi 2015).
A number of survey methods and metrics are used, among
others, by firms to investigate the mind-sets underlying culture
(See Box 6.1).
In academic literature, there are some relatively well-established
approaches to measuring culture. Qualitative methods are the
BOX 6.1 MEASURING CULTURE AND
CULTURAL PROGRESS: RANGE OF
APPROACHES USED BY FIRMS
Em ployee engagem ent and culture survey
Most firms use annual employee engagement surveys,
supplemented by culture and climate surveys or modules
added to the regular engagement survey
Custom er perceptions and outcom es
According to some firms, the real test of culture consists
in the outcomes it generates. The focus is particularly on
customer satisfaction scores, while other firms even try to
test outcomes (e.g., mystery shopping or regular online
panels of customers)
Indicator dashboard
Several firms use a range of indicators, sometimes consoli­
dated into "culture dashboards", including:
• Customers: satisfaction scores, complaints
• Employees: engagement scores, speaking up scores,
turnover, absence rates, grievances, use of whistleblow­
ing lines
• Conduct and risk: conduct breaches, clawbacks, mate­
rial events, and escalations
Validation
Firms use a range of methods to validate progress or per­
formance and confirm understanding:
• Consultancy firms' benchmarking exercises
• Other external benchmarks
• Internal Audit assessments
• Triangulation across various data sources, e.g. staff and
customer surveys
Source: Adapted from Banking Standards Board (2016).
ethnographic analysis and the case study, which allow an in-
depth investigation, but at the same time limit the comparability
of results. According to Schneider (2000), direct observation is
the only way to understand culture, since many of its aspects are
silent. In addition, people within an organization are not aware
of how many assumptions affect their behavior and take for
granted that it applies to everyone in the sector. Furthermore,
cognitive beliefs of researchers may influence their evaluation
capacity. As a consequence, a problem of objectivity prevents
the possibility for other researchers to replicate the analysis and
confirm its results.
On the other hand, quantitative methods use standardized
approaches of analysis through statistical tools. These methods
do not provide in-depth observations but are more objective
and allow the comparison of different situations.
The goal should be to create a homogenous method within
organizations or groups of intermediaries, capable of reflecting
the needs of companies and of the environment. This would
result in a comparable approach compliant with the regulatory
environment. Quantitative methods have been primarily used
to evaluate culture indirectly, by observing developments in risk
governance and the link between risk governance and the com­
pany's risk- return combinations (Ellul and Yerramilli 2013; Lingel
and Sheedy 2012; Aebi et al. 2012).
A new and dynamic environment, in terms of actors, rules, geog­
raphy, and products has produced an evolution of corporate
culture in the banking sector. In the last century the market saw
a clear evolution of the role of banks, passed from public institu­
tions to profit-driven private entities. For some countries, this
shift was very difficult and driven by an incisive, market-oriented
intervention by regulators, especially in Europe, where the final
goal was the creation of a common market. Prudent regulation
has increased the range of banking services offered and, indi­
rectly, competition. In order to prevent excessive risk-taking, the
Basel Committee has promoted the " self-regulation" of inter­
mediaries, setting up a system of internal controls and a new
compliance function. The new culture of supervisors is based
on the collaboration with banks and this relationship may have
positive effects in terms of bank performances (Carretta et al.
2015). The financial behavior of families and firms, traditionally
the main banking clients, has also undergone rapid changes.
Family propensity to save has decreased. Families today tend to
invest more in financial instruments inside or outside their home
countries, while firms are adopting new forms of financing, by
acting directly on the capital markets.
These underlying shifts demonstrate the importance of study­
ing the effect of corporate culture on banks' performance and
Chapter 6 Risk Culture ■ 109
competitiveness. The literature on banking culture focuses on
the existence of a specific culture and on how it reacts to the
new paradigms, showing that culture creates value in firms, and
especially in banks. In an ever-changing market, credit supply
and screening remain the most important activities undertaken
by banks and represent a basic know-how. This comes from
experience and the «mutual commitment based on trust and
respect» (Boot 2000), which are the expression of a specific
bank's culture.
In some cases, culture in the financial institutions has demon­
strated the ability to integrate companies' know-how and new
market opportunities. For example, the entry of banks into the
insurance business was difficult, due to limited experience with
sophisticated products. On the other hand, insurers had limited
experience with bank retail client requirements. The problem
was solved through successful strategic alliances in which banks
used their distribution capacity and insurers developed simpler
products. Culture has also driven the creation of new approaches
to answer increasing competition. A "culture of distribution" has
replaced the pre-existing "culture of production". Due to this
change, management has shifted the focus from an efficient ser­
vice development towards an effective selling system. This new
perspective is centered on creating unique and personalized
conditions to attract the highest possible number of clients.
In the new context, culture is a resource rather than a limitation.
If adequately taken into consideration, it can ensure the suc­
cess of complicated events such as mergers and acquisitions.
The "one size fits all" solution is not valid anymore, and despite
cultural integration is never easy, effective management is the
only chance to make it successful (Carretta et al. 2007). Part of
the literature considers culture as a static element to be devel­
oped only in the long-term, but many authors and practitioners
highlight that culture may be used in order to improve firm
performance and stability. Nowadays, it is particularly difficult to
develop and implement a strategy due to the intrinsic variability
of the market, with controls becoming increasingly complicated
due to a wider range of bank activities and functions. In this con­
text, culture can create shared values to drive individual behav­
ior in pursuing the organizational strategy and assisting the role
of internal controls.
To conclude, a specific corporate culture exists in the bank­
ing sector and literature shows that, in specific contexts, it
can change and help bank stability. Empirical studies confirm
it (Carretta 2001): positive relations with the environment are
linked with an open culture. Banks have overcome their previous
specialization, developing various new internal competences:
integration, teamwork, and interpersonal relations are the base
for a new model of leadership. However, the results also show
that this new culture is not yet widespread.
110 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
6.3 RISK CULTURE: SCOPE
AND DEFINITION
The Oxford Dictionary defines risk as a situation that involves
exposure to danger. Particularly dangerous exposure is called
bad risk. But banks, as well as any other firm, have the same
opportunities to take risks of an ex ante reward on a stand­
alone basis. This risk is being called "a good risk". One might
be tempted to conclude that good risk management reduces
the exposure to danger. However, this view of risk manage­
ment ignores the fact that banks cannot succeed without taking
risks that are ex ante profitable. Consequently, taking actions
that reduce risk can be costly for shareholders when lower risk
means avoiding higher risk valuable investments and activities.
Therefore, from the perspective of shareholders, valuable risk
management does not reduce risk in general, since reducing risk
would mean not taking on valuable projects. If good risk man­
agement does not mean low risk, then what does it mean? How
is it implemented? What are its limitations? What can be done
to make it more effective? (Stulz 2014). These questions can be
answered by looking at the concept of risk culture.
Some authors define risk culture (RC) as an element of corporate
culture; it is what in the culture relates to risk (Power et al. 2013).
It is a product of organizational learning concerning what has or
has not worked in past investments and procedures of a financial
institution (Roeschman 2014). RC could be seen as a subculture
with a central role in financial institutions. In fact, the culture of an
organization is neither unique, nor uniform throughout the com­
pany (Schein 2010). The growing complexity of operations, roles,
and activities performed by firms produces different subcultures at
all levels of the organization; for example, the point of view on the
environment taken by the risk management department can sub­
stantially differ from that taken by the business line. In this case,
RC interacts with dominant corporate culture and subcultures to
ensure a continuous balance between the need for integration
and the opportunity for differentiation of these two perspectives.
This balance is the basis for the adaptation to the environment
and for business changes. Box 6.2 presents a selection of the
existing definitions for RC in financial institutions; the main ones
are by FSB, Institute of International Finance (IIF) and Institute of
Risk Management (IRM). These institutions use concepts that are
widely used in literature to define corporate culture, such as val­
ues, norms, ethics, and traditions. The FSB and IIF definitions are
very similar; in fact, both define RC as norms and behavior related
to how individuals identify, understand, discuss (risk awareness ),
and act (risk-taking and management) concerning the risks. The
IRM definition, on the other hand, refers to values and beliefs, and
is in line with previous literature, which asserts that basic assum p­
tions (beliefs) are at the heart of culture (Schein 1990).

BOX 6.2 RISK CULTURE
DEFINITIONS
Risk culture can be defined as the norms and traditions
of the behavior of individuals and of groups within an
organization that determine the way in which they identify,
understand, discuss, and act on the risks the organization
confronts and the risks it takes ( Institute o f International
Finance 2009).
«A bank's norms, attitudes, and behavior related to risk
awareness, risk-taking and risk management and controls
that shape decisions on risks. Risk culture influences the
decisions of management and employees during the day-
to-day activities and has an impact on the risks they assume»
(Financial Stability Board 2014; Basel Com m ittee 2015).
«Risk Culture is a term describing the values, beliefs,
knowledge, and understanding about risk shared by a
group of people with a common purpose, in particular, the
employees of an organization or of teams or groups within
an organization)) ( Institute o f Risk M anagem ent 2012).
«Barclays risk culture is the set of objectives and practices,
shared across the organization, that drive and govern risk
management ( Barclays PLC).
Number of levers are used to reinforce the risk culture,
including tone from the top, governance and role
definition, capability development, performance
management and reward)) ( Lloyds Banking G roup).
«Risk culture is characterized by a holistic and integrated
view of risk, performance, and reward, and through full
compliance with our standards and principles)) (UBS).
«lt can be defined as the system of values and behavior
present throughout an organization that shapes risk deci­
sions. Risk culture influences the decisions of management
and employees, even if they are not consciously weighing
risks and benefits)). (Farrel and Hoon 2009)
«The behavioral norms of a company's personnel with
regard to the risks presented by strategy execution and
business operations. In other words, it is a key element
of a company's enterprise risk management framework,
albeit one that exists more in practice than in codification))
(Sm ith-Bingham 2015).
«Risk culture encompasses the general awareness,
attitudes, and behavior of an organization's employees
toward risk and how risk is managed within the
organization. Risk culture is a key indicator of how widely
an organization's risk management policies and practices
have been adopted)) (D elo itte Australia 2012).
Concluding, RC is composed of underlying assumptions and the
way they turn into norms, values, and artifacts. Not all assump­
tions are relevant, but only those about risk or, more precisely,
those that affect «the way in which they identify, understand,
discuss, and act on the risks» (IRM 2012). So, RC is related to
«risk awareness, risk-taking and risk management, and controls
that shape decisions on risks», which act at all levels of the insti­
tution «during the day-to-day activities and have an impact on
the risks they assume» (FSB 2014).
6.4 RISK CULTURE: DRIVERS
AND EFFECTS
First of all, RC depends on national culture and environment.
As far as culture is concerned, some countries are more homo­
geneous than others, even though sometimes, areas having
a similar culture are part of different nations. Despite these
limitations, comparing national cultures is still a meaningful and
revealing venture and has become part of the main social sci­
ences. Research by Hofstede has shown that national cultures
differ particularly at the level of habitual, unconscious values
held by the majority of a population. According to Hofstede, the
dimensions of national cultures are rooted in our unconscious
values. Provided that these values are acquired in childhood,
national cultures are remarkably stable o vertim e; changing
national values is a matter of generations. Instead, practices
change in response to the changing circumstances: symbols,
heroes, and rituals change, but underlying values are largely
untouched. For this reason, differences between countries have
such a remarkable historical continuity.
Similarly, culture is very much a product of the environment
(Lo 2015). The International Monetary Fund has published
empirical evidence covering about 50,000 firms in 400 sectors
in 51 countries, according to which firms operating in countries
characterized by lower aversion to uncertainty, greater indi­
vidualism and sectors with a strong opacity of information such
as the financial world have a more aggressive risk culture, and
"even in a highly-globalized world with sophisticated managers,
culture matters" (Li et al. 2013). Furthermore, these aspects will
be discussed in the following subsections: the impact of regula­
tion and its underlying culture (Carretta et al. 2015), as well as
supervision pervasiveness of a company's risk culture (Power
et al. 2013). In the financial system, supervisors and supervised
parties can collaborate in order to improve the culture of risk,
fully aware that it is a sensitive area requiring time and resources
(Senior Supervisors Group 2009; Group of Thirty 2008).
Culture directly impacts on corporate risk-taking not merely
through indirect channels such as the legal and regulatory
frameworks (Mihet 2012).
Risk culture also impacts on characteristics and behavior of a
firm and at the same time is an expression of them. Over time
(Fahlenbrach et al. 2012), it can regulate the possibility for
Chapter 6 Risk Culture ■ 111
 BOX 6.3 THE MACQUARIE UNIVERSITY RISK CULTURE SCALE
The Macquarie University Risk Culture Scale was used to
assess the culture in 113 business units across three large
banks, two headquartered in Australia and one in North
America.
The main findings were as follows:
• Strong risk culture was generally associated with more
desirable risk- related behavior (e.g., speaking up) and less
undesirable behavior (e.g., manipulating controls).
• Personal characteristics were also important. Long-tenured
and less risk tolerant employees, and employees with a
positive attitude towards risk management were more
likely to display desirable risk-related behavior. Those with
high personal risk tolerance were more likely to display
undesirable risk-related behavior.
• Good risk structures (policies, controls, IT systems, training,
and remuneration systems) appeared to support a strong
culture and ultimately a less undesirable risk behavior.
Good risk structures did not by themselves guarantee good
behavior. Early results suggested that structures such as
remuneration were interpreted through the lens of culture.
• Senior staff tended to have a significantly more favorable
perception of culture than junior staff. This highlighted
businesses to adapt to the changing environment, but it may
also change if it is no longer able to solve an organization's
problems (Richter 2014). Therefore, it will only affect the role
of risk management in the organization; even in case of highly
sophisticated and formalized risk governance, risk culture is still
in charge of deciding which rules and behavior are important
(Roeschmann 2014; Stulz 2014). As a mechanism of control over
behavior, risk culture can impact on results, and if it is strong
and in a stable environment, it can become more persistent over
time (Sorensen 2014).
The organization is perhaps the "elementary unit" for the analy­
sis of culture (Carretta 2001) and risk culture, but the individual
is the unit in terms of personal integrity and propensity towards
risk. High levels of perceived integrity are positively correlated
with good incomes, in terms of higher productivity, profitability,
better industrial relations, and a higher level of attractiveness
to prospective job applicants (Guiso et al. 2015), but individual
behavior appears to be influenced by both context and profes­
sional identity which, once more, confirm the key importance of
the organization (Villeval 2014).
Obviously, risk culture can appear in different forms as sub­
cultures, or even conflicting countercultures, in the following
areas: type of risk (i.e., credit or market), business functions and
families in which it develops, prevailing business models, roles in
112 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
the importance of anonymous and independent risk cul­
ture assessments where staff felt safe to reveal their true
beliefs.
• There were statistically significant differences between the
risk cultures of the three large banks analyzed.
• The majority of business units assessed (more than 95%
of 113) had an internally consistent perception of culture,
namely, there was a strong or obvious culture in the unit
(i.e., not just the perception of an individual but a qual­
ity of the group). However, it should be noted that there
might have been agreement on the fact that culture was
good or poor.
• The most significant variation in risk culture scores
occurred at the business unit level and seemed to be
driven by the local team environment. This was consis­
tent with the hypothesis that culture was a local construct
highly dependent on interactions with close colleagues
and immediate managers.
Source: Adapted from Elizabeth Sheedy and Barbara Griffin, Empiri­
cal Analysis of Risk Culture in Financial Institutions: Interim Report,
Macquarie University, November (2014).
bank's overall corporate governance (i.e. shareholders, board of
directors, management, and auditors).
Subcultures may exist depending on the different contexts within
which parts of an institution operate (See Box 6.3). However,
subcultures should adhere to the high-level values and elements
that support an institution's overall risk culture. A dynamic bal­
ance is required between the value generated by the differences
in risk perception and that generated by a unitary risk approach.
6.5 CHANGE AND CHALLENGE:
DEPLOYING AN EFFECTIVE RISK
CULTURE
Risk culture is not a static thing but a formal and informal process
continuously repeating and renewing itself. Risk culture, as well
as corporate culture, evolves over time in relation to the events
that affect an institution's history (such as mergers and acquisi­
tions ) and to the external context within which it operates.
Building a sound risk culture is a collective process, not simply a
matter of improving technical skills. Risk culture shall be a part
of a business and not simply of the supervision, which is not
necessarily a good proxy. Therefore, it concerns decisions and
actions on a daily basis, such as the way information is shared,

BOX 6.4 "USING" CULTURE
Although its influence on firm behavior has long been
clear, culture has only recently been discovered as a
dependent variable of planning by management litera­
ture. In theory, culture suited to the type of enterprise can
make a significant contribution to firm success. This means
that people "make use of" culture, that their behavior
is inspired by company values, and that they have com­
municated company values to the market, emphasizing
the positive aspects of its culture (Hofstede 1983). It is
necessary for the "bosses" at all levels to continuously
emphasize the importance that behavior adheres to com­
pany culture, repeat and strengthen its basic contents and
remind people that it has a positive impact on people and
company performance.
the people being asked, when something went wrong, the
capacity to represent risk inside the organization and the under­
standing and correct use of documents. It also includes what
"worked" in the past. With the changing of both external and
internal conditions, culture too changes along with a strategic
change (See Box 6.4). Obsolete business culture is an obstacle
to improving performance.
The Group of Thirty (2015) states that culture and behavior
in today's financial systems and institutions are inadequate.
An important finding is that a suitable culture, with particular
regard to risk, is not a critical success factor but is displayed
only to meet the expectations of a public, customers or norms
at particular times. It is not central to governance organs or
senior management. It is not sufficiently rewarded in perfor­
mance management and does not feature in bank personnel
training. It does not dialogue with three lines of risk defense,
(business, supervision and risk management, auditing). In the
United Kingdom, the Banking Standard Board has been set up
by seven big banks in response to the findings of a Parliamen­
tary Commission. The Board aims to raise and spread behavioral
standards inside the British financial system, thus contributing to
the continuous improvement in bank behavior and culture».
The main changes since 2008 in the risk culture scenario are
enforcement in legislation, growth of the risk function, introduc­
tion of balanced scorecards replacing sales staff performance
indicators, shift in focus from compliance to conduct, and cul­
ture becoming a board issue (Cass Business School 2015).
So how can a renewed culture be fully developed and spread in
a bank today?
Theory and cross-industry experiences clearly demonstrate
that three mechanisms are critical for achieving the cultural
transformation of the banking sector. (1) Changing the culture
of a complex organization like a bank is possible, but difficult
and requires the awareness of the need for change, many
resources, and a long time. In fact, relationships between
management actions and culture are not necessarily linear, as
there are multiple, complex issues relating to proportionality
and accountability of individuals versus institutions that require
consideration by enforcement agencies (Group of Thirty 2015).
A major improvement in culture can be secured by focusing on
values and conduct, which are the building blocks of culture.
(2) Change necessitates a systemic approach to all subjects
involved, by taking into account their mutual roles. A sustained
focus on conduct and culture shall be carried out by banks
(board and management), and the banking industry. All is
needed to make major improvements in culture within the bank­
ing industry and individual institutions (Group of Thirty 2015).
Addressing cultural issues must of necessity be the responsibility
of the board and management of firms. Supervisors and regula­
tors cannot determine culture, but the former has an important
monitoring function. (3) In order to be successful, the new cul­
ture has to be profitable and create real value for all subjects,
institutions, and individuals which present forms on their own
motivations explaining their possibly diverging behavior (Lo
2015). The effect of all this should be the creation of a competi­
tive advantage for firms with better cultures and conducts, with
respect to client reputation and the ability to attract staff and
investors. Banks will only succeed if they accept that culture is
core to their business models and if they decide that fixing cul­
ture is key to their economic sustainability (Dickson 2015).
The assessment of a bank's risk culture and the perception
of its possible distance from a culture that can be considered
adequate to context, business model, and government require­
ments are matters for the individual bank according to its char­
acteristics. In fact, there is no doubt that risk culture is widely
inadequate today and that there is a need to move from "form
to substance". The attitude "I have complied with the regula­
tions" needs to be replaced by "I have done everything possible
to prevent and resolve problems". Just because it is legal it
does not mean that it is right (See Box 6.5).
A process of cultural change is ambitious as it involves many
players. It is the case that bank shareholders, management,
bank staff, parliament, government, legal system, supervision
authorities, media, education system, and customers are respon­
sible for the current unsatisfactory situation to various degrees.
What matters today is that all these forces are involved in a
common effort to promote a new banking culture shared by
both banking authorities and clientele. And, importantly banks
themselves shall play an active role in this new cultural change.
Risk culture is a sensitive area and cannot be dealt with on the
single dimension of lowering risk propensity by strengthening
Chapter 6 Risk Culture ■ 113
 BOX 6.5 MEASURES TO REDUCE MISCONDUCT RISK
Codes and standards of conduct have been in place across
the industry for some time. The issue was not the develop­
ment of codes or standards, but their effective implemen­
tation and enforcement across diverse business lines and
jurisdictions. Official sector and private sector representa­
tives noted that the effective implementation of conduct
risk management involves fundamental changes in culture
and behavior across the industry, involving firms and market
stakeholders. Such changes take time.
Critical implementation challenges include:
• Integration in business decision-making. The integration of
behavior and ethical considerations in business decisions
(which could involve limiting or withdrawing from certain
transactions or businesses) challenges the "prevailing con­
sensus" on success; other stakeholders, including a firm's
customers and shareholders, may need to be involved in
supporting these changes.
• Consistency of messages and action. The "tone at the
top" is not always supported by consistent actions that
demonstrate that conduct and ethical considerations vis­
ibly determine hiring, promotions, professional standing,
and success. This requires coordinated engagement of all
parts of the organization; ethical and behavior consider­
ations cannot, therefore, be segregated into compliance
or human resources functions. Ensuring that senior level
employees take responsibility for driving forward changes
is important to success.
• Cross-border and cross-cultural issues. Supervisors, clients,
and stakeholders have different expectations and perspec­
tives of the role of financial services providers. As such,
approaches to conduct risk management, as well as rules
relating to permissible incentives regarding conduct, differ
across jurisdictions. These differences pose challenges for
global firms seeking to establish consistent expectations
across the institution.
• Common taxonom y for conduct risk. The integration
of conduct risk in all aspects of a firm's business, in a
supervision. The most fundamental issue in the risk culture
debate is the trade-off between risk-taking and control (Power
et al. 2013).
As reported in the Financial Times, the C EO of UBS recently
commented that: "Mistakes are ok . . . try to eliminate all risk­
taking and threaten to punish all mistakes and the ensuing
culture of fear will limit the pursuit of legitimate business." The
controversy caused by these comments showed that seeking
to completely eliminate risk, which after all underpins all finan­
cial intermediation, is unrealistic. Instilling into the personnel
the fear of making mistakes can only lead to immobility. In the
context of a robust and sound culture of risk, mistakes are a
114 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
manner that is consistent across the industry, requires
the developm ent of a consistent set of definitions,
methods of assessm ent, and measurement of conduct
risk. These risks vary across product lines and may vary
with the organizational structure of businesses within
firms.
• Grey areas. Actions that are not "illeg al" but which,
under particular circum stances, could be inconsistent
with a firm's values are som etim es difficult to address
because they are often dependent on facts and circum­
stances. Frontline em ployees are often called upon to
exercise their discretion in fulfilling custom er requests;
these decisions are som etim es com plex and can vary
across business lines. Under these circum stances, it is
difficult to make prior determ inations on the best course
of action or to define clear boundaries. Firms need to
develop fram eworks to address these questions in a
consistent manner. A visible institutional leadership in
resolving and sanctioning a weak management of con­
duct risk will be important. Engaging business lines in
cooperative approaches to identifying conduct risk such
as "reporting in the public interest" may help overcome
limitations of "w histleblow ing" approaches, which risk
putting em ployees and the institution on opposite
sides. It was however noted that there was a significant
amount of regulation and case law in existence which
should help give firms clarity on what constituted a
breach of regulation or law.
• Role of directors. W hile board oversight of conduct risk
is critical to the strengthening of conduct risk m anage­
ment, an appropriate balance should be established
between the accountability of individual executives and
the board, in particular, N ED s. It was acknowledged that
boards are facing increased pressure and that there may
be a risk that this could potentially create disincentives
for experienced and qualified experts to serve on them.
Source: Adapted from Financial Stability Board (2015).
management tool and need to be explained in detail for a cor­
rect balance between risk-taking and the maintaining of an
appropriate level of control. "Bad apples" in a bank shall not be
allowed to take the blame for specific behavior which reflects
a weak risk culture. Rather than a lack of personal integrity or a
"natural" tendency towards dishonesty, non-compliant behavior
is, in fact, the outcome of exogenous environmental and com­
pany factors which deform the sound conversion of individual
values into behavior and actions, which, in other words, reflect
a firm's unsatisfactory risk culture. An experiment recently per­
formed on a sample of bank managers compared with other
sectors aiming to test their propensity to lie yielded interesting
findings. The propensity to lie is similar in different sectors and
in normal conditions, but rises significantly for managers, whose
work environment (in this case the bank) is mentioned (Cohn
et al. 2014).
Risk culture is definitively 100% compatible with risk-taking and
profit-making. A sound risk culture helps ensure that activities
beyond the institution's risk appetite are recognized, assessed,
escalated, and addressed in a timely manner (Dickson 2015).
CONCLUSIONS
Culture matters. Risk culture is essential for a prudent and sound
bank management, and needs to be central in any evaluation.
Risks are an inherent aspect of bank function and are taken,
transformed, and managed with competence and profession­
alism. In this sense, risk culture is central to banks and has an
impact on risk-taking propensity and policies, types of risk assess-
ment/performance ratio and final decisions. The behavior of
banks and their personnel are a direct expression of risk culture.
Banks must develop their risk culture beyond regulatory
guidelines, in order to support their corporate strategy and
strengthen their core skills, and turn risks into opportunities.
They are required to commit, to more effectively improving their
culture. The banks which are successful at doing this with consis­
tency, awareness, and determination in strategic decisions will
raise and consolidate their market reputation.
BIBLIOGRAPHY
Aebi, A . B., Sabato, G ., Schmid, C. "Risk Management, Corpo­
rate, Governance and Bank Performance in the Financial Crisis".
Jou rn a l o f Finance and Banking 36 (2012): 3213-3226.
Basel Committee on Banking Supervision, BSCBS Publications.
C o rp o ra te G overnance Principles for Banks. G uidelines, 2015.
Banking Standards Board. Annual R eview 2015/201 6, London,
March 8, 2016.
Boot, A. W. A. "Relationship Banking: What Do We Know?"
Jou rn a l o f Financial Interm ediation 9 (2000): 7-25.
Carretta, A ., Farina, V., Fiordelisi, F., Schwizer, P., Stentella
Lopes, F. S. "Don't Stand So Close to Me: The Role of Supervi­
sory Style in Banking Stability". Jou rn a l o f Finance & Banking
52 (2015): 180-188.
Carretta, A. (ed.). II g o vern o d e l cam biam ento culturale in
ban co: m odelli di analisi, strum enti operativi, valori individuali,
Rome, ITA: Bancaria Editrice (2001).
Carretta, A ., Farina, V., Schwizer, P. "Cultural Fit and Post-merger
Integration in Banking M&As". Jou rn a l o f Financial Transform a­
tion 33 (2007): 137-155.
Cass Business School. "A Report on the Culture of British Retail
Banking". London, UK: New City Agenda and Cass Business
School, November 24, 2014.
Cohn, A ., Fehr, E., Marechal, M. A. "Business Culture and
Dishonesty in the Banking Industry". Nature 516 (2014): 86-89.
Deloitte Australia. "Cultivating an Intelligent Risk Culture: A Fresh
Perspective". Sydney, AU: Deloitte Touche Tohmatsu Ltd. (2012).
Dickson, J . "The Relevance of the Supervision of Behavior
and Culture to the SSM ". Amsterdam, NED: 'Looking
forw ard: Effective Supervision o f Behavior and Culture at
Financial Institutions ' C o n feren ce in the Tropenmuseum, De
Nederlandsche Bank, Amsterdam, September 24, 2015.
Ellul, A ., Yerramilli, V. "Stronger Risk Controls, Lower Risk:
Evidence from U.S. Bank Holding Com panies". Jou rn a l o f
Finance 68 (2013): 1757-1803.
Fahlenbrach, R., Prilmeier, R., Stulz, R. M. "This Time is the
Same: Using Bank Performance in 1998 to Explain Bank Perfor­
mance During the Recent Crisis". Jou rn a l o f Finance 67 (2012):
2139-2185.
Farrel, J. M., Hoon, A. What's Your Com pany Risk C ulture? US:
KPMG US Lip., May, 2009.
Financial Stability Board, FSB. G uidance on Su p erviso ry Interac­
tion with Financial Institutions on Risk Culture. A Fram ew ork
for A sse ssin g Risk Culture, FSB Publications, Policy Documents,
April 7, 2014.
Financial Stability Board, FSB. M easures to R ed u ce M isco n d u ct
Risk, FSB Publications, Progress Reports, November 6, 2015.
Group of Thirty. Banking C o n d u ct and Culture. A Call for S u s­
tained and C om preh en sive Reform , Washington DC, US: Group
of Thirty, July, 2015.
Guiso, L., Sapienza, P., Zingales, L. "The Value of Corporate
Culture". E IE F W orking p a p e r 27 (2013).
Hofstede, G . H. "The Cultural Relativity of Organizational Prac­
tices and Theories". Jou rn a l o f International Business Stu d ies
14(1983): 75-89.
Institute of International Finance(IIF). Reform in the Financial
Services Industry: Stren gth en in g Practices for a M ore Stab le S y s­
tem , Report of the 11F Steering Committee on Implementation,
2009.
Institute of Risk Management. Risk Culture U nder the
M icro sco p e G uidance for Board, 2012.
Chapter 6 Risk Culture ■ 115
Karolyi, G . A. "The Gravity of Culture for Finance". Jou rn a l o f Schein, E. H. Organizational Culture and Leadership, 4th Edition,
C o rp o ra te Finance 41 (2015): 610-625. San Francisco, US: Jossey-Bass Inc. (2010).

Kennedy, A. A ., Deal, T. E. C o rp o ra te C ultures: The Rites and Schneider, B. The Psychological Life o f O rganizations in H and­
Rituals o f C o rp o ra te Life, New York, US: Perseus Books (1982). b o o k o f O rganizational Culture and Clim ate, eds. Ashkanasy,
Neal, M., Wilderom, Celeste, P. M., Wilderom and Peterson,
Li, K., Griffin, D., Zhao, L. "How Does Culture Influence Corpo­
Mark. F., London, Thousand Oaks, New Delhi, UK, US, IND:
rate Risk-taking?" Jou rn a l o f C o rp o ra te Finance 23 (2013): 1-22.
Sage (2000).
Lingel, A ., Sheedy, E. A. "The Influence of Risk Governance on
Senior Supervisors Group. Risk M anagem ent Lesso n s from
Risk Outcomes— International Evidence". M acquarie A p p lie d
Financial Crisis 2008, 2009.
Finance C entre Research Paper 37 (2012).
Sheedy, E., and Griffin, B. Em pirical Analysis o f Risk Culture in
Lo, A. W. "The Gordon Gekko Effect: The Role of Culture in the
Financial Institutions: Interim R ep ort, Sydney, AU: Macquarie
Financial Industry". N B ER W orking Papers 21267 (2015).
University (2014).
Mihet, R. "Effects of Culture on Firm Risk-Taking: A Cross-country
Smith-Bingham, R. Risk Culture: Think o f the C o n seq u e n ces,
and Cross-industry Analysis". IM F W orking Paper 210 (2012).
New York, US: Risk Management Insights, Marsh & Me Lennan
Power, M., Ashby, S., and Palermo, T. Risk Culture in Financial Companies, Oliver Wyman (2015).
O rganizations: A Research R ep o rt, London, UK: London School
Sorensen, J . B. "The Strength of Corporate Culture and the
of Economics (2013).
Reliability of Firm Perform ance". A dm inistrative Scien ce
Richter, C. "Developm ent of a Risk Culture Intensity Index to Q uarterly 47 (2014): 70-91.
Evaluate the Financial Market in Germ any". P ro ceed in g s o f
Stulz, R. M. "Governance, Risk Management, and Risk-Taking in
FIK U SZ Sym posium fo r Young R esea rch er 14 (2014): 237-248.
Banks". Finance W orking Paper 427 (2014).
Roeschman, A . Z. "Risk Culture: What it is and how it Affects an
Villeval, M. C. "Behavioural Economics: Professional Identity Can
Insurer's Risk Management. Risk Management and Insurance".
Increase Dishonesty". Nature 516 (2014): 48-49.
Risk M anagem ent and Insurance R eview 17 (2014): 227-296.
Zingales, L. "The 'Cultural Revolution' in Finance". Jou rn a l o f
Schein, E. H. "Organizational Culture". The Am erican Psychologist
Financial Eco n om ics 117 (2015): 1-4.
Association 45 (1990): 109-119.

116 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
OpRisk Data and
Governance
Learning Objectives
After completing this reading you should be able to:

Describe the seven Basel II event risk categories and identify
examples of operational risk events in each category.
Summarize the process of collecting and reporting
internal operational loss data, including the selection of
thresholds, the time frame for recoveries and reporting
expected operational losses.
Explain the use of a risk control self-assessment (RCSA)
and key risk indicators (KRIs) in identifying, controlling,
and assessing operational risk exposures.
Describe and assess the use of scenario analysis in
managing operational risk and identify biases and
challenges that can arise when using scenario analysis.
Compare the typical operational risk profiles of firms in
different financial sectors.
Explain the role of operational risk governance and
explain how a firm's organizational structure can impact
risk governance.

E x c e rp t is C h a p ter 2 o f Fundamental Aspects of Operational Risk and Insurance Analytics: A Handbook of Operational Risk,
by M arcelo G. Cruz, Gareth W. P eters, and Pavel V. Sch evch en ko.

117
7.1 INTRODUCTION
One of the first and most important phases in any analytical pro­
cess, and this is certainly no different when developing OpRisk
models, is to cast the data into a form amenable to analysis. This
is the very first challenge that an analyst or quant faces when
determined to model, measure, and even manage OpRisk. At
this stage, there is a need to establish how the information avail­
able can be modeled to act as an input in the analytical process
that would allow proper risk assessment to be used in risk man­
agement and mitigation. In risk management, and particularly in
OpRisk, this activity is today quite regulated and the entire data
process, from collection to maintenance and use, has strict rules,
which in a way reduces the variance in the use of the data across
the industry.
The OpRisk framework starts by having solid risk taxonomy so
risks are properly classified. Firms also need to perform a com­
prehensive risk mapping across their processes to make sure
that no risk is left out of the measurement process. This is a key
process to be accomplished and where a number of firms should
be paying more attention.
In this chapter, we lay the ground for the basic building blocks
of OpRisk management. First we describe how risk taxonomy
works, classifying loss events into the major risk categories. Then
we describe the four major data elements that should be used
to measure and manage OpRisk: internal loss data, external
loss data, scenario analysis, and business and control environ­
ment factors. When these risk mapping, taxonomy, and data
building blocks are reasonably structured, it becomes important
to configure the organization of the OpRisk department and a
firm's risk governance. Even a very efficient and well-developed
OpRisk framework would fail if the proper organization and poli­
cies are not in place.
7.2 OPRISK TAXONOMY
The term "taxonomy" has become quite popular in the risk
management industry. In most conferences and industrial work­
shops, and most certainly among consultants, the term "risk
taxonomy" has become a regular mantra. So, what is risk taxon­
omy? Taxonomy is actually a term borrowed from biology. One
of the missions of the biologist is to discover new species on
remote places of the planet and it would make their work easier
if they could classify a new species into a new group based
on some characteristics. So taxonomy means the conception,
naming, and classifying organisms into groups. It is a common
practice in biology to group individuals into species, arranging
species into larger groups, and giving those groups names, thus
118 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
producing a classification. For example, the fact that dolphins
live in the sea and look like a fish does not make them a fish as
many of their characteristics made biologists classify them as
"m am m als". Taxonomy basically encompasses description, iden­
tification, nomenclature, and classification. Therefore, taxonomy
has become an interesting and a popular turn in risk manage­
ment industry as new risks are being encountered at regular
intervals.
Before getting onboard the risk taxonomy bandwagon, a firm
must perform a comprehensive risk mapping exercise. This
means going through, in excruciating details, every major pro­
cess of the firm. For example, let us imagine the equity trading
process. Analyzing this process would mean going through the
risks since the customer places an order until the transaction
gets fully settled with exchanges of payment and securities
delivered. Those will be the basic risks that unlikely would
change, unless there is a change in the process. From this pro­
cess, a risk manager should also be able to point out where
losses are coming from and develop mechanisms to collect
them. The outcome of this exercise would be the building block
of any risk classification study.
It is interesting to note that even today firms are struggling
with basic risk classification, which is the base of the risk man­
agement pyramid, the very first building block of a robust risk
management framework. Mistakes made in the past years in
classifying a risk will have repercussions in the risk management
and on the communication of risks, at a minimum, to outside
parties like regulators, and might compromise any good work
done elsewhere in the framework. There are roughly three
ways that firms drive this risk taxonomy exercise: cause-driven,
impact-driven, and event-driven. In many firms, risk taxonomy
is a mixture of these three making it even more difficult to get
it right. Let us discuss these three methods. In the cause-driven
method, the risk classification is based on the reasons that cause
operational losses. This usually follows the old OpRisk definition
(which most firms use in their annual reports) in which OpRisk is
defined as a function of "people, systems, and external events".
Some risk types in this classification would be, for example,
"lack of skills in trade control" or "inappropriate access control
to system s". Although there are some advantages in this type of
classification, as a "root cause" is pretty much embedded into
the risk classification, challenges arise when multiple causes exist
or the cause is not immediately clear. If this cause-driven risk
classification is applied to a process in which operational losses
have high frequency, it would be very difficult for risk manag­
ers to correctly classify every single loss, and the attrition within
the business and within the department is likely to be high.
Another way to perform this classification exercise is through an
impact-driven method. In this method, the classification is made
according to the financial impact of operational losses. Most
firms that follow this type of classification do not invest heavily
in OpRisk management; they just use this type to retrieve data
from their systems. This is quite common in smaller firms. In this
type of classification, it is quite difficult to manage OpRisk as,
although the exposures are known, it is difficult to understand
what is driving these losses.
The event-driven risk classification is probably the most common
one used by large firms. It classifies risk according to OpRisk
events. This is the classification used by the Basel Committee.
It is interesting to know that during the Basel II discussions,
when this type of risk taxonomy was presented, most of the
industries were reluctant to accept it. A number of firms, even
today, follow their own classification initially and map to the
Basel event-type category later. What is interesting in this clas­
sification is that the definition is rather broad which should make
it easier to accept changes in the process. For example, under
"Execution, Delivery, and Process Management" (EDPM ), which
is the level-1 event type, there is a category named "Transaction
Capture, Execution, and Maintenance" that can be an umbrella
for a number of event types. For example, if the equity trading
process changes from an old-fashioned phone-based system to
online high-frequency trading, using this classification would be
easy to define the taxonomy of these risks.
Given how new risks emerge in OpRisk, and also the breadth of its
scope, the concept and the ideas behind risk taxonomy in OpRisk
sound quite appealing. However, as this is a building block of the
Table 7.1 Ex ecu tio n , D elivery & P ro cess M an ag em en t (ED PM ) Event-Type D efin ed as L o sse s fro m F a ile d
T ra n sa c tio n P r o c e s s in g o r P r o c e s s M a n a g e m e n t , fro m R e la tio n s w ith T ra d e C o u n t e r p a r t ie s a n d V e n d o r s . Basel II
e v e n t ty p e classification as p ro vid ed in B C B S (2006, pp. 3 0 5 -3 0 7 )
Category (Level 1) Categories (Level 2)
Execution, Delivery & Transaction Capture, Execution
Process Management and Maintenance
Monitoring and Reporting
Customer Intake and
Documentation
Custom er/Client Account
Management
Trade Counterparties
Vendors and Suppliers
OpRisk framework, firms need to be very careful. In the following
sections, all seven Basel II event types required for the advanced
measurement approach (AMA) are defined and discussed in
detail; detailed breakdown into event types at level I, level 2, and
activity groups is provided in BCBS (2006, pp. 305-307).
Execution, Delivery, and Process
Management
EDPM loss event type is one of the most prominent in the
OpRisk profile of firms or business units with heavy transaction
processing and execution businesses. It encompasses losses
from failed transaction processing, as well as problems with
counterparties and vendors. Table 7.1 describes the Basel event-
type breakdown for this risk.
Losses of this event type are quite frequent as these can be
due to human errors, miscommunications, and so on, which are
very common in an environment where banks have to process
millions of transactions per day. A typical example of execution
losses might help to illustrate how frequent these losses can be.
Consider the following deal: A foreign exchange (FX) trader
bought USD 100,000,000 for €90,000,000 (i.e., USD 1 = €0.90)
and then sold USD 100,000,000 for €90,050,000 (i.e.,
USD 1 = €0.9005) with a trading initial profit of €50,000. Both
transactions were made almost at the same time, and the trader
was obviously very satisfied with a profit of €50,000. In his/her
excitement at the successful deal, however, there were some
Activity Examples
Miscommunication; data entry, maintenance or loading error;
missed deadline or responsibility; model/system misoperation;
accounting error/entity attribution error; other task misperformance;
delivery failure; collateral management failure; reference data
maintenance
Failed mandatory reporting obligation; inaccurate external report
(loss incurred)
Client permissions/disclaimers missing; legal documents missing/
incomplete
Unapproved access given to accounts; incorrect client records
(loss incurred); negligent loss or damage of client assets
Nonclient counterparty misperformance; misc. nonclient
counterparty disputes
Outsourcing; vendor disputes
Chapter 7 OpRisk Data and Governance ■ 119
 EXECUTION, DELIVERY AND PROCESS MANAGEMENT: MISUNDERSTANDING
A TRADING ORDER: LARGE US PRIVATE BANK, AUGUST 2012
Despite the fact that there are currently many options to
place orders, where technological devices such as e-mail,
Internet, live chats are available, many purchase orders,
particularly in private banking, are still being placed by old-
fashioned telephone methods. A very common mistake is
the misunderstanding of the order, especially frequent when
the counterparty is a foreign-language speaker and the com­
munication chain usually goes from client to banker to trader
assistant to trader, and in any one of these links there is
potential for communication breakdowns to happen.
In a busy afternoon at the end of summer 2012, a client
asked his private banker to purchase "USD 100,000 of a
snags in the back-office with some confusion on where to remit
the payments of one leg of the deal, and the transaction was
finally settled 3 days later than it should have been.
In FX transactions trading tickets are usually larger to compensate
for the low margins. Similar situations as described earlier may lead
to errors. The counterparties obviously would have demanded a
compensation as the settlement has been delayed for 3 days, and
the bank would also have paid a penalty, in the form of interest
claims of €55,000. Therefore, any error has the potential to be big­
ger than a transaction's eventual economic profit.
The overall scenario is alarming. There was a loss of €5,000 on
the aggregate due to operational errors {€50,000 transaction
profit less €55,000 interest claims due for late payment). This
is the reality a trading environment faces on the day-to-day.
The actions of traders are recognized at the closing of the deal,
and errors coming to light at a later time (e.g., mis-pricing, late
Table 7.2 C P B P Event-Type D efin ed as L o sse s A r is in g fro m an U n in te n tio n a l o r N e g l ig e n t F a ilu re to M e e t a
P r o f e s s io n a l O b lig a tio n t o S p e c i f i c C lie n t s (in c lu d in g fid u c ia ry a n d s u ita b ility r e q u ir e m e n t s ) o r fro m t h e N a tu r e o r
D e s ig n o f a P r o d u c t . Basel II even t ty p e classification as p ro vid ed in B C B S (2006, pp. 3 0 5 -3 0 7 )
Category (Level 1) Category (Level 2)
Clients, Products, and Suitability, Disclosure,
Business Practices and Fiduciary
Improper Business or
Market Practices
Product Flaws
Selection, Sponsorship,
and Exposure
Advisory Activities
120 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
particular share". The private banker passed this order to
the trader, and at the end of the day the trader passed a
bill to the private banker for several million US dollars. The
private banker was absolutely stunned to see that they had
bought a significant portion of this particular company. As a
consequence of this transaction, the share price of this com­
pany rose significantly which also generated questions from
authorities that suspected some type of pum p-and-dum p
scheme. Considering it all, the bank decided to keep the
shares and sell it little by little. The operational loss in this
case was reflected in the value lost in returning the stocks to
the market after the shares returned to their average price.
settlement) are not linked back to the underlying cause. The
error goes to an "error account" or the like and, in terms of
OpRisk management, those who are responsible for the errors
are never identified; even worse is that the real profitability of
individual transactions is rarely understood. The cost side (and
the OpRisks involved) is in general ignored.
Knowing where these errors occur is very important for OpRisk
management.
Clients, Products, and Business Practices
Loss events under Clients, Products and Business Practices
(CPBP) risk type are usually the largest, particularly in the US.
These events encompass losses, for example, from disputes with
clients and counterparties, regulatory fines from improper busi­
ness practices, or wrongful advisory activities. Table 7.2 presents
Activity Examples
Fiduciary breaches/guideline violation; suitability/disclosure issues (e.g.,
KYC); retail customer disclosure violations; breach of privacy; aggressive
sales; account churning; misuse of confidential information; lender liability
Antitrust; improper trade/market practices; market manipulation; insider
trading (on firm's account); unlicensed activity; money laundering
Product defects (e.g., unauthorised); model errors
Failure to investigate client per guidelines; exceeding client exposure
limits
Disputes over performance of advisory activities
 REAL OPRISK EVENTS: SBC WARBURG (INVESTMENT BANK), OCTOBER 1996
The Securities and Futures Authority in the UK (the former
City of London regulator since superseded by the Financial
Services Authority) released partial details in March 1997
of an investigation that had commenced in October 1996
into rogue trading in a program trade in SBC Warburg. (A
program trade is a transaction where one agent, generally a
fund, chooses another agent, generally a bank or a broker,
to sell part of its shares in the market in a determined day
and hour determined by market prices.) The program trading
error that made SBC Warburg the subject of the investiga­
tion is thought to have cost it no more than £5 million. Nev­
ertheless, this program trade was one of the largest ever to
be awarded to SBC Warburg, and the SFA investigation has
clearly embarassed it. The investigation relates to a mistake
made during the execution of a £300 million program trade
for an investment trust which caused the price of a number
of French stocks to fall sharply. The investigation is being
extended whether this bank made a similar error when selling
Spanish shares as part of the same program deal.
The SFA investigation focused on a 30-min period on O cto­
ber 30, 1996. At some time around mid-day. SBC Warburg
traders learnt that the bank had been awarded three con­
tracts by Kleinwort Benson European Privatization Investment
(Kepit) to execute a series of share sales (the so-called pro­
gram trade) on its behalf. Contracts for programme trades
are often awarded just before the deal takes place, and the
Kepit deal was no different. It involved SBC Warburg taking
the £300 million-worth of shares onto its books just minutes
later, at 12:30 pm, and paying Kepit, the mid-market prices
for each share at that time. In the remaining minutes before
the Basel event-type breakdown and definition for this risk
type. This is a specific and an important risk type for firms with
operations in the US where litigation is very common. As seen
in recent regulatory fines imposed on French banks and other
foreign banks operating in US jurisdiction, this loss type can also
be significant to off-shore entities.
Business Disruption and System Failures
Business Disruption and System Failures (BDSF) event type is
one the most difficult to spot in a large organization. A system
crash, for exam ple, would almost certainly bear some financial
loss for a firm, but these losses must likely would be classified
as EDPM . An exam ple might help to clarify this point. Suppose
that the funding system of a large bank crashes at 9:00 am.
Despite all efforts from IT, the system comes back online only
by 4:00 pm when money markets are already closed. When
the system returns, the bank learns that it needs to fund an
extra USD 20 billion on that day. As the markets are already
the 12:30 pm deadline, SBC Warburg traders sought to sell
some of the same shares they were about to get from Kepit
in order to reduce the risk (this process is known as short sell,
and it is accepted as a normal practice in a program trade, as
long as the price does not fall too much).
Elsewhere at SBC Warburg, a trader was running an arbitrage
position on Kepit, seeking to make money by exploiting
differences between Kepit's own share price and the price
of the shares the bank owned. SFA investigators were told
that in the minutes before the 12:30 pm deadline, the SBC
Warburg trader running the arbitrage position was seen on
the trading floor making gestures with his hands for traders
to get the price of the shares down. Nevertheless, a mistake
by one of the SBC Warburg's Paris-based traders attracted
the attention of SFA. Instead of selling as much as he could
before 12:30 pm, SFA investigators have been told that the
trader misunderstood his instructions and instead attempted
to sell at the strike time. The trader also failed to put a so-
called down limit on his proposed share sales, effectively
turning it into an unlimited sell order.
In the tapes passed to the SFA (all conversations on the trad­
ing desk are recorded), the London-based trader is heard
talking with a colleague about how the price of the French
shares had fallen much further than they had planned. The
trader complained that a colleague had just told him, in hind­
sight after the share prices had collapsed, that they should
only have pushed the prices down by 1%. SBC admitted in
March 1997 that its short selling had contributed to adverse
price movements and dismissed several employees involved
in the trade.
closed, they need to make requests to their counterparties to
allow them special conditions; however, the rates in which they
capture these funds are higher than the daily average. This
extra cost, although due to a system failure and, therefore,
should be classified as BDSF, would hardly be captured at all.
Table 7.3 presents the formal Basel definition and breakdown
of this risk type.
Table 7.3
________ B D S F E v e n t Risk Type D efin ed as
ing fro m D is r u p tio n o f B u s in e s s o r S y s t e m F a ilu re s.
»l II ev e n t ty p e classification as p ro vid ed in B C B S
Category Category
(Level 1) (Level 2) Activity Examples
Business Systems Hardware; software;
Disruption and telecommunications; utility
System Failures outage/disruptions
Chapter 7 OpRisk Data and Governance ■ 121
Table 7.4 Extern al Fraud E v e n t Risk Type D efined
as L o s s e s D u e t o A c t s o f a T y p e I n t e n d e d to D e fr a u d , REAL OPRISK EVENTS: MODEL
M is a p p r o p r ia t e P r o p e r t y , o r C ir c u m v e n t t h e L a w INPUTS FRAUD, NATWEST,
b y a T h ird P a rty . Basel II ev e n t ty p e classification as MARCH 1997
p ro vid ed in B C B S (2006, pp. 3 0 5 -3 0 7 ) One of the most famous cases in derivatives mispric­
ing was the one that happened at NarWest in 1997. On
Category Category
February 28, 1997, a few days after the bank released its
(Level 1) (Level 2) Activity Examples annual results, it announced a loss of approximately USD
150 million caused by a junior trader who has already left
External fraud Theft and Theft/robbery; forgery;
the bank. The trader was said to be dealing in long-dated
fraud check kiting
O TC interest rate options, used by companies that borrow
Systems Hacking damage; theft of at a floating rate and purchase a cap on the interest pay­
security information (w/monetary ments. The major problem in valuing these options is that
loss) they are relatively illiquid. The trader calculated the price
of the options by providing his own estimates of volatil­
ity, which he apparently overestimated, creating fictitious
The difficulty to capture this event type is reflected in external profits that built up in the books over time.
databases where, aside damage to physical assets, this risk type The volatility estimates resulted in the options being under-
has least number of events. priced. The trader attracted more clients, booking the
requested premium, thereby increasing the apparent prof­
itability of his desk (and, by extension, his remuneration).
External Frauds The loss was realized when the options were exercised.

External frauds are frauds committed or attempted by third parties

or outsiders against the firm. Examples would be system hacking
and check and credit card frauds. External fraud is very common in
retail businesses where financial firms deal with millions of clients.
Frauds attempted or committed by clients are a daily event in
sectors such as retail banking, retail brokerage, and credit card ser­
vices; see Table 7.4 for Basel II definition and breakdown.
accepted mark-to-market price, are not uncommon. Recently
there were a number of large internal frauds in which billions of
dollars were lost as traders of a particular bank failed to men­
tion their position. These are usually low-frequency/high-severity
events. Table 7.5 presents the formal Basel definition and break­
down of this risk type.

Internal Fraud
Internal frauds are frauds committed or attempted by a firm's
own employees. It is one of the less frequent types of OpRisk
loss. Given the sophisticated controls that most institutions have
this would be unlikely. However, events such as traders mismark-
ing positions, particularly in assets that are hard to establish an
Employment Practices and Workplace
Safety
Employment Practices and Workplace Safety (EPWS) type of risk
is more prominent in the Americas than Europe or Asia as either
the labor laws are old-fashioned and/or there is more a culture

Table 7.5 Internal Fraud E v e n t Risk Type D efin ed as L o s s e s D u e t o A c t s o f a T y p e I n t e n d e d to D e fr a u d ,

M is a p p r o p r ia t e P r o p e r t y o r C ir c u m v e n t R e g u la tio n s , t h e L a w o r C o m p a n y P o lic y , E x c lu d in g D iv e r s it y /
D is c rim in a tio n E v e n t s , W h ich In v o lv e s a t L e a s t O n e In te r n a l P a rty . Basel II e v e n t ty p e classification as p ro vid ed in
B C B S (2 0 0 6 , pp. 3 0 5 -3 0 7 )

Category (Level 1) Category (Level 2) Activity Example

Internal fraud Unauthorised/Activity Transactions not reported (intentional); transaction type unauthorised
(w/monetary loss); mismarking of position (intentional)

Theft and fraud Fraud/credit fraud/worthless deposits; theft/extortion/embezzlement/

robbery; misappropriation of assets, malicious destruction of assets;
forgery; check kiting; smuggling; account take-over/impersonation/etc.;
tax noncompliance/evasion (willful); bribes/kickbacks; insider trading (not
on firm's account)

122 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Table 7.6 EP W S E v e n t Risk Type D efin ed as L o s s e s 7.3 THE ELEMENTS OF THE OPRISK
A r is in g fro m A c t s In c o n s is t e n t w ith E m p lo y m e n t ,
FRAMEWORK
H e a lth o r S a f e t y L a w s o r A g r e e m e n t s , fro m P a y m e n t o f
P e r s o n a l In ju ry C la im s, o r fro m D iv e rs ity / D is c rim in a tio n The four elements that should be used in any OpRisk framework
E v e n t s . Basel II even t ty p e classification as p ro vid ed in are as follows:
B C B S (2006, pp. 3 0 5 -3 0 7 )
• Internal loss data;
Category Category • Business environment and internal control factors;
(Level 1) (Level 2) Activity Examples
• External loss data:
Employment Employee Compensation, benefit, • Scenario analysis.
Practices and relations termination issues;
Workplace organised labor activity We provide a description of each of these elements in the fol­
Safety lowing text.
Safe General liability (e.g., slip
environment and fall); employee health
and safety rules events; Internal Loss Data
workers compensation
Operational loss means a gross monetary loss (excluding insur­
Diversity and All discrimination types
ance or tax effects) resulting from an operational loss event. An
discrimination
operational loss includes all expenses associated with an opera­
tional loss event except for opportunity costs, forgone revenue,
and costs related to risk management and control enhance­
of litigation against the employers (Table 7.6). For example,
ments implemented to prevent future operational losses.
some large banks in Brazil would count employment litigation on
the tens of thousand and it is one of the main OpRisks for banks. Having a robust historical internal loss database is the basis of
In some lines of business like investment banking employment any OpRisk framework. These losses need to be classified into
issues are also quite important. As these lines of business mostly the Basel categories (and internal if different than the Basel) and
provide advisory to large corporations and the key personnel mapped to a firm's business units. Given their importance for
is highly compensated, litigation against some of these key the OpRisk framework, the collection and maintenance of these
employees and losing them can cost millions of dollars. data are heavily regulated. Basel II regulation says that firms
need to collect at least 5 years of data, (BCBS, 2006), but most
decided not to discard any loss even when these are older than
Damage to Physical Assets this limit. Since losses are difficult to acquire and take years to
Damage to Physical Assets (DPA) is another OpRisk event type. build up a reliable and informative loss database, consequently
The most common method to assess the exposure to this risk is most firms even pay to supplement internal losses (see the
through scenario analysis using insurance in formation. Very few external loss database). Hence, it is clear that it would not make
firms actively collect losses on this risk type as these are usually sense to discard losses that took place in the firm unless the
either too small or incredibly large. The formal Basel definition business in which this loss took place was sold. There are a num­
and breakdown of this risk type is presented in Table 7.7. ber of issues that can come from internal data modeling that are
worth comments and are listed below.

Considerable challenges exist in collating a large volume of

Table 7.7 D PA E v e n t Risk Type D efin ed as L o s s e s data, in different formats and from different geographical loca­
A r is in g fro m L o s s o r D a m a g e to P h y sic a l A s s e t s fro m tions, into a central repository, and ensuring that these data
N a tu ra l D is a s t e r o r O t h e r E v e n t s . B asel II e v e n t ty p e feeds are secure and can be backed up and replicated in case of
classification as p ro vid ed in B C B S (2006, pp. 3 0 5 -3 0 7 ) an accident.

Category Category
(Level 1) (Level 2) Activity Examples
Setting a Collection Threshold and
Possible Impacts
Damage to Disasters and Natural disaster losses;
physical assets other events human losses from external Most firms set a threshold for loss collection as allowed by Basel.
sources (e.g., terrorism, However, this decision can have significant impact in establish­
vandalism) ing the risk profile of a business unit. This is usually the case

Chapter 7 OpRisk Data and Governance ■ 123

Table 7.8 Th e Im pact of T h resh o ld C h o ice : Lo sse s in a C e rta in Y ear for th e A sse t M an ag em en t Division of a Bank
Loss Brackets (USD) Number of Losses
> 5,000.000 3 23,750,325
1,000,000-5,000.000 7 13,775,000
500,000-1,000,000 10
100,000-500,000 12
50,000-100,000 22
20,000-50,000 71
< 20,000 1520
in businesses that have heavy transaction execution like asset
management or equities. See the example in Table 7.8. If the
OpRisk department had chosen USD 100,000 as the threshold,
usually under the argument that only tail events drive OpRisk
capital, that firm would think that its total loss in that year was
USD 49 million. If the threshold choice was USD 20,000, the total
losses would be USD 53 million. However, most losses are due
to compensating retail clients whose orders are usually ranging
from USD 1,000 to USD 50,000. The sum of the losses under
USD 50,000 is about USD 20 million, which is almost equivalent
to the losses above USD 5 million. For this particular firm, setting
the loss collection threshold at USD 100,000 would show total
losses for the year as USD 49 million. However, if this firm had
not set a loss collection threshold they would observe that their
actual losses were USD 71 million, a very different risk profile.
A number of OpRisk managers pick their threshold thinking
only in terms of OpRisk capital. Disregarding these small losses
in many cases can bias the risk profile of a business unit and, of
course, this will also have an impact on OpRisk capital.
Completeness of Database
(Under-Reporting Events)
In gathering data from disparate sources, we need to avoid an
OpRisk in collecting the OpRisk data. Such risks and subsequent
losses may arise, for example, the employee responsible for
reporting losses does not send the loss information to the cen­
tral database, whether accidental or not. The Basel II document
BCBS (2006) refers to this scenario with the possible conse­
quence being that an institution that could not prove that loss
data is flowing with a high degree of reliability to the central
database(s) is likely to be disallowed to employ more advanced
techniques for assessing the levels of risk.
The development of filters that capture operational issues
and calculate an eventual operational loss is one of the most
124 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Total (USD) Accumulated Total (USD)
23,750,325
37,525,325
8,250,781 45,776,106
3,562,177 49,338,283
1,723,490 51,061,773
2,159,021 53,220,794
17,500,235 70,721,029
expensive parts of the entire data collection process, but the out­
come can be decisive in making an OpRisk project successful and
increasing confidence in the completeness of the loss database.
This OpRisk filter will vary from bank to bank depending on their
systems, but in all cases it works like a conduit between systems,
collecting every cancellation or alteration made to a transaction or
any differences between the attributes of a transaction in one sys­
tem compared to its attributes in another system. The transaction
flow starts at the front-office system that registers the transaction
passing it to the accounting and clearing systems. Any discrep­
ancy, alteration, or cancellation must be extracted by the OpRisk
filter. Also, abnormal inputs (e.g., a lower volatility in a deriva­
tive) can be flagged and investigated. The filter will calculate the
OpRisk loss event and several other impacts in the organization.
Recoveries and Near Misses
The Basel II rules (BCBS, 2006) in general do not allow for the
use of recoveries to be considered for capital calculation pur­
poses. The issue again is that if firms are trying to estimate losses
that can happen once every thousand years, it would not make
sense to start applying mitigating factors to reduce the losses
and eventually reducing also capital. For this reason, gross losses
should be considered for OpRisk calculation purposes.
The only exception is on rapidly recovered loss events but even
this exception is not accepted everywhere. Rapidly recovered
loss events are OpRisk events that lead to losses recognized in
financial statements that are recovered over a short period. For
instance, a large internal loss is rapidly recovered when a bank
transfers money to a wrong party but recovers all or part of the
loss soon thereafter. A bank may consider this to be a gross loss
and a recovery. However, when the recovery is made rapidly, the
bank may consider that only the loss net of the rapid recovery
constitutes an actual loss. When the rapid recovery is full, the
event is considered to be a "near miss".
Time Period for Resolution of Operational
Losses
Some OpRisk events, usually some of the largest, will have a
large time gap between the inception of the event and the final
closure, due to the complexity of these cases. As an example,
most litigation cases that came up from the financial crisis in
2007/2008 were only settled by 2012/2013. These legal cases
have their own life cycle and start with a discovery phase in
which lawyers and investigators would argue if the other party
has a proper case to actually take the action to court or not. At
this stage, it is difficult to even come up with an estimate for
eventual losses. Even when a case is accepted by the judge it
might be several years until lawyers and risk managers are able
to estimate properly the losses. Firms can set up reserves for
these losses (and these reserves should be included in the loss
database), but they usually do that only for a few weeks before
the case is settled to avoid disclosure issues (i.e., the coun­
terparty eventually knows the amount reserved and uses this
information in their favor). This creates an issue for setting up
OpRisk capital because firms would know that they are going to
undergo a large loss and yet are unable to include it in the data­
base; the inclusion of this settlement would cause some volatility
in the capital. The same would happen if a firm set a reserve of,
for example, USD 1 billion for a case, and then a few months
later, if a judge decides to remove the loss in favor of the firm.
For this reason, firms need to have a clear procedure on how to
handle those large, long-duration losses.
Adding Costs to Losses
As said earlier, an operational loss includes all expenses associ­
ated with an operational loss event except for opportunity costs,
forgone revenue, and costs related to risk management and con­
trol enhancements implemented to prevent future operational
losses. Most firms, for example, do not have enough lawyers on
payroll (or expertise) to deal with all the cases, particularly some
of the largest or those that demand some specific expertise and
whose legal fees are quite expensive. There are cases in which the
firm wins in the end, maybe due to some external law firms, but
the cost can reach tens of millions of dollars. In such cases, though
the firm wins a court victory, there will be an operational loss.
Provisioning Treatment of Expected
Operational Losses
Unlike credit risk, the calculated expected credit losses might
be covered by general and/or specific provisions in the bal­
ance sheet. For OpRisk, due to its multidimensional nature, the
treatment of expected losses is more complex and restrictive.
Recently, with the issuing of IAS37 by the International Account­
ing Standards Board, W ittsiepe (2008), the rules have become
clearer as to what might be subject to provisions (or not). IAS37
establishes three specific applications of these general require­
ments, namely:
• a provision should not be recognized for future operating
losses;
• a provision should be recognized for an onerous contract— a
contract in which the unavoidable costs of meeting its obliga­
tions exceeds the expected economic benefits;
• a provision for restructuring costs should be recognized only
when an enterprise has a detailed formal plan for restructur­
ing and has raised a valid expectation in those affected.
These provisions should not include costs, such as retraining
or relocating continuing staff, marketing or investing in new
systems and distribution networks; the restructuring does not
necessarily entail that.
IAS37 requires that provisions should be recognized in the bal­
ance sheet when, and only when, an enterprise has a present
obligation (legal or constructive) as a result of a past event. The
event must be likely to call upon the resources of the institution
to settle the obligation, and, more importantly, it must be pos­
sible to form a reliable estimate of the amount of the obligation.
Provisions should be measured in the balance sheet at the best
estimate of the expenditure required to settle the present obliga­
tion at the balance sheet date. Any future changes, like changes
in the law or technological changes, may be taken into account
where there is sufficient objective evidence that they will occur.
IAS37 also indicates that the amount of the provision should not
be reduced by gains from the expected disposal of assets (even
if the expected disposal is closely linked to the event giving rise
to the provision) nor by expected reimbursements (arising from,
for example, insurance contracts or indemnity clauses). When
and if it is virtually certain that reimbursement will be received
should the enterprise settle the obligation, this reimbursement
should be recognized as a separate asset.
7.4 BUSINESS ENVIRONMENT AND
INTERNAL CONTROL ENVIRONMENT
FACTORS (BEICFs)
One can see OpRisk as a function of the control environment.
If the control environment is fair and under control, large
operational losses are not likely to take place and OpRisk is con­
sidered to be under control. Therefore, understanding the firm's
business processes, mapping the risks on these processes, and
assessing the control of these processes are the fundamental
Chapter 7 OpRisk Data and Governance ■ 125

Trade
Custody and
Trade capture matching and
control
confirmation
F ia u re 7.1 E q u ity se ttle m e n t p ro cess
roles of an OpRisk manager. A simple example is the equities
trading process and is shown in Figure 7.1.
Firms need to be able to assess risk on the many steps of the
settlement process and report them regularly. There are a
couple of tools that are commonly used by financial firms to per­
form this task: Risk Control Self-Assessment and Business and
Control Environment programs.
Risk Control Self-Assessment (RCSA)
These are also known as Control Self-Assessm ent (CSA) in
some firms, According to this procedure, firms regularly ask
experts about their views on the status of each business pro­
cess and subprocess. These reviews are usually done every
12 or 18 months and color rated Red/Am ber/Green (RAG)
according to the perceived status. Some firms go beyond
and try to quantify these risks using subjective approaches or
through a scorecard. For many firms, RCSA is the anchor of the
OpRisk fram ework and most OpRisk activities are linked to this
procedure.
In a broad sense, the RCSA program requires the docum enta­
tion and assessm ent of risks em bedded in a firm's processes.
Levels of risks are derived (usually from a frequency, and
severity basis), and controls associated with these risks are
identified. As risks are usually reported by business units, these
processes are aggregated to a certain business unit and rated/
assessed.
In the RCSA program, managers first identify and assess
inherent risks by making no inferences about controls
em bedded in the process: controls are assumed to be absent.
Under this assumption, managers must carefully identify
how risk manifests within the activities in the processes.
The following are the usual questions asked by risk managers
in this phase:
• Risk scenarios. W here are the potential failure points in
each of these processes?
• Exposure. How big a loss could happen to my operation if
a failure happens?
• Correlation to other risks. Could a failure altogether change
my organization's performance, either financially, its reputa­
tion, or affect any other area?
126 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
The answers point toward the specific
Clear and Settle inherent risks em bedded within a busi­
trades ness unit's process, which must be
assessed to determine the likelihood
the events could occur (frequency) and
severity. The results of this analysis provide a birds' eye view of
the inherent risk of a firm's business processes. Management
can then use this assessment to prioritize and focus on the
most critical risks that must be proactively managed.
Once these inherent risks are understood, controls will be
added in the RCSA fram ework. The effectiveness of these
controls are then assessed to understand how efficient these
are to mitigate risks. A t this stage, the residual risk is also
calculated, which is the risk that is left after inherent risks are
controlled. Put another way, residual risk is the probability of
loss that remains to systems that store, process, or transmit
information after security measures or controls have been
implemented.
For a firm that has the RCSA program as the core of
the OpRisk fram ework, all other OpRisk initiatives under the
firm's O pRisk program are usually structured to feed the
RCSA. Risk metrics such as key risk indicators (KRIs), inter­
nal loss events, and external events would contribute to
the risk identification process ensuring the organization has
considered all readily available data and benchmark risk
assessments.
Once the universe of controls and mitigation measures has
been identified, the business unit can partner with various
control functions to conduct the control testing phase of the
RCSA. Control testing is critical to a mutual understanding of
expectations and actions across business units and between
the front and back offices.
One significant challenge that arises due to combining RCSA
data is interpreting what the data actually means. For exam ple,
outputs from a RCSA program might lead a risk manager to
conclude that no immediate action is required if the risk expo­
sures are controlled within the tolerances acceptable to the
firm. On the other hand, if the RCSA data indicates that the
control environment is weakening and threatening the success
of a particular business goal, a risk manager might decide to
recommend a corrective action. However, weighting those risks
across the entire risk universe and naming the most important
or "key" might not be an easy and objective task.
There are a number of vendors that provide systems that help to
collate these results. The issue with these programs in general is
that they make it harder to integrate with the other data inputs
that are numeric. Even if these RAG assessments can be con­
verted to a number or rating, there is always a bias embedded
that the person who does the assessment would have a motiva­ confirm ations older than 30 days increases to over a certain
tion to improve their ratings so as to reduce their capital. percent of the total population, and the number of repudi­
ated trades increases, one might say that this process is
Key Risk Indicators facing challenges that need to be addressed.

These indicators/factors are mostly quantitative and are
used as a proxy for the quality of the control environm ent
of a business. For exam ple, in order to report the quality
of the processing system s of an investm ent bank, we might
design factors such as "system dow ntim e" (measuring the
number of minutes that a system stayed offline), and "sys­
tem slow tim e" (counting the minutes that a system was
overload and running slow). These KRIs can be extrem ely
im portant in O pRisk m easurem ent as they can allow O pRisk
models to behave very sim ilarly to those in m arket and
credit risks.
Going back to the equity settlem ent exam ple, instead of
using RAG self-assessm en t, a better way to assess the
quality of these processes is to establish a few KRIs that
provide an accurate picture of the control environm ent as
seen in Figure 7.2. As an exam ple, on the trade confirmation
stage of the settlem ent process, if the number of unsigned
Daily trade volume
Late booking trades
Trade capture
and execution
Unsigned confirmation > 30 days
Repudiated trades
Trade Breaks
matching and
confirmation
Breaks
Disputed collateral calls
Custody and
control
The process of KRI collection deserves special attention. It is
im portant that these data are absolutely reliable, in order to
display relationships between KRIs and losses. Autom ating
the collection straight from the firm's operational system s
might help to create a more realistic reflection of the true
profile of the infrastructure of a certain business. There are
many stages in establishing these links and of course there
is a cost associated with the im plem entation of the KRI
program , but probably no other type of data will be more
powerful than KRIs for managing and measuring operational
risk. It is much easier to explain O pRisk as a function of the
control environm ent in which a firm exists than to say that
O pRisk capital is moving up or down because of past losses
or changes in scenarios.
The first stage of the KRI collection process is trying to establish
assumptions on the OpRisk profile of a certain business. For
example, we might assume that execution errors in the equi­
ties division can be explained by the trade volume on the day
the number of securities that failed to be received or delivered,
the head count available on the trading desk and the back
office, and system downtime (measured by minutes offline).
The decision to be made is: at what organizational level should
this relationship be measured? Equities division as a whole?
Should we break down the equities division into cash equities,
listed derivatives and O TC derivatives, or along any other lines?
Should we consider breaking it down along regional lines? All
these questions are fundamental for the success of the analysis.
If loss data and KRIs are collected at cost center level (the
lowest possible level), it becom es possible to perform this
disaggregation. In general, the lower the level you model the
causal relationship, the better the chances that you will find
higher level fits to the m odel. Put this another way, it is easier
to find strong causal relationships, if you model, for exam ple,
the US cash equities departm ent than modeling at the global
equities division level, as the lower level would better capture
local nuances, idiosyncrasies, and trends.

The m odeler might also consider using external factors such

Fails as equity indexes and interest rates. It is common to find
Breaks (agent cash, agent stock) strong relationships between a stock m arket index and opera­
Clear and settle
trades tional losses, for exam ple, higher volatility on stock markets
is usually associated with high trading volum es, which in turn
is highly associated with execution losses in O pRisk. Table 7.9
presents few exam ples of Business Environm ent and Internal
F iq u re 7 .2 Eq u ity se ttle m e n t p ro cess. Control Factors (B EIC Fs) used in few environm ents.

Chapter 7 OpRisk Data and Governance ■ 127

Table 7.9 Examples of BEICFs Used in Few Environments

Business Environment Factor Description

Systems System downtime Number of minutes a system is offline

System slow time Number of minutes a system is slow
Software stability
Number of code lines changed in a program or software in a certain
period of time

Information Security Malware attacks Number of malware attacks

Hacking attempts Number of hacking attempts

People/Organization Employees Number of employees

Employees experience Average experience of employees

Execution/Processing Transactions Number of transactions processed

Failed transactions Number of transactions that failed to settle
Data quality Ratio of transactions with errors
Breaks Number of transactions breaks

7.5 EXTERNAL DATABASES
According to the Basel Accord, OpRisk modelers need to cal­
culate regulatory capital at the 99.9% confidence level, which is
equivalent to finding enough capital to protect against losses in
the worst year in a 1,000 year period. One way to try to over­
come these challenges is through using other firms' loss experi­
ences. This is common in insurance. For example, suppose that a
US insurer wants to expand to a new state, say New Jersey. This
insurer does not have experience in New Jersey; New Jersey
has different characteristics, for example it may have much more
cars per square foot than other states and hence the accident
ratio is known to be higher. How can this insurer price correctly
its premium in New Jersey? The most used alternative is to start
with a local database of car accidents. This database is available,
with considerable details, for insurance companies to acquire.
Obviously, this database would never replace the insurer's own
loss experience in their portfolio, but while this loss experience
is not available, the best way to start the business is using this
external database. As the insurer starts building up their own
loss experience, it can start weighting the importance of the
external database in their premium through credibility theory
methods.
Similarly, banks and other financial firms might struggle to come
up with reasonable measures for some types of risk because
they were never exposed to large losses, but, despite that, they
understand that they are still under the risk that such a loss
would happen eventually. These loss-gathering databases can
be very useful in these cases.
There are basically three ways to get hold of these databases
as seen in Table 7.10. The best choice for a firm would depend
significantly on how their framework is structured and how the
modeler expects to use these losses.

Table 7.10 M eth o d s to A cq u ire Ex tern al D ata and D etails

Type Details Pros Cons

Internally developed Firm gathers these losses from Cheapest way It might not be comprehensive
news feeds and magazines enough and may miss losses in
many industries and jurisdictions

Consortia The most popular is O RX which Loss reporting threshold is No details on the losses. It can
has some of the largest banks in €20,000 only be used for measurement
the industry

Vendors There are a number of vendors More detailed analysis on Loss threshold is usually high
like IBM OpVantage and SAS the loss. It can be used for (USD 1 million). Loss details
management or scenarios might not be accurate as these
were taken from newspapers

128 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
7.6 SCENARIO ANALYSIS 16 n

Another important tool in OpRisk management and mea­

surement is scenario analysis. For a significant number of
firms, the scenario analysis program is the pillar of their
framework. These scenario estimates are usually gathered
through expert opinions, where these experts (or a group
of experts) communicate their estimates on how losses can
happen on an extreme situation. These experts are com­
monly guided by information gathered from external data
or KRIs and internal loss trends, see for instance discussions
workshops discussions
on scenario analysis for OpRisk in Rippel and Teply (2008).
Alderweireld et. al. (2006) and Huffman (2002). Figure 7.3 S u rvey on how US banks run scen ario s.

Though there are different approaches to run a scenario

workshop, only three approaches are widely used: struc­
tured workshops, surveys, or individualized discussions.
A recent survey in 2012 with the largest US financial firms
(the results are not in public domain and reference can­
not be provided) shows that information from experts is
obtained mainly through structured workshops (Figure 7.3).
A comprehensive guide to performing and establishing
appropriate statistical structures for surveys in such work­
shops is provided in detail in O'Hagan et. al. (2006).

Scenarios can be a useful tool in case of emerging risks
where a loss experience would not be available. Finan­
cial institutions understanding this challenge are creating
many new scenarios for these emerging risks every year.
Figure 7.4 presents some other results of this survey about the
number of new scenarios developed annually by financial firms
showing that most firms develop between 51 and 100 scenarios
every year.
In order to make the outcomes of the scenario analysis work­
shops useful to the OpRisk measurement and qualification
Fiaure 7.4 N u m b er of new sce n a rio s d e v e lo p e d
annually by financial firm s.
key limitations of this process as these biases are very difficult to
mitigate or avoid. Some of the biases are as follows:
• Presentation Bias. This arises when the order in which the
information is provided can skew or alter the assessment from
the experts; see discussion in Hogarth and Einhorn (1992);
• Availability bias. It is related to the over/underestimation of

efforts, the opinions need to be converted into numbers. There loss events due to respondents' exposure or familiarity to a

are a few ways to do so, but the most frequent is through gath­ particular experience or risk. For example, if the expert has

ering estimates on the loss frequencies on predefined severity

brackets. These numbers are then converted to empirical dis­ Table 7.11 Using S cen ario A n alysis O u tco m e for
tributions, see example in Table 7.11, that are aggregated with M easu rem en t
internal losses later.
Loss Bracket Relative
After convening expert opinion into an empirical distribu­ (in USD thousand) Loss Frequency Frequency
tion, the question is how to incorporate this into the OpRisk
USD 5,000 7 6.9%
framework. There are a number of articles on the subject, for
example, see recent publications of Dutta and Babbel (2013), 1,000-5,000 10 9.8
Ergashev (2012), and Shevchenko (2011). 500-1,000 15 14.7
Common Issues and Bias in Scenarios. Because scenarios are 100-500 30 29.4
usually based on expert opinion, they present a number of
50-100 40 39.2
biases, see for example, a demonstration of such features in the
Total 102
experiments designed by Lin and Bier (2008). This is one of the

Chapter 7 OpRisk Data and Governance ■ 129

 a 30 years career in FX trading and had never experimented
or seen an individual loss of USD 1 billion or larger, he/she
might be unable to accept the risk that such a loss would
take place;
• Anchoring bias. Anchoring occurs when participants restrict
their estimates to being within a range of a given value,
which may come from their own experiences, a value they
have seen elsewhere (e.g., internally, in the media) or a value
provided in the workshop; see discussion in Wright and
Anderson (1989);
• "Huddle" bias or anxiety bias. It involves the tendency of
groups to avoid conflicts and differences of opinion, either
because individuals do not want to disrupt the smooth func­
tioning of the group through dissent, or because they are
unwilling to disagree openly with the more senior, expert,
or powerful people in the room; see discussions in O'Hagan
(2005);
• Gaming. Conflicts of participants' interests with the goals
or consequences of the workshops can cause motivational
biases or gaming. Participants may be unwilling to disclose
information or engage meaningfully in the workshop or may
seek to influence the outcomes;
• Over/under confidence bias. This bias involves over/under-
estimation of risk due to the available experience and/or
literature on the risk being limited;
• Inexpert opinion. In many firms, scenario workshops do not
attract the expert (or the expert is not identified) and a more
junior employee or someone with much less experience ends
up participating in the workshop and providing inaccurate
estimates;
• Context bias. This bias arises when framing in a certain man­
ner alters the response of experts, that is, color their opinion;
see discussion in Fischhoff et. al. (1978).
A fundamental problem that scenario analysis programs face is
the disparity of understanding and opinions on losses' sizes and
frequencies. To circumvent some of these problems, application
of the Delphi technique may be of help. The Delphi technique,
as Linstone and Turoff (1975) defined, ". . . may b e characterized
as a m eth o d fo r structuring a g rou p com m unication p ro ce ss so
that the p ro ce ss is effe ctive in allowing a g ro u p o f individuals, as
a w hole, to deal with a co m p lex p ro b le m ."
The Delphi concept is a spin off from defense research. "Project
Delphi" is the name given to an American Air Force project,
started in the early 1950s, that made use of expert opinion (see
Dalkey and Helmer, 1963). The objective of the original study
was to "obtain the m ost reliable con sen su s o f opinions within a
g ro u p o f e x p e rts " by a series of intensive questionnaires inter­
spersed with controlled opinion feedback.
130 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Delphi has been tested and broadly used in several applications
such as gathering current and historical data not accurately
known or available and examining the significance of events.
Usually, one or more of the following properties of the problem
to be solved leads to the need for employing Delphi.
• The problem does not lend itself to precise analytical
techniques but can benefit from subjective judgments on a
collective basis;
• The individuals needed to contribute to the examination of
a broad or complex problem have no history of adequate
communication and may represent diverse backgrounds in
respect of experience or expertise;
• Time and cost make frequent group meetings infeasible; and
• More individuals are needed than can effectively interact in a
face-to-face exchange.
Therefore, for Delphi to work, it is necessary that a group of
experts in each business get together in order to estimate
OpRisk occurrences at a given confidence level. Consider an
example: a bank in order to assess transaction execution risk in
the fixed income desk decided to get three different perspec­
tives: from the front desk (traders), from the finance group,
and from the operations group. Each one of these areas has
a different perspective on what risks would be and how many
losses would happen. As the estimates from each of the three
areas were very different, a separate scenario workshop was
performed in each department and the participants were elic­
ited to estimate extreme losses. At the end, a final number was
agreed by the three areas and all recognized that tremendous
education took place as traders, for example, did not have the
perspective of losses due to settlement failures. Delphi tech­
nique (Dalkey and Helmer, 1963) has a number of stages:
1. In the first step, the subject under discussion should be
explored with as many individuals contributing additional
information;
2. Given the information from step 1, a feedback and a
description of the issues are provided to the group;
3. (Optional) Bring out the possible differences found in step 2
and evaluate them; and
4. A final evaluation occurs when all the previously gathered
information has been initially analyzed and the evaluations
have been fed back to the respondents for consideration.
Finally, we would like to mention that ideas from works on
expert elicitation processes were implemented in a freely avail­
able toolkit known as the Sheffield Elicitation Framework
(SH ELF)1, which is covered under copyright when it comes to
1 SHELF is available at http://www.tonyohagan.co.uk/shelf/
commercial usage; see details on the associated website. In Table 7.12 Trading and Sales OpRisk Profile
agreement with the standard industrial practice of structured
workshops, the SH ELF framework is developed to be performed Event Type Frequency (%) Severity (%)
with a group elicitation in mind and comprises a framework for Internal Fraud 1.0 11.0
eliciting beliefs of one or more experts as a group.
External Fraud 1.0 0.3

Employment Practices 3.1 2.3

and Workplace safety
7.7 OPRISK PROFILE IN DIFFERENT
FINANCIAL SECTORS Clients, Products, and
Business Practices
12.7 29.0

After deciding the form of the operational loss data model and Damage to Physical 0.4 0.2
Assets
the types of losses that need to be reported, it is useful to split
the financial institution into different business lines, given that Business Disruption 5.0 1.8
the OpRisk profile is generally very diverse across different busi­ and System Failures

nesses within a financial institution. While an asset management
unit is more inclined to have legal/liability problems (although
still having a few transaction processing problems, in general,
asset managers hold their positions longer than treasury), the
investment bank arm is more inclined to operational errors in
processing transaction. A large investment bank might process
over a million transactions a day.
A typical list of business units includes C o rp ora te Finance, Trad­
ing and Sales, Retail Banking, Com m ercial Banking, Paym ent
and Settlem en t, A g e n c y Services, A s s e t M anagem ent, and Retail
B rokerage. These are business units at level 1 as suggested
in Basel II. Detailed breakdown into level 2 business units and
activity groups can be found in BCBS (2006, p. 302). Also it can
be appropriate to add an extra business unit, Insurance. Most of
these business units are discussed in the following sections.
Execution, Delivery & 76.7 55.3
Process Management
Source: Results from the 2008 Loss Data Collection Exercise for Opera­
tional Risk, see BCBS (2009b).
strategic alternatives. The differences to consulting firms are
due to the fact that corporate finance in banks constantly offers
financing options, so deals are made. Therefore, it is expected
that most of the losses fall under the umbrella of "litigation" or
disputes with clients for arguably poor advice when, for exam­
ple, IPOs go wrong; see Table 7.13.
Retail Banking
The OpRisk profile of retail banks is not too dissimilar to that of
retail brokerage; see Table 7.14. On the frequency side, most

Trading and Sales

Table 7.13 C o rp o ra te Fin an ce O p R isk Profile
It should not come as a surprise that trading and sales OpRisk
profile is dominated by "ED PM " or just "Execution". This can Event Type Frequency (%) Severity (%)
be clearly seen in Table 7.12, where both frequency and severity Internal Fraud 1.6 0.24
execution losses dominate. The business model in trading is quite
External Fraud 5.4 0.12
simple; traders perform trades on behalf of either their own firms
or clients, and these trades get settled by exchanging the securi­ Employment Practices 10.1 0.59
and Workplace safety
ties against some form of payments. However, as the products
are diverse and complex and settlement deadlines and proce­ Clients, Products, and 47.1 93.67
dures vary significantly it is not surprising that executing these Business Practices
transactions is the major OpRisk of this business and, for many Damage to Physical 1.1 0.004
trading shops, the major overall risk that they are exposed to. Assets

Business Disruption 2.2 0.02

and System Failures
Corporate Finance
Execution, Delivery & 32.5 5.36
This business is where financial firms many times behave similar Process Management
to consulting firms by providing advice to corporations in pos­ Source: Results from the 2008 Loss Data Collection Exercise for Opera­
sible mergers and acquisitions, doing an IPO or even assessing tional Risk, see BCBS (2009b).

Chapter 7 OpRisk Data and Governance ■ 131

Table 7.14 Retail Banking OpRisk Profile
Event Type
Internal Fraud
External Fraud
Employment Practices
and Workplace safety
Clients, Products, and
Business Practices
Damage to Physical
Assets
Business Disruption
and System Failures
Execution, Delivery &
Process Management
at least another two years, then life insurers' financial pain will
be broader and deeper. On the P&C side, the continuing pros­
Frequency (%) Severity (%)
pects for weak investment returns and low interest rates over an
5.4 6.3 extended period compel carriers to improve underwriting mar­
gins, requiring difficult decisions concerning pricing and operat­
40.3 19.4
ing approaches. Organic growth continues to be a challenge,
17.6 9.8 given the economic situation and the competitive landscape.
Individual insurers confront greater competition, driven by an
13.1 40.4 abundance of capital, uncertainty around the timing, the scope
of regulatory changes, and the continuing volatility caused by
1.4 1.1 weather-related losses, highlighted recently by Hurricane Sandy
in 2012 (in the US, Hurricane Sandy affected 24 states with par­
1.6 1.5 ticularly severe damage in New Jersey and New York). Health
insurers in the US, given the advent of the Patient Protection
20.6 21.4 and Affordable Care Act (signed into law by US President
Barack Obama on March 23, 2010, and commonly referred to as

Source: Results from the 2008 Loss Data Collection Exercise for Opera­ "O bam acare"), are in much better shape than their counterparts
tional Risk, see BCBS (2009b). with a better perspective ahead of them.

Regarding risk regulation in this sector, there are significant

losses are due to external frauds that are daily events for these
firms. Execution comes in a far second. However, when looking
at severity, the largest risk exposure is due to litigation once
again.
Insurance
For those not familiar with this industry, this sector can be
actually divided into three types given the significant differ­
ences: life insurance, health insurance, and property/casualty
or "P& C" insurance (or general insurance as known in Europe).
To put it very simply, life insurers basically charge a premium
from individuals in exchange to providing a sum of money
when they die. Life insurers also offer retirement and income-
protection products. Health insurers provide medical and hos­
pital coverage. P&C insurers offer coverage against damage to
properties caused by fire, natural disasters, theft, etc. They also
offer protection against liabilities (e.g., directors being sued and
professional errors). The actuarial calculation used in the P&C
insurance is very similar to the one used in OpRisk capital calcu­
lation. Most operational risk capital techniques are derived from
P&C actuarial techniques, and there are many articles in the
Jou rn a l o f O pR isk that were written by P&C actuaries.
Regarding the sector's overall current financial situation, simi­
lar to most of the financial sectors, the effects of the financial
crisis still lingers. Life insurers started to feel the consequential
effects from the long low-interest rate environment, which
affects their profitability and company valuations and also, as
consumers struggle, declining sales and revenue. If interest
rates continue to stay low, and it appears likely that they will for
differences between Europe and the US. In Europe, a process
similar to Basel II was developed by insurance regulators, called
Solvency 2. Two key themes have dominated regulatory dis­
cussions in the past year: supervisory focus on risk and capital
management and concerted efforts to move toward a consistent
approach to cross-territory supervision of insurance groups.
These initiatives underscore the importance of embedding
strong risk management principles throughout an enterprise and
moving beyond just "tick the box" compliance, similar to what
Basel II has been influencing in the banking industry.
In the US, the regulatory environment also has been changing
as State insurance departments and rating agencies, in addition
to National Association of Insurance Commissioners (NAIC), are
also influencing the direction of solvency regulation. While these
varied initiatives place differing degrees of emphasis on capital
requirements, reporting standards and risk measures, a common
theme is their intensified focus on clearly articulating an insurer's
risk profile. To prepare and address the regulatory pressures to
enhance risk management, insurers must significantly enhance
their data management, reporting and analytical resources, and
their organizations' ability to integrate risk data across disci­
plines. The US insurance industry is also anticipating potential
impacts of Dodd-Frank legislation, including in the systemically
important financial institution (SIFI) designation and the Federal
Insurance Office's (FIO) pending report to Congress on the state
of US insurance regulation, which in practice creates a national
insurance regulator.
Regarding OpRisk more specifically, insurers are still in the early
stages of the development of their OpRisk frameworks. This
comes somehow as a surprise as insurers suffered several large

132 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
operational losses that were very public and reported in the
media. Some of the examples over the last decade2 are the USD
250 million loss that a large US insurer suffered a few years ago
for discrimination (i.e., allegedly pricing their policies differently
according to race); a large European reinsurer lost USD 3.5 billion
for not having final contracts in place on the 9/11 terror attacks
inflicting damages to clients; a large US auto insurer lost USD
1 billion for using low-quality auto parts in vehicle repairs; a large
US life insurer lost USD 2 billion for abusive sales practices and
illegal sales of securities and the list goes on and on.
Insurers face a number of OpRisks; some of these are mis-selling
their products to clients. A number of insurers worldwide got
severe penalties for these sales practices. As with any retail
sector, insurers are exposed to bad faith claims (i.e., frauds by
customers)— Hollywood has a number of movies on these inter­
esting stories. More recently, the issue of unclaimed property
has become a concern for insurers as public officials are now
focusing much more on the issue than they did in the past.
Given these pressures, insurers have been more diligent to catch
up with banks in developing more robust OpRisk frameworks.
However, they have a long road ahead of them.
Asset Management
The financial crisis brought to the global asset management
industry challenges it has not seen in decades as the industry
was accustomed to high margins and substantial profits (par­
ticularly in the years 2000-2007 due to the availability of excess
liquidity). As the financial markets climbed regularly over the
last 30 years, occasional dips notwithstanding, asset managers
became used to the steady increases in their assets under man­
agement (AUM) and easy profits. However, in the wake of the
biggest downturn since the Great Depression, a slow recovery
has left many firms struggling. Even in 2012, most of the growth
of the asset management came from market appreciation and
not due to increase in flow of resources from clients.
This new environment changed the asset management indus­
try. During the precrisis "golden years" of abundant liquidity,
most asset managers were not overly worried about the costs
incurred in running their operations and did not pay close
attention to the risks involved, since the continuous growth in
personal wealth steadily increased their AUM , covering for these
expenses. Errors and high operating costs were buried under
the increased revenues from a larger asset base and the profits
that came from high returns in the world markets. Postcrisis, the
situation has changed dramatically. Large asset managers have
2 To preserve confidentiality, the company names are not mentioned.
seen their AUM go down by 30 or 40%, not only because of
the drop in asset prices but also because clients are withdraw­
ing funds, either out of necessity to cover debts, because they
fear that the stock markets will take a long time to recover, or
sometimes even out of concern for the financial well-being of
some asset managers. The crisis also showed historic regulatory
failures, like the Bernie Madoff case, in which he created a Ponzi
scheme, that was discovered during the 2008 financial crisis, and
lost USD 6 billion from investors (this case is one of the largest
OpRisk events in history). Many investors close to retirement
lost their pensions not only because of the market conditions
but also because of a lack of caution and risk management from
pension fund managers.
This long-lasting dire economic environment forces asset man­
agers to develop a much more careful discipline around costs,
risk management, and productivity. Each of these factors has
received widespread attention in the specialized media.
The industry has reacted quickly to this new reality. For exam­
ple, a large independent US asset manager has already put in
place several measures to reduce costs, by sharing services in
its distribution and administration departments to reduce costs
across geographical areas. This same firm has also launched an
initiative to reduce its N CE by 20% in 2009, with the develop­
ment of an inter-company committee to determine the expenses
that have to be eliminated.
A European-based global firm decided to reduce the number of
products it offered and the development efforts for a few prod­
ucts where it can build competitive advantage on a global scale.
This firm also decided to immediately implement a plan, which
had been on the shelf for many years, to streamline its operational
platforms on a global basis. Currently, each geographical location
(and sometimes within the same country) has its own platform
with different vendors and frameworks to process securities.
Asset managers are susceptible to all forms of risks, namely
market, credit, and OpRisks. However, due to the characteristics
of their business (and perhaps helped by a historic disregard
for strong controls), OpRisk is typically the largest risk exposure
an asset manager has. Market and credit risk associated losses
would usually have an indirect impact on the asset manager's
revenue, as any loss to the client funds entails lower commis­
sions. However, these losses are usually borne by the fund's
clients, not the asset manager as a financial institution. These
market and credit risk losses would impact the quotas and
NAVs, so the client would take a direct hit; the asset manager
would just have less fee revenue in these cases, an indirect
impact. OpRisk can be manifested in many different ways for
an asset manager as, for example, in errors in processing trans­
actions or a system failure that can cause severe damage and
Chapter 7 OpRisk Data and Governance ■ 133
Table 7.15 Asset Management OpRisk Profile on the retail, offering the convenience of trading from home
or work and charging a reasonable fee for trades and usually
Event Type Frequency (%) Severity (%) offering free online research tools and a few other services,
Internal Fraud 1.5 11.1 brick-and-mortar brokers are mostly a division of larger financial
institutions and tend to focus on a wealthier customer base that
External Fraud 2.7 0.9
would pay for high fees they charge, advice from financial advi­
Employment Practices 4.3 2.5 sors, etc.
and Workplace safety
Over the past decade, the industry had a dramatic transforma­
Clients, Products, and 13.7 30.8
tion with the proliferation of sophisticated, high-speed trading
Business Practices
technology that has changed the way broker-dealers trade for
Damage to Physical 0.3 0.2 their own accounts and as agent for their customers. In addi­
Assets
tion, customers of these broker-dealers— particularly leading-
Business Disruption 3.3 1.5 edge institutions— have themselves begun using technological
and System Failures tools to place orders and to trade on markets with little or no
Execution, Delivery & 74.2 52.8 substantive intermediation of their broker-dealers. This, in turn,
Process Management has given rise to the increased use and reliance on "direct mar­
Source: Results from the 2008 Loss Data Collection Exercise for Opera­ ket access" or "sponsored access" arrangements. Under these
tional Risk, see BCBS (2009b). arrangements, the broker-dealer allows its customers— whether
an institution such as a hedge fund, mutual fund, bank or insur­
ance company, an individual, or another broker-dealer—to
impact the balance sheet of the asset manager. Asset managers
use the broker-dealer's market participant identifier ("M PID")
are also regularly sued for poor performance by clients. Consis­
or other mechanism for the purposes of electronically access­
tently failing to comply with local regulations, or with very basic
ing the exchange. With "direct market access", as commonly
business ethics, can generate very large operational losses and
understood, the customer's orders first flow through the
subsequent reputational damage. A number of examples are
broker-dealer's systems and then enters the markets, while with
available in the media for large losses in each of these cases
"sponsored access", the customer's orders flow directly into the
(Table 7.15).
markets without passing through the broker-dealer's systems.
Coming to realize the need to focus on OpRisk, asset manag­ In all cases, irrespectively, whether the broker-dealer is trading
ers have been setting up OpRisk departments at a fast speed in for its own account, is trading for customers through more tra­
the last few years. The higher focus from regulators on hedge ditionally intermediated brokerage arrangements, or is allowing
funds also made these more sophisticated asset managers to set customers direct market access or sponsored access, the broker-
up better OpRisk procedures around their operations. This new dealer with market access is legally responsible for all trading
focus on control and risks would actually facilitate a more stable activities that occur under its MPID. In some cases, the broker-
growth, with less bumps, when the economic environment even­ dealer providing sponsored access may not utilize any pretrade
tually improves. risk management controls (i.e., "unfiltered" or "naked" access),
and thus could be unaware of the trading activity occurring
under its market identifier and has no mechanism to control it.
Retail Brokerage
Nowadays, order placement rates can exceed 1000 orders per
For OpRisk practitioners, this sector is possibly one of the most
second with the use of high-speed, automated algorithms. If,
interesting. Although we obviously need to consider that risk
for example, an algorithm such as this malfunctions and places
profiles would vary significantly between institutions given their
repetitive orders with an average size of 300 shares and an
different business strategies, broker-dealers risk profile is usually
average price of USD 20, a two-minute delay in the detec­
dominated by OpRisk, which accounts for at least 60-70% of the
tion of the problem could result in the entry of, for example,
total risk capital in these firms. This OpRisk type becomes clear
120,000 orders that values USD 720 million. In sponsored access
when we review the sector.
arrangements, as well as other access arrangements, appro­
Broker-dealers of these days can be roughly classified into priate pretrade risk controls could prevent this outcome from
online and brick-and-mortar brokers. Although what separa­ occurring by blocking unintended orders from being routed
tion then cannot be precisely defined, the customer focus of to an exchange. Incidents involving algorithmic or other trad­
these brokers is different. While online brokers tend to compete ing errors in connection with market access occur with some

134 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
regularity. For example, it was reported that, on September Table 7.16 Asset Management OpRisk Profile
30, 2008, trading in Google became extremely volatile toward
the end of the day, dropping 93% in value at one point, due to Event Type Frequency (%) Severity (%)
an influx of erroneous orders onto an exchange from a single Internal Fraud 5.8 18.1
market participant. As a result, Nasdaq had to cancel numerous
External Fraud 2.3 1.4
trades, and adjust the closing price for Google and the closing
value for the Nasdaq 100 Index. In addition, it was reported Employment Practices 4.4 6.3
that, in September 2009, Southwest Securities announced a and Workplace safety

USD 6.3 million quarterly loss resulting from deficient market Clients, Products, and 66.9 59.5
access controls with respect to one of its correspondent brokers Business Practices
that vastly exceeded its credit limits. Despite receiving intra-day Damage to Physical 0.1 0.1
alerts from the exchange, Southwest Securities' controls proved Assets
insufficient to allow it to respond in a timely manner, and trading Business Disruption 0.5 0.2
by the correspondent continued for the rest of the day, result­ and System Failures
ing in a significant loss. Another example that highlights the
Execution, Delivery & 20.0 14.4
need for appropriate controls in connection with market access Process Management
occurred in December 2005, when Mizuho Securities, one of
Source: Results from the 2008 Loss Data Collection Exercise for Opera­
Japan's largest brokerage firms, sustained a significant loss due tional Risk, see BCBS (2009b).
to an erroneous manual order entry that resulted in a trade that,
under the applicable exchange rules, could not be canceled.
Specifically, it was reported that a trader at Mizuho Securities In this section, we provide an overview of how risk is organized
intended to enter a customer sale order for one share of a secu­ in financial firms, how policies are structured, and the importance
rity at a price of 610,000 Yen, but the numbers were mistakenly of a solid committee and governance structure. Sound internal
transposed and an order to sell 610,000 shares of the security at governance forms the foundation of an effective OpRisk manage­
a price of 1 Yen was entered instead. A system-driven, pretrade ment framework. Although internal governance issues related
control reasonably designed to reject orders that are not rea­ to the management of operational risk are not unlike those
sonably related to the quoted price of the security would have encountered in the management of credit or market risk, OpRisk
prevented this order from reaching the market. management challenges may differ from those in other risk areas.
As these examples show, broker-dealers are intensively exposed
to OpRisk that usually occupies the headlines of most of the
Organization of Risk Departments
newspapers and media. Brokers usually do not hold large pro­
prietary positions and lending, particularly after the 2008 crash, One cannot downplay the role of an organization in any large
has been limited; therefore, most exposure comes from poten­ business. Although many times the focus is on the measurement
tially explosive system issues, execution errors, litigation with models with its complex formulas, most of the times the success of
retail customers, fraud committed by clients, etc. (Table 7.16) implementing an OpRisk framework lies in having the right organi­
zation. The organizational design would usually hint at the strength
and degree of development of an OpRisk framework at a firm. In
7.8 RISK ORGANIZATION AND the following text, we show a few organizational designs and the

GOVERNANCE beliefs that firms need to have to make them work. Usually firms
start with Design 1 and go to Design 4 presented in Figure 7.5.

Developing a solid risk organization is a key part of the frame­
work. Understanding the reporting lines and establishing the
position of this organization on the firm would have probably
as much importance as having a good measurement system.
Also having proper organizational involvement in OpRisk issues
where key stakeholders are regularly informed and oversee risk
is fundamental for success. Developing a framework in a silo
that no one sees or cares is nor a desirable situation. The OpRisk
manager needs to be integrated to the rest of the organization.
• Design 1— Central Risk Function as Coordinator. In this
organizational design, risk management role is more of a
facilitator. Usually in this structure, risk management gathers
information and reports to the C EO or the Board. Sometimes
risk management would add some layer of analysis, but in
most cases, the Central Risk group would be a small group.
One of the issues with this structure is that the regulators dis­
like the idea that risk managers report to revenue generating
businesses;

Chapter 7 OpRisk Data and Governance ■ 135

Design 1 and compensation decisions are still taken by these. In order
for this to be successful, the Business Units should have a
strong risk culture and collaborate very closely with the Central
Risk function. This dotted line structure works well when there
is a culture of Business Unit independence and distrust of the
Central Risk function for some reason or event that happened
in the past;
• Design 3— Solid reporting lines to Central Risk Manage­
ment. This organizational structure is reasonably popular
Design 2 within large firms. Risk Managers still physically work in the
Business Units but report to the Central Risk function usually
based in the headquarters. The Central Risk function will be
better positioned to prioritize risk management efforts across
different initiatives. This solid line reporting will also assist in
the creation of a more homogenous risk culture and consis­
tent approach across the enterprise;
• Design A— Strong Central Risk Management. Large firms
have adopted this structure lately, either by internal agree­
Design 3 ment or through regulatory pressure. In this structure, the
Corporate Chief Risk Officer is the key decision maker in risk
management and fully responsible for risk across the firm.
Central Risk Management is responsible to monitor and
manage all the firm's risks and report to senior management
and the Board. Such structure makes it much easier for the
regulator to streamline supervision as they can focus to one
particular group instead of being scattered in many business
units and geographical areas.

Design 4
Structuring a Firm Wide Policy: Example
of an OpRisk Policy
Example of a policy is presented in Table 7.17. A policy defines
a firm's operational risk management framework, which includes
governance structure, roles and responsibilities, and standards
for OpRisk management and measurement. It also describes
the OpRisk management programs, which are the functional
activities requiring guidelines for consistent firm wide execution
D e sig n s 1 -4 . (e.g., loss capture program, risk control self-assessment, and
scenario analysis).

In order for this structure to be successful, one should believe

that the Business Units will be responsive to the Central Risk Governance
demands even without being part of their reporting line and
Common industry practice for sound OpRisk governance often
the control and incentives that such reporting includes (e.g.,
relies on three lines of defense:
control over compensation, etc.);
• Business line management;
• Design 2— Matrix reporting—the "dotted lines". In this
organizational design, a sort of evolution to the previous • An independent corporate OpRisk management function;
design, risk managers have a dotted line to the Central Risk and
function; however, they are appointed by the Business Units • An independent review (usually internal audit).

136 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Table 7.17 Example of an OpRisk Policy

Content Description

Executive summary Defines the rationale and scope of the policy

Policy statements Provide a quick definition of the standards that will be used across the policy

Risk taxonomy Categorize OpRisk in different risk types. It can follow the Basel categories, but if it does not, it
usually provides a mapping of internal categories to the Basel-defined categories

Loss collection Defines what losses or incidents should be reported. Discuss concepts of "near misses" and
describes recoveries

Risk assessment Usually describes other programs used to supplement internal loss data collection like scenario
analysis or risk factor analysis

Risk measurement Describes the basic framework for measuring OpRisk, which types of data are used, and how
capital is calculated (overall view of the building blocks not a detailed manual)

Validation Describes how the risk assessment and measurement are validated, how frequent validation
takes place, and which departments are responsible for the validation

Policy assurance and testing Determines which department(s) in the firm will be responsible for assurance that the policy is
being followed and the reports that assure this firm-wide compliance

Governance Describes where this policy is situated, which committee approves it, and how the OpRisk
governance works

References Determine on which regulations, external standards, and/or other firm policies this was based
upon

Depending on the bank's nature, size and complexity, and the
risk profile of a bank's activities, the degree of formality of how
these three lines of defense are implemented will vary. In all
cases, however, a bank's OpRisk governance function should be
fully integrated into the bank's overall risk management gover­
nance structure and the regulators closely monitor this.
If OpRisk governance utilizes the three lines of defense model
(i.e., the business is the first line of defense, risk management is
the second line, and internal audit being the third), the structure
and activities of the three lines often vary, depending on the
bank's portfolio of products, activities, processes, and systems;
the bank's size; and its risk management approach. Strong risk cul­
ture and good communications among the three lines of defense
are important characteristics of good OpRisk governance.
The regulators also reinforce the role of the board of direc­
tors. In the US and UK it is common that the regulators meet
separately with financial firms' board of directors regularly to
discuss their expectations regarding risk management. The
board of directors should take the lead in establishing a strong
risk management culture. The board of directors and senior
management should establish a corporate culture that is guided
by strong risk management and that supports and provides
appropriate standards and incentives for professional and
responsible behavior. In this regard, it is the responsibility of the
board of directors to ensure that a strong OpRisk management
culture exists throughout the whole organization and this will be
closely monitored by regulators.

Chapter 7 OpRisk Data and Governance ■ 137

Supervisory
Guidance on Model
Risk Management
Learning Objectives
After completing this reading you should be able to:

Describe model risk and explain how it can arise in the Explain best practices for the development and
implementation of a model. implementation of models.

Describe elements of an effective model risk management Describe elements of a strong model validation process
process. and challenges to an effective validation process.

E x c e rp t is rep rin ted from Financial Institution L e tte r FIL-22-2017 p u b lish e d by the Fed era l D e p o sit Insurance C orporation.
8.1 INTRODUCTION
Banks rely heavily on quantitative analysis and models in most
aspects of financial decision making.1 They routinely use models
for a broad range of activities, including underwriting credits;
valuing exposures, instruments, and positions; measuring risk;
managing and safeguarding client assets; determining capital
and reserve adequacy; and many other activities. In recent years,
banks have applied models to more complex products and with
more ambitious scope, such as enterprise-wide risk measure­
ment, while the markets in which they are used have also
broadened and changed. Changes in regulation have spurred
some of the recent developments, particularly the U.S. regula­
tory capital rules for market, credit, and operational risk based
on the framework developed by the Basel Committee on Bank­
ing Supervision. Even apart from these regulatory considerations,
however, banks have been increasing the use of data-driven,
quantitative decision-making tools for a number of years.
The expanding use of models in all aspects of banking reflects
the extent to which models can improve business decisions, but
models also come with costs. There is the direct cost of devot­
ing resources to develop and implement models properly. There
are also the potential indirect costs of relying on models, such as
the possible adverse consequences (including financial loss) of
decisions based on models that are incorrect or misused. Those
consequences should be addressed by active management of
model risk.
This guidance describes the key aspects of effective model
risk management. Section II explains the purpose and scope of
the guidance, and Section III gives an overview of model risk
management. Section IV discusses robust model development,
implementation, and use. Section V describes the components of
an effective validation framework. Section VI explains the salient
features of sound governance, policies, and controls over model
development, implementation, use, and validation. Section VII
concludes.
8.2 PURPOSE AND SCOPE
The purpose of this document is to provide comprehensive
guidance for banks on effective model risk management.
Rigorous model validation plays a critical role in model risk
1 Unless otherwise indicated, banks refers to state non-member banks,
state savings associations, and all other institutions for which the Fed­
eral Deposit Insurance Corporation is the primary supervisor. It is not
expected that this guidance will pertain to FDIC-supervised institutions
with under $1 billion in total assets unless the institution's model use is
significant, complex, or poses elevated risk to the institution.
140 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
management; however, sound development, implementation,
and use of models are also vital elements. Furthermore, model
risk management encompasses governance and control mecha­
nisms such as board and senior management oversight, policies
and procedures, controls and compliance, and an appropriate
incentive and organizational structure.
Previous guidance and other publications issued by the FDIC on
the use of models address aspects of model risk management
for specific types of models or pay particular attention to model
validation.2 Based on supervisory and industry experience over
the past several years, this document expands on existing
guidance— most importantly by broadening the scope to
include all aspects of model risk management. Many banks may
already have in place a large portion of these practices, but
banks should ensure that internal policies and procedures are
consistent with the risk management principles and supervisory
expectations contained in this guidance. Details may vary from
bank to bank, as practical application of this guidance should be
customized to be commensurate with a bank's risk exposures, its
business activities, and the complexity and extent of its model
use. For example, steps taken to apply this guidance at banks
using relatively few models of only moderate complexity might
be significantly less involved than those at a bank where use of
models is more extensive or complex.
8.3 OVERVIEW OF MODEL RISK
MANAGEMENT
For the purposes of this document, the term m odel refers to a
quantitative method, system, or approach that applies statistical,
economic, financial, or mathematical theories, techniques, and
assumptions to process input data into quantitative estimates.
A m odel consists of three components: an information input
component, which delivers assumptions and data to the model;
a processing component, which transforms inputs into estimates;
and a reporting component, which translates the estimates into
useful business information. Models meeting this definition
might be used for analyzing business strategies, informing
2 For instance, the FDIC has addressed aspects of model risk manage­
ment in guidance related to different activities; see Joint Agency Policy
Statement on Interest Rate Risk (FIL-52-96), FFIEC Advisory on Interest
Rate Risk Management (FIL-2-2010), Interagency Advisory on Interest
Rate Risk Management Frequently Asked Questions (FIL-2-2012),
FDIC's Credit Card Activities Manual (https://www.fdic.gov/regulations/
examinations/credit_card/), and Supervisory Guidance on Implementing
Dodd-Frank Act Company-Run Stress Tests for Banking Organizations
With Total Consolidated Assets of More Than $10 Billion but Less Than
$50 Billion (79 FR 14153). In addition, the advanced-approaches risk-
based capital rules (12 CFR 325, Appendix D) contain explicit validation
requirements for subject banking organizations.
business decisions, identifying and measuring risks, valuing
exposures, instruments or positions, conducting stress testing,
assessing adequacy of capital, managing client assets, measuring
compliance with internal limits, maintaining the formal control
apparatus of the bank, or meeting financial or regulatory report­
ing requirements and issuing public disclosures. The definition of
m odel also covers quantitative approaches whose inputs are
partially or wholly qualitative or based on expert judgment,
provided that the output is quantitative in nature.3
Models are simplified representations of real-world relationships
among observed characteristics, values, and events. Simplifi­
cation is inevitable, due to the inherent complexity of those
relationships, but also intentional, to focus attention on particu­
lar aspects considered to be most important for a given model
application. Model quality can be measured in many ways:
precision, accuracy, discriminatory power, robustness, stability,
and reliability, to name a few. Models are never perfect, and the
appropriate metrics of quality, and the effort that should be put
into improving quality, depend on the situation. For example,
precision and accuracy are relevant for models that forecast
future values, while discriminatory power applies to models that
rank order risks. In all situations, it is important to understand a
model's capabilities and limitations given its simplifications and
assumptions.
The use of models invariably presents model risk, which is the
potential for adverse consequences from decisions based on
incorrect or misused model outputs and reports. Model risk
can lead to financial loss, poor business and strategic decision
making, or damage to a bank's reputation. Model risk occurs
primarily for two reasons:
• The model may have fundamental errors and may produce
inaccurate outputs when viewed against the design objective
and intended business uses. The mathematical calculation
and quantification exercise underlying any model generally
involves application of theory, choice of sample design and
numerical routines, selection of inputs and estimation, and
implementation in information systems. Errors can occur at
any point from design through implementation. In addition,
shortcuts, simplifications, or approximations used to manage
complicated problems could compromise the integrity and
reliability of outputs from those calculations. Finally, the qual­
ity of model outputs depends on the quality of input data
and assumptions, and errors in inputs or incorrect assump­
tions will lead to inaccurate outputs.
3 While outside the scope of this guidance, more qualitative approaches
used by banking organizations—i.e., those not defined as models
according to this guidance—should also be subject to a rigorous control
process.
Chapter 8 Supervisory Guidance on Model Risk Management
• The model may be used incorrectly or inappropriately. Even
a fundamentally sound model producing accurate outputs
consistent with the design objective of the model may
exhibit high model risk if it is misapplied or misused. Models
by their nature are simplifications of reality, and real-world
events may prove those simplifications inappropriate. This
is even more of a concern if a model is used outside the
environment for which it was designed. Banks may do this
intentionally as they apply existing models to new products
or markets, or inadvertently as market conditions or customer
behavior changes. Decision makers need to understand the
limitations of a model to avoid using it in ways that are not
consistent with the original intent. Limitations come in part
from weaknesses in the model due to its various shortcom­
ings, approximations, and uncertainties. Limitations are also
a consequence of assumptions underlying a model that may
restrict the scope to a limited set of specific circumstances
and situations.
Model risk should be managed like other types of risk. Banks
should identify the sources of risk and assess the magnitude.
Model risk increases with greater model complexity, higher
uncertainty about inputs and assumptions, broader use, and
larger potential impact. Banks should consider risk from indi­
vidual models and in the aggregate. Aggregate model risk is
affected by interaction and dependencies among models; reli­
ance on common assumptions, data, or methodologies; and
any other factors that could adversely affect several models and
their outputs at the same time. With an understanding of the
source and magnitude of model risk in place, the next step is to
manage it properly.
A guiding principle for managing model risk is "effective
challenge" of models, that is, critical analysis by objective,
informed parties who can identify model limitations and
assumptions and produce appropriate changes. Effective
challenge depends on a combination of incentives, com pe­
tence, and influence. Incentives to provide effective challenge
to models are stronger when there is greater separation of
that challenge from the model developm ent process and
when challenge is supported by well-designed com pensa­
tion practices and corporate culture. Com petence is a key to
effectiveness since technical knowledge and modeling skills
are necessary to conduct appropriate analysis and critique.
Finally, challenge may fail to be effective without the influence
to ensure that actions are taken to address model issues. Such
influence comes from a combination of explicit authority, stat­
ure within the organization, and commitment and support from
higher levels of management.
Even with skilled modeling and robust validation, model risk
cannot be eliminated, so other tools should be used to manage
■ 141
model risk effectively. Among these are establishing limits on
model use, monitoring model performance, adjusting or revising
models over time, and supplementing model results with other
analysis and information. Informed conservatism, in either the
inputs or the design of a model or through explicit adjustments
to outputs, can be an effective tool, though not an excuse to
avoid improving models.
As is generally the case with other risks, materiality is an impor­
tant consideration in model risk management. If at some banks
the use of models is less pervasive and has less impact on their
financial condition, then those banks may not need as com­
plex an approach to model risk management in order to meet
supervisory expectations. However, where models and model
output have a material impact on business decisions, including
decisions related to risk management and capital and liquidity
planning, and where model failure would have a particularly
harmful impact on a bank's financial condition, a bank's model
risk management fram ework should be more extensive and
rigorous.
Model risk management begins with robust model develop­
ment, implementation, and use. Another essential element is
a sound model validation process. A third element is gover­
nance, which sets an effective framework with defined roles and
responsibilities for clear communication of model limitations and
assumptions, as well as the authority to restrict model usage.
The following sections of this document cover each of these
elements.
8.4 MODEL DEVELOPMENT,
IMPLEMENTATION, AND USE
Model risk management should include disciplined and knowl­
edgeable developm ent and implementation processes that are
consistent with the situation and goals of the model user and
with bank policy. Model developm ent is not a straightforward
or routine technical process. The experience and judgm ent of
developers, as much as their technical knowledge, greatly
influence the appropriate selection of inputs and processing
components. The training and experience of developers
exercising such judgm ent affects the extent of model risk.
Moreover, the modeling exercise is often a multidisciplinary
activity drawing on economics, finance, statistics, mathematics,
and other fields. Models are employed in real-world markets
and events and therefore should be tailored for specific
applications and informed by business uses. In addition, a
considerable amount of subjective judgm ent is exercised at
various stages of model developm ent, implementation,
use, and validation. It is important for decision makers to
142 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
recognize that this subjectivity elevates the importance
of sound and comprehensive model risk management
processes.4
Model Development and Implementation
An effective development process begins with a clear statement
of purpose to ensure that model development is aligned with
the intended use. The design, theory, and logic underlying the
model should be well documented and generally supported
by published research and sound industry practice. The model
methodologies and processing components that implement the
theory, including the mathematical specification and the numeri­
cal techniques and approximations, should be explained in
detail with particular attention to merits and limitations. Devel­
opers should ensure that the components work as intended,
are appropriate for the intended business purpose, and are
conceptually sound and mathematically and statistically correct.
Comparison with alternative theories and approaches is a funda­
mental component of a sound modeling process.
The data and other information used to develop a model are
of critical importance; there should be rigorous assessment
of data quality and relevance, and appropriate documenta­
tion. Developers should be able to demonstrate that such data
and information are suitable for the model and that they are
consistent with the theory behind the approach and with the
chosen methodology. If data proxies are used, they should be
carefully identified, justified, and documented. If data and infor­
mation are not representative of the bank's portfolio or other
characteristics, or if assumptions are made to adjust the data
and information, these factors should be properly tracked and
analyzed so that users are aware of potential limitations. This is
particularly important for external data and information (from a
vendor or outside party), especially as they relate to new prod­
ucts, instruments, or activities.
An integral part of model development is testing, in which
the various components of a model and its overall functioning
are evaluated to determine whether the model is perform­
ing as intended. Model testing includes checking the model's
accuracy, demonstrating that the model is robust and stable,
assessing potential limitations, and evaluating the model's
behavior over a range of input values. It should also assess the
4 Less complex banks that rely on vendor models may be able to satisfy
the standards in this guidance without an in-house staff of technical,
quantitative model developers. However, even if a bank relies on
vendors for basic model development, the bank should still choose the
particular models and variables that are appropriate to its size, scale,
and lines of business and ensure the models are appropriate for the
intended use.
impact of assumptions and identify situations where the model
performs poorly or becomes unreliable. Testing should be
applied to actual circumstances under a variety of market condi­
tions, including scenarios that are outside the range of ordinary
expectations, and should encompass the variety of products or
applications for which the model is intended. Extreme values for
inputs should be evaluated to identify any boundaries of model
effectiveness. The impact of model results on other models
that rely on those results as inputs should also be evaluated.
Included in testing activities should be the purpose, design, and
execution of test plans, summary results with commentary and
evaluation, and detailed analysis of informative samples. Testing
activities should be appropriately documented.
The nature of testing and analysis will depend on the type of
model and will be judged by different criteria depending on the
context. For example, the appropriate statistical tests depend
on specific distributional assumptions and the purpose of the
model. Furthermore, in many cases statistical tests cannot unam­
biguously reject false hypotheses or accept true ones based on
sample information. Different tests have different strengths and
weaknesses under different conditions. Any single test is rarely
sufficient, so banks should apply a variety of tests to develop a
sound model.
Banks should ensure that the development of the more judg­
mental and qualitative aspects of their models is also sound. In
some cases, banks may take statistical output from a model and
modify it with judgmental or qualitative adjustments as part of
model development. While such practices may be appropriate,
banks should ensure that any such adjustments made as part of
the development process are conducted in an appropriate and
systematic manner, and are well documented. Models typically
are embedded in larger information systems that manage the
flow of data from various sources into the model and handle the
aggregation and reporting of model outcomes. Model calcula­
tions should be properly coordinated with the capabilities and
requirements of information systems. Sound model risk manage­
ment depends on substantial investment in supporting systems
to ensure data and reporting integrity, together with controls
and testing to ensure proper implementation of models, effec­
tive systems integration, and appropriate use.
Model Use
Model use provides additional opportunity to test whether a
model is functioning effectively and to assess its performance
over time as conditions and model applications change. It can
serve as a source of productive feedback and insights from a
knowledgeable internal constituency with strong interest in hav­
ing models that function well and reflect economic and business
Chapter 8 Supervisory Guidance on Model Risk Management
realities. Model users can provide valuable business insight
during the development process. In addition, business manag­
ers affected by model outcomes may question the methods or
assumptions underlying the models, particularly if the managers
are significantly affected by and do not agree with the outcome.
Such questioning can be healthy if it is constructive and causes
model developers to explain and justify the assumptions and
design of the models.
However, challenge from model users may be weak if the model
does not materially affect their results, if the resulting changes
in models are perceived to have adverse effects on the business
line, or if change in general is regarded as expensive or difficult.
User challenges also tend not to be comprehensive because
they focus on aspects of models that have the most direct
impact on the user's measured business performance or com­
pensation, and thus may ignore other elements and applications
of the models. Finally, such challenges tend to be asymmetric,
because users are less likely to challenge an outcome that
results in an advantage for them. Indeed, users may incorrectly
believe that model risk is low simply because outcomes from
model-based decisions appear favorable to the institution. Thus,
the nature and motivation behind model users' input should be
evaluated carefully, and banks should also solicit constructive
suggestions and criticism from sources independent of the line
of business using the model.
Reports used for business decision making play a critical role in
model risk management. Such reports should be clear and com­
prehensible and take into account the fact that decision makers
and modelers often come from quite different backgrounds and
may interpret the contents in different ways. Reports that pro­
vide a range of estimates for different input-value scenarios and
assumption values can give decision makers important indica­
tions of the model's accuracy, robustness, and stability as well as
information on model limitations.
An understanding of model uncertainty and inaccuracy and a
demonstration that the bank is accounting for them appropri­
ately are important outcomes of effective model development,
implementation, and use. Because they are by definition imper­
fect representations of reality, all models have some degree of
uncertainty and inaccuracy. These can sometimes be quantified,
for example, by an assessment of the potential impact of factors
that are unobservable or not fully incorporated in the model, or
by the confidence interval around a statistical model's point esti­
mate. Indeed, using a range of outputs, rather than a simple
point estimate, can be a useful way to signal model uncertainty
and avoid spurious precision. At other times, only a qualitative
assessment of model uncertainty and inaccuracy is possible. In
either case, it can be prudent for banks to account for model
uncertainty by explicitly adjusting model inputs or calculations
■ 143
to produce more severe or adverse model output in the interest
of conservatism. Accounting for model uncertainty can also
include judgmental conservative adjustments to model output,
placing less emphasis on that model's output, or ensuring that
the model is only used when supplemented by other models or
approaches.5
While conservative use of models is prudent in general, banks
should be careful in applying conservatism broadly or claiming
to make conservative adjustments or add-ons to address model
risk, because the impact of such conservatism in complex mod­
els may not be obvious or intuitive. Model aspects that appear
conservative in one model may not be truly conservative com­
pared with alternative methods. For example, simply picking
an extreme point on a given modeled distribution may not be
conservative if the distribution was misestimated or misspecified
in the first place. Furthermore, initially conservative assumptions
may not remain conservative over time. Therefore, banks should
justify and substantiate claims that model outputs are conserva­
tive with a definition and measurement of that conservatism
that is communicated to model users. In some cases, sensitivity
analysis or other types of stress testing can be used to demon­
strate that a model is indeed conservative. Another way in which
banks may choose to be conservative is to hold an additional
cushion of capital to protect against potential losses associated
with model risk. However, conservatism can become an impedi­
ment to proper model development and application if it is seen
as a solution that dissuades the bank from making the effort to
improve the model; in addition, excessive conservatism can lead
model users to discount the model outputs.
As this section has explained, robust model development,
implementation, and use is important to model risk manage­
ment. But it is not enough for model developers and users
to understand and accept the model. Because model risk is
ultimately borne by the bank as a whole, the bank should objec­
tively assess model risk and the associated costs and benefits
using a sound model-validation process.
8.5 MODEL VALIDATION
Model validation is the set of processes and activities intended
to verify that models are performing as expected, in line with
their design objectives and business uses. Effective validation
helps ensure that models are sound. It also identifies potential
5 To the extent that models are used to generate amounts included in
public financial statements, any adjustments for model uncertainty are
required by existing law to comply with generally accepted accounting
principles.
144 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
limitations and assumptions, and assesses their possible impact.
As with other aspects of effective challenge, model validation
should be performed by staff with appropriate incentives, com­
petence, and influence.
All model components, including input, processing, and report­
ing, should be subject to validation; this applies equally to
models developed in-house and to those purchased from or
developed by vendors or consultants. The rigor and sophisti­
cation of validation should be commensurate with the bank's
overall use of models, the complexity and materiality of its mod­
els, and the size and complexity of the bank's operations.
Validation involves a degree of independence from model
development and use. Generally, validation should be done by
people who are not responsible for development or use and do
not have a stake in whether a model is determined to be valid.
Independence is not an end in itself but rather helps ensure that
incentives are aligned with the goals of model validation. While
independence may be supported by separation of reporting
lines, it should be judged by actions and outcomes, since there
may be additional ways to ensure objectivity and prevent bias. As
a practical matter, some validation work may be most effectively
done by model developers and users; it is essential, however,
that such validation work be subject to critical review by an inde­
pendent party, who should conduct additional activities to ensure
proper validation. Overall, the quality of the process is judged
by the manner in which models are subject to critical review.
This could be determined by evaluating the extent and clarity of
documentation, the issues identified by objective parties, and the
actions taken by management to address model issues.
In addition to independence, banks can support appropriate
incentives in validation through compensation practices and
performance evaluation standards that are tied directly to the
quality of model validations and the degree of critical, unbiased
review. In addition, corporate culture plays a role if it establishes
support for objective thinking and encourages questioning and
challenging of decisions.
Staff doing validation should have the requisite knowledge,
skills, and expertise. A high level of technical expertise may
be needed because of the complexity of many models, both
in structure and in application. These staff also should have a
significant degree of familiarity with the line of business using
the model and the model's intended use. A model's developer
is an important source of information but cannot be relied on as
an objective or sole source on which to base an assessment of
model quality.
Staff conducting validation work should have explicit authority
to challenge developers and users and to elevate their findings,
including issues and deficiencies. The individual or unit to whom
those staff report should have sufficient influence or stature
within the bank to ensure that any issues and deficiencies are
appropriately addressed in a timely and substantive manner.
Such influence can be reflected in reporting lines, title, rank, or
designated responsibilities. Influence may be demonstrated by a
pattern of actual instances in which models, or the use of mod­
els, have been appropriately changed as a result of validation.
The range and rigor of validation activities conducted prior to
first use of a model should be in line with the potential risk pre­
sented by use of the model. If significant deficiencies are noted
as a result of the validation process, use of the model should
not be allowed or should be permitted only under very tight
constraints until those issues are resolved. If the deficiencies are
too severe to be addressed within the model's framework, the
model should be rejected. If it is not feasible to conduct neces­
sary validation activities prior to model use because of data
paucity or other limitations, that fact should be documented
and communicated in reports to users, senior management, and
other relevant parties. In such cases, the uncertainty about the
results that the model produces should be mitigated by other
compensating controls. This is particularly applicable to new
models and to the use of existing models in new applications.
Validation activities should continue on an ongoing basis after
a model goes into use, to track known model limitations and
to identify any new ones. Validation is an important check on
model use during periods of benign economic and financial con­
ditions, when estimates of risk and potential loss can become
overly optimistic, and when the data at hand may not fully
reflect more stressed conditions. Ongoing validation activities
help to ensure that changes in markets, products, exposures,
activities, clients, or business practices do not create new model
limitations. For example, if credit risk models do not incorporate
underwriting changes in a timely manner, flawed and costly busi­
ness decisions could be made before deterioration in model
performance becomes apparent.
Banks should conduct a periodic review— at least annually but
more frequently if warranted— of each model to determine
whether it is working as intended and if the existing valida­
tion activities are sufficient. Such a determination could simply
affirm previous validation work, suggest updates to previous
validation activities, or call for additional validation activities.
Material changes to models should also be subject to validation.
It is generally good practice for banks to ensure that all models
undergo the full validation process, as described in the following
section, at some fixed interval, including updated documenta­
tion of all activities.
Effective model validation helps reduce model risk by identify­
ing model errors, corrective actions, and appropriate use. It
also provides an assessment of the reliability of a given model,
Chapter 8 Supervisory Guidance on Model Risk Management
based on its underlying assumptions, theory, and methods. In
this way, it provides information about the source and extent
of model risk. Validation also can reveal deterioration in model
performance over time and can set thresholds for acceptable
levels of error, through analysis of the distribution of outcomes
around expected or predicted values. If outcomes fall consis­
tently outside this acceptable range, then the models should be
redeveloped.
Key Elements of Comprehensive
Validation
An effective validation framework should include three core
elements:
• Evaluation of conceptual soundness, including developmen­
tal evidence
• Ongoing monitoring, including process verification and
benchmarking
• Outcomes analysis, including back-testing
Evaluation of Conceptual Soundness
This element involves assessing the quality of the model design
and construction. It entails review of documentation and empiri­
cal evidence supporting the methods used and variables selected
for the model. Documentation and testing should convey an
understanding of model limitations and assumptions. Validation
should ensure that judgment exercised in model design and con­
struction is well informed, carefully considered, and consistent
with published research and with sound industry practice. Devel­
opmental evidence should be reviewed before a model goes into
use and also as part of the ongoing validation process, in particu­
lar whenever there is a material change in the model.
A sound development process will produce documented evi­
dence in support of all model choices, including the overall
theoretical construction, key assumptions, data, and specific
mathematical calculations, as mentioned in Section IV. As part
of model validation, those model aspects should be subjected
to critical analysis by both evaluating the quality and extent of
developmental evidence and conducting additional analysis and
testing as necessary. Comparison to alternative theories and
approaches should be included. Key assumptions and the choice
of variables should be assessed, with analysis of their impact on
model outputs and particular focus on any potential limitations.
The relevance of the data used to build the model should be
evaluated to ensure that it is reasonably representative of the
bank's portfolio or market conditions, depending on the type of
model. This is an especially important exercise when a bank uses
external data or the model is used for new products or activities.
■ 145
Where appropriate to the particular model, banks should
employ sensitivity analysis in model development and validation
to check the impact of small changes in inputs and param­
eter values on model outputs to make sure they fall within an
expected range. Unexpectedly large changes in outputs in
response to small changes in inputs can indicate an unstable
model. Varying several inputs simultaneously as part of sensitiv­
ity analysis can provide evidence of unexpected interactions,
particularly if the interactions are complex and not intuitively
clear. Banks benefit from conducting model stress testing to
check performance over a wide range of inputs and parameter
values, including extreme values, to verify that the model is
robust. Such testing helps establish the boundaries of model
performance by identifying the acceptable range of inputs as
well as conditions under which the model may become unstable
or inaccurate.
Management should have a clear plan for using the results of
sensitivity analysis and other quantitative testing. If testing indi­
cates that the model may be inaccurate or unstable in some
circumstances, management should consider modifying certain
model properties, putting less reliance on its outputs, placing
limits on model use, or developing a new approach.
Qualitative information and judgment used in model develop­
ment should be evaluated, including the logic, judgment, and
types of information used, to establish the conceptual sound­
ness of the model and set appropriate conditions for its use. The
validation process should ensure that qualitative, judgmental
assessments are conducted in an appropriate and systematic
manner, are well supported, and are documented.
Ongoing Monitoring
The second core element of the validation process is ongoing
monitoring. Such monitoring confirms that the model is appro­
priately implemented and is being used and is performing as
intended.
Ongoing monitoring is essential to evaluate whether changes
in products, exposures, activities, clients, or market conditions
necessitate adjustment, redevelopment, or replacement of the
model and to verify that any extension of the model beyond its
original scope is valid. Any model limitations identified in the
development stage should be regularly assessed over time, as
part of ongoing monitoring. Monitoring begins when a model
is first implemented in production systems for actual business
use. This monitoring should continue periodically over time, with
a frequency appropriate to the nature of the model, the avail­
ability of new data or modeling approaches, and the magnitude
of the risk involved. Banks should design a program of ongo­
ing testing and evaluation of model performance along with
146 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
procedures for responding to any problems that appear. This
program should include process verification and benchmarking.
Process verification checks that all model components are
functioning as designed. It includes verifying that internal and
external data inputs continue to be accurate, complete, consis­
tent with model purpose and design, and of the highest quality
available. Computer code implementing the model should be
subject to rigorous quality and change control procedures to
ensure that the code is correct, that it cannot be altered except
by approved parties, and that all changes are logged and can
be audited. System integration can be a challenge and deserves
special attention because the model processing component
often draws from various sources of data, processes large
amounts of data, and then feeds into multiple data repositories
and reporting systems. User-developed applications, such as
spreadsheets or ad hoc database applications used to generate
quantitative estimates, are particularly prone to model risk. As
the content or composition of information changes over time,
systems may need to be updated to reflect any changes in the
data or its use. Reports derived from model outputs should be
reviewed as part of validation to verify that they are accurate,
complete, and informative, and that they contain appropriate
indicators of model performance and limitations.
Many of the tests employed as part of model development
should be included in ongoing monitoring and be conducted
on a regular basis to incorporate additional information as
it becomes available. New empirical evidence or theoreti­
cal research may suggest the need to modify or even replace
original methods. Analysis of the integrity and applicability of
internal and external information sources, including information
provided by third-party vendors, should be performed regularly.
Sensitivity analysis and other checks for robustness and stability
should likewise be repeated periodically. They can be as useful
during ongoing monitoring as they are during model development.
If models only work well for certain ranges of input values, market
conditions, or other factors, they should be monitored to identify
situations where these constraints are approached or exceeded.
Ongoing monitoring should include the analysis of overrides
with appropriate documentation. In the use of virtually any
model, there will be cases where model output is ignored,
altered, or reversed based on the expert judgment of model
users. Such overrides are an indication that, in some respect, the
model is not performing as intended or has limitations. Banks
should evaluate the reasons for overrides and track and analyze
override performance. If the rate of overrides is high, or if the
override process consistently improves model performance,
it is often a sign that the underlying model needs revision or
redevelopment.
Benchmarking is the comparison of a given model's inputs and
outputs to estimates from alternative internal or external data
or models. It can be incorporated in model development as
well as in ongoing monitoring. For credit risk models, examples
of benchmarks include models from vendor firms or industry
consortia and data from retail credit bureaus. Pricing models
for securities and derivatives often can be compared with alter­
native models that are more accurate or comprehensive but
also too time consuming to run on a daily basis. W hatever the
source, benchmark models should be rigorous and benchmark
data should be accurate and complete to ensure a reasonable
comparison.
Discrepancies between the model output and benchmarks
should trigger investigation into the sources and degree of
the differences, and examination of whether they are within an
expected or appropriate range given the nature of the com­
parison. The results of that analysis may suggest revisions to the
model. However, differences do not necessarily indicate that the
model is in error. The benchmark itself is an alternative predic­
tion, and the differences may be due to the different data or
methods used. If the model and the benchmark match well, that
is evidence in favor of the model, but it should be interpreted
with caution so the bank does not get a false degree of comfort.
Outcomes Analysis
The third core element of the validation process is outcomes
analysis, a comparison of model outputs to corresponding actual
outcomes. The precise nature of the comparison depends on
the objectives of a model, and might include an assessment of
the accuracy of estimates or forecasts, an evaluation of rank­
ordering ability, or other appropriate tests. In ail cases, such
comparisons help to evaluate model performance, by establish­
ing expected ranges for those actual outcomes in relation to
the intended objectives and assessing the reasons for observed
variation between the two. If outcomes analysis produces evi­
dence of poor performance, the bank should take action to
address those issues. Outcomes analysis typically relies on sta­
tistical tests or other quantitative measures. It can also include
expert judgment to check the intuition behind the outcomes
and confirm that the results make sense. When a model itself
relies on expert judgment, quantitative outcomes analysis helps
to evaluate the quality of that judgment. Outcomes analysis
should be conducted on an ongoing basis to test whether the
model continues to perform in line with design objectives and
business uses.
A variety of quantitative and qualitative testing and analytical
techniques can be used in outcomes analysis. The choice of
technique should be based on the model's methodology, its
Chapter 8 Supervisory Guidance on Model Risk Management
complexity, data availability, and the magnitude of potential
model risk to the bank. Outcomes analysis should involve a
range of tests because any individual test will have weaknesses.
For example, some tests are better at checking a model's abil­
ity to rank-order or segment observations on a relative basis,
whereas others are better at checking absolute forecast accu­
racy. Tests should be designed for each situation, as not all will
be effective or feasible in every circumstance, and attention
should be paid to choosing the appropriate type of outcomes
analysis for a particular model.
Models are regularly adjusted to take into account new data or
techniques, or because of deterioration in performance. Parallel
outcomes analysis, under which both the original and adjusted
models' forecasts are tested against realized outcomes, provides
an important test of such model adjustments. If the adjusted
model does not outperform the original model, developers,
users, and reviewers should realize that additional changes— or
even a wholesale redesign— are likely necessary before the
adjusted model replaces the original one.
Back-testing is one form of outcomes analysis; specifically, it
involves the comparison of actual outcomes with model forecasts
during a sample time period not used in model development and
at an observation frequency that matches the forecast horizon or
performance window of the model. The comparison is generally
done using expected ranges or statistical confidence intervals
around the model forecasts. When outcomes fall outside those
intervals, the bank should analyze the discrepancies and inves­
tigate the causes that are significant in terms of magnitude or
frequency. The objective of the analysis is to determine whether
differences stem from the omission of material factors from the
model, whether they arise from errors with regard to other aspects
of model specification such as interaction terms or assumptions of
linearity, or whether they are purely random and thus consistent
with acceptable model performance. Analysis of in-sample fit and
of model performance in holdout samples (data set aside and not
used to estimate the original model) are important parts of model
development but are not substitutes for back-testing.
A well-known example of back-testing is the evaluation of
value-at-risk (VaR), in which actual profit and loss is compared
with a model forecast loss distribution. Significant deviation in
expected versus actual performance and unexplained volatility
in the profits and losses of trading activities may indicate that
hedging and pricing relationships are not adequately measured
by a given approach. Along with measuring the frequency of
losses in excess of a single VaR percentile estimator, banks
should use other tests, such as assessing any clustering of
exceptions and checking the distribution of losses against other
estimated percentiles.
■ 147
Analysis of the results of even high-quality and well-designed
back-testing can pose challenges, since it is not a straightfor­
ward, mechanical process that always produces unambiguous
results. The purpose is to test the model, not individual forecast
values. Back-testing may entail analysis of a large number of
forecasts over different conditions at a point in time or over
multiple time periods. Statistical testing is essential in such
cases, yet such testing can pose challenges in both the choice of
appropriate tests and the interpretation of results; banks should
support and document both the choice of tests and the inter­
pretation of results.
Models with long forecast horizons should be back-tested, but
given the amount of time it would take to accumulate the neces­
sary data, that testing should be supplemented by evaluation
over shorter periods. Banks should employ outcomes analysis
consisting of "early warning" metrics designed to measure
performance beginning very shortly after model introduction
and trend analysis of performance over time. These outcomes
analysis tools are not substitutes for back-testing, which should
still be performed over the longer time period, but rather very
important complements.
Outcomes analysis and the other elements of the validation
process may reveal significant errors or inaccuracies in model
development or outcomes that consistently fall outside the
bank's predetermined thresholds of acceptability. In such cases,
model adjustment, recalibration, or redevelopment is warranted.
Adjustments and recalibration should be governed by the prin­
ciple of conservatism and should undergo independent review.
Material changes in model structure or technique, and all model
redevelopment, should be subject to validation activities of
appropriate range and rigor before implementation. At times
banks may have a limited ability to use key model validation
tools like back-testing or sensitivity analysis for various reasons,
such as lack of data or of price observability. In those cases,
even more attention should be paid to the model's limitations
when considering the appropriateness of model usage, and
senior management should be fully informed of those limitations
when using the models for decision making. Such scrutiny
should be applied to individual models and models in the
aggregate.
Validation of Vendor and Other
Third-Party Products
The widespread use of vendor and other third-party products—
including data, parameter values, and complete models— poses
unique challenges for validation and other model risk manage­
ment activities because the modeling expertise is external to the
user and because some components are considered proprietary.
148 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Vendor products should nevertheless be incorporated into a
bank's broader model risk management framework following
the same principles as applied to in-house models, although the
process may be somewhat modified.
As a first step, banks should ensure that there are appropriate
processes in place for selecting vendor models. Banks should
require the vendor to provide developmental evidence explain­
ing the product components, design, and intended use, to
determine whether the model is appropriate for the bank's prod­
ucts, exposures, and risks. Vendors should provide appropriate
testing results that show their product works as expected. They
should also clearly indicate the model's limitations and assump­
tions and where the product's use may be problematic. Banks
should expect vendors to conduct ongoing performance moni­
toring and outcomes analysis, with disclosure to their clients, and
to make appropriate modifications and updates overtim e.
Banks are expected to validate their own use of vendor prod­
ucts. External models may not allow full access to computer
coding and implementation details, so the bank may have to
rely more on sensitivity analysis and benchmarking. Vendor
models are often designed to provide a range of capabilities
and so may need to be customized by a bank for its particular
circumstances. A bank's customization choices should be docu­
mented and justified as part of validation. If vendors provide
input data or assumptions, or use them to build models, their
relevance for the bank's situation should be investigated. Banks
should obtain information regarding the data used to develop
the model and assess the extent to which that data is repre­
sentative of the bank's situation. The bank also should conduct
ongoing monitoring and outcomes analysis of vendor model
performance using the bank's own outcomes.
Systematic procedures for validation help the bank to under­
stand the vendor product and its capabilities, applicability, and
limitations. Such detailed knowledge is necessary for basic con­
trols of bank operations. It is also very important for the bank to
have as much knowledge in-house as possible, in case the ven­
dor or the bank terminates the contract for any reason, or if the
vendor is no longer in business. Banks should have contingency
plans for instances when the vendor model is no longer avail­
able or cannot be supported by the vendor.
8.6 GOVERNANCE, POLICIES,
AND CONTROLS
Developing and maintaining strong governance, policies,
and controls over the model risk management framework is
fundamentally important to its effectiveness. Even if model devel­
opment, implementation, use, and validation are satisfactory,
a weak governance function will reduce the effectiveness of over­
all model risk management. A strong governance framework pro­
vides explicit support and structure to risk management functions
through policies defining relevant risk management activities,
procedures that implement those policies, allocation of resources,
and mechanisms for evaluating whether policies and procedures
are being carried out as specified. Notably, the extent and
sophistication of a bank's governance function is expected to
align with the extent and sophistication of model usage.
Board of Directors and Senior
Management
Model risk governance is provided at the highest level by the
board of directors and senior management when they establish
a bank-wide approach to model risk management. As part of
their overall responsibilities, a bank's board and senior man­
agement should establish a strong model risk management
framework that fits into the broader risk management of the
organization. That framework should be grounded in an under­
standing of model risk— not just for individual models but also
in the aggregate. The framework should include standards for
model development, implementation, use, and validation.
While the board is ultimately responsible, it generally delegates
to senior management the responsibility for executing and
maintaining an effective model risk management framework.
Duties of senior management include establishing adequate
policies and procedures and ensuring compliance, assigning
competent staff, overseeing model development and implemen­
tation, evaluating model results, ensuring effective challenge,
reviewing validation and internal audit findings, and taking
prompt remedial action when necessary. In the same manner
as for other major areas of risk, senior management, directly
and through relevant committees, is responsible for regularly
reporting to the board on significant model risk, from individual
models and in the aggregate, and on compliance with policy.
Board members should ensure that the level of model risk is
within their tolerance and direct changes where appropriate.
These actions will set the tone for the whole organization about
the importance of model risk and the need for active model risk
management.
Policies and Procedures
Consistent with good business practices and existing
supervisory expectations, banks should formalize model risk
management activities with policies and the procedures to
implement them. Model risk management policies should be
consistent with this guidance and also be commensurate with
Chapter 8 Supervisory Guidance on Model Risk Management
the bank's relative complexity, business activities, corporate
culture, and overall organizational structure. The board or its
delegates should approve model risk management policies and
review them annually to ensure consistent and rigorous prac­
tices across the organization. Those policies should be updated
as necessary to ensure that model risk management practices
remain appropriate and keep current with changes in market
conditions, bank products and strategies, bank exposures and
activities, and practices in the industry. All aspects of model risk
management should be covered by suitable policies, including
model and model risk definitions; assessment of model risk;
acceptable practices for model development, implementation,
and use; appropriate model validation activities; and gover­
nance and controls over the model risk management process.
Policies should emphasize testing and analysis, and promote
the development of targets for model accuracy, standards for
acceptable levels of discrepancies, and procedures for review
of and response to unacceptable discrepancies. They should
include a description of the processes used to select and retain
vendor models, including the people who should be involved in
such decisions.
The prioritization, scope, and frequency of validation activities
should be addressed in these policies. They should establish
standards for the extent of validation that should be performed
before models are put into production and the scope of ongo­
ing validation. The policies should also detail the requirements
for validation of vendor models and third-party products. Finally,
they should require maintenance of detailed documentation of
all aspects of the model risk management framework, including
an inventory of models in use, results of the modeling and vali­
dation processes, and model issues and their resolution.
Policies should identify the roles and assign responsibilities
within the model risk management framework with clear detail
on staff expertise, authority, reporting lines, and continuity. They
should also outline controls on the use of external resources for
validation and compliance and specify how that work will be
integrated into the model risk management framework.
Roles and Responsibilities
Conceptually, the roles in model risk management can be
divided among ownership, controls, and compliance. While
there are several ways in which banks can assign the responsi­
bilities associated with these roles, it is important that reporting
lines and incentives be clear, with potential conflicts of interest
identified and addressed.
Business units are generally responsible for the model risk asso­
ciated with their business strategies. The role of model owner
■ 149
involves ultimate accountability for model use and performance
within the framework set by bank policies and procedures.
Model owners should be responsible for ensuring that models
are properly developed, implemented, and used. The model
owner should also ensure that models in use have undergone
appropriate validation and approval processes, promptly identify
new or changed models, and provide all necessary information
for validation activities.
Model risk taken by business units should be controlled. The
responsibilities for risk controls may be assigned to individu­
als, committees, or a combination of the two, and include
risk measurement, limits, and monitoring. Other responsibili­
ties include managing the independent validation and review
process to ensure that effective challenge takes place. Appropri­
ate resources should be assigned for model validation and for
guiding the scope and prioritization of work. Issues and prob­
lems identified through validation and other forms of oversight
should be communicated by risk-control staff to relevant individ­
uals and business users throughout the organization, including
senior management, with a plan for corrective action. Control
staff should have the authority to restrict the use of models and
monitor any limits on model usage. While they may grant excep­
tions to typical procedures of model validation on a temporary
basis, that authority should be subject to other control mecha­
nisms, such as timelines for completing validation work and lim­
its on model use.
Compliance with policies is an obligation of model owners and
risk-control staff, and there should be specific processes in place
to ensure that these roles are being carried out effectively and
in line with policy. Documentation and tracking of activities
surrounding model development, implementation, use, and vali­
dation are needed to provide a record that makes compliance
with policy transparent.
Internal Audit
A bank's internal audit function should assess the overall effec­
tiveness of the model risk management framework, including
the framework's ability to address both types of model risk
described in Section III, for individual models and in the aggre­
gate. Findings from internal audit related to models should be
documented and reported to the board or its appropriately
delegated agent. Banks should ensure that internal audit oper­
ates with the proper incentives, has appropriate skills, and has
adequate stature in the organization to assist in model risk
management. Internal audit's role is not to duplicate model risk
management activities. Instead, its role is to evaluate whether
model risk management is comprehensive, rigorous, and effec­
tive. To accomplish this evaluation, internal audit staff should
150 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
possess sufficient expertise in relevant modeling concepts as
well as their use in particular business lines. If some internal
audit staff perform certain validation activities, then they should
not be involved in the assessment of the overall model risk man­
agement framework.
Internal audit should verify that acceptable policies are in place
and that model owners and control groups comply with those
policies. Internal audit should also verify records of model use
and validation to test whether validations are performed in a
timely manner and whether models are subject to controls that
appropriately account for any weaknesses in validation activities.
Accuracy and completeness of the model inventory should be
assessed. In addition, processes for establishing and monitor­
ing limits on model usage should be evaluated. Internal audit
should determine whether procedures for updating models are
clearly documented, and test whether those procedures are
being carried out as specified. Internal audit should check that
model owners and control groups are meeting documentation
standards, including risk reporting. Additionally, internal audit
should perform assessments of supporting operational systems
and evaluate the reliability of data used by models.
Internal audit also has an important role in ensuring that valida­
tion work is conducted properly and that appropriate effective
challenge is being carried out. It should evaluate the objectivity,
competence, and organizational standing of the key validation
participants, with the ultimate goal of ascertaining whether
those participants have the right incentives to discover and
report deficiencies. Internal audit should review validation activi­
ties conducted by internal and external parties with the same
rigor to see if those activities are being conducted in accor­
dance with this guidance.
External Resources
Although model risk management is an internal process, a bank
may decide to engage external resources to help execute cer­
tain activities related to the model risk management framework.
These activities could include model validation and review, com­
pliance functions, or other activities in support of internal audit.
These resources may provide added knowledge and another
level of critical and effective challenge, which may improve the
internal model development and risk management processes.
However, this potential benefit should be weighed against the
added costs for such resources and the added time that external
parties require to understand internal data, systems, and other
relevant bank-specific circumstances.
W henever external resources are used, the bank should specify
the activities to be conducted in a clearly written and agreed-
upon scope of work. A designated internal party from the bank
should be able to understand and evaluate the results of valida­
tion and risk-control activities conducted by external resources.
The internal party is responsible for: verifying that the agreed
upon scope of work has been completed; evaluating and
tracking identified issues and ensuring they are addressed; and
making sure that completed work is incorporated into the bank's
overall model risk management framework. If the external
resources are only utilized to do a portion of validation or com­
pliance work, the bank should coordinate internal resources to
complete the full range of work needed. The bank should have a
contingency plan in case an external resource is no longer avail­
able or is unsatisfactory.
Model Inventory
Banks should maintain a comprehensive set of information for
models implemented for use, under development for imple­
mentation, or recently retired. While each line of business
may maintain its own inventory, a specific party should also be
charged with maintaining a firm-wide inventory of all models,
which should assist a bank in evaluating its model risk in the
aggregate. Any variation of a model that warrants a separate
validation should be included as a separate model and cross-
referenced with other variations.
W hile the inventory may contain varying levels of information,
given different model com plexity and the bank's overall level
of model usage, the following are some general guidelines.
The inventory should describe the purpose and products
for which the model is designed, actual or expected usage,
and any restrictions on use. It is useful for the inventory to
list the type and source of inputs used by a given model and
underlying components (which may include other models), as
well as model outputs and their intended use. It should also
indicate whether models are functioning properly, provide
a description of when they were last updated, and list any
exceptions to policy. O ther items include the names of individ­
uals responsible for various aspects of the model developm ent
and validation; the dates of com pleted and planned valida­
tion activities; and the time frame during which the model is
expected to remain valid.
Documentation
Without adequate documentation, model risk assessment and
management will be ineffective. Documentation of model devel­
opment and validation should be sufficiently detailed so that
parties unfamiliar with a model can understand how the model
operates, its limitations, and its key assumptions. Documenta­
tion provides for continuity of operations, makes compliance
Chapter 8 Supervisory Guidance on Model Risk Management
with policy transparent, and helps track recommendations,
responses, and exceptions. Developers, users, control and
compliance units, and supervisors are all served by effective
documentation. Banks can benefit from advances in information
and knowledge management systems and electronic documen­
tation to improve the organization, timeliness, and accessibility
of the various records and reports produced in the model risk
management process.
Documentation takes time and effort, and model developers
and users who know the models well may not appreciate its
value. Banks should therefore provide incentives to produce
effective and complete model documentation. Model develop­
ers should have responsibility during model development for
thorough documentation, which should be kept up-to-date as
the model and application environment changes. In addition,
the bank should ensure that other participants in model risk
management activities document their work, including ongoing
monitoring, process verification, benchmarking, and outcomes
analysis. Also, line of business or other decision makers should
document information leading to selection of a given model and
its subsequent validation. For cases in which a bank uses models
from a vendor or other third party, it should ensure that appro­
priate documentation of the third-party approach is available so
that the model can be appropriately validated.
Validation reports should articulate model aspects that were
reviewed, highlighting potential deficiencies over a range of
financial and economic conditions, and determining whether
adjustments or other compensating controls are warranted.
Effective validation reports include clear executive summaries,
with a statement of model purpose and an accessible synopsis
of model and validation results, including major limitations and
key assumptions.
CONCLUSION
This document has provided comprehensive guidance on effec­
tive model risk management. Many of the activities described
in this document are common industry practice. But all banks
should confirm that their practices conform to the principles in
this guidance for model development, implementation, and use,
as well as model validation. Banks should also ensure that they
maintain strong governance and controls to help manage model
risk, including internal policies and procedures that appropri­
ately reflect the risk management principles described in this
guidance. Details of model risk management practices may vary
from bank to bank, as practical application of this guidance
should be commensurate with a bank's risk exposures, its busi­
ness activities, and the extent and complexity of its model use.
■ 151
Information Risk
and Data Quality
Management
Learning Objectives
After completing this reading you should be able to:

Identify the most common issues that result in data errors. Describe the operational data governance process, including
the use of scorecards in managing information risk.
Explain how a firm can set expectations for its data quality
and describe some key dimensions of data quality used in
this process.

E x c e rp t is C h a p ter 3 o f Risk Management in Finance: Six Sigma and Other Next Generation Techniques, by A n th on y Tarantino and
D eborah Cernauskas.
It would not be a stretch of the imagination to claim that
most organizations today are heavily dependent on the use
of information to both run and im prove the ways that they
achieve their business objectives. That being said, the reliance
on dependable information introduces risks to the ability of
a business to achieve its business goals, and this means that
no enterprise risk management program is complete without
instituting processes for assessing, measuring, reporting,
reacting to, and controlling the risks associated with poor data
quality.
However, the consideration of information as a fluid asset,
created and used across many different operational and ana­
lytic applications, makes it difficult to envision ways to assess
the risks related to data failures as well as ways to monitor
conformance to business user expectations. This requires some
exploration into types of risks relating to the use of information,
ways to specify data quality expectations, and developing a data
quality scorecard as a management tool for instituting data gov­
ernance and data quality control.
In this chapter we look at the types of risks that are attributable
to poor data quality as well as an approach to correlating
business impacts to data flaws. Data governance (DG)
processes can contribute to the description of data quality
expectations and the definition of relevant metrics and
acceptability thresholds for monitoring conformance to those
expectations. Combining the raw metrics scores with measured
staff performance in observing data service-level agreements
contributes to the creation of a data quality scorecard for
managing risks.
9.1 ORGANIZATIONAL RISK,
BUSINESS IMPACTS, AND DATA
QUALITY
If successful business operations rely on high-quality data,
then the opposite is likely to be true as w ell: flawed data
will delay or obstruct the successful com pletion of business
processes. Determ ining the specific impacts that are related
to the different data issues that em erge is a challenging
process, but assessing im pact is sim plified through the char­
acterization of im pacts within a business im pact taxonom y.
Categories in this taxonom y relate to aspects of the busi­
ness's financial, confidence, and com pliance activities, yet all
business im pact categories deal with enterprise risk. There
are two aspects of looking at information and risk; the first
looks at how flawed information im pacts organizational risk,
while the other looks at the types of data failures that create
the exposure.
154 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Business Impacts of Poor Data Quality
Many data quality issues may occur within different business
processes, and a data quality analysis process should incorpo­
rate a business impact assessment to identify and prioritize risks.
To simplify the analysis, the business impacts associated with
data errors can be categorized within a classification scheme
intended to support the data quality analysis process and help
in distinguishing between data issues that lead to material busi­
ness impact and those that do not. This classification scheme
defines six primary categories for assessing either the negative
impacts incurred as a result of a flaw, or the potential opportuni­
ties for improvement resulting from improved data quality:
1. Financial impacts, such as increased operating costs,
decreased revenues, missed opportunities, reduction or
delays in cash flow, or increased penalties, fines, or other
charges.
2. Confidence-based impacts, such as decreased organiza­
tional trust, low confidence in forecasting, inconsistent
operational and management reporting, and delayed or
improper decisions.
3. Satisfaction impacts such as customer, employee, or sup­
plier satisfaction, as well as general market satisfaction.
4. Productivity impacts such as increased workloads,
decreased throughput, increased processing time, or
decreased end-product quality.
5. Risk impacts associated with credit assessment, investment
risks, competitive risk, capital investment and/or develop­
ment, fraud, and leakage.
6 . Compliance is jeopardized, whether that compliance is with
government regulations, industry expectations, or self-
imposed policies (such as privacy policies).
Despite the natural tendency to focus on financial impacts, in
many environments the risk and compliance impacts are largely
compromised by data quality issues. Some examples to which
financial institutions are particularly sensitive include:
• Anti-money laundering aspects of the Bank Secrecy Act and
the USA PATRIOT Act have mandated private organizations
to take steps in identifying and preventing money laundering
activities that could be used in financing terrorist activities.
• Sarbanes-Oxley, in which section 302 mandates that the
principal executive officer or officers and the principal finan­
cial officer or officers certify the accuracy and correctness of
financial reports.
• Basel II Accords provide guidelines for defining the regula­
tions as well as guiding the quantification of operational
and credit risk as a way to determine the amount of capital
 financial institutions are required to maintain as a guard
against those risks.
• The Gramm-Leach-Bliley Act of 1999 mandates financial
institutions with the obligation to "respect the privacy of its
customers and to protect the security and confidentiality of
those customers' nonpublic personal information."
• Credit risk assessment, which requires accurate documenta­
tion to evaluate an individual's or organization's abilities to
repay loans.
• System development risks associated with capital investment
in deploying new application systems emerge when moving
those systems into production is delayed due to lack of trust
in the application's underlying data assets.
While the sources of these areas of risk differ, an interesting
similarity emerges: not only do these mandate the use or pre­
sentation of high-quality information, they also require means of
demonstrating the adequacy of internal controls overseeing that
quality to external parties such as auditors. This means that not
only must financial institutions manage the quality of organiza­
tional information, they must also have governance processes in
place that are transparent and auditable.
Information Flaws
The root causes for the business impacts are related to flaws in
the critical data elements upon which the successful comple­
tion of the business processes depend. There are many types of
erred data, although these common issues lead to increased risk:
• Data entry errors
• Missing data
• Duplicate records
• Inconsistent data
• Nonstandard formats
• Com plex data transformations
• Failed identity management processes
• Undocumented, incorrect, or misleading metadata
All of these types of errors can lead to inconsistent report­
ing, inaccurate aggregation, invalid data mappings, incorrect
product pricing, and failures in trade settlement, among other
process failures.
9.2 EXAMPLES
The general approach to correlating business impacts to data
quality issues is not new, and in fact there are some interest­
ing examples that demonstrate different types of risks that are
attributable to flaws (both inadvertent and deliberate) in data.
Chapter 9 Information Risk and Data Quality Management
Employee Fraud and Abuse
In 1997, the Departm ent of Defense Guidelines on Data
Quality categorized costs into four areas: prevention, appraisal,
internal failure, and external failure. In turn, the impacts were
evaluated to assess costs to correct data problems as opposed
to costs incurred by ignoring them. Further assessment looked
at direct costs (such as costs for appraisal, correction, or
support) versus indirect costs (such as customer satisfaction).
That report documents examples of how poor data quality
impacts specific business processes: " . . . the inability to match
payroll records to the official employment record can cost
millions in payroll overpayments to deserters, prisoners, and
'ghost' soldiers. In addition, the inability to correlate purchase
orders to invoices is a major problem in unmatched
disbursem ents."1
The 2006 Association of Certified Fraud Examiners Report to
the Nation1
2 details a number of methods that unethical
employees can use to modify existing data to commit fraudulent
payments. Invalid data is demonstrated to have significant busi­
ness impacts, and the report details median costs associated
with these different types of improper disbursements.
Underbilling and Revenue Assurance
NTL, a cable operator in the United Kingdom, anticipated
business benefits in improving the efficiency and value of an
operator's network through data quality improvement. Invalid
data translated into discrepancies between services provided
and services invoiced, resulting in a waste of unknown excess
capacity. Their data quality improvement program was, to some
extent, self-funded through the analysis of "revenue assurance
to detect under billing. For example, . . . results indicated leak­
age of just over 3 percent of total revenue."3
Credit Risk
In 2002, a PricewaterhouseCoopers study on credit risk data
indicated that a significant percentage of the top banks were
deficient in credit risk data management, especially in the areas
1 U.S. Dept, of Defense, "DoD Guidelines on Data Quality Manage­
ment," 1997, accessible via www.tricare.mil/ocfo/_docs/DoDGuidelines
OnDataQualityManagement.pdf.
2 "2006 ACFE Report to the Nation on Occupational Fraud and Abuse,"
www.acfe.com/documents/2006-rttn. pdf.
3 Herbert, Brian, "Data Quality Management—A Key to Operator
Profitability," Billing and OSS World, March 2006, accessible at www
.billingworld.com/articles/feature/Data-Quality-Management-A-Key-to-
Operator.html.
■ 155
of counterparty data repositories, counterparty hierarchy data,
common counterparty identifiers, and consistent data
standards.4
Insurance Exposure
A 2008 Ernst & Young survey on catastrophe exposure data
quality highlighted that "shortcomings in exposure data quality
are common," and that "not many insurers are doing enough to
correct these shortcomings," which included missing or inaccu­
rate values associated with insured values, locations, building
class, occupancy class, as well as additional characteristics.5
Development Risk
Experience with our clients has indicated a common pattern in
which significant investment in capital acquisitions and accom­
panying software development has been made in the creation of
new business application systems, yet the deployment of those
systems is delayed (or perhaps even canceled) due to organiza­
tional mistrust of the application data. Such delayed application
development puts investments at risk.
Compliance Risk
Pharmaceutical companies are bound to abide by the federal
Anti-Kickback Statute, which restricts companies from offering or
paying remuneration in return for arranging for the furnishing of
items or services for which payment may be made under Medicare
or a state health care program. Pharmaceutical companies fund
research using their developed products as well as market those
same products to potentially the same pool of practitioners and
providers, so there is a need for stringent control and segregation
of the data associated with both research grants and marketing.
Our experience with some of our clients has shown that an
assessm ent of party information contained within master
data sets indicated some providers within the same practice
working under research grants while others within the same
practice subjected to marketing. Despite the fact that no
individual appeared within both sets of data, the fact that
individuals rolled up within the same organizational hierarchy
4 Inserro, Richard J., "Credit Risk Data Challenges Underlying the New
Basel Capital Accord," RMA Journal, April 2002, accessible at www.pwc
.com/tr/eng/about/svcs/abas/frm/creditrisk/articles/pwc_baselcreditdata-
rma.pdf.
5 Ernst & Young, "Raising the Bar on Catastrophe Data," 2008, acces­
sible via www.ey.com/Global/assets.nsf/US/Actuarial_Raising_the_bar_
catastrophe_data/$file/Actuarial_Raising_the_bar_catastrophe_data.pdf.
156 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
exposed the organization to potential violation of the Anti-
Kickback Statute.
9.3 DATA QUALITY EXPECTATIONS
These examples are not unique, but instead demonstrate pat­
terns that commonly emerge across all types of organizations.
Knowledge of the business impacts related to data quality issues
is the catalyst to instituting data governance practices that can
oversee the control and assurance of data validity. The first step
toward managing the risks associated with the introduction of
flawed data into the environment is articulating the business user
expectations for data quality and asserting specifications that can
be used to monitor organizational conformance to those expec­
tations. These expectations are defined in the context of "data
quality dimensions," high-level categorizations of assertions that
lend themselves to quantification, measurement, and reporting.
The intention is to provide an ability to characterize business
user expectations in terms of acceptability thresholds applied
to quantifiers for data quality that are correlated to the different
types of business impacts, particularly the different types of risk.
And although the academic literature in data quality enumerates
many different dimensions of data quality, an initial develop­
ment of a data quality scorecard can rely on a subset of those
dimensions, namely, accuracy, completeness, consistency, rea­
sonableness, currency, and identifiability.
Accuracy
The dimension of accuracy measures the degree with which data
instances compare to the "real-life" entities they are intended to
model. Often, accuracy is measured in terms of agreement with
an identified reference source of correct information such as a
"system of record," a similar corroborative set of data values
from another table, comparisons with dynamically computed
values, or the results of manually checking value accuracy.
Completeness
The completeness dimension specifies the expectations regarding
the population of data attributes. Completeness expectations can
be measured using rules relating to varying levels of constraint—
mandatory attributes that require a value, data elements with
conditionally optional values, and inapplicable attribute values.
Consistency
Consistency refers to measuring reasonable comparison of
values in one data set to those in another data. Consistency is
relatively broad, and can encompass an expectation that two
data values drawn from separate data sets must not conflict
with each other, or define more complex comparators with a set
of predefined constraints. More formal consistency constraints
can be encapsulated as a set of rules that specify relationships
between values of attributes, either across a record or message,
or along all values of a single attribute.
However, be careful not to confuse consistency with accuracy
or correctness. Consistency may be defined between one set of
attribute values and another attribute set within the same record
(record-level consistency), between one set of attribute values
and another attribute set in different records (cross-record con­
sistency), or between one set of attribute values and the same
attribute set within the same record at different points in time
(temporal consistency).
Reasonableness
This dimension is used to measure conformance to consistency
expectations relevant within specific operational contexts. For
example, one might expect that the total sales value of all the
transactions each day is not expected to exceed 105 percent of
the running average total sales for the previous 30 days.
Currency
This dimension measures the degree to which information is cur­
rent with the world that it models. Currency measures whether
data is considered to be "fresh," and its correctness in the face
of possible time-related changes. Data currency may be mea­
sured as a function of the expected frequency rate at which
different data elements are expected to be refreshed, as well
as verifying that the data is up to date. Currency rules may be
defined to assert the "lifetim e" of a data value before it needs
to be checked and possibly refreshed.
Uniqueness
This dimension measures the number of inadvertent duplicate
records that exist within a data set or across data sets. Asserting
uniqueness of the entities within a data set implies that no entity
exists more than once within the data set and that there is a key
that can be used to uniquely access each entity (and only that
specific entity) within the data set.
Other Dimensions of Data Quality
This list is by no means complete— there are many other aspects
of expressing the expectations for data quality, such as semantic
consistency (dealing with the consistency of meanings of data
elements), structural format conformance, timeliness, and valid
ranges, valid within defined data domains, among many others.
Chapter 9 Information Risk and Data Quality Management
The principal concept is that the selected dimensions character­
ize aspects of the business user expectations and that they can
be quantified using a reasonable measurement process.
9.4 MAPPING BUSINESS POLICIES
TO DATA RULES
Having identified the dimensions of data quality that are relevant
to the business processes, we can map the information policies
and their corresponding business rules to those dimensions. For
example, consider a business policy that specifies that personal
data collected over the web may be shared only if the user has
not opted out of that sharing process. This business policy defines
information policies: the data model must have a data attribute
specifying whether a user has opted out of information sharing,
and that attribute must be checked before any records may be
shared. This also provides us with a measurable metric: the count
of shared records for those users who have opted out of sharing.
The same successive refinement can be applied to almost every
business policy and its corresponding information policies. As
we distill out the information requirements, we also capture
assertions about the business user expectations for the result
of the operational processes. Many of these assertions can be
expressed as rules for determining whether a record does or
does not conform to the expectations. The assertion is a quanti­
fiable measurement when it results in a count of nonconforming
records, and therefore monitoring data against that assertion
provides the necessary data control.
Once we have reviewed methods for inspecting and measuring
against those dimensions in a quantifiable manner, the next step
is to interview the business users to determine the acceptability
thresholds. Scoring below the acceptability threshold indi­
cates that the data does not meet business expectations, and
highlights the boundary at which noncompliance with expecta­
tions may lead to material impact to the downstream business
functions. Integrating these thresholds with the methods for
measurement completes the construction of the data quality
control. Missing the desired threshold will trigger a data quality
event, notifying the data steward and possibly even recom­
mending specific actions for mitigating the discovered issue.
9.5 DATA QUALITY INSPECTION,
CONTROL, AND OVERSIGHT:
OPERATIONAL DATA GOVERNANCE
In this section we highlight the relationship between data issues
and their downstream impacts, and note that being able to con­
trol the quality of data throughout the information processing
■ 157
flow will enable immediate assessment, initiation of remediation,
and an audit trail demonstrating the levels of data quality as well
as the governance processes intended to ensure data quality.
O perational data governance is the manifestation of the pro­
cesses and protocols necessary to ensure that an acceptable level
of confidence in the data effectively satisfies the organization's
business needs. A data governance program defines the roles,
responsibilities, and accountabilities associated with managing
data quality. Rewarding those individuals who are successful at
their roles and responsibilities can ensure the success of the data
governance program. To measure this, a "data quality scorecard"
provides an effective management tool for monitoring organiza­
tional performance with respect to data quality control.
Operational data governance combines the ability to identify data
errors as early as possible with the process of initiating the activi­
ties necessary to address those errors to avoid or minimize any
downstream impacts. This essentially includes notifying the right
individuals to address the issue and determining if the issue can
be resolved appropriately within an agreed-to time frame. Data
inspection processes are instituted to measure and monitor compli­
ance with data quality rules, while service-level agreements (SLAs)
specify the reasonable expectations for response and remediation.
Note that data quality inspection differs from data validation.
While the data validation process reviews and measures confor­
mance of data with a set of defined business rules, inspection is
an ongoing process to:
• Reduce the number of errors to a reasonable and manage­
able level.
• Enable the identification of data flaws along with a protocol
for interactively making adjustments to enable the comple­
tion of the processing stream.
• Institute a mitigation or remediation of the root cause within
an agreed-to time frame.
The value of data quality inspection as part of operational data
governance is in establishing trust on behalf of downstream
users that any issue likely to cause a significant business impact
is caught early enough to avoid any significant impact on
operations. Without this inspection process, poor-quality data
pervades every system, complicating practically any operational
or analytical process.
9.6 MANAGING INFORMATION RISK
VIA A DATA QUALITY SCORECARD
While there are practices in place for measuring and monitoring
certain aspects of organizational data quality, there is an oppor­
tunity to evaluate the relationship between the business impacts
158 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
of noncompliant data as indicated by the business clients and
the defined thresholds for data quality acceptability. The degree
of acceptability becomes the standard against which the data is
measured, with operational data governance instituted within
the context of measuring performance in relation to the data
governance procedures. This measurement essentially covers
conformance to the defined standards, as well as monitoring
staff agility in taking specific actions when the data sets do not
conform. Given the set of data quality rules, methods for mea­
suring conformance, the acceptability thresholds defined by the
business clients, and the SLAs, we can monitor data governance
by observing not only compliance of the data to the business
rules, but of the data stewards to observing the processes asso­
ciated with data risks and failures.
The dimensions of data quality provide a framework for defin­
ing metrics that are relevant within the business context while
providing a view into controllable aspects of data quality man­
agement. The degree of reportability and controllability may
differ depending on one's role within the organization, and cor­
respondingly, so will the level of detail reported in a data quality
scorecard. Data stewards may focus on continuous monitoring in
order to resolve issues according to defined SLAs, while senior
managers may be interested in observing the degree to which
poor data quality introduces enterprise risk.
Essentially, the need to present higher-level data quality scores
introduces a distinction between two types of metrics. The
simple metrics based on measuring against defined dimen­
sions of data quality can be referred to as "base-level" metrics,
and they quantify specific observance of acceptable levels of
defined data quality rules. A higher-level concept would be the
"com plex" metric representing a rolled-up score computed as
a function (such as a sum) of applying specific weights to a col­
lection of existing metrics, both base-level and complex. The
rolled-up metric provides a qualitative overview of how data
quality impacts the organization in different ways, since the
scorecard can be populated with metrics rolled up across dif­
ferent dimensions depending on the audience. Com plex data
quality metrics can be accumulated for reporting in a scorecard
in one of three different views: by issue, by business process,
or by business impact.
Data Quality Issues View
Evaluating the impacts of a specific data quality issue across
multiple business processes demonstrates the diffusion of
pain across the enterprise caused by specific data flaws. This
scorecard scheme, which is suited to data analysts attempt­
ing to prioritize tasks for diagnosis and remediation, provides
a rolled-up view of the impacts attributed to each data issue.
Drilling down through this view sheds light on the root causes of
impacts of poor data quality, as well as identifying "rogue pro­
cesses" that require greater focus for instituting monitoring and
control processes.
Business Process View
Operational managers overseeing business processes may be
interested in a scorecard view by business process. In this view,
the operational manager can examine the risks and failures
preventing the business process's achievement of the expected
results. For each business process, this scorecard scheme con­
sists of complex metrics representing the impacts associated
with each issue. The drill-down in this view can be used for
isolating the source of the introduction of data issues at specific
stages of the business process as well as informing the data
stewards in diagnosis and remediation.
Business Impact View
Business impacts may have been incurred as a result of a num­
ber of different data quality issues originating in a number of
different business processes. This reporting scheme displays
the aggregation of business impacts rolled up from the dif­
ferent issues across different process flows. For example, one
scorecard could report rolled-up metrics documenting the accu­
mulated impacts associated with credit risk, compliance with
privacy protection, and decreased sales. Drilling down through
the metrics will point to the business processes from which the
issues originate; deeper review will point to the specific issues
within each of the business processes. This view is suited to a
more senior manager seeking a high-level overview of the risks
associated with data quality issues, and how that risk is intro­
duced across the enterprise.
Managing Scorecard Views
Essentially, each of these views composing a data quality score-
card require the construction and management of a hierarchy of
metrics related to various levels of accountability for support the
organization's business objectives. But no matter which scheme
Chapter 9 Information Risk and Data Quality Management
is employed, each is supported by describing, defining, and
managing base-level and complex metrics such that:
• Scorecards reflecting business relevance are driven by a hier­
archical rollup of metrics.
• The definition of metrics is separated from its contextual
use, thereby allowing the same measurement to be used in
different contexts with different acceptability thresholds and
weights.
• The appropriate level of presentation can be materialized
based on the level of detail expected for the data consumer's
specific data governance role and accountability.
SUMMARY
Scorecards are effective management tools when they can sum­
marize important organizational knowledge as well as alerting
the appropriate staff members when diagnostic or remedial
actions need to be taken. Part of an information risk manage­
ment program would incorporate a data quality scorecard that
supports an organizational data governance program; this
program is based on defining metrics within a business context
that correlate the metric score to acceptable levels of business
performance. This means that the metrics should reflect the
business processes' (and applications') dependence on accept­
able data, and that the data quality rules being observed and
monitored as part of the governance program are aligned with
the achievement of business goals.
These processes simplify the approach to evaluating risks to
achievement of business objectives, how those risks are associated
with poor data quality and how one can define metrics that cap­
ture data quality expectations and acceptability thresholds. The
impact taxonomy can be used to narrow the scope of describing
the business impacts, while the dimensions of data quality guide
the analyst in defining quantifiable measures that can be cor­
related to business impacts. Applying these processes will result
in a set of metrics that can be combined into different scorecard
schemes that effectively address senior-level manager, operational
manager, and data steward responsibilities to monitor information
risk as well as support organizational data governance.
■ 159
Validating Rating
Models
Learning Objectives
After completing this reading you should be able to:

Explain the process of model validation and describe best Describe challenges related to data quality and explain
practices for the roles of internal organizational units in steps that can be taken to validate a model's data quality.
the validation process.
Explain how to validate the calibration and the
Compare qualitative and quantitative processes for discriminatory power of a rating model.
validating internal ratings and describe elements of each
process.

E x c e rp t is C h a p ter 5 o f Developing, Validating and Using Internal Ratings: Methodologies and Case Studies, by G iacom o De
Laurentis, Renato M aino and Luca M olteni.

S e e bibliography on p p . 421-423.

161
10.1 VALIDATION PROFILES
Ratings systems validation scopes and steps are presented in
this chapter. As a rating system 'comprises all of the methods,
processes, controls, and data collection and IT systems that sup­
port the assessment of credit risk, the assignment of internal
risk ratings, and the quantification of default and loss estimates'
(Basel Committee, 2004, §394), it is clear that the validation
scope is quite wide.
The validation of internal ratings is strictly required by the Basel
Committee (2004, §530) for banks willing to opt for Internal Rat­
ing Based (IRB) approaches: 'banks must have a robust system in
place to validate the accuracy and consistency of their internal
models and modeling processes. A bank must demonstrate
to its supervisor that the internal validation process enables it
to assess the performance of its internal model and processes
consistently and meaningfully'. However, the validation of an
internal rating system is critical to the validation of the whole
credit risk management system of a bank, both from a regulatory
point of view and from a business management point of view.
It is crucial to the former perspective because capital adequacy
depends on rating systems for banks adopting Internal Rat­
ing Based Approaches according to the Basel II regulation (the
use of IRB approaches for the purposes of calculating capital
requirements is subject to an explicit approval by national super­
visory authorities and follows a 'supervisory validation' of rating
systems). In addition, it is critical because Pillar 2 of Basel II is
focused on the adequacy of risk management systems in order
to safely and rationally manage the bank. It is also critical from
the latter perspective because key decisions concerning indi­
vidual loans underwriting decisions as well as credit portfolio
management decisions depend on rating systems.
Therefore, the difference in scope of 'regulatory validation' and
of 'internal validation' is more apparent than real. In addition,
consider that in order to be validated for regulatory purposes,
a system has to be previously internally validated; on top of
that, the technical contents of validation processes are very
similar in both cases. These are reasons why we are going to use
almost indifferent regulatory requirements as internal validation
requirements.
On an ongoing basis, in the validation process, the bank has to
verify the reliability of the results generated by the rating system
and its continued consistency with regulatory requirements and
operational needs. The validation instruments and methods are
periodically reviewed also, and adjusted and updated to ensure
that they remain appropriate in a context of continually evolv­
ing market variables and operating conditions. According to the
'proportionality principle', the scope and depth of quantitative
162 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
and qualitative validation should be correlated with the type of
credit portfolios examined, the overall complexity of the bank,
and the stability of markets.
Rating systems must undergo a validation process consisting of
a set of formal activities, instruments, and procedures for assess­
ing the accuracy of the estimates of all material risk components
and the predictive power of the overall performance system.
The Basel II regulation states that: 'The institution shall have a
regular cycle of model validation that includes monitoring of
model performance and stability, review of model relationships,
and testing of model outputs against outcomes.' (Basel Commit­
tee, 2004, §417). However, the same regulation underlines that
the validation process lies not only on statistical comparisons of
actual risk measures against the ex ante estimates, checking of
parameter calibrations, benchmarking and stress tests, but also
involves analyses of all the components of the internal rating
system, including operational processes, controls, documenta­
tion, IT infrastructure, as well as an assessment of their overall
consistency. Therefore, validation also requires the assessment
of the model development process, with particular reference to
the underlying logical structure and the methodological criteria
supporting the risk parameter estimates.
Validation includes, too, the critical verification that the rat­
ing system is actually used (and how) in the various areas of
bank operations. This is known as the 'use test', also required
by Basel II and better specified in Basel Committee (2006).
The results of the validation process need to be adequately
documented and periodically submitted to the internal control
functions and the governing bodies. The reports shall specifi­
cally address any problem areas.
Figure 10.1 gives an overview of the essential steps of rating
systems validation.
validation p ro ce ss.
In summary, the validation process has the key role of reviewing
model building steps and application choices, detecting weak­
nesses and limitations, verifying the proper use of the system,
and last, but not least, analyzing contingent solutions planned
in case the robustness of the model falls or is lacking. Best
practices have to be monitored to minimize misalignments of
the whole process of internal credit risk management.
10.2 ROLES OF INTERNAL
VALIDATION UNITS
The Basel II regulation is particularly innovative in terms of
organizational requirements and internal controls. The rules lay
down essential notions and criteria that banks must adopt in
developing their rating systems. They also set down the orga­
nizational and quantitative requirements banks must comply
with for recognition of their methods for capital adequacy pur­
poses. The organizational requirements set rules which govern
organization and controls, internal validation of rating systems,
characteristics of rating systems (e.g ., replicability, integrity,
and consistency), their use in operations (use test), informa­
tion systems and data flows. The quantitative requirements
regard the structure of rating systems, the determination of
risk param eters, stress tests, and the use of models developed
by third-party vendors.
Specific requirements are set for the senior management and
those who have roles in corporate governance and oversight.
'All material aspects of the rating and estimation processes
must be approved by the bank's board of directors or a des­
ignated committee thereof and senior management. These
parties must possess a general understanding of the bank's risk
rating system and detailed comprehension of its associated
management reports. Senior management must provide notice
to the board of directors or a designated committee thereof of
material changes or exceptions from established policies that
will materially impact the operations of the bank's rating sys­
tem ' (Basel Com m ittee, 2004, §438).
'Senior management also must have a good understanding of
the rating system's design and operation, and must approve
material differences between established procedure and actual
practice. Management must also ensure, on an ongoing basis,
that the rating system is operating properly. Management
and staff in the credit control function must meet regularly to
discuss the performance of the rating process, areas needing
improvement, and the status of efforts to improve previously
identified deficiencies' (Basel Com m ittee, 2004, §439). Inter­
nal ratings must also be an essential part of the reporting to
these parties.
In performing these tasks, senior management must consider
recommendations produced by the validation process and
review reports produced by the internal audit unit.
The validation process is performed by a specific organi­
zational unit that may partially leverage on the support of
operational units in performing its activities. In smaller banks,
the least that is needed is the appointm ent of a manager
devoted to coordinate and oversee these activities.
To perform these tasks, the validation unit has to be inde­
pendent of other functions devoted to develop and to main­
tain model tools and to handle credit risk processes and
procedures. It is advisable that the validation unit is also inde­
pendent from those involved in assigning ratings and lending.
Specifically, persons in charge of the function should not be
subordinate to persons responsible for such activities.
Specific attention has to be paid to ensure the appropriate skills
of human resources employed.
Where compliance with this requirement would prove to be
excessively burdensome, the validation unit may be involved in
the rating system design and development process, provided
that appropriate organizational and procedural, precautions
are adopted and respected. In such a case, the internal audit
function should verify that these activities are performed in an
independent manner, fully achieving the intended objectives.
The validation unit should also be independent from the inter­
nal audit function, which should review the validation process
and findings.
In short, validation and control processes and organizational
roles involved are depicted in Table 10.1.
Also, the internal audit function is deeply involved in validation
processes, including the continued analysis of the com pli­
ance in the use of rating systems with internal and regulatory
requirements. In particular, it is necessary to audit the inde­
pendence of the validation unit and the quality of resources
involved.
Validation is mostly performed on the basis of the documenta­
tion received by functions in charge of the model development
and implementation in banks' credit processes. Therefore, the
scope, transparency, and completeness of documentation are
essential; these characteristics are important validation criteria.
Banking groups with significant cross-border operations may
have different organizational structures in different countries.
Nevertheless, in all cases the parent company has to ensure
that the organization of the validation and review functions
within the group enable the unified management and control of
models and rating systems.
Chapter 10 Validating Rating Models ■ 163
Table 10.1 P ro ce sse s and R oles of V alidation and C o n tro l of Internal Rating S ystem s

Models Procedures Tools Management Decision

Basic Controls Task: model develop­
ment and back testing
Owner: credit risk
models development
unit
Task: credit Task: operations Task: lending policy
risk procedures maintenance applications
maintenance Owner: lending units/ Owner: central and
Owner: lending units/ IT/internal audit decentralized units/
internal control units internal control units

Second controls layer Task: continuous test of Task: lending policy

models/processes/tools suitability
performance Owner: validation unit/
Owner: lending unit/ internal audit
internal audit

Third controls layer Risk management/CRO Organisation/COO Lending unit/CLO /CO O Lending unit/CLO/CRO

Accountability for Top management/Surveillance board/Board of directors

supervisory purposes

CRO: Credit Risk Officer; CLO: Chief Lending Officer; COO: Chief Operating Officer; IT: Information Technology Department.

10.3 QUALITATIVE AND
QUANTITATIVE VALIDATION
There are two main areas of validation: qualitative and quanti­
tative. Qualitative validation ensures the proper application of
quantitative methods and the proper usage of ratings. Quanti­
tative validation comprises all validation procedures of ratings
in which statistical indicators are calculated and interpreted on
the basis of an empirical dataset. In recent years, many books
and articles have dealt with this topic, included among which
are Engelmann and Rauhmeier (2006) and Christodoulakis and
Satchell (2008).
Qualitative and quantitative validation complement each other.
A rating procedure should only be applied in practice if it
receives a positive assessment in the qualitative area. A positive
assessment by the quantitative validation is not sufficient p e r
se. Conversely, a negative quantitative assessment should not
be considered decisive because statistical estimates are subject
to random fluctuations and a certain degree of tolerance in the
interpretation of results should be allowed. It is, therefore, nec­
essary to place emphasis on qualitative validation.
Qualitative Validation
Rating Systems Design
Rating systems design concerns the proper choice of the models
architecture in relationship to the market segments in which the
model is going to be used. It is necessary to ensure the trans­
parency of the assumptions and/or evaluations which form the
basis of the rating models design. The general suitability of a
rating approach for specific rating segments has to be assessed.
A number of other areas must be investigated:
• consistency of model development processes and
methodologies,
• adequate calibration of model output to default probabilities,
• proper documentation of all model functions,
• analytical description of the rating process, with duties and
responsibilities of key personnel,
• the robust procedures in place for validation and regular review.
In addition, there are important organizational profiles of rating
systems' qualitative validation; they concern the link between
the model, process, procedures, approval powers, and con­
trols. Even the best model does not produce the expected
added value to bank lending if it is misunderstood or if it is not
adequately supported in daily applications. In this perspective,
adequate education, clear procedures, proper guidelines, and
support in tackling exceptions are fundamental. The assessment
of the actual use of rating systems in credit approval processes
is a key component of qualitative validation. In fact, the model
must not only be a formal requirement for capital adequacy
purposes or portfolio decisions; it must be fully integrated in
the decision making process concerning single loans. If the bank
credit culture does not accept the new model-based rating
assignment processes, the risk of having two different processes
(one being formal but inactive and the other informal but used
in daily lending decisions) is very high. The validation has to
detect these situations and suggest how to overcome them.
In the earlier stages of rating systems development in a bank, it
commonly happens that credit risk functions spend a lot of time

164 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
on model building, number crunching, statistical testing, and so
on. Procedural aspects are underestimated in terms of the time,
resources, and investments needed, as they are erroneously
considered less problematic and easier to overcome. Since these
early stages, the role of the validation unit in detecting the orga­
nizational readiness to accept and to correctly apply the new
rating system is essential. The validation unit should have great
visibility to top management and should lever on it in order to
ask enough resources to properly take off the new process.
The essential requirements of rating systems that need to be
checked in qualitative validation can be summarized in the fol­
lowing five main features:
• obtaining probabilities of default
• completeness
• objectivity
• acceptance
• consistency.
O btaining probabilities o f default Ratings are the basis for
almost all risk management applications once they have been
quantified and probabilities of default have been obtained. In
this perspective, different methods of rating assignment pro­
duce PDs in distinctive ways. Statistical models are developed
on the basis of an empirical dataset, which makes it possible
to determine the PD for individual rating classes by calibrat­
ing results with the empirical data. Logistic regression enables
the direct calculation of default probabilities, while for other
methods (e.g., discriminant analysis) a specific adjustment is
needed. Likewise, it is possible to validate the calibration of the
rating model (ex p o st) using data gathered from the operational
deployment of the model. Using this data, the default param­
eter can be constantly monitored and validated over time to
maintain PDs aligned with real world outcomes.
Rating sy ste m co m p le te n e ss Completeness is the next impor­
tant feature of an internal rating system. In order to ensure
the completeness of credit rating procedures, banks need to
take all available information into account when assigning rat­
ings to borrowers or transactions (Basel Committee, 2004,
§417). The nature of the chosen rating assignment approach
strongly impacts on this feature. Many default risk models use
a small number of characteristics of the borrower to infer its
creditworthiness. For this reason, it is important to verify the
completeness of factors used to determine a counterpart's
creditworthiness, at least in model building stages and/or in the
operational use (for instance, analyzing the scope of overrides
proposed by a credit analyst). In the estimation of statistical-
based models, as a large number of borrowers' characteristics
can be tested, the possibility to force variables to enter into the
model in order to increase the completeness of the relevant risk
factors should be verified. Usually, the computer-based pro­
cessing of information enables expert systems and fuzzy logic
systems to take a larger number of characteristics into consider­
ation, meaning that such systems can be more comprehensive if
properly modeled.
Rating sy ste m o b je ctiv ity A good rating system needs pro­
cedures that capture creditworthiness factors clearly and also
minimize room for interpretation. Achieving high discriminatory
power of ratings requires that they are assigned as objectively
as possible, minimizing biases. In judgment-based approaches
this can only be ensured by precise and plausible guidelines,
common cultural backgrounds, appropriate training, ongoing
benchmarking, and adequate organizational choices (team work,
supervision, balancing individual analysts' specialization by sec­
tor, and analysts' teams' cross-sector mix). In statistical models,
borrowers' characteristics are selected and weighed using an
empirical dataset and objective methods; therefore, we can
regard these models as the most 'objective' rating procedures.
When the model is fed by the same information, unavoidably
the same results are obtained. This is also the case for expert
systems and neural networks, where borrowers' creditworthiness
is determined using defined algorithms and rules.
Rating sy ste m a ccep ta n ce Rating systems have also to be
accepted by users, above all, internal users such as credit ana­
lysts, credit officers, and loan officers. Therefore, some require­
ments are necessary:
a. The rating system should not produce classifications that
are very often too far from those expected by bank analysts
and officers;
b. For small and medium enterprises, mechanical rating mod­
els often have higher discriminatory power than a poorly
structured judgment-based approach developed by poorly
experienced and trained credit officers. However, they
are less easily accepted because many actors do not have
enough technical knowledge to understand them. Hence,
an adequate education and level of disclosure on model
frameworks for all actors involved in the lending process are
indispensable.
Therefore, the validation process has to verify that rating models
are well understood and shared by the users.
Different rating approaches have different degrees of acceptabil­
ity. Generally speaking, as heuristic models are designed on the
basis of experts' experience in lending, these models are more
easily accepted; their credit assessments are considered warmer
by end-users because they replicate their common culture. The
acceptance of fuzzy logic systems may be lower as they require
a greater degree of technical knowledge due to their fuzzy
Chapter 10 Validating Rating Models ■ 165
algorithms and changing variables' weights in different con­
texts. One severe disadvantage for the acceptance of artificial
neural networks lies in their 'black box' nature. The increase in
discriminatory power achieved by such methods depends on the
network's ability to learn and on the parallel processing of infor­
mation within the network. However, it is precisely this com plex­
ity which makes it difficult to comprehend results.
R a tin g s y s te m c o n s is te n c y Consistency is the last but not
least feature. Models have to be coherent and suitable for the
borrowers to which they are applied and with the theoretical
frameworks of users. When developing a statistical rating model,
relationships between indicators may arise which contradict eco­
nomic theory. Such contradictory indicators have to be excluded
from further analyses; filtering out these problematic indicators
serves to ensure consistency. Heuristic models do not contradict
recognized scientific theories and methods, as these models are
based on the experience and observations of credit experts.
Pure statistical models depict business inter-relationships directly
from empirical datasets and consistency should be checked.
The Basel II regulation states specific validation requirements
in case statistical models and other mechanical methods are
used to assign borrower or facility ratings or in estimation of
PDs, LGDs, or EADs (Basel Committee, 2004, §417). First of all,
it is recognized that 'Although mechanical rating procedures
may sometimes avoid some of the idiosyncratic errors made by
rating systems in which human judgement plays a large role,
mechanical use of limited information also is a source of rating
errors. Credit scoring models and other mechanical procedures
are permissible as the primary or partial basis of rating assign­
ments, and may play a role in the estimation of loss charac­
teristics. Sufficient human judgem ent and human oversight is
necessary to ensure that all relevant and material information,
including that which is outside the scope of the model, is also
taken into consideration, and that the model is used appropri­
ately'. This means that models must be part of a broader rating
system, in which other methodologies add further information
and expertise assuring completeness.
Other requirements of §417 are as follows: 'the burden is on
the bank to satisfy its supervisor that a model or procedure has
good predictive power and that regulatory capital requirements
will not be distorted as a result of its use. The variables that are
input to the model must form a reasonable set of predictors.
The model must be accurate on average across the range of
borrowers or facilities to which the bank is exposed and there
must be no known material biases. The bank must have in place
a process for vetting data inputs into a statistical default or loss
prediction model which includes an assessment of the accuracy,
completeness and appropriateness of the data specific to the
assignment of an approved rating. The bank must demonstrate
166 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
that the data used to build the model are representative of the
population of the bank's actual borrowers or facilities. When
combining model results with human judgem ent, judgements
must take into account all relevant and material information not
considered by the model. The bank must have written guidance
describing how human judgem ent and model results are to be
combined. The bank must have procedures for human review of
model based rating assignments. Such procedures should focus
on finding and limiting errors associated with known model
weaknesses and must also include credible ongoing efforts to
improve the model's performance . . . The influence of individual
factors on rating results should be comprehensible and in line
with the current business research and practice. For example, if
a multivariate statistical method is applied, factors in a statistical
ratio analysis have to be plausible and comprehensible, accord­
ing to the fundamentals of financial statement analysis and the
economic theory of the firm.'
Therefore, in Paragraph 417 of the Basel II regulation, all five
essential requirements (obtaining probabilities of default, com­
pleteness, objectivity, acceptance, consistency) for a satisfactory
rating system have been detailed.
The same Basel II paragraph indicates two other important
aspects of validation processes, that is to say, the continuity of
validation processes and the completeness of documentation:
'The bank must have a regular cycle of model validation that
includes monitoring of model performance and stability; review
of model relationships; and testing of model outputs against
outcomes . . . In statistical models, special emphasis is to be
placed on documenting the models statistical foundations, which
have to be in line with the standards of quantitative validation.'
In examining all these features, the validation unit also has to
take carefully into account external benchmarks, such as special­
ist literature and competitors application. The rating system is
a decisional tool and can dramatically harm the bank's ability
to compete if it is not aligned with those used by direct incum­
bents in the market.
D ata Quality
In statistical models, data quality is essential. Good data give
outstanding results also using simple models, whereas the most
advanced models cannot overcome poor data quality. There­
fore, a comprehensive dataset is an essential prerequisite for
quantitative validation. In this context, a number of qualitative
aspects have to be considered:
• completeness of data,
• volume of available data,
• representativeness of samples used for model development
and validation,
• consistency and integrity of data sources,
• adequacy of procedures used to ensure data cleansing and,
in general, data quality.
The validation unit has a central role in confirming the dataset
quality.
Particularly relevant are the reliability and completeness of
defaulted observations because these are the actual limit to
develop adequately large datasets for model development,
rating quantification, and validation. The consistency of default
definition used throughout data collection processes (that per­
haps take place in different institution of a bank group, in dif­
ferent periods and countries) and its compliance with the Basel
II definition of default (Basel Committee, 2004, §452) are both
critical. Sample size is important as well as sample homogeneity:
ideally, a sample has to be generated from a unique popula­
tion using the same procedures, criteria, and methodology over
the time. In other words, the sample must be generated by the
same 'lending technology'. This is the set of information, rules,
contracts, and policies applied to credit origination and moni­
toring; changing one or more of these components changes
the credit portfolio generation and the borrowers' profile in the
dataset (Berger and Udell, 2006) and can harm the consistency
between the model development dataset and the population to
which the model is operationally applied to.
A further profile of data quality is the time span to which data
refers. Ideally, the dataset should be generated by considering
an entire credit cycle; otherwise, estimates will be dependent on
specific favorable or unfavorable cycle stages. Macroeconomic
conditions are one of the most important determinants of default
rates. If we miss a good representation of the credit cycle we
miss something really relevant in describing default probability.
The combination of the last two mentioned conditions (lending
technology stability and credit cycle coverage) proves to be very
restrictive. We rarely observe procedures and processes that
remain constant for five or more years of an entire credit cycle
(the last started in 2002 and ended in 2008). Changes are more
frequent because of the increasing technological opportuni­
ties to speed up processes and efficiency, discontinuities in the
economic environment that lead to radically modifying credit
policies, and new market segments becoming relevant; banks'
mergers and acquisitions strongly impact on many aspects of
the lending technology, too.
The validation process also has to pay attention to preliminary
data treatment activities (such as finding and managing outliers,
missing values, and poor data representativeness for some cus­
tomers' segments).
Data quality is so relevant that the validation unit has to dedi­
cate specific attention to these aspects. Figure 10.2 depicts the
Fiqure 10.2 From sam p le s to m arket p o p u latio n :
data relatio n sh ip s.
conceptual structure of data links from the model development
dataset to the market the bank potentially confronts with.
Samples used in model building should have some desirable
technical properties (low heteroscedasticity, no abnormal values,
and so forth). Actual populations do not share these properties.
The best way to extend a model's findings to populations is to
apply a proper calibration and to perform out-of-sam ple analy­
ses. These analyses are based on observations that are gener­
ated by the same lending technology but that were not included
in the development sample. As a result, it is advisable to build
various samples, one dedicated to support model building and
others used for out-of-sample, out-of-time, and out-of-universe
validations of a model's performance.
The validation unit has an essential role in assessing two critical
aspects: (i) stability of the lending technology behind data and
(ii) proper model calibration in order to generalize results from
sample to population. The two issues overlap, to some extent. If
the observed in-sample default rate diverges from the total pop­
ulation, then calibration should reflect this divergence because
the sample's central tendency would be different from the popu­
lation's central tendency. This may simply be due to the fact that
bank's lending technology is selecting borrowers better or worse
than competing banks. This circumstance may also occur when
lending technology changes: if the model is not re-calibrated, it
continues to apply old criteria to new states of business. This is
typically the case when mergers, acquisitions, demergers and so
forth determine a change in the bank's lending technology.
The validation unit should be fully aware of the consequences
of lending technology changes as well as of misalignments
between borrowers' profiles in the original sample and popula­
tion's profiles. If the rupture is significant, an extraordinary phase
of model revision would be needed, at least in terms of model
calibration.
Focus on calibration. Suppose that we use a balanced sam­
ple (50% performing, 50% defaulting borrowers) for model
Chapter 10 Validating Rating Models ■ 167
 Calibration effects on model scores
Cumulated percentiles
Balanced sample score distribution (def.rate 50%)
Population score distribution (calibration at def.rate 2,34%)
— — — Population score distribution (calibration at def.rate 1,0%)
Fiqure 10.3 C alib ratio n effects on m odel sco re
estim a ted PD s using d ifferen t long term a v e ra g e
d efau lt rates.
development in order to assure the best conditions for applying
statistical methods: luckily, real banks' loan portfolios are much
less risky. In other words, a normal long term annual default rate
may be close to 2.5%; this value is far away from the 50% of the
balanced sample. Moreover, defaults cluster together during the
credit cycle with significant changes in default co-dependencies.
The impact on calibration is significant; even small changes in
model calibration have a big influence on a model's cut-off and
on estimated default rates.
Figure 10.3 illustrates estimated PDs in a balanced sample, in a
population where the default rate is 2.4%, and in a population
whose default rate is 1%.
An inaccuracy in determining the long term average annual
default rate modifies default probability measures. In fact, the
lending process is relatively slow in producing evident results,
also due to credit cycle movements. A credit cycle lasts years,
not days or weeks. The central tendency (in statistics) is the
average value to which population characteristics converge after
many repetitions of the same process (this is the law of large
numbers). Think about tossing a coin: after a few tosses, we
cannot understand if the coin has been manipulated or not; we
need a large number of trials in order to be sure that the coin is
manipulated. The statistical repetitions in lending activities are
relatively limited and it takes time to directly assess the effects
of an incorrect parameter. Normally, a robust check on the
validity of the central tendency is only possible after 18 or 36
months, depending on markets, types of facilities, and custom­
ers' segments.
In any case, the central tendency is a compromise between
having long empirical series of observations and constant lend­
ing technology. Therefore, to set the central tendency is a very
168 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
delicate issue that soon becomes a matter of discretion. The
calibration turns into a managerial decision, which is partly
based on empirical evidence and partly depends on strate­
gies and policies (such as fixing the implicit 'risk appetite' of
the organization). Optimistic estimates (default rate lower than
actual) reduce the risk perception and determine aggressive
competitive policies. If rating is also used for pricing purposes,
then prices would not fully reflect the credit risk embedded in
transactions (and loss provisions would be underestimated). On
the contrary, if the estimated default rate is pessimistic, a con­
servative credit policy would be adopted, which would lead to
missed business opportunities, to overestimated provisions, and
to lower credit market shares.
In conclusion, the validation unit has an important role in verify­
ing the central tendency over time through back testing and
stress testing. It should carefully monitor market prices, signals
from marketing people, results of big ticket transactions (syndi­
cated loans, securities placing, securitisation, and so forth) and
fully exploit any other opportunity to benchmark the bank (and
models used) against direct competitors.
Quantitative Validation
Quantitative validation covers four main areas:
1. Sample representativeness of the reference population at
the time of the estimates and in subsequent periods.
2. Discriminatory power: the accuracy of ratings assignments
in terms of the models' ability to rank obligors by risk levels,
both in the overall sample and in its different breakdowns
(for example, based on business sector, size and location).
3. Dynamic properties: the stability of rating systems and
properties of migration matrices.
4. Calibration: the predictive power concerning probabilities
of default.
We have already dealt with the issues of data quality exten­
sively. Here we consider the perspective of samples size. Nowa­
days, the real constraint is usually given by the subsample size
of defaulted firms, as some loan portfolios are characterized by
very few defaults. As risks of these 'low-default portfolios' have
to be assessed in any case, rating systems have to be developed
and validated. A set of principles should be taken into consid­
eration. Firstly, we cannot exclude exposures from the scope of
application of the rating model simply because insufficient data
are available to validate the risk parameter estimates on a sta­
tistical basis. In these cases, the validation unit has to contribute
to set an adequate margin of conservatism in the assumption
of risk parameters. Moreover, validation has to pay particular
attention to analysis techniques adopted in this estimation
process and to their limitations. Many statistical tests depend
on the amount of available information. For instance, for the
Chi-square test to give accurate results when dealing with con­
tingency tables cross-tabulating a dichotomous variable, such
as default/non-default with many rating classes, no more than
20% of cells should contain expected default frequencies less
than five and no cells should have expected frequencies less
than one. In many cases, minimum sample size requirements
are not achieved, mainly due to the small number of defaults.
This is particularly true when we are building models for market
'niches' or for specific industries (that are maybe important for
their economic impact but that are composed by few com­
petitors and counterparties). In these cases, we need to apply
specific techniques to give more robustness to our estimates
(Wehrspohn 2004, Basel Committee 2005b, Pluto and Tasche,
2004); among them, 'bootstrap procedures' have an important
place. These procedures randomly generate many samples.
Retaining the number of (the few) available defaults, many bal­
anced samples can be iteratively generated by extracting an
equal number of units from the non-defaulted group, without
re-introduction. On each of these samples the rating model is
completely re-assessed, extracting the entire set of statistical
information (variables selected, means, standard deviations, like­
lihood tests, and so on). The set of models is then analyzed. If
a clear convergence on a final stable result (i.e., same final vari­
able selected, equivalent parameters, and so on) is found, we
can infer that the model solution is stable and robust enough.
If not, there would be a severe risk of instability and a more
in-depth analysis would be needed. A way to overcome these
problems is to find more homogenous subsets (applying cluster
analysis, for instance). The model could be adapted to the spe­
cific features of these subsets, adopting different calibrations
or integrating a specific successive qualitative analysis, maybe
based on experts' judgments.
The term 'discriminatory power' refers to the fundamental ability
of a rating model to differentiate between defaulting and per­
forming borrowers over the forecasting horizon. Note that the
forecasting horizon is usually set at 12 months for PD estimation
(this also is a Basel II requirement) but the relevant time horizon
for rating validation is the one set for rating assessment: in this
last case, Basel II also requires a longer time horizon. Therefore,
it is necessary to use longer forecasting horizons in order to
validate discriminatory power. For example, the discriminatory
power of a scoring model for installment loans is often calcu­
lated for the entire period of the credit transaction.
The discriminatory power of a model can only be reviewed
ex post using data on defaulted and non-defaulted cases
(back testing). Therefore, using a longer time horizon means
using an 'observation period' that is more distant from 'time
zero' and from the collection time of data which feeds model
explanatory variables.
On the basis of the resulting sample, various analyses of the
rating discriminatory power are possible. The list of methods in
Basel Committee (2005a) is:
• statistical tests such as Fisher's r2, Wilks' A,
Hosmer-Lemeshow;
• migration matrices;
• accuracy indexes such as Lorentz's concentration curves
and Gini ratios (in different variants, for instance ROC and
AuRO C);
• classification tests (binomial test, type 1 and type 2 errors, x 2
test, normality test and so forth).
The frequency distribution of good and bad cases is particularly
important. In fact, error rates are the best way to offer a glimpse
on model performances. The validation unit has to carefully
verify the cut-off choice, its calibration, and its consequence in
daily operations (as 'false good' cases create loss given default,
and 'false bad' cases cause opportunity costs).
Ratings stability can be assessed by observing 'migration
matrices'. They can be built once the rating system has been
operational for at least two years. Desirable properties of annual
migration matrices are:
• Transition rates to default should be in ascending order as
rating classes worsen.
• High values should be on the diagonal and low values off-
diagonal, which would signal that ratings are stable over
time. This is also an indication of a through-the-cycle rating
model, as opposed to point-in-time ratings, which are much
more dynamic during the credit cycle, moving frequently
from one class to another.
• Off-diagonal values should be in descending order when
departing from the diagonal. That is to say, migration rates of
plus or minus one class should be higher than migration rates
of plus or minus two classes, and so forth. This means that
rating movements are gradual whereas sudden leaps of many
classes at one time are not that frequent.
These properties have to also hold for longer time horizons
than one year, despite a natural reduction in on-diagonal values
and an increase in off-diagonal values. This means that ratings
change over time but without large leaps.
If analyses of firms' fundamentals are dominant in rating assign­
ment, ratings change slowly over time because they are less
sensitive to credit cycles and to transitory circumstances. There­
fore, stability of the migration matrix is generally assumed as an
indicator of an analytical process which is mainly centered on
Chapter 10 Validating Rating Models ■ 169
counterparty's fundamentals, and hence as an expression of a
forward looking rating system.
This is a desirable technical property for many economic rea­
sons, such as lower pro-cyclical effects (on banks, firms and,
hence, on the economy as a whole) and longer 'far-sightedness'
of credit allocation (Draghi, 2009).
Calibration is a key topic in quantitative validation. It is also a
critical issue because of the scarcity of statistical tools that are
available. A document issued by the Basel Committee which is
entirely dedicated to the validation of internal rating systems,
clearly states that: 'compared with the evaluation of the discrimi­
natory power, methods for validating calibration are at a much
earlier stage . . . Due to the limitations of using statistical tests
to verify the accuracy of the calibration, benchmarking can be a
valuable complementary tool for the validation of estimates for
the risk components PD, LGD and EAD. Benchmarking involves
the comparison of a bank's ratings or estimates to results from
alternative sources. It is quite flexible in the sense that it gives
banks and supervisors latitude to select appropriate bench­
marks' (Basel Committee, 2005a, p. 3).
Therefore, validating calibration means analyzing differences
between forecasted PDs and realized default rates. The Basel
Committee paper indicates a few tests to assess proper cali­
bration: Binomial test, Chi-square test (or Hosmer-Lemeshow),
Normal test, and Traffic lights approach. While the Binomial test
is applied to one rating category at a time, the Chi-square test
simultaneously checks several rating categories. The normal test
is applied to a single rating class but is a multiperiod test of cor­
rectness of default probability forecasts; it is based on a normal
approximation of the distribution of the time-averaged default
rates (and on the assumptions that the mean default rate does
not vary too much over time and that default events in different
years are independent). The Traffic light approach is a multipe­
riod back testing tool for a single rating category introduced
with the 1996 Market Risk Amendment as a supervisory evalu­
ation tool of internal market risk models. Each of these tests
bears important limitations. Therefore, we can conclude with the
Basel Committee's words: 'at present no really powerful tests of
adequate calibration are currently available' (Basel Committee,
2005a, p. 34).
Back Testing, Benchmarking and Stress Testing
Back testing (accuracy of risk parameter estimates when com­
pared with ex p o s t empirical evidence), benchmarking (relative
performance of systems and risk parameter estimates against
benchmarks), and stress testing (adequacy of models when
stress tests are applied) are three fundamental activities for vali­
dating rating systems.
170 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
When back testing, realized default rates must regularly be com­
pared with estimated PDs for each rating grade. Where they do
not fall within the expected range for that grade, the validation
unit should analyze the reasons of deviations. Internal standards
should be set for situations where deviations from expectations
in realized PDs become significant enough to call the validity
of estimates into question. These standards may take account
of business cycles and similar systematic variability in default
experiences. Where actual values continue to be higher than
expected values, the bank should revise estimates upwards to
reflect their default experience.
When benchmarking, the validation unit establishes procedures
to specify acceptable deviations between internal estimates and
benchmark data and identifies, at least in general terms, the
actions to be taken when such deviations significantly exceed
acceptable levels. Banks should also identify possible sources
of unexpected volatility that could affect benchmarking results
over time. This analysis should be conducted at least once a
year. The adequacy and reliability of benchmarks is obviously
critical. The comparisons of synthetic measures of rating perfor­
mance must be carefully considered, as some very common indi­
cators are sample dependent (such as Gini ratio and AuRO C). It
is much better to have benchmark datasets for testing different
models on the same set of data.
Regarding a model's stress testing, the validation unit should
assess the robustness and reliability of models' results when
their independent variables are set to indicate extreme
conditions.
Benchmarking, stress testing and, above all, back testing should
be reported in an effective, easy to understand and transpar­
ent way to top managers. This would enhance the internal
communication strategy of the validation unit: the clearer the
communication, the more effective a top manager's contribu­
tion (to improve rating systems and to enhance rating validation
activities) is.
As an example, suppose a bank has 15,000 internally rated cus­
tomers; the internal rating system is based on 17 classes, with­
out considering defaulted counterparties (Table 10.2).
Table 10.3 shows the loan portfolio by rating class at the begin­
ning and at the end of the observation period. As indicated
throughout this book, a number of performance measures and
statistical tests can be calculated.
Effective and simple representation of this data is important to
communicate to top managers and other bank personnel as
well. Table 10.4 and Figure 10.4 illustrate a comparison between
expected and actual default rates per rating classes. Deviations
from means are highly frequent, mainly because of the effects
of credit cycles. In periods of economic expansion, lower quality
Table 10.2 Internal Rating C lassificatio n

Probability of Default (%) Range (%)

Rating Class Min Mean Max Lower Bound Upper Bound
1 0.01 0.03 0.04 - 0 .0 2 0.01
2 0.04 0.05 0.06 - 0 .0 1 0.01
3 0.06 0.07 0.08 - 0 .0 1 0.01
4 0.08 0.10 0.12 - 0 .0 2 0.02
5 0.12 0.15 0.19 - 0 .0 3 0.04
6 0.19 0.25 0.30 - 0 .0 5 0.05
7 0.30 0.40 0.50 - 0 .1 0 0.10
8 0.50 0.60 0.75 - 0 .1 0 0.15
9 0.75 0.90 1.15 - 0 .1 5 0.25
10 1.15 1.35 1.70 - 0 .2 0 0.35
11 1.70 2.00 2.50 - 0 .3 0 0.50
12 2.50 3.00 3.75 - 0 .5 0 0.75
13 3.75 4.50 5.50 - 0 .7 5 1.00
14 5.50 7.00 8.50 - 1.50 1.50
15 8.50 10.00 13.00 - 1.50 3.00
16 13.00 15.00 20.00 - 2 .0 0 5.00
17 20.00 25.00 50.00 - 5.00 25.00

Table 10.3 Ex a m p le of Portfolio Evolution in th e O b se rv a tio n Period

Rating Initial Portfolio at Observation Period End Frequency Distribution by Class (%)
Classes Portfolio Defaults Non-defaulted Default Non-default
# Units % Cumulated Cumulated Cumulated Cumulated
1 15 0.1 0 0 15 15 0.0 0.0 0.1 0.1
2 38 0.3 0 0 38 53 0.0 0.0 0.3 0.4
3 23 0.2 1 1 22 74 0.3 0.3 0.1 0.5
4 105 0.7 0 1 105 179 0.0 0.3 0.7 1.2
5 150 1.0 0 1 150 329 0.0 0.3 1.0 2.2
6 375 2.5 3 4 372 701 0.8 1.1 2.5 4.8
7 1170 7.8 4 8 1166 1.867 1.1 2.2 8.0 12.8
8 2138 14.3 6 14 2132 3.999 1.6 3.8 14.6 27.3
9 1725 11.5 5 19 1720 5.719 1.4 5.2 11.8 39.1
10 1650 11.0 15 34 1635 7.354 4.1 9.3 11.2 50.3
11 2100 14.0 32 66 2068 9.422 8.7 18.0 14.1 64.4
12 2250 15.0 55 121 2195 11.617 15.0 33.0 15.0 79.4
13 1200 8.0 56 177 1144 12.761 15.3 48.2 7.8 87.2
14 750 5.0 58 235 692 13.453 15.8 64.0 4.7 91.9
15 675 4.5 72 307 603 14.056 19.6 83.7 4.1 96.1
16 525 3.5 45 352 480 14.536 12.3 95.9 3.3 99.3
17 113 0.7 15 367 98 14.633 4.1 100.0 0.7 100.0
15000 100.0 367 14633 100.0 100.0

Chapter 10 Validating Rating Models ■ 171

Table 10.4 Exam p le of A ctu al V alu es ag ain st E x p e cte d V alu es in a Portfolio during a Fav o ra b le C re d it C y cle

Default Rate (%)

Defaults Actual A Actual versus
Rating Classes # Central PD (%) Expected Defaults Actual Expected Survival Rate (%)
1 0.03 0 0 0.0 0.0 100.0
2 0.05 0 0 0.0 0.0 100.0
3 0.07 0 1 4.4 4.4 95.6
4 0.10 0 0 0.0 -0.1 100.0
5 0.15 0 0 0.0 -0.2 100.0
6 0.25 1 3 0.8 0.6 99.2
7 0.40 5 4 0.3 -0.1 99.7
8 0.60 13 6 0.3 -0.3 99.7
9 0.90 16 5 0.3 -0.6 99.7
10 1.35 22 15 0.9 -0.4 99.1
11 2.00 42 32 1.5 -0.5 98.5
12 3.00 68 55 2.4 -0.6 97.6
13 4.50 54 56 4.7 0.2 95.3
14 7.00 53 58 7.7 0.7 92.3
15 10.00 68 72 10.7 0.7 89.3
16 15.00 79 45 8.6 -6.4 91.4
17 25.00 28 15 13.3 - 11.7 86.7
447 367 2.4 97.6

deviations have a meaningful impact on portfolio performance.

Therefore, these effects need to be carefully managed to avoid
miscommunication (from this perspective, indicators like ROC
curve are particularly suitable).

Linking crude data of rating classifications to bank's lending

policy is useful for managers and for effective communication.
Figure 10.5 offers a way to illustrate this analysis. On the graph

Frequency distribution of default and no-default per rating classes

PD min Confidence at 67% (dx)
25.0%
PD central Confidence at 90% (dx)

PD max Confidence at 99% (dx)

20 . 0 %
£
Actual def.Rate Confidence at 99,9% (dx)

Fiqure 10.4
c/>

D efau lt rates p e r rating class and

c/>
J5
o
o> 15.0%
statistical co n fid en ce intervals. £5
0)
k_
Q_

£
0)
10 . 0 % Credit
restriction/
classes perform better than expected; the reverse would be true S'
recall/
withdrawal
in periods of recessions. This is a well known phenomenon, well <
~o 5.0% -

documented by rating agencies migration matrices observed in 0 .0 %

i— i— i— i— i— i— i— i— r
different periods. 7 8 9 10 11 12 13 14 15 16 17 18

Internal rating classes

When classes have few units, unexpected events hugely effect Type 2 errors ■ ■ ■ Actual default frequency

relative deviations but have a small economic impact (see class 3 Type 1 errors Actual non-default frequency

for instance). The opposite is true for larger classes: even small Figure 10.5 D efau lt rates and lending policy.

172 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
the frequency distributions of actual defaulted and non-defaulted
counterparts are shown. O f course, the two groups have different
distributions and there is a large overlapping area. Rating classes
are often the main drivers for bank lending policies. Different
commercial policies are put into practice in respect of counter­
party's credit risk, favoring aggressive marketing for safer clients
and conservative lending behaviors for riskier ones. Suppose that
aggressive marketing is pursued for better classes up to class 6,
while a conservative approach is recommended from class 14
onwards. This policy neither protects against defaults in classes
that benefit from aggressive marketing, nor avoids restricting
lending to solvent counterparties. In our example, the target for
aggressive marketing is around 700 clients (the first 5% of the
portfolio) but three defaults were experimented (the first 1.1%
of total defaults); see the gray area on the left in Figure 10.5. At
the same time, if we withdraw credit to the worst three classes,
130 defaults could be avoided but business with 1200 clients
would be lost (gray area on the right in Figure 10.5).
The importance of a model's discriminatory power and ade­
quate calibration becomes evidently clear. The usefulness of
having clues on these performance measures of rating systems
becomes apparent. Also, the value of a prompt detection of
fading discriminatory power and calibration becomes evident.
Chapter 10 Validating Rating Models ■ 173
Assessing the
Quality of Risk
Measures
Learning Objectives
After completing this reading you should be able to:

Describe ways that errors can be introduced into models.
Explain how model risk and variability can arise through
the implementation of VaR models and the mapping of
risk factors to portfolio positions.
Explain major defects in model assumptions that led
to the underestimation of systematic risk for residential
mortgage backed securities (RMBS) during the 2007-2009
financial crisis.

Identify reasons for the failure of the long-equity tranche,

short-mezzanine credit trade in 2005 and describe how
such modeling errors could have been avoided.

E x c e rp t is from C h a p ter 11 o f Financial Risk Management: Models, History, and Institutions, b y Allan M . Malz.
VaR has been subjected to much criticism. Previously we
reviewed the sharpest critique: that the standard normal return
model underpinning most VaR estimation procedures is simply
wrong. But there are other lines of attack on VaR that are rele­
vant even if VaR estimates are not based on the standard model.
This chapter discusses three of these viewpoints:
1. The devil is in the details: Subtle and not-so-subtle differ­
ences in how VaR is computed can lead to large differences
in the estimates.
2. VaR cannot provide powerful tests of its own accuracy.
3. VaR is "philosophically" incoherent: It cannot do what it
purports to be able to do, namely, rank portfolios in order
of riskiness.
We will also discuss a pervasive basic problem with all models,
including risk models: the fact that they can err or be used
inappropriately.
11.1 MODEL RISK*
The basic modeling problem facing VaR is that the actual dis­
tribution of returns doesn't conform to the model assumption
of normality under which VaR is often computed. Using a VaR
implementation that relies on normality without appreciating
the deviations of the model from reality is an example of m odel
risk. Models are used in risk measurement as well as in other
parts of the trading and investment process. The term "model
risk" describes the possibility of making incorrect trading or risk
management decisions because of errors in models and how
they are applied. Model risk can manifest itself and cause losses
in a number of ways. The co n se q u e n ce s of model error can be
trading losses, as well as adverse legal, reputational, accounting,
and regulatory results.
All social science models are "w rong," in the sense that model
assumptions are always more or less crude approximations to
reality. In Friedman's (1953) view on the methodology of eco­
nomics, deviation from reality is a virtue in a model, because the
model then more readily generates testable hypotheses that
can be falsified empirically, adding to knowledge. The so-called
Black-Scholes biases provide very useful insights into return
behavior, and yet are defined as violations of the model predic­
tions. A model may, however, be inherently wrong, in that it is
based on an incorrect overall view of reality. The data inputs can
be inaccurate, or may be inappropriate to the application.
Error can be introduced into models in any number of ways.
A seemingly trivial channel, but one that can have large conse­
quences, is that the programming of a model algorithm can
contain bugs. An example occurred in the ratings process for
176 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
structured credit products, and was revealed during the sub­
prime crisis. The press reported in May 2008 that Moody's had
incorrectly, given their own ratings methodology, assigned A A A
ratings to certain structured credit products using materially
flawed programming. Another example occurred when AXA
Rosenberg Group LLC, an asset-management subsidiary of the
French insurance company A XA , using a quantitative investment
approach, discovered a programming error in its models that
had likely induced losses for some investors.1
These episodes also provide examples of the linkages between
different types of risk. In the Moody's case, the model risk was
closely linked to the reputational and liquidity risks faced by
Moody's. The error had been discovered by Moody's before
being reported in the press, but had coincided with changes in
the ratings methodology for the affected products, and had not
resulted in changes in ratings while still known only within the
firm. Moody's therefore, once the bugs became public knowl­
edge, came under suspicion of having tailored the ratings model
to the desired ratings, tarnishing its reputation as an objective
ratings provider. Within a few days of the episode being
reported, S&P placed Moody's-issued commercial paper on
negative watch, illustrating the economic costs that reputational
risk events can cause. In the A X A Rosenberg episode, the dis­
covery of the error had not been communicated in a timely fash­
ion to investors, resulting in loss of assets under management,
an SEC fine, and considerable overall reputational damage.
Even when software is correctly programmed, it can be used in
a way that is inconsistent with the model that was intended to
be implemented in the software. One type of inconsistency that
arises quite frequently concerns the mapping of positions to risk
factors, which we'll discuss in a moment. Such inconsistencies
can contribute to differences in VaR results.
Valuation Risk
Model errors can occur in the valuation of securities or in hedging.
Errors in valuation can result in losses that are hidden within
the firm or from external stakeholders. A portfolio can be more
exposed to one or more risk factors than the portfolio manager
realizes because of hedging errors.
Valuation errors due to inaccurate models are exam ples of
market risk as well as of operational risk. As a market risk phe­
nomenon, they lead, for exam ple, to buying securities that
are thought to be cheaply priced in the market, but are in fact
A
On Moody's, see Sam Jones, Gillian Tett, and Paul J. Davies, "CPDOs
expose ratings flaw at Moody's," Financial Times, May 20, 2008. On
AXA Rosenberg, see Jean Eaglesham and Jenny Strasburg, "Big Fine
Over Bug in 'Quant' Program," Wall Street Journal, Feb. 4, 2011.
fairly priced or overpriced. As an operational risk phenomenon,
the difficulty of valuing some securities accurately makes it pos­
sible to record positions or trades as profitable that have in fact
lost money.
Model errors can, in principle, be avoided and valuation risk
reduced, by relying on market prices rather than model prices.
There are several problems with this approach of always
marking-to-market and never m arking-to-m odel. Some types
of positions, such as longer-term bank commercial loans, have
always been difficult to mark-to-market because they do not
trade frequently or at all, and because their value is determined
by a complex internal process of monitoring by the lender.
Accounting and regulatory standards mandating marking such
positions to market have been held responsible by some for
exacerbating financial instability.
Variability of VaR Estimates
VaR also faces a wide range of practical problems. To understand
these better, we'll first briefly sketch the implementation process
for risk computation. This entire process and its results are some­
times referred to as the firm's "VaR model." We'll then discuss how
implementation decisions can lead to differences in VaR results.
Risk management is generally carried out with the aid of com­
puter systems that automate to some extent the process of
combining data and computations, and generating reports.
Risk-measurement systems are available commercially. Vendor
systems are generally used by smaller financial firms. Large firms
generally build their own risk-measurement systems, but may
purchase some components commercially.
One particular challenge of implementing risk-measurement sys­
tems is that of data preparation. Three types of data are involved:
M arket data are time series data on asset prices or other data
that we can use to forecast the distribution of future portfolio
returns. Obtaining appropriate time series, purging them
of erroneous data points, and establishing procedures for
handling missing data, are costly but essential for avoiding
gross inaccuracies in risk measurement. Even with the best
efforts, appropriate market data for some exposures may
be unobtainable.
Secu rity m aster data include descriptive data on securi­
ties, such as maturity dates, currency, and units. Corporate
securities such as equities and, especially, debt securities
present particular challenges in setting up security master
databases. To name but one, issuer hierarchy data record
which entity within a large holding company a transaction is
with. Such databases are difficult to build and maintain, but
are extremely important from a credit risk management point
Chapter 11 Assessing the Quality of Risk Measures
of view. Netting arrangements, for example, may differ for
trades with different entities. Such issues become crucial if
counterparties file for bankruptcy. One important example
from the subprime crisis: Recovery by Lehman's counterpar­
ties depended in part on which Lehman subsidiary they had
faced in the transactions.
Position data must be verified to match the firm's books and
records. Position data may have to be collected from many
trading systems and across a number of geographical loca­
tions within a firm.
To compute a risk measure, software is needed to correctly
match up this data, and present it to a calculation engine. The
engine incorporates all the formulas or computation procedures
that will be used, calling them from libraries of stored proce­
dures. The calculations have to be combined with the data
appropriately. Results, finally, must be conveyed to a reporting
layer that manufactures documents and tables that human man­
agers can read. All of these steps can be carried out in myriad
ways. We focus on two issues, the variability of the resulting
measures, and the problem of using data appropriately.
The computation process we've just described applies to any
risk measure, not just to VaR, but for concreteness, we focus on
VaR. The risk manager has a great deal of discretion in actually
computing a VaR. VaR techniques— modes of computation and the
user-defined parameters— can be mixed and matched in different
ways. Within each mode of computation, there are major variants,
for example, the so-called "hybrid" approach of using historical
simulation with exponentially weighted return observations. This
freedom is a mixed blessing. On the one hand, the risk manager has
the flexibility to adapt the way he is calculating VaR to the needs of
the firm, its investors, or the nature of the portfolio. On the other
hand, it leads to two problems with the use of VaR in practice:
1. There is not much uniformity of practice as to confidence
interval and time horizon; as a result, intuition on what con­
stitutes a large or small VaR is underdeveloped.
2. Different ways of measuring VaR would lead to different
results, even if there were standardization of confidence
interval and time horizon. There are a number of computa­
tional and modeling decisions that can greatly influence VaR
results, such as
• Length of time series used for historical simulation or to
estimate moments
• Technique for estimating moments
• Mapping techniques and the choice of risk factors, for
example, maturity bucketing
• Decay factor if applying EW M A
• In Monte Carlo simulation, randomization technique and
the number of simulations
■ 177
Dramatic changes in VaR can be obtained by varying these
parameters. In one well-known study (Beder, 1995), the VaRs of
relatively simple portfolios consisting of Treasury bonds and S&P
500 index options were computed using different combinations
of these parameters, all of them well within standard practice.
For example, 100 or 250 days of historical data might be used
to compute VaR via historical simulation, or Monte Carlo VaR
might be computed using different correlation estimates. For a
given time horizon and confidence level, VaR computations dif­
fered by a factor of six or seven times. Other oddities included
VaR estimates that were higher for shorter time horizons.
A number of large banks publish VaR estimates for certain of
their portfolios in their annual reports, generally accompanied
by backtesting results. These VaR estimates are generated
for regulatory purposes. Perusing these annual reports gives
a sense of how different the VaR models can be, as they use
inconsistent parameters and cannot be readily compared.
Mapping Issues
Mapping, the assignment of risk factors to positions, can also
have a large impact on VaR results. Some decisions about map­
ping are pragmatic choices among alternatives that each have
their pros and cons. An example is the choice between cash
flow versus duration-convexity mapping for fixed-income. Cash
flow mappings are potentially more accurate than duration map­
pings, since, in the former, each cash flow is mapped to a fixed
income security with a roughly equal discount factor, to which
the latter is clearly only an approximation. But cash flow map­
ping requires using many more risk factors and more complex
computations, which are potentially more expensive and entail
risks of data errors and other model risks.
In other cases, it may be difficult to find data that address cer­
tain risk factors. Such mapping problems may merely mirror
the real-world difficulties of hedging or expressing some trade
ideas. An example is the practice, said to be widespread prior
to the subprime crisis, of mapping residential mortgage-backed
securities (RMBS) and other securitized credit products to time
series for corporate credit spreads with the same rating. Market
data on securitization spreads generally is sparse, available only
for very generic types of bonds and hard to update regularly
from observed market prices. Prior to the crisis, the spread vola­
tility of investment-grade securitizations was lower than those of
corporate bonds with similar credit ratings. Yet during the finan­
cial crisis, spreads on securitizations widened, at least relatively,
far more than corporate spreads. This episode illustrates not
only the model risks attendant on proxy mapping, but also the
inefficacy of VaR estimates in capturing large moves in market
prices and the importance of stress testing.
178 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Another example is convertible bond trading. Convertible
bonds can be mapped to a set of risk factors including, among
others, implied volatilities, interest rates, and credit spreads.
Such mappings are based on the theoretical price of a convert­
ible bond, which is arrived at using its replicating portfolio.
However, at times theoretical and market prices of converts can
diverge dramatically. These divergences are liquidity risk events
that are hard to capture with market data, so VaR based on the
replicating portfolio alone can drastically understate risk. This
problem can be mitigated through stress testing.
In some cases, a position and its hedge might be mapped to the
same risk factor or set of risk factors. The mapping might be jus­
tified on the grounds that the available data do not make it pos­
sible to discern between the two closely related positions. The
result, however, will be a measured VaR of zero, even though
there is a significant basis risk; that is, risk that the hedge will
not provide the expected protection. Risk modeling of securi­
tization exposures provides a pertinent example of basis risk,
too. Securitizations are often hedged with similarly-rated corpo­
rate CDS indexes. If both the underlying exposure and its CD X
hedge are mapped to a corporate spread time series, the mea­
sured risk disappears.
For some strategies, VaR can be misleading for reasons over and
above the distribution of returns and VaR's dependence on spe­
cific modeling choices. For some strategies, outcomes are close
to binary. One example is event-driven strategies, a broad class
of strategies that includes trades that depend on the occurrence
of terms of a corporate acquisition or merger, the outcome of
bankruptcy proceedings, or of lawsuits. For many such trades,
there is no historical time series of return data that would shed
light on the range of results. Another example are dynamic
strategies, in which the risk is generated by the trading strategy
over time rather than the set of positions at a point in time.
Case Study: The 2005 Credit Correlation
Episode
An episode of volatility in the credit markets that occurred in the
late spring of 2005 provides a case study of model risk stemming
from misinterpretation and misapplication of models. Some trad­
ers suffered large losses in a portfolio credit trade in which one
dimension of risk was hedged in accordance with a model, while
another dimension of risk was neglected. We start by reviewing
the mechanics of the trade, which involved credit derivatives
based on C D X .N A .IG , the investment grade CDS index.
Description of the Trade and Its Motivation
A widespread trade among hedge funds, as well as proprietary
trading desks of banks and brokerages, was to sell protection on
the equity tranche and buy protection on the junior mezzanine
tranche of the C D X .N A .IG . The trade was thus long credit and
credit-spread risk through the equity tranche and short credit
and credit-spread risk through the mezzanine. It was executed
using several C D X.N A .IG series, particularly the IG3 introduced
in September 2004 and the IG4 introduced in March 2005.
is —$6,880. The defaultOI of the mezzanine is —0.07212 times
the notional value, so the defaultOI of a $1,000,000 notional
position is —$721. With a hedge ratio of about 9.54—that is,
by shorting $9,540,000 of par value of the mezzanine for every
$1,000,000 notional of long equity— we create a portfolio that,
at the margin, is default-risk neutral.

The trade was designed to be default-risk-neutral at initiation, Figure 11.1 illustrates how the trade was set up. At a default
by sizing the two legs of the trade so that their credit spread rate of 0.003, the portfolio has zero sensitivity to a small rise or
sensitivities were equal. The motivation of the trade was not decline in defaults. But the trade has positive convexity. The
to profit from a view on credit or credit spreads, though it was equity cheapens at a declining rate in response to spread widen­
primarily oriented toward market risk. Rather, it was intended ing. A noteworthy feature is that, because at low default rates,
to achieve a positively convex payoff profile. The portfolio of the mezzanine tranche has negative convexity, the short position
two positions would then benefit from credit spread volatility. adds positive convexity to the portfolio. The trade benefits from
In addition, the portfolio had positive carry; that is, it earned a changes in the default rate in either direction. The actual CD X
positive net spread. Such trades are highly prized by traders, for trade benefitted from large credit spread changes. It behaved,
whom they are akin to delta-hedged long option portfolios in in essence, like an option straddle on credit spreads. In contrast
which the trader receives rather than paying away time value. to a typical option, however, this option, when expressed using
the CD X standard tranches at the market prices prevailing in
To understand the trade and its risks, we can draw on the tools
early 2005, paid a premium to its owner, rather than having
we developed earlier. The securities in the extended example
negative net carry.
are similar enough in structure to the standard tranches of the
C D X.N A .IG that we can mimic the trade and understand what In the actual standard tranche trade, the mechanics were
went wrong. Let's set up a trade in tranches of illustrative CLO slightly different. Since the securities were synthetic CD O
that is similar in structure and motivation to the standard tranche liabilities, traders used spread sensitivities; that is, spreadOls
trade we have been describing. The trade takes a long credit or risk-neutral defaultOls, rather than actuarial defaultOls. The
risk position in the equity tranche and an offsetting short credit sensitivities used were not to the spreads of the underlying
position in the mezzanine bond. Bear in mind that
we would unlikely be able, in actual practice, to
take a short position in a cash securitization, since
the bond would be difficult to locate and bor­
row. We might be able to buy protection on the
mezzanine tranche through a CD S, but the dealer
writing it would probably charge a high spread
to compensate for the illiquidity of the product
and the difficulty of hedging it, in addition to the
default and correlation risk. The standard tranches
are synthetic CDS and their collateral pools also
consist of CDS. They are generally more liquid
than most other structured products, so it is eas­
ier to take short as well as long positions in them.

To determine the hedge ratio, that is, the amount

of the mezzanine we are to short, we use the
default sensitivities, the defaultOls. These are
credit-risk sensitivities, while the 2005 CD X trade
employed market-risk sensitivities, the spreadOls.
But the mechanics of hedging are similar. We
assume that, at the time the trade is initiated,
the expected default rate and implied correla­
tion are 7r = 0.03 and p = 0.30. The defaultOI
of a $1,000,000 notional position in the equity
Fiaure 11.1 C o n v e x ity of C L O liabilities.
The graph plots the P&L, for varying default rates, of a portfolio consisting of (1) a long
credit position in the equity tranche of the CLO with a notional amount of $1,000,000,
and (2) a short credit position in the mezzanine tranche of the same CLO with a notional
amount of $1,000,000 times the hedge ratio of 9.54, that is, a par value of $9,540,000.
The P&Ls of the constituent positions are also plotted. The default rates vary in the graph,
but the correlation is fixed at 0.30. That is, the hedge ratio is set at a default rate of
3 percent, and a correlation of 0.30, but only the default rate is permitted to vary in
the plot. The default rates are measured on the horizontal axis as decimals. The P&L is
expressed on the vertical axis in millions of dollars.

Chapter 11 Assessing the Quality of Risk Measures ■ 179

constituents of the C D X .N A .IG , but to the tranche spread. The
hedge ratio in the actual trade was the ratio of the P&L impact
of a 1bp widening of C D X.N A .IG on the equity and on the junior
mezzanine tranches. The hedge ratio was between 1.5 and 2 at
the beginning of 2005, lower than our example's 9.54, and at
the prevailing tranche spreads, resulted in a net flow of spread
income to the long equity/short mezz trade. However, the trade
was set up at a particular value of implied correlation. As we will
see, this was the critical error in the trade.
One additional risk should be highlighted, although it did not in
the end play a crucial role in the episode we are describing: The
recovery amount was at risk. In the event of a default on one or
more of the names in the index, the recovery amount was not
fixed but a random variable.
The Credit Environment in Early 2005
In the spring of 2005, the credit markets came under pressure,
focused on the automobile industry, but not limited to it. The
three large U.S.-domiciled original equipment manufacturers
(OEM s), Ford, General Motors (GM), and Chrysler, had long
been troubled. For decades, the O EM s had been among the
most important companies in the U.S. investment-grade bond
market, both in their share of issuance and in their benchmark
status. The possibility of their being downgraded to junk was
new and disorienting to investors. They had never been constit­
uents of the C D X .N A .IG , but two "captive finance" companies,
General Motors Acceptance Co. (GM AC) and Ford Motor Credit
Co. (FM CC), were.
A third set of companies at the core of the automotive indus­
tries were the auto parts manufacturers. Delphi Corp. had been
a constituent of IG3, but had been removed in consequence of
its downgrade below investment grade. American Axle Co. had
been added to IG4.
From a financial standpoint, the immediate priority of the OEM s
had been to obtain relief from the UAW auto workers union
from commitments to pay health benefits to retired workers.
The "hot" part of the 2005 crisis began with two events in mid-
April, the inability of GM and the UAW to reach an accord on
benefits, and the announcement by GM of large losses. On May
5, GM and Ford were downgraded to junk by S&P. Moody's did
the same soon after. The immediate consequence was a sharp
widening of some corporate spreads, including G M A C and
FM CC and other automotive industry names. Collins and Aik-
man, a major parts manufacturer, filed for Chapter 13 protection
from creditors in May. Delphi and Visteon, another large parts
manufacturer, filed later in 2005.
The two captive finance arms and the two auto parts manufac­
turers American Axle and Lear together constituted 4 out of the
180 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
125 constituents of the IG4. The market now contemplated the
possibility of experiencing several defaults in the IG3 and IG4.
The probability of extreme losses in the IG3 and IG4 standard
equity tranches had appeared to be remote; it now seemed a
distinct possibility. Other credit products also displayed sharp
widening; the convertible bond market, in particular, was experi­
encing one of its periodic selloffs, as seen in Figure 17-2.
The automotive and certain other single-name spreads w id­
ened sharply, among them G M AC and FM CC. The IG indexes
widened in line with the widening in their constituents, many of
which did not widen at all. The pricing of the standard tranches,
however, experienced much larger changes, brought about by
the panicky unwinding of the equity-mezzanine tranche trade.
Figure 11.3 shows the behavior of credit spreads and the price
of the standard equity tranche during the episode.
• The mark-to-market value of the equity tranche dropped
sharply. This can be seen in the increase in points upfront
that buyers of protection had to pay.
• The implied correlation of the equity tranche dropped
sharply. Stated equivalently, its mark-to-market value
dropped more and its points upfront rose more sharply than
the widening of the IG4 spread alone would have dictated.
• The junior mezzanine tranche experienced a small widen­
ing, and at times even some tightening, as market partici­
pants sought to cover positions by selling protection on
the tranche, that is, taking on long credit exposures via the
tranche.
• The relative value trade as a whole experienced large losses.
The implied correlation fell for two reasons. The automotive
parts supplier bankruptcies had a direct effect. All were in the
IG4, which meant that about 10 percent of that portfolio was
now near a default state. But the correlation fell also because
the widening of the IG4 itself was constrained by hedging. The
short-credit position via the equity tranche could be hedged
by selling protection on a modest multiple of the mezzanine
tranche, or a large multiple of the IG4 index. Although spreads
were widening and the credit environment was deteriorating, at
least some buyers of protection on the IG4 index found willing
sellers among traders long protection in the equity tranche who
were covering the short leg via the index as well as via the mez­
zanine tranche itself.
Modeling Issues in the Setup of the Trade
The relative value trade was set up in the framework of the stan­
dard copula model, using the analytics described earlier. These
analytics were simulation-based, using risk-neutral default prob­
abilities or hazard-rate curves derived from single-name CDS.
The timing of individual defaults was well modeled. Traders
 generally used a normal copula. The cor­
relation assumption might have been
based on the relative frequencies of dif­
ferent numbers of joint defaults, or, more
likely, on equity return correlations or
prevailing equity implied correlations.

In any event, the correlation assump­

tion was static. This was the critical flaw,
rather than using the "wrong" copula
function, or even the "wrong" value
of the correlation. The deltas used to
set the proportions of the trade were
partial derivatives that did not account
for changing correlation. Changing cor­
relation drastically altered the hedge
ratio between the equity and mezzanine
tranches, which more or less doubled to
nearly 4 by July 2005. In other words,
traders needed to sell protection on
nearly twice the notional value of the
mezzanine tranche in order to maintain
spread neutrality in the portfolio.

Figure 11.2 displays the P&L profile of

the trade for different spreads and cor­
relations, again using the CLO example.
F iq u re 1 1 .2 C o rrela tio n risk of th e co n vexity tra d e .
The portfolio P&L plotted as a solid line
The graph plots the P&L of the convexity trade for default rates from 0.0075 to 0.0825 per annum in Figure 11.1 is a cross-section through
and constant pairwise Gaussian copula correlations from 0.0 to 0.5. The P&L is expressed on the
Figure 11.2 at a correlation of 0.30.
vertical (z) axis in millions of dollars.
Figure 11.2 shows that the trade was
profitable for a wide range of spreads,
but only if correlation did not fall. If correlation fell
abruptly, and spreads did not widen enough, the
trade would become highly unprofitable.

The model did not ignore correlation, but the trade

The graph plots the implied or base correlation of the equity (0-3 percent) tranche (solid
line, percent, left axis), the price of the equity tranche (dashed line, points upfront, right
axis), and the CDX IG 4 spread (dotted line, basis points, right axis).
Source: JPMorgan Chase.
thesis focused on anticipated gains from convexity.
The flaw in the model could have been readily cor­
rected if it had been recognized. The trade was put
on at a time when copula models and the concept
of implied correlation generally had only recently
been introduced into discussions among traders,
who had not yet become sensitized to the potential
losses from changes in correlation. Stress testing
correlation would have revealed the risk. The trade
could also have been hedged against correlation
risk by employing an overlay hedge: that is, by
going long single-name protection in high default-
probability names. In this sense, the "arbitrage"
could not be captured via a two-leg trade, but
required more components.

Chapter 11 Assessing the Quality of Risk Measures ■ 181

Case Study: Subprime Default
Models
Among the costliest model risk episodes was the
failure of subprime residential mortgage-based
security (RMBS) valuation and risk models. These
models were employed by credit-rating agencies to
assign ratings to bonds, by traders and investors to
value the bonds, and by issuers to structure them.
While the models varied widely, two widespread
defects were particularly important:

• In general, the models assumed positive future

house price appreciation rates. In the stress
case, house prices might fail to rise, but would
not actually drop. The assumption was based
Rolling indexes of AAA, A, and BBB- ABX. For each index, the graph displays the most
on historical data, which was sparse, but sug­ recent vintage.
gested there had been no extended periods
Source: JPMorgan Chase.
of falling house prices on a large scale in any
relevant historical period. House prices did in fact drop very
severely starting in 2007. Since the credit quality of the loans
depended on the borrowers' ability to refinance the loans
without additional infusions of equity, the incorrect assump­
tion on house price appreciation led to a severe underesti­
mate of the potential default rates in underlying loan pools in
an adverse economic scenario.
• Correlations among regional housing markets were assumed
to be low. Bonds based on pools of loans from different geo­
graphical regions were therefore considered well-diversified.
In the event, while house prices fell more severely in some
regions than others, they fell— and loan defaults were much
higher than expected in a stress scenario— in nearly all.
Together, these model errors or inappropriate parameters led to
a substantial underestimation of the degree of systematic risk in
subprime RMBS returns. Once the higher-than-expected default
rates began to materialize, the rating agencies were obliged to
downgrade most RMBS. The large-scale downgrades of A A A
RMBS were particularly shocking to the markets, as it was pre­
cisely these that revealed the extent to which systemic risk had
been underestimated and mispriced. As of the end of 2009,
about 45 percent of U.S. RMBS with original ratings of A A A had
been downgraded by Moody's.2
The inaccuracy of rating agency models for subprime RMBS is a
complex phenomenon with a number of roots. Some observers
2 See Moody's Investors Service (2010), p. 19.
have identified the potential conflict of interest arising from
compensation of rating agencies by bond issuers as a factor in
driving ratings standards lower. Others have focused on reach­
ing for yield and the high demand for highly rated bonds with
even modestly higher yields.
As we saw earlier in this chapter, a number of instances of
mapping problems, contributing to seriously misleading risk
measurement results, arose in securitization and structured
credit products. Up until relatively recently, little time-series
data was available covering securitized credit products. Highly
rated securitized products were often mapped to time series
of highly rated corporate bond spread indexes in risk measure­
ment systems, or, less frequently, to the A B X index family,
introduced in 2006. VaR measured using such mappings would
have indicated that the bonds were unlikely under any circum­
stances to lose more than a few points of value. As can, how­
ever, be seen in Figure 11.4, the A B X index of the most highly
rated RMBS lost 70 percent of their value during the subprime
crisis. Somewhat lower, but still investment-grade RMBS lost
almost all their value. Securitizations suffered far greater losses
than corporate bonds. Losses varied greatly by asset class, the
year in which they were issued, or "vintage," and position in
the capital structure. The corporate-bond and A B X mappings
were highly misleading and would have understated potential
losses by several orders of magnitude for investment-grade
bonds. Similar issues arose for CM BS, and their relationship
to the ratings curves and the CM BX, an index of CM BS prices
analogous to the A BX.

182 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Risk Capital
Attribution and
Risk-Adjusted
Performance
Measurement
Learning Objectives
After completing this reading you should be able to:

Define, compare, and contrast risk capital, economic
capital, and regulatory capital, and explain methods and
motivations for using economic capital approaches to
allocate risk capital.
Describe the risk-adjusted return on capital (RAROC)
methodology and its use in capital budgeting.
Compute and interpret the RAROC for a project, loan, or
loan portfolio and use RARO C to compare business unit
performance.
Explain challenges that arise when using RARO C for
performance measurement, including choosing a time
horizon, measuring default probability, and choosing a
confidence level.
Calculate the hurdle rate and apply this rate in making
business decisions using RAROC.
Compute the adjusted RARO C for a project to determine
its viability.
Explain challenges in modeling diversification benefits,
including aggregating a firm's risk capital and allocating
economic capital to different business lines.
Explain best practices in implementing an approach that
uses RAROC to allocate economic capital.

E x c e rp t is rep u b lish ed with perm ission o f M cGraw -Hill C om panies, from The Essentials of Risk Management, M ichel Crouhy, Dan
Galai, and R o b e rt M ark, 2n d edition (2014).

183
This chapter takes a look at the roles of risk capital and at how
risk capital can be attributed to business lines as part of a risk-
adjusted performance measurement (RAPM) system. RAPM rep­
resents a key challenge for financial institutions and nonfinancial
firms around the world today. Only by forging a connection
between risk measurement, risk capital, risk-based pricing, and
performance measurement can firms ensure that the decisions
they take reflect the interests of stakeholders such as bondhold­
ers and shareholders.
12.1 WHAT PURPOSE DOES RISK
CAPITAL SERVE?
Risk capital is the cushion that provides protection against the
various risks inherent in the business of a corporation so that
the firm can maintain its financial integrity and remain a going
concern even in the event of a near-catastrophic worst-case
scenario. Risk capital gives essential confidence to the corpora­
tion's stakeholders, such as suppliers, clients, and lenders (for an
industrial firm), or claimholders, such as depositors and counter­
parties in financial transactions (for a financial institution).
Risk capital is often called eco n o m ic capital, and in most
instances the generally accepted convention is that risk capital
and economic capital are identical (although later in this chapter
we introduce a slight wrinkle by defining economic capital as
risk capital plus strategic capital).
We should be careful not to confuse the concept of risk capital,
which is intended to capture the economic realities of the risks a
firm runs, and regulatory capital. First, regulatory capital only
applies to a few regulated industries, such as banking and insur­
ance companies, where regulators are trying to protect the
interests of small depositors or policy holders. Second, while
regulatory capital performs something of the same function as
risk capital in the regulators' eyes, it is calculated according to a
set of industrywide rules and formulas and sets only a minimum
required level of capital adequacy. It rarely succeeds in captur­
ing the true level of risk in a firm—the gap between a firm's reg­
ulatory capital and its risk capital can be quite wide.
Furthermore, even if regulatory and risk capital are similar num­
bers at the level of the firm, they may not be similar for each
constituent business line (i.e., regulatory capital may suggest
that an activity is much riskier than management believes to be
the case, or vice versa).1
This leads to various conundrums in allocating capital and capital costs
A
to business lines. For example, some practitioners square the circle by
allocating the higher of regulatory capital or economic capital to the
business line.
184 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
The new regulatory capital requirements imposed by Basel III
make it likely that for some activities, such as securitization,
regulatory capital may end up much higher than economic capi­
tal. Still, economic capital calculation is essential for senior man­
agement as a benchmark to assess the economic viability of the
activity for the financial institution. When regulatory capital is
much larger than economic capital, then it is likely that over time
the activity will migrate to the shadow banking sector, which can
price the transactions at a more attractive level.
Risk capital measurement is based on the same concepts as the
value-at-risk (VaR) calculation methodology. Indeed, risk capital
numbers are often derived from, or supported by, sophisticated
internal VaR models. However, the choice of the confidence
level and time horizon when using VaR to calculate risk capital
are key policy parameters that should be set by senior manage­
ment (or the senior risk management committee). Usually, these
decisions should be endorsed by the board.
Risk capital should be calculated in such a way that the institu­
tion can absorb unexpected losses up to a level of confidence in
line with the requirements of the firm's various stakeholders. No
firm can offer its stakeholders a 100 percent guarantee (or confi­
dence level) that it holds enough risk capital to ride out any
eventuality. Instead, risk capital is calculated at a confidence
level set at less than 100 percent— say, 99.9 percent for a firm
with conservative stakeholders. In theory, this means that there
is a probability of around 1/10 of 1 percent that actual losses will
exceed the amount of risk capital set aside by the firm over the
given time horizon (generally one year).2 The exact choice of
confidence level is typically associated with some target credit
rating from a rating agency such as Moody's, Standard & Poor's,
and Fitch as these ratings are themselves explicitly associated
with a probability of default. It should also be in line with the
firm's stated risk appetite.
12.2 EMERGING USES OF RISK
CAPITAL NUMBERS
Risk capital is traditionally used to answer the question, "How
much capital is required for our firm to remain solvent, given our
risky activities?" As soon as a firm can answer this question, it
can move on to solve many other management problems.
Recently, therefore, risk capital numbers have been used to
answer more and more questions, particularly in banks and
2 In reality, risk capital model suffers from the model risks we discussed
in Chapter 10, and the results require careful interpretation. Most firms
use the output of their capital model as one key input into a wider set of
judgments about the amount of capital the firm should hold.
 BOX 12.1 WHY IS ECONOMIC CAPITAL SO IMPORTANT TO FINANCIAL
INSTITUTIONS?
Allocating risk capital using economic capital approaches is
important for financial institutions for at least four reasons.
First, capital is primarily used in a financial institution not only
to provide funding for investments (as for a manufacturing
corporation) but also to absorb risk. The fundamental reason
for this is that financial institutions can leverage themselves
to a much higher degree than other corporations at a much
lower cost without raising equity, by taking retail deposits
or issuing debt securities. (Their debt-to-equity ratio might
be as high as 20 to 1, compared to perhaps 2 to 1 for an
industrial corporation.) Moreover, many activities undertaken
by financial institutions, such as derivatives trading, writing
guarantees, issuing letters of credit, and other contingent
commitments, do not require significant financing. Yet all
these activities draw to some extent on the bank's stock of
risk capital, and therefore a risk capital cost must be imputed
to each activity.
This brings us to the second reason: a bank's target solvency
is a vital part of the product the bank is selling. In contrast
to an industrial company, the primary customers of banks
and other financial institutions are also their primary liabil­
ity holders— e.g., depositors, derivatives counterparties,
insurance policy holders, and so on. These customers are
concerned about default risk on contractually promised pay­
ments. Customers make deposits with the expectation that
the safety of their deposits does not depend on the eco­
nomic performance of the bank. In over-the-counter markets,
institutions are concerned about counterparty risk: a bank
other financial institutions.3 (Box 12.1 explains why risk-based
calculations are so important for financial institutions.) These
new uses include:
• Perform ance m easurem ent and incentive com pensation at
the firm, business unit, and individual levels. Risk capital can
be plugged into risk-based capital attribution systems, often
grouped together under the acronym RAPM (risk-adjusted
performance measurement) or RARO C (risk-adjusted return
on capital). These systems, a key focus of this chapter, pro­
vide both management and external stakeholders with a risk-
adjusted measure of performance of various businesses. The
measure can be used to compare the economic profitability,
as opposed to the accounting profitability (such as return on
book equity) of different activities. At the same time, RAROC
3 For an informal survey of how firms use economic capital and RAROC,
see T. Baer et. al., The Use o f Economic Capital in Performance Man­
agement for Banks: A Perspective, McKinsey Working Papers on Risk,
No. 24, January 2011.
Chapter 12 Risk Capital Attribution and Risk-Adjusted Performance Measurement
with a poor credit rating will find itself excluded from many
markets. Maintaining good creditworthiness is therefore an
ongoing cost of doing business for a bank.
Third, although bank creditworthiness is critical, banks are
also highly opaque institutions. Banks use proprietary tech­
nology for pricing and hedging financial instruments, espe­
cially complex financial transactions. A typical bank's balance
sheet is relatively liquid and can change very quickly. Any
outside assessment of the creditworthiness of a bank is there­
fore difficult to develop and rapidly becomes obsolete (as
the risk profile of the bank keeps on changing). Maintaining
enough risk capital and implementing a strong risk manage­
ment culture allows the bank to reduce these "agency costs"
by convincing external stakeholders, including rating agen­
cies, of the bank's financial integrity.
Fourth, banks operate in highly competitive financial mar­
kets. Increasingly, this makes bank profitability very sensitive
to the bank's cost of capital. Banks don't want to carry too
much risk capital, because risk capital represents the money
invested in the bank that does not have to be repaid under
any fixed contractual agreement (e.g., equity capital). This
flexibility, which allows risk capital to act as a safety buffer for
the bank if times are hard, means that risk capital is relatively
expensive to raise and hold (e.g., compared to debt capital).
But banks can't carry too little risk capital, for reasons we've
already made clear. So understanding the dynamic balance
between the capital the bank carries and the riskiness of its
activities is very important.
numbers can be used as part of scorecards to compensate
the senior management of particular business lines, as well as
the infrastructure group, for their contribution to shareholder
value. Since the 2007-2009 financial crisis, firms have laid a
greater emphasis on compensation schemes that adjust for
risk in some manner (as well as on complementary mecha­
nisms such as deferral periods and clawbacks).
• A ctive p o rtfo lio m anagem ent for entry/exit d ecision s. The
decision to enter or exit a particular business should be
based on both risk-adjusted performance measurement and
the "risk diversification effect" of the business. For example,
a firm that is focused on corporate lending in a particular
region is likely to find that its returns fluctuate in accordance
with that region's business cycle. Ideally, the firm might
diversify its business geographically or in terms of business
activity. Capital management decisions seek an answer to the
question, "How much value will be created if the decision is
taken to allocate resources to a new or existing business, or
alternatively to close down an activity?"
■ 185
• Pricing transactions. Risk capital numbers can be used to
calculate risk-based pricing for individual transactions.
Risk-based pricing is attractive because it ensures that a
firm is compensated for the economic risk generated by a
transaction. For example, common sense tells us that a loan
to a non-investment-grade firm that is in relatively fragile
financial condition must be priced higher than a loan to an
investment-grade firm. However, the am ount of the differ­
ential can be determined only by working out the amount of
expected loss and the cost of the risk capital that has to be
set aside for each transaction. Trading and corporate loan
desks in many banks rely on the "marginal economic capital
requirement" component in the RARO C calculation to price
deals in advance— and to decide whether those deals will
increase shareholder value rather than simply add to the vol­
ume of transactions.
One problem is that a single measure of risk capital cannot
accommodate the four different purposes that we have just
described. We'll look at the solution to this later on.
12.3 RAROC: RISK-ADJUSTED RETURN
ON CAPITAL
RAROC is an approach— simple at the conceptual level— that is
used to allocate risk capital to business units and individual trans­
actions for the purpose of measuring economic performance.
Originally proposed by Bankers Trust in the late 1970s, the
approach makes clear the trade-off between risk and reward for
BOX 12.2 RAPM (RISK-ADJUSTED PERFORMANCE MEASUREMENT) ZOOLOGY
It's long been recognized that traditional accounting-based
measures of performance at the consolidated level and for
individual business units, such as return on assets (ROA) or
return on book equity (ROE), fail to capture the risk of the
underlying activity. The amounts of both book assets and
book equity, which are accounting measures, are poor prox­
ies for risk measures. Furthermore, accounting income misses
some critical risk adjustments, such as expected loss.
RAPM (risk-adjusted performance measurement) is a generic
term describing all the techniques used to adjust returns for
the risk incurred in generating those returns. It encompasses
many different concepts, risk adjustments, and performance
measures, with RARO C being the form that is most widely
used in the banking sector. These RAPM measures are not
fully consistent with one another. In the main text, we pro­
pose an adjusted RARO C measure that is consistent with the
capital asset pricing model (CAPM) and, therefore, with the
NPV measure defined here.
186 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
a unit of capital and, therefore, offers a uniform and comparable
measure of risk-adjusted performance across all business activi­
ties. If a business unit's RAROC is higher than the cost of the
bank's equity (the minimum rate of return on equity required by
the shareholders), then the business unit is deemed to be add­
ing value to shareholders. Senior management can use this mea­
sure to evaluate performance for capital budgeting purposes,
and as an input to the compensation for managers of business
units.
The generic RARO C equation is really a formalization of the
trade-off between risk and reward. It reads:
after-tax expected risk-adjusted net income
RAROC = t 77 |
econom ic capital
We can see that the RARO C equation employs economic
capital as a proxy for risk and after-tax expected risk-adjusted
net income as a proxy for reward. Later, we elaborate on how
to measure both the numerator and the denominator of the
RAROC equation, and on how to tackle the "hurdle-rate"
issue—that is, once we know our RARO C number, how do
we know if this number is good or bad from a shareholder's
perspective?
Before beginning this discussion, however, we must acknowl­
edge that the generic RARO C equation is one of a family of
approaches, all with strengths and weaknesses. The definition
of RARO C that we've just offered corresponds to industry prac­
tice and can be thought of as the traditional RARO C definition.
Box 12.2 presents several variants grouped under the label
RAPM (risk-adjusted performance measures).
• R A R O C (risk-adjusted return on capital ) = risk-adjusted
e x p e c te d n et in com e/econ om ic capital. RARO C makes
the risk adjustment to the numerator by subtracting a risk
factor from the return— e.g ., expected loss. RARO C also
makes the risk adjustment to the denominator by substi­
tuting economic capital for accounting capital.
• R O R A C (return on risk-adjusted capital ) = n et incom e/
eco n o m ic capital. RO RAC makes the risk adjustment
solely to the denominator. In practical applications,
P&L(profit and loss)
RO RAC -------------------------
VaR
• R O C (return on capital) = R O R A C . It is also called ROCAR
(return on capital at risk).
• R O R A A (return on risk-adjusted assets) = n et incom e/
risk-adjusted assets.
• R A R O A ( risk-adjusted return on risk-adjusted a ssets ) =
risk-adjusted e x p e c te d n et incom e/risk-adjusted assets.
 S (Sharpe ratio ) = (e x p e c te d return — risk-free rate)/
volatility. The ex post Sharpe ratio— i.e., that based on
actual returns rather than expected returns— can be
shown to be a multiple of R O C .1
N PV (n et p re se n t value ) = d isco u n te d value o f future
e x p e c te d cash flow s, using a risk-adjusted expected rate
of return based on the beta derived from the CAPM ,
where risk is defined in terms of the covariance of changes
in the market value of the business with changes in the
value of the market portfolio. In the CAPM , the definition
of risk is restricted to the systematic component of risk
that cannot be diversified away. For RARO C calculations,
the risk measure captures the full volatility of earnings,
systematic and specific. NPV is particularly well suited for
12.4 RAROC FOR CAPITAL BUDGETING
The decision to invest in a new project or a new business ven­
ture, or to expand or close down an existing business line,
has to be made before the true performance of the activity is
known— no manager has a crystal ball. When implementing the
generic after-tax RARO C equation for capital budgeting, indus­
try practice therefore interprets it as meaning
expected revenues - costs - expected losses
R A R O C - ~~ taxes + return on risk capital + / - transfers
econom ic capital
where
• E x p e c te d revenues are the revenues that the activity is
expected to generate (assuming no losses).
• C o sts are the direct expenses associated with running the
activity (e.g., salaries, bonuses, infrastructure expenses, and
so on).
• E x p e c te d lo sses, in a banking context, are primarily the
expected losses from default; they correspond to the loan
loss reserve that the bank must set aside as the cost of doing
business. Because this cost, like other business costs, is
priced into the transaction in the form of a spread over fund­
ing cost, there is no need for risk capital as a buffer to absorb
this risk. Expected losses also include the expected loss from
other risks, such as market risk and operational risk.
• Taxes are the expected amount of taxes imputed to the activ­
ity using the effective tax rate of the company.
• Return on risk capital is the return on the risk capital allo­
cated to the activity. It is generally assumed that this risk
capital is invested in risk-free securities, such as government
bonds.
Chapter 12 Risk Capital Attribution and Risk-Adjusted Performance Measurement
ventures in which the expected cash flows over the life of
the project can be easily identified.
• EVA (econ om ic value a d d ed ), or N IA C C (net incom e after
capital charge), is the after-tax adjusted net income less
a capital charge equal to the amount of economic capital
attributed to the activity, times the after-tax cost of equity
capital. The activity is deemed to add shareholder value,
or is said to be EVA positive, when its N IACC is positive
(and vice versa).12 An activity whose RARO C is above the
hurdle rate is also EVA positive.
1 See David Shimko, "See Sharpe or Be Flat," Risk 10(6), 1997, p. 33.
2 EVA is a registered trademark of Stern Stewart & Co.
• Transfers correspond to transfer pricing mechanisms, primar­
ily between the business unit and the treasury group, such as
charging the business unit for any funding cost incurred by
its activities and any cost of hedging interest rate and cur­
rency risks; it also includes overhead cost allocation from the
head office.
• Eco n o m ic capital is the sum of risk capital and strategic capi­
tal where
strategic risk capital = goodwill + burned-out capital
Our last bullet point deserves some explanation. Risk capital is the
capital cushion that the bank must set aside to cover the worst-
case loss (minus the expected loss) from market, credit, opera­
tional, and other risks, such as business risk and reputation risk, at
the required confidence threshold (e.g., 99 percent). Risk capital is
directly related to the value-at-risk calculation at the one-year time
horizon and at the institution's required confidence level.
Strategic risk capital refers to the risk of significant investments
about whose success and profitability there is high uncertainty.
If the venture is not successful, then the firm will usually face
a major write-off, and its reputation will be damaged. Cur­
rent practice is to measure strategic risk capital as the sum of
burned-out capital and goodwill. Burned-out capital refers to
the idea that capital is spent on, say, the initial stages of start­
ing up a business but the business may ultimately not be kicked
off due to projected inferior risk-adjusted returns. It should be
viewed as an allocation of capital to account for the risk of stra­
tegic failure of recent acquisitions or other strategic initiatives
built organically. This capital is amortized over time as the risk of
strategic failure dissipates. The goodwill element corresponds
to the investment premium— i.e., the amount paid above
the replacement value of the net assets (assets — liabilities)
when acquiring a company. (Usually, the acquiring company is
■ 187
prepared to pay a premium above the
E x p e c te d R e v e n u e s
fair value of the net assets because it - Cost____________
places a high value on intangible assets ^ E xpected Losses
- Taxes
that are not recorded on the target's bal­ + Return on
After-Tax Economic Capita Loss (Outside of the
ance sheet.) Goodwill is also depreciated Risk-Adjusted -♦-/-Transfer Confidence Level)
Expected Return
over time.

Some banks also allocate risk capital for RAROC =

Capital = Difference
unused risk limits, because risk capacity E c o n o m ic C a p it a l : = 150 bp
15 bp
that can be tapped at any moment by R is k C a p i t a l
165 bp
* Credit Risk -► Expevted Loss
the business units represents a poten­ * Market Risk Probability of Losses
tially costly facility (in terms of the adjust­ * Operational Risk Greater than This Amount is
* Etc. Equal to 1%
ments to risk capital the firm as a whole
S t r a t e g i c R is k C a p i t a l (Confidence Level of 99%)
might have to make if the credit line
were drawn upon). Figure 12.1 T h e R A R O C eq u atio n .
Figure 12.1 shows the linkage between a
risk loss distribution and the RARO C calculation. We show both the $1 billion in borrowed funds). $10 million is the expected
the expected loss— in this example, 15 basis points (bps)— and loss, and $3.75 million (= 0.05 X $75 million) is the return on
the worst-case loss, 165 bps, at the desired confidence level (in economic capital.
this example, 99 percent) for the loss distribution derived over
The RAROC for this loan portfolio is 14 percent. This number
a given horizon, say one year. The unexpected loss is, there­
can be interpreted as the annual after-tax expected rate of
fore, the difference between the total loss and the expected
return on equity needed to support this loan portfolio.
loss— that is, 150 bps at the 99 percent confidence level— over
a one-year horizon. The unexpected loss corresponds to the risk
capital allocated to the activity. 12.5 RAROC FOR PERFORMANCE
Now that we understand the trickiest part of the RAROC equa­ MEASUREMENT
tion, unexpected loss, we can look at a practical example of how
to plug numbers into the RAROC equation. We should emphasize at this point that RARO C was first sug­
gested as a tool for capital allocation on an anticipatory or ex
Let us assume that we want to identify the RAROC of a $1 billion
ante basis. Hence, e x p e c te d revenues and losses should be
corporate loan portfolio that offers a headline return of 9 percent.
plugged into the numerator of the RARO C equation for capital
The bank has an operating direct cost of $9 million per annum and
budgeting purpose. When RARO C is used for ex post, or after
an effective tax rate of 30 percent. We'll assume that the portfo­
the fact, performance evaluation, we can use realized revenues
lio is funded by $1 billion of retail deposits with a transfer priced
and realized losses, rather than expected revenues and losses, in
interest charge of 6 percent. Risk analysis of the unexpected
our calculation.
losses associated with the portfolio tells us that we need to set
economic capital of around $75 million (i.e., 7.5 percent of the
loan amount) against the portfolio. We know that this economic RAROC Horizon
capital must be invested in risk-free securities, rather than being
All of the quantities that we plug into the RARO C equation must
used to fund risky activities, and that the risk-free interest rate
be calculated on the basis of a particular time horizon, such as a
on government securities is 5 percent. The expected loss on this
one-year horizon or over the lifetime of a deal.4 Box 12.3
portfolio is assumed to be 1 percent per annum (i.e., $10 million).

If we ignore transfer price considerations, then the after-tax

RARO C for this loan is: 4 This chapter focuses on single-period RAROC models, while some
large banks have moved to a multiperiod RAROC modeling approach in
(9 0 - 9 - 6 0 - 10 + 3.75)(1 - 0.3) order to better measure RAROC over the life of long-running transac­
R A R O C = -------------------------- —-------------------------- tions and loans. However, major methodological issues are still unre­
/b
solved when the risk of a transaction, such as a swap, or a portfolio
= 0.14 = 14% changes substantially from one period to the next. In that case, which
amount of economic capital should be allocated to the transaction or
where $90 million is the expected revenue, $9 million is the the portfolio? Allocating some average amount of capital would lead to
operating cost, $60 million is the interest expense (6 percent of undercapitalization and overcapitalization depending on the period.

188 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
 BOX 12.3 RISK TYPES AND TIME HORIZONS
Risk capital can be characterized as the one-year value-at-risk Figure 12B.1 illustrates the calculation of risk capital when
exposure of the firm, at a confidence level consistent with the the core risk level is lower than the current risk position.
firm's target credit risk rating. But how does the time horizon in
Across every bank, there are many other activities that must
this characterization relate to the risk measurement approaches
be allocated capital in a way that is sensitive to time horizons.
for market risk, for credit risk, and for operational risk?
For example, the bank should allocate capital to cover the
For credit risk, there is a straightforward equivalence risk of options that are embedded in many of its products.
between the one-year VaR produced by credit portfolio The option to prepay a mortgage is one obvious example,
models, such as CreditM etrics or KMV, and risk capital. The but there are many subtle twists on the risks generated by
same is also true for operational risk: most internal models different types of products. For example, mortgage port­
used by institutions have a one-year horizon. Therefore, for folios in Canada often incur commitment risks. These arise
both credit risk and operational risk, there is no need for any because the consumer automatically receives the lowest
adjustment in the one-year VaR to determine risk capital. mortgage rate looking backward over a prescribed commit­
ment period, as a function of the specific type of mortgage.
However, this is not the case for market risk. For trading
In effect, the consumer has what derivatives practitioners call
businesses, market risk is measured using only short-term
a "look-back option." The seriousness of the commitment
horizons— one day for risk monitoring on a daily basis and 10
risk is governed by the length of the commitment period; it
days for regulatory capital. So how do we translate a one-day
represents the component that cannot be entirely eliminated
risk measure into one-year risk capital attribution?
by delta hedging (e.g., the basis risk between the whole­
One approach might be to use what is commonly called the sale rates and the mortgage rate). All these considerations
"square root of tim e" rule. That is, the risk analyst might need to be taken into account in determining the risk capital
approximate the one-year VaR by multiplying the one-day needed to support a Canadian mortgage business.
VaR by the square root of the number of business days in one
year— e.g., 252 days. If we did this, however, we'd be miss­
ing the point of risk capital. Risk capital is there to limit the VaR
risk of failure during a period of crisis, when the bank has
suffered huge losses. As a worst-case scenario unfolds, the
bank will naturally reduce its risk exposures in any way that
it can. In the case of a proprietary trading desk, with highly
liquid positions and no clients to service, this risk reduction
can take place very quickly indeed. For other activities, risk
can often be reduced only to a core risk level for the remain­
der of the year, defined as the minimum realistic size at
which the business can be considered to be a going concern
(i.e., can maintain its franchise).
Thus, to work out a meaningful one-year economic capital
allocation, we need to analyze the business in question so
that we can understand the tim e to red u ce from the current
risk position to the core risk level, which in turn reflects the
relative liquidity of positions during adverse market condi­ Risk capital = square root [sum of squares (100, 97.62, 95.24, ... , 52.38)
tions. Estimations of the time to reduce should not make the + 502 x 231]
assumption that there will be a fire sale, but instead assume = 839
a relatively orderly unwinding of positions. This can take = 52.8% x annualized VaR
where annualized VaR = 100 x square root (252)
considerable time in some markets, as firms discovered to
their cost in the 2007-2009 financial crisis. Fiaure 12B.1 Risk capital calculation fo r m arket risk.

discusses one problem that this brings up: how to harmonize the
different time horizons used to measure credit, market, and
operational risk. Practitioners usually adopt a one-year time hori­
zon, as this corresponds to the business planning cycle and is
also a reasonable approximation of the length of time it might
take to recapitalize the company if it were to suffer a major
unexpected loss.
However, the choice of a risk horizon for RARO C is somewhat
arbitrary. One could choose to measure the volatility of risk and
returns over a longer period of time, say 5 or 10 years, in order
to capture the full effect of the business cycle in measuring risk.
Calculating economic capital over a longer period of time does
not necessarily increase capital, as the level of confidence in any
firm's solvency that we require decreases as the time horizon

Chapter 12 Risk Capital Attribution and Risk-Adjusted Performance Measurement ■ 189

is extended. If this seems surprising, consider the probability
of default of an AA-rated firm to be around 3 basis points over
a one-year period; while this probability of default naturally
increases if we look at the same firm over a two-year or five-
year period, this increase clearly does not affect the one-year
credit rating of the firm. However, one of the practical chal­
lenges is that the risk and return data beyond one year may be
of low quality.
Default Probabilities: Point-in-Time (PIT)
vs. Through-the-Cycle (TTC)
A point-in-time (PIT) probability of default (PD), which is the
approach of KMV and other econom ic/structural approaches,
is reasonable for calculating near-term expected losses
(EL) and for pricing financial instruments that are subject to
credit risk. A through-the-cycle (TTC) PD, which is largely the
approach taken by the rating agencies, is more reasonable for
calculating econom ic capital, current profitability, and strate­
gic decisions regarding products, geographies, and new busi­
ness ventures.
The probability of a firm's staying in the same rating when
it is assessed using a PIT approach is smaller than when it is
assessed using a T TC approach. The T TC approach therefore
reduces the volatility of economic capital, compared to PIT
approaches. It is useful on a periodic basis to compare the
impact of using PIT PD versus T TC PD in the RARO C calculation
for both a normal part of the economic cycle and the worst part
of the cycle.
Confidence Level
We mentioned earlier that the confidence level in the economic
capital calculation should be consistent with the firm's target
credit rating. For exam ple, most banks today hope to obtain
an A A credit rating from the agencies for their debt offerings,
which implies a one-year probability of default of 3 to 5 basis
points. This, in turn, corresponds to a confidence level in the
range of 99.95 to 99.97 percent. We can think of this confi­
dence level as the quantitative expression of the risk appetite
of the firm.
Setting a lower confidence level may significantly reduce the
amount of risk capital allocated to an activity, especially when
the institution's risk profile is dominated by operational, credit,
and settlement risks (for which large losses occur only with some
rarity). Therefore, the choice of the confidence level can materi­
ally affect risk-adjusted performance measures and the resulting
capital allocation decisions of the firm.
190 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
BOX 12.4 TECHNICAL DISCUSSION:
CALCULATING THE HURDLE RATE
Most firms use a single hurdle rate, hAT, for all business
activities, based on the after-tax weighted-average cost of
equity capital:
CE x + P E x r DP
r rP___________________________________
r E
AT~ C E + PE
where C E and PE denote the market value of common
equity and preferred equity, respectively, and rCE and
rPE are the cost of common equity and preferred equity,
respectively.
The cost of preferred equity is simply the yield on the firm's
preferred shares. The cost of common equity is determined
via a model such as the capital asset pricing model:
r CE = rf + " O
where ry is the risk-free rate, RM is the expected return on
the market portfolio, and /3Ce is the firm's common equity
market beta.
Hurdle Rate and Capital Budgeting
Decision Rule
Most firms use a single hurdle rate for all business activities:
the after-tax weighted-average cost of equity capital. Box 12.4
explains in more technical detail how this hurdle rate is calcu­
lated. The hurdle rate should be reset periodically, say every six
months, or when it has changed by more than 10 percent.
When a firm is considering investing in a business or closing
down an activity, it computes the after-tax RARO C for the busi­
ness or activity and compares it to the firm's hurdle rate. In
theory, the firm can then apply a simple decision rule:
• If the RARO C ratio is greater than the hurdle rate, the activity
is deemed to add value to the firm.
• In the opposite case, the activity is deemed to destroy value
for the firm and the activity should be closed down or the
project rejected.
However, one can show that applying this simple rule can lead
to a firm's accepting high-risk projects that will lower the value
of the firm and rejecting low-risk projects that will increase the
value of the firm .5 High-risk projects, such as oil exploration, are
characterized by very volatile returns, while low-risk projects,
such as properly risk-managed retail banking, produce steady
revenues with low volatility.
5 See Michel Crouhy, Stuart Turnbull, and Lee Wakeman, "Measuring
Risk-Adjusted Performance," Journal of Risk 2(1), 1999, pp. 5-35.

BOX 12.5 ADJUSTING RAROC
FOR THE RISK OF RETURNS
Ideally, we would like to adjust the traditional RAROC
calculation to obtain a RARO C measure that takes into
account the systemic riskiness of returns, and for which the
hurdle rate (the critical benchmark above which a business
adds value) is the same across all business lines. To correct
the inherent limitations of the traditional RARO C measure,
let's adjust the RARO C ratio as follows:
Adjusted RA RO C = RA RO C - - rf )
where RM is the expected rate of return on the market
portfolio, rf denotes the risk-free interest rate— say, the
interest rate paid on three-month Treasury bills— and /3E is
the beta of the equity of the firm. The new decision rule is:
A ccept (re je ct) projects whose adjusted
R A R O C is greater (sm aller) than rf
The risk adjustment, (3{Rm — rf), is the excess return above
the risk-free rate required to compensate the sharehold­
ers of the firm for the nondiversifiable systematic risk they
bear when investing in the activity, assuming that the
shareholders hold a well-diversified portfolio. When the
returns are thus adjusted for risk, the hurdle rate becomes
the risk-free rate.
To overcome this, we need to make an important adjustment
to the RARO C calculation so that the systematic riskiness of the
returns from a business activity is fully captured by the decision
rule (see Box 12.5).
Diversification and Risk Capital
The risk capital for a particular business unit within a larger firm
is usually determined by viewing the business on a stand-alone
basis, using the top-of-the-house hurdle rate that we discussed
earlier. However, intuition suggests that the risk capital for the
firm should be significantly less than the sum of the stand-alone
risk capital of the individual business units, because the returns
generated by the various businesses are unlikely to be perfectly
correlated.6
Measuring the true level of this "diversification effect" is
extremely problematic. As of today, there is no fully integrated
VaR model that can produce the overall risk capital for a firm,
6 It should be noted that from a purely economic point of view, disre­
garding strategic considerations, the decision to enter or exit a business
activity should be based on the risk and return parameters of the single
business activity.
Chapter 12 Risk Capital Attribution and Risk-Adjusted Performance Measurement
taking into account all the correlation effects between market
risk, credit risk, and operational risk across all the business units
of a company. Instead, banks tend to adopt a bottom-up decen­
tralized approach, under which distinct risk models are run for
each portfolio or business unit.
For capital adequacy purposes, running these business-specific
models at the confidence level targeted at the top of the house,
for example 99.97 percent, produces an unnecessarily large
amount of overall risk capital, precisely because it neglects
diversification effects (across both risk types and business
activities). It is therefore common practice to adjust for the
diversification effects by lowering the confidence level used
at the business level to, say, 99.5 percent or lower— an adjust­
ment that is necessarily more of an educated guess than a strict
risk calculation.
If this sounds unsatisfactory, we can at least put some boundar­
ies around the problem. The aggregate VaR figure obtained
by this approach should fall in between the two extreme cases
of perfect correlation and zero correlation between risk types
and across businesses. For example, ignoring business risk,
reputation risk, and strategic risk, for illustrative purposes, sup­
pose that we've calculated the risk capital for each type of risk
as follows:
Market risk = $ 2 0 0
Credit risk = $700
Operational risk = $ 3 0 0
Then aggregate risk capital at the top of the house is either
Simple summation of the three risks
(perfect correlation) = $1,200
or
Square root of the sum of squares of the three risks
(zero correlation) = $787
We can say with some confidence, therefore, that any proposed
approach for taking diversification effects into account should
produce an overall VaR figure in the range of $787 to $1,200.
While the simple logic of our boundary setting makes sense,
these boundaries are pretty wide! They also leave us with the
reverse problem: how do we allocate any diversification benefit
that we calculate for the business as a whole back to the busi­
ness lines? The allocation of the diversification effect can be
important for certain business decisions, such as determining
the performance of each unit.
Logically, a business whose operating cash flows are strongly
correlated with the earnings of the other activities in the firm
should require more risk capital than a business with the same
■ 191
 Combination of Economic Marginal Marginal
Businesses Capital Business Economic Capital
X +Y $100
X X
$60 $40
Y $70 Y $30
Diversification $30 Total $70
Effect
F ig u re 1 2 .2 D iversificatio n effect.
volatility whose earnings move in a countercyclical fashion.
Bringing together countercyclical business lines produces stable
earnings for the firm as a whole; the firm can then operate to
the same target credit rating with less risk capital.
In truth, institutions continue to struggle with the problem of
attributing capital back to business lines, and there are diverg­
ing views as to the appropriate approach. For the moment, as a
practical solution, most institutions allocate the portfolio effect
pro rata with the stand-alone risk capital.
Diversification effects also complicate matters within busi­
ness units. Let's look at this and other issues in relation to an
example business unit, BU, which comprises two activities, X
and Y (Figure 12.2). When calculating the risk capital of the busi­
ness unit, let's assume that the firm's risk analysts have taken
into account all the diversification effects created by combining
activities X and Y and that the risk capital for BU is $100. The
complication starts when we try to allocate risk capital at the
activity level within the business unit. There are three different
measures of risk capital:
• Stand-alone capital is the capital used by an activity taken
independently of the other activities in the same business
unit— that is, risk capital calculated without any diversification
benefits. In our example, the stand-alone capital for X is $60
and that for Y is $70. The sum of the stand-alone capitals of
the individual constituents of the business unit is generally
higher than the stand-alone risk capital of the business unit
itself (it is equal only in the case of perfectly correlated activi­
ties X and Y) .
• Fully d iversified capital is the capital attributed to each
activity X and Y, taking into account all diversification
benefits from combining them under the same leader­
ship. In our example, the overall portfolio effect is $30
($60 + $70 — $100). Allocating the diversification effect is
an issue here. Following our earlier discussion, we'll allocate
the portfolio effect pro rata with the stand-alone risk capital,
$30 X 60/130 = $14 for X and $30 X 70/130 = $16 for Y, so
that the fully diversified risk capital becomes $46 for X and
$54 for Y.
192 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
• M arginal capital is the additional capital required by an
incremental deal, activity, or business. It takes into account
the full benefit of diversification. In our example, the mar­
ginal risk capital for X (assuming that Y already exists) is $30
($100 - $70), and the marginal risk capital for Y (assuming
that X already exists) is $40 ($100 — $60). In the case where
more than two activities are included in the business unit BU,
marginal capital is calculated by subtracting the risk capital
required for the BU without this business from the risk capital
required for the full portfolio of businesses. Note that the
summation of the marginal risk capital, $70 in our example, is
less than the full risk capital of the BU.
As this example shows, the choice of capital measure depends
on the desired objective. Fully diversified measures should be
used for assessing the solvency of the firm and minimum risk
pricing. Active portfolio management or business mix decisions,
on the other hand, should be based on marginal risk capital,
taking into account the benefit of full diversification. Finally,
performance measurement should involve both perspectives:
stand-alone risk capital for incentive compensation, and fully
diversified risk capital to assess the extra performance gener­
ated by the diversification effects.
However, we must be cautious about how generous we are in
attributing diversification benefits.7 Correlations between risk
factors drive the extent of the portfolio effect, and these corre­
lations tend to vary over time. During market crises, in particular,
correlations sometimes shift dramatically toward either 1 or —1,
reducing or totally eliminating portfolio effects for a period
of time.
12.6 RAROC IN PRACTICE
Economic capital is increasingly a key element in the assessment
of business line performance, in the decision to exit or enter a
business, and in the pricing of transactions. It also plays a critical
role in the incentive compensation plan of the firm. Adjusting
incentive compensation for risk in this way is important, because
managers tend to align their performance to maximize whatever
performance measures are imposed on them.
Needless to say, in firms in which RARO C has been imple­
mented, business units often challenge the risk management
function about the fairness of the amount of economic capital
attributed to them. The usual complaint is that their economic
7 For a discussion of the common economic capital aggregation tech­
niques and how they capture diversification benefits, see Range of
Practices and Issues in Economic Capital Frameworks, BIS, March 2009,
pp. 24-31.
capital attribution is too high (never that it is too low!). Another
complaint is that economic capital attribution is sometimes too
unstable— the numbers can move up and down in a way that is
disconcerting for a business trying to hit a target.
The best way to defuse this debate is for the RARO C group to
be transparent about the methodology used to assess risk and
to institute forums where the issues related to the determination
of economic capital can be debated and analyzed. From our
own experience, the VaR methodologies for measuring market
risk and credit risk that underpin RARO C calculations are gener­
ally well accepted by business units (although this is not yet true
for operational risk). It's the setting of the parameters that feed
into these models, and that drive the size of economic capital,
that causes acrimony.
Here are a number of recommendations for implementing a
RARO C system:
1. Sen io r m anagem ent com m itm ent. Given the strategic
nature of the decisions steered by a RAROC system, the
marching orders must come from the top management of
the firm. Specifically, the C EO and his or her executive team
should sponsor the implementation of a RARO C system and
should be active in the diffusion, within the firm, of a new
culture in which performance is measured in terms of con­
tribution to shareholder value. The message to push down
to the business lines is this: What counts is not how much
income is generated, but how well the firm is compensated
for the risks that it is taking on.
2. Com m unication and education. The RAROC group should
be transparent and should explain the RARO C methodol­
ogy not only to the business's heads but also to the busi­
ness line managers and the CFO 's office, in order to gain
acceptance of the methodology throughout all the manage­
ment layers of the firm.
3. O ngoing consultation. The firm should institute a forum such
as a "parameter review group" that periodically reviews the
key parameters that drive risk and economic capital. This
group, composed of key representatives from the business
units and the risk management function, will bring legiti­
macy to the capital allocation process. For credit risk, the
parameters that should be reviewed include probabilities
of default, credit migration frequencies, loss given default,
and credit line usage given default. These parameters evolve
over the business cycle and should be adjusted as more
data become available. An important issue to settle is the
choice of a historical period over which these parameters
are calibrated— i.e., should this be the whole credit cycle (in
order to produce stable risk capital numbers) or a shorter
period of time to make capital more procyclical (capital goes
Chapter 12 Risk Capital Attribution and Risk-Adjusted Performance Measurement
down when the credit environment improves and goes up
when it deteriorates)? For market risk, volatility and correla­
tion parameters should be updated at least every month,
using standard statistical techniques. Other key factors, such
as the core risk level and "time to reduce" (see Box 12.3),
should be reviewed on an annual basis. For operational risk,
the risk measurement approach is currently more judgmental
and, as such, more open to heated discussions!
4. Maintaining the integrity o f the process. A s with other risk
calculations, the validity of RAROC numbers depends critically
on the quality of the data about risk exposures and positions
collected from the management systems (e.g., in a trading
business, the front- and back-office systems). Only a rigorous
process of data collection and centralization can ensure accu­
rate risk and capital assessment. The same rigor should also
be applied to the financial information needed to estimate the
adjusted-return element of the RAROC equation. Data collec­
tion is probably the most daunting task in risk management.
But the best recipe for failure in implementing a RAROC sys­
tem is to base calculations on inaccurate and incomplete data.
The RAROC group should be accountable for the integrity of
the data collection process, the calculations, and the report­
ing process. The business units and the finance group should
be accountable for the integrity of the specific data that they
produce and feed into the RAROC system.
5. C om bine R A R O C with qualitative factors. Earlier in this
chapter, we described a simple decision rule for project
selection and capital attribution— i.e., accept projects where
the RARO C is greater than the hurdle rate. In practice,
other qualitative factors should be taken into consideration.
All the business units should be assessed in the context of
the two-dimensional strategic grid shown in Figure 12.3.
The horizontal axis of this figure corresponds to the RAROC
Quality of Earnings: Strategic Importance/Long-Term Growth Potentia
F ig u re 1 2 .3 S tra te g ic grid.
■ 193
 return calculated on an ex ante basis. The vertical axis
is a qualitative assessment of the quality of the earnings
produced by the business units. This measure takes into
consideration the strategic importance of the activity for
the firm, the growth potential of the business, the sustain­
ability and volatility of the earnings in the long run, and any
synergies with other critical businesses in the firm. Priority
in the allocation of balance sheet resources should be given
to the businesses in the upper right quadrant. A t the other
extreme, the firm should try to exit, scale down, or fix the
activities of businesses that fall into the lower left quadrant.
The businesses in the category "managed growth," in the
lower right quadrant, are high-return activities that have low
strategic importance for the firm. In contrast, businesses in
the category "investm ent," in the upper left quadrant, are
currently low-return activities that have high growth poten­
tial and high strategic value for the firm.
6 . Put an active capital m anagem ent p ro cess in place. Balance
sheet requests from the business units, such as economic cap­
ital, leverage ratio, liquidity ratios, and risk-weighted assets,
should be channeled to the RAROC group every quarter. Lim­
its are then set for economic capital, leverage ratio, liquidity
ratios, and risk-weighted assets based on the kind of analysis
we've discussed in this chapter. The treasury group often
reviews limits to ensure that they are consistent with fund­
ing limits. This limit-setting process is a collaborative effort,
with any disagreements about the amount of balance sheet
resources attributed to a business put to arbitration by the
senior executive team. Leverage ratios may restrain manage­
ment from growing the bank beyond a certain level, but this
in itself makes it more important that banks work every dollar
of capital hard— and RAROC analysis is one way to do this.
CONCLUSION
RARO C systems, developed first by large financial institutions,
are being implemented in smaller banks and other trading firms,
194 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Bank Management
Safety < ► Profitability
• Debt Holders • Shareholders
• Deposit Holders • Analysts
• Counterparties on Derivatives
• Transaction
• Regulators
• Deposits Insurance Company
• Rating Agencies
Fiq u re 1 2 .4 H ow R A R O C b alan ce s th e d e sire s
various sta k e h o ld e rs.
such as energy trading companies. W herever risk capital is an
important concern, RARO C balances the divergent desires of
the various external stakeholders, while also aligning them with
the incentives of internal decision makers (Figure 12.4). When
business units (or transactions) earn returns in excess of the
hurdle rate, shareholder value is created, while the allocated risk
capital indicates the amount of capital required to preserve the
desired credit rating.
RAROC information allows senior managers to better under­
stand where shareholder value is being created and where it is
being destroyed. It promotes strategic planning, risk-adjusted
profitability reporting and incentive compensation schemes,
proactive allocation of resources, better management of con­
centration risk, and better product pricing.
Because RAROC is not just a common language of risk, but a
quantitative technique, we can also think of a RAROC-based
capital budgeting process as akin to an internal capital market
in which businesses are competing with one another for scarce
balance sheet resources— all with the objective of maximizing
shareholder value. This makes RAROC a useful tool for capital
allocation, both for banks and for nonbank corporations.
Range of Practices
and Issues in
Economic Capital
Frameworks
Learning Objectives
After completing this reading you should be able to:

Within the economic capital implementation framework, Explain benefits and impacts of using an economic capital
describe the challenges that appear in: framework within the following areas:
Defining and calculating risk measures Credit portfolio management
Risk aggregation Risk based pricing
Validation of models Customer profitability analysis
Dependency modeling in credit risk Management incentives
■ Evaluating counterparty credit risk
■ Assessing interest rate risk in the banking book Describe best practices and assess key concerns for the
governance of an economic capital framework.
Describe the BIS recommendations that supervisors
should consider to make effective use of internal risk
measures, such as economic capital, that are not designed
for regulatory purposes.

E x c e rp t is rep rin ted by perm ission from the Basel C om m ittee on Banking Supervision.

195
13.1 EXECUTIVE SUMMARY
Economic capital can be defined as the methods or practices
that allow banks to consistently assess risk and attribute capital
to cover the economic effects of risk-taking activities. Economic
capital was originally developed by banks as a tool for capital
allocation and performance assessment. For these purposes,
economic capital measures mostly need to reliably and accu­
rately measure risks in a relative sense, with less importance
attached to the measurement of the overall level of risk or capi­
tal. Over time, the use of economic capital has been extended
to applications that require accuracy in estimation of the level of
capital (or risk), such as the quantification of the absolute level
of internal capital needed by a bank. This evolution in the use of
economic capital has been driven by both internal capital man­
agement needs of banks and regulatory initiatives, and has been
facilitated by advances in risk quantification methodologies and
the supporting technological infrastructure.
While there has been some convergence in the understand­
ing of key concepts of economic capital across banks with such
frameworks in place, the notion of economic capital has broad­
ened overtim e. This has occurred in terms of the underlying
risks (or building blocks) that are combined into an overall eco­
nomic capital framework and also in terms of the relative accep­
tance and use of economic capital across banks.
Economic capital can be analysed and used at various levels—
ranging from firm-wide aggregation, to risk-type or business-line
level, and down further still to the individual portfolio or expo­
sure level. Many building blocks of economic capital, therefore,
are complex and raise challenges for banks and supervisors.
In particular, Pillar 2 (supervisory review process) of the Basel
II Framework may involve an assessment of a banks' economic
capital framework. Accordingly, this paper makes recommen­
dations of particular interest to supervisors and bankers where
economic capital models are used in the supervisory dialogue.
In addition, supervisors have an interest in promoting robust,
transparent and effective risk management, which in many cases
requires an understanding of banks economic capital fram e­
works. Nevertheless, it is recognised that economic capital is a
business tool developed and used by individual institutions for
internal risk management purposes.
This paper emphasises the importance of understanding the
relationship between overall economic capital and its building
blocks, as well as ensuring that the underlying building blocks
(individual risk assessments) are measured in a consistent and
coherent fashion. The main body of the paper focuses on issues
associated with the overall economic capital process, rather
than on the component risks measured by economic capital.
196 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Therefore it covers issues related to the use and governance
of economic capital, the choice of risk measures, aggregation
of risk, and validation of economic capital. In addition, three
important building blocks of economic capital (dependency
modelling in credit risk, counterparty credit risk and interest
rate risk in the banking book) are examined in separate, stand­
alone annexes. This list of building blocks is chosen due to the
significance and complexity of the topics, and (with the excep­
tion of counterparty credit risk) partly because the topics are not
covered in Pillar 1 of the Basel II Framework. This list is by no
means exhaustive.
Use of Economic Capital and Governance
The robustness of economic capital and the governance and
controls surrounding the process have become more critical as
the use of economic capital has extended beyond relative risk
measurement and performance to the determination of the
adequacy of a bank's absolute level of capital.
The viability and usefulness of a bank's economic capital pro­
cesses depend critically on the existence of a credible com­
mitment or "buy-in" on the part of senior management to the
process. In order for this to occur, it is necessary for senior
management to recognise the importance of using economic
capital measures in conducting the bank's business. In addition,
adequate resources are required to ensure the existence of a
strong, credible infrastructure to support the economic capital
process. Economic capital model results should be transparent
and taken seriously in order to be useful for business decisions
and risk management. A t the same time, management should
fully understand the limitations of economic capital measures.
Moreover, senior management needs to take measures to help
ensure the meaningfulness and integrity of economic capital
measures. It should also seek to ensure that the measures com­
prehensively capture all risks and implicit and/or explicit man­
agement actions embedded in measurement processes are both
realistic and actionable.
Risk Measures
Banks use a variety of risk measures for economic capital pur­
poses with the choice of risk measure dependent on a number
of factors. These include the properties of the risk measure, the
risk- or product-type being measured, data availability, trade­
offs between the complexity and usability of the measure, and
the intended use of the risk measure. While there is general
agreement on the desirable properties a risk measure should
have, there is no singularly preferred risk measure for economic
capital purposes. All risk measures observed in use have
advantages and disadvantages which need to be understood
within the context of their intended application.
Risk Aggregation
One of the more challenging aspects of developing an eco­
nomic capital framework relates to risk aggregation.
Practices and techniques in risk aggregation are generally less
sophisticated than the methodologies that are used in measur­
ing individual risk components. They rely heavily on ad-hoc
solutions and judgment without always being theoretically
consistent with the measurement of the components. Most
banks rely on the summation of individual risk components
either equally-weighted (i.e., assuming no diversification or a
fixed percentage of diversification gains across all components)
or weighted by an estimated variance-covariance matrix that
represents the co-movement between risks. Few banks attempt
technically more sophisticated aggregation methods such as
copulas or even bottom-up approaches that build overall eco­
nomic estimates from the common relationship of individual risk
components to underlying factors.
Validation is a general problem with aggregation techniques.
Diversification benefits embedded in inter-risk aggregation
processes (including in the estimation of entries in the variance-
covariance matrix) are often based on (internal or external)
"expert judgm ent" or average industry benchmarks. These have
not been (and very often cannot be) compared to the actual his­
torical or expected future experience of a bank, due to lack of
relevant data.
Since individual risk components are typically estimated without
much regard to the interactions between risks (e.g., between
market and credit risk), the aggregation methodologies used
may underestimate overall risk even if "no diversification"
assumptions are used. Moreover, harmonisation of the measure­
ment horizon is a difficult issue. For example, extending the
shorter horizon applied to market risk to match the typically-
used annual horizon of economic capital assessments for other
types of risk is often performed by using a square root of time
rule on the economic capital measure. This simplification can
distort the calculation. Similar issues arise when risk measured
at one confidence level is then scaled to become (nominally)
comparable with other risk components measured at a different
confidence level.
Validation
Economic capital models can be complex, embodying many
component parts and it may not be immediately obvious that
Chapter 13 Range of Practices and Issues in Economic Capital Frameworks
a complex model works satisfactorily. Moreover, a model may
embody assumptions about relationships between variables or
about their behaviour that may not hold in all circumstances
(e.g., under periods of stress). Validation can provide a degree
of confidence that the assumptions are appropriate, increasing
the confidence of users (internal and external to the bank) in
the outputs of the model. Additionally, validation can be also
useful in identifying the limitations of economic capital models,
i.e., where embedded assumptions do not fit reality.
The validation of economic capital models is at a very prelimi­
nary stage. There exists a wide range of validation techniques,
each of which provides evidence for (or against) only some of
the desirable properties of a model. Moreover, validation tech­
niques are powerful in some areas such as risk sensitivity but not
in other areas such as overall absolute accuracy or accuracy in
the tail of the loss distribution. Used in combination, particularly
in combination with good controls and governance, a range of
validation techniques can provide more substantial evidence for
or against the performance of the model. There appears to be
scope for the industry to improve the validation practices that
shed light on the overall calibration of models, particularly in
cases where assessment of overall capital is an important appli­
cation of the model.
Dependency Modelling in Credit Risk
Portfolio credit risk models form a significant component of
most economic capital frameworks. A particularly important and
difficult aspect of portfolio credit risk modelling is the modelling
of the dependency structure, including both linear relationships
and non-linear relationships, between obligors. Dependency
modelling is an important link between the Basel II risk weight
function (with supervisory imposed correlations) and portfolio
credit risk models which rely on internal bank modelling of
dependencies. Understanding the way dependencies are mod­
elled is important for supervisors when they examine a bank's
internal capital adequacy assessment process (ICAAP) under
Pillar 2, since these dependency structures are not captured in
regulatory capital measures.
The underlying methodologies applied by banks in the area of
dependency modelling in credit risk portfolios have not changed
much over the past ten years. Rather, improvements have been
made in the infrastructure supporting the methodologies (e.g.,
improved databases) and better integration with internal risk
measurement and risk management. The main concern in this
area of economic capital continues to centre on the accuracy
and stability of correlation estimates, particularly during times of
stress. The correlation estimates provided by current models still
depend heavily on explicit or implicit model assumptions.
■ 197
Counterparty Credit Risk
The measurement and management of counterparty credit risk
creates unique challenges for banks. Measurement of counter­
party credit risk represents a complex exercise, as it involves
gathering data from multiple systems; measuring exposures
from potentially millions of transactions (including an increas­
ingly significant percentage that exhibit optionality) spanning
variable time horizons ranging from overnight to thirty or more
years; tracking collateral and netting arrangements; and cat­
egorising exposures across thousands of counterparties.
This complexity creates unique market-risk-related challenges
(requiring calculations at the counterparty level and over mul­
tiple and extended holding periods) and credit risk-related
challenges (estimation of credit risk parameters for which the
institution may not have any other exposures). In addition,
wrong-way risk, operational risk-related challenges, differences
in treatment between margined and non-margined counterpar­
ties, and a range of aggregation challenges need to be over­
come before a firm can have a bank-wide view of counterparty
credit risk for economic capital purposes. Banks usually employ
one of two general modelling approaches to quantify coun­
terparty credit risk exposures, a value-at-risk (VaR)-type model
or a Monte Carlo Simulation approach. The decision of which
approach to use involves a variety of trade-offs. The VaR-type
model cannot produce a profile of exposures over time, which
is necessary for counterparties that are not subject to daily
margining agreements, whereas the simulation approach uses
a simplified risk factor representation and may therefore be
less accurate. While these models may be supplemented with
complementary measurement processes such as stress testing,
such diagnostics are frequently not fully comprehensive of all
counterparty credit risk exposures.
Interest Rate Risk in the Banking Book
The main challenges in the calculation of economic capital for
interest rate risk in the banking book relate to the long holding
period for balance sheet assets and liabilities and the need to
model indeterminate cash flows on both the asset and liability
side due to embedded optionality in many banking book items.
If not adequately measured and managed, the asymmetrical
payoff characteristics of instruments with embedded option fea­
tures can present risks that are significantly greater than the risk
measures suggest.
The two main techniques for assessing interest rate risk in the
banking book are repricing schedules (gap and duration analy­
ses) and simulation approaches. Although commonly used, the
simple structure and restrictive assumptions make repricing
198 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
schedules less suitable for the calculation of economic capital.
Most banks use simulation approaches for determining their
economic capital, based on losses that would occur given a set
of worst case scenarios. The magnitude of such losses and their
probability of occurrence determine the amount of economic
capital. The choice of the techniques depends on the bank's
preference towards either economic value or earnings, and
also on the type of business. Some businesses, such as com­
mercial lending or residential mortgage lending, are managed
on a present value basis, while others such as credit cards are
managed on an earnings basis. The use of an earnings based
measure creates aggregation challenges when other risks are
measured on the basis of economic capital. Conversely, the use
of an economic value based approach may create inconsisten­
cies with business practices.
Summary
Economic capital modelling and measurement practices
continue to evolve. In some aspects, practices have converged
and become more consistent over time, however the notion of
economic capital has broadened as its use has expanded. There
remain significant methodological, implementation and business
challenges associated with the application of economic capital in
banks, particularly if economic capital measures are to be used
for internal assessments of capital adequacy. These challenges
relate to the overall architecture of economic capital modelling
and to the underlying building blocks.
13.2 RECOMMENDATIONS*1
Economic capital models and the overall frameworks for their
internal use can provide supervisors with information that is
complementary to other assessments of bank risk and capital
adequacy. While there is benefit from engaging with banks on
the design and use of the models, supervisors should guard
against placing undue reliance on the overall level of capital
implied by the models in assessing capital adequacy. The follow­
ing recommendations identify issues that should be considered
by supervisors in order to make effective use of internal mea­
sures of risk that are not designed for regulatory purposes.
1. Use of economic capital models in assessing capital
adequacy. A bank using an economic capital model in its
dialogue with supervisors, should be able to demonstrate
how the economic capital model has been integrated into
the business decision-making process in order to assess
its potential impact on the incentives affecting the bank's
strategic decisions about the mix and direction of inherent
 risks. The bank's board of directors should also be able to
demonstrate conceptual awareness and understanding of
the gap between gross (stand alone) and net enterprise
wide (diversified) risk when they define and communicate
measures of the bank's risk appetite on a net basis.
2. Senior management. The viability, usefulness, and ongoing
refinement of a bank's economic capital processes depend
critically on the existence of credible commitment or "buy-
in" on the part of senior management to the process. In
order for this to occur, senior management should recog­
nise the importance of using economic capital measures
in conducting the bank's business and capital planning,
and should take measures to ensure the meaningfulness
and integrity of economic capital measures. In addition,
adequate resources should be committed to ensure the
existence of a strong, credible infrastructure to support the
economic capital process.
3. Transparency and integration into decision-making. A
bank should effectively document and integrate economic
capital models in a transparent way into decision-making.
Economic capital model results should be transparent and
taken seriously in order to be useful to senior management
for making business decisions and for risk management.
A bank should take a careful approach to its use of eco­
nomic capital in internal assessments of capital adequacy.
For this purpose, greater emphasis should be placed on
achieving robust estimates of stand-alone risks on an abso­
lute basis, as well as developing the flexible capacity for
enterprise-wide stress testing.
4. Risk identification. Risk measurement begins with a robust,
comprehensive and rigorous risk identification process. If
relevant risk drivers, positions or exposures are not cap­
tured by the quantification engine for economic capital,
there is great room for slippage between inherent risk and
measured risk.
Not all risks can be directly quantified. Material risks that
are difficult to quantify in an economic capital framework
(e.g., funding liquidity risk or reputational risk) should be
captured in some form of compensating controls (sensitivity
analysis, stress testing, scenario analysis or similar risk con­
trol processes).
5. Risk measures. All risk measures observed in use have
advantages and disadvantages which need to be under­
stood within the context of their intended application.
There is no singularly preferred risk measure for economic
capital purposes. A bank should understand the limitations
of the risk measures it uses, and the implications associated
with its choice of risk measures.
Chapter 13 Range of Practices and Issues in Economic Capital Frameworks
6. Risk aggregation. A bank's aggregation methods should
address the implications stemming from the definition and
measurement of individual risk components. The accuracy of
the aggregation process depends on the quality of the mea­
surement of individual risk components, as well as on the
interactions between risks embedded in the measurement
process. Aggregation of individual risk components often
requires the harmonisation of risk measurement parameters
such as the confidence level or measurement horizon.
Care must be taken to ensure that the aggregation meth­
odologies used (e.g., variance-covariance matrices, use of
broad market proxies, and simple industry averages of cor­
relations) are, to the extent possible, representative of the
bank's business composition and risk profile.
7. Validation. Economic capital model validation should be
conducted rigorously and comprehensively. Validation of
economic capital models should be aimed at demonstrating
that the model is fit for purpose. Evidence is likely to come
from multiple techniques and tests. To the extent that a
bank uses models to determine an overall level of economic
capital, validation tools should demonstrate to a reason­
able degree that the capital level generated by the model
is sufficient to absorb losses over the chosen horizon up to
the desired confidence level. The results of such validation
work should be communicated to senior management to
enhance economic capital model usage.
8. Dependency modelling in credit risk. Since the depen­
dency structures embedded in portfolio credit risk models
have an important impact on the determination of eco­
nomic capital needs for credit risk, banks should carefully
assess the extent to which the dependency structures they
use are appropriate for their credit portfolio. Banks should
identify and understand the main limitations of their credit
portfolio models and their implementation. They should
address those limitations by using adequate supplementary
risk management approaches (e.g., sensitivity analysis, sce­
nario analysis, timely review of parameters).
9. Counterparty credit risk. A bank should understand the
trade-offs involved in choosing between the currently used
methodologies for measuring counterparty credit risk. Com ­
plementary measurement processes such as stress testing
should also be used, though it should be recognised that such
approaches may still not fully cover all counterparty credit
risk exposures. The measurement of counterparty credit risk
is complex and entails unique market and credit risk related
challenges. A range of aggregation challenges needs to be
overcome before a firm can have a bank-wide view of coun­
terparty credit risk for economic capital purposes.
■ 199
10. Interest rate risk in the banking book. Close attention
should be paid to measuring and managing instruments
with embedded option features, which if not adequately
performed can present risks that are significantly greater
than suggested by the risk measure. Trade-offs between
using an earnings-based or economic value based approach
to measuring interest rate risk in the banking book need to
be recognised. The use of an earnings based measure cre­
ates aggregation challenges when other risks are measured
on the basis of economic value. Conversely, the use of an
economic value based approach may create inconsistencies
with business practices.
13.3 INTRODUCTION1
Economic capital, which can be defined as the methods or prac­
tices that allow financial institutions to consistently assess risk
and to attribute capital to cover the economic effects of risk­
taking activities, has increasingly become an accepted input into
decision-making at various levels within banking organisations.
Economic capital measures may be one of several key factors
used to inform decision-making in areas such as profitability,
pricing, and portfolio optimisation— particularly at the business­
line level. Economic capital measures may also feed into senior
management decisions relating to issues such as acquisitions
and divestitures. Such measures are also used, primarily at the
consolidated entity level, to assess overall capital adequacy. The
increased use of economic capital by banks has been driven by
rapid advances in risk quantification methodologies, greater
complexity and sophistication of banks' portfolios, and super­
visory expectations that banks must develop internal processes
to assess capital adequacy, beyond regulatory capital adequacy
guidelines that are not designed to fully reflect all the underly­
ing material risks in a given bank's business activities.
Across banks there has been a narrowing in the range of defini­
tions and treatment of the majority of risks that form the build­
ing blocks of economic capital models, particularly the risks that
are more readily quantifiable. At the same time, however, the
notion of economic capital is broadening in terms of the risks
that it encompasses and the extent to which it is gaining accep­
tance across banks. That is, the inputs (or risks) that feed into
the measurement of economic capital are subject to ongoing
change and evolution.
1 This paper was prepared by the Basel Committee's Risk Management
and Modelling Group (RMMG). The RMMG comprises risk management
specialists and supervisors from member countries within and outside
the Basel Committee. The RMMG has developed its views based on
information sourced from a wide range of presentations and documents
provided by banks, supervisors and other industry participants.
200 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Many banks appear to be sufficiently comfortable in using their
economic capital framework in discussions with external stake­
holders. Moreover, to varying degrees of granularity, banks have
in recent years disclosed qualitative and quantitative aspects of
their economic capital, including economic capital model
descriptions, risk thresholds, methodologies for particular risks,
use of economic capital, capital allocation by risk type and busi­
ness units, and diversification estim ates.2
Despite the advances that have been made by banks in devel­
oping their economic capital models, the further use and rec­
ognition of risk measures derived from these models remain
subject to significant methodological, implementation and busi­
ness challenges. These challenges stem from:
• the wide variety of applications of economic capital models
(from business-line use to firm-wide decision-making to capi­
tal adequacy assessments);
• methodological challenges (particularly in the area of risk
aggregation, coverage of risks, validation challenges, and
risks that are not easily quantifiable);
• the ability of economic capital models to adequately reflect
business-line operating practices and therefore provide
appropriate incentives to business units;
• potential gaps in the coverage of risks (e.g., valuation risks in
structured credit products);
• the feasibility of any single risk measure to capture ade­
quately all the complex aspects of banking risks; and
• the ability of economic capital models to be extended from
being used as a common metric for relative risk measurement
and performance to the determination of the adequacy of
the absolute level of capital.
This paper provides an overview of the range of practices in
economic capital modelling at large banking organisations, and
based on this review discusses a range of issues and challenges
surrounding economic capital models. The paper also discusses
practices implemented by banks that attempt to address these
challenges, and supervisory concerns relating to the current
state of practice.
As economic capital has to varying degrees become a com­
ponent of many banks' internal capital adequacy assessment
processes (ICAAP), this paper is addressed to banks that have
implemented or are considering implementing economic capi­
tal into their internal processes. The paper is also addressed
to supervisors, who are required under Pillar 2 of the Basel II
Framework, to review and evaluate banks' internal capital ade­
quacy assessments.
2 See Samuel (2008).
The main body of this paper focuses on aspects of the overall
architecture of economic capital models. First, the paper cov­
ers the use of economic capital models and the governance and
control framework. Second, it reviews the range of risk measures
used by banks in their economic capital models. Next, it cov­
ers the range of practice in risk aggregation methods before
the paper moves to issues arising in the validation of economic
capital models. The main body of the paper therefore focuses on
issues that are at a level above that of individual risks. The paper
does not discuss the estimation of important building blocks of
economic capital models, such as the estimation of probability
of default (PD), loss given default (LGD) and exposure at default
(EAD) in credit risk models. This is not to say that estimation of
these parameters is simple or without issues. Rather, these issues
are outside the scope of this work and have been covered in
detail in other publications. Nevertheless, the annexes to this
chapter discuss three building blocks of economic capital models,
namely dependency modelling in credit risk, counterparty credit
risk and interest rate risk in the banking book. These topics are
given closer attention in this paper due to a combination of their
significance, inherent challenges and (with the exception of coun­
terparty credit risk) partly because the topics are not covered in
Pillar 1 (minimum capital requirements) of the Basel II Framework.
Should the need arise, further work on other significant elements
of economic capital may be undertaken in the future.
Finally, it is worth noting that this work was initiated well before
the market turmoil that began in August 2007. This paper there­
fore examines general issues that are deemed to be relevant for
economic capital modelling. It does not attempt to analyse or
assess the performance of economic capital models during the
market turmoil.
13.4 USE OF ECONOMIC CAPITAL
MEASURES AND GOVERNANCE
In order to achieve a common measure across all risks and busi­
nesses, economic capital is often parameterised as an amount
of capital that a bank needs to absorb unexpected losses over
a certain time horizon at a given confidence level. Because
expected losses are accounted for in the pricing of a bank's
products and loan loss provisioning, it is only unexpected losses
that require economic capital. Economic capital analysis typically
involves an identification of the risks from certain activities or
exposures, an attempt to measure and quantify those risks, the
aggregation of those risks, and an attribution or allocation of
capital to those risks.
Historically, banks have followed a path in their use of eco­
nomic capital that begins with (i) business unit-level portfolio
Chapter 13 Range of Practices and Issues in Economic Capital Frameworks
measurement and pricing profitability analysis followed by
(ii) enterprise-wide relative performance measurement that
migrates to capital budgeting/planning, acquisition/divestiture
analysis, external reporting and internal capital adequacy assess­
ment processes.
Business-Level Use
The effective use of economic capital at the business-unit level
depends on how relevant the economic capital allocated to
or absorbed by a business unit is with respect to the decision­
making processes that take place within it. Frequently, the
success or failure of an economic capital framework in a bank
can be assessed by looking at how business line managers
perceive the constraints economic capital imposes and the
opportunities it offers in the following areas: (i) credit portfolio
management; (ii) risk-based pricing; (iii) customer profitability
analysis, customer segmentation, and portfolio optimisation;
and (iv) management incentives.
Credit Portfolio Management
Credit portfolio management refers to activities in which banks
assess the risk/return profiles of credit portfolios and enhance
their profitability through credit risk transfer transactions and/
or control of the loan approval process. In credit portfolio man­
agement, the creditworthiness of each borrower is assessed in
a portfolio setting. A loan with a higher stand-alone risk does
not necessarily contribute more risk to the portfolio. A loan's
marginal contribution to the portfolio, as a result, is critical to
assessing the concentration of the portfolio. Economic capital
is a measurement of the level of concentration. It is one of the
factors used to determine which hedging facilities to employ
in reducing concentration. According to the results presented
in Rutter Associates LLC (2004), the use of credit portfolio
management for reducing economic capital seems to be less
dominant than for "management of concentrations" and for
"protection against risk deterioration."
Risk-Based Pricing
The relevance of allocated economic capital for pricing certain
products (especially traditional credit products) is widely recog­
nised. In theory, under the assumption of competitive financial
markets, prices are exogenous to banks, which act as price-
takers and assess the expected return (ex ante) and/or perfor­
mance (ex post) of deals by means of risk-adjusted performance
measures, such as the risk-adjusted return on capital (RAROC).
In practice, however, markets are segmented. For example, the
market for loans can be viewed as composed of a wholesale
segment, where banks tend to behave more as price-takers,
■ 201
and a commercial banking segment, where, due to well-known
market imperfections (e.g., information asymmetries, monitor­
ing costs, etc.), banks have a greater ability to set prices for
their customers.
From an operational point of view, the difference is not so
straightforward, as decisions on deals will be based on ex ante
considerations with regard to expected RARO C in a price-taking
environment (leading to rejection of deals whose RAROC is
below a given threshold) and on the proposal of a certain price
(interest rate) to the customer in a price-setting environment. In
both cases, decisions are driven by a floor (the minimum RAROC
or minimum interest rate) computed according to the amount of
economic capital allocated to the deal.
Risk-based pricing typically incorporates the variables of a
value-based management approach. For example, the pricing
of credit risk products will include the cost of funding (such as
an internal transfer rate on funds), the expected loss (in order
to cover loan loss allowances), the allocated economic capital,
and extra-return (with respect to the cost of funding) as required
by shareholders. Economic capital influences the credit process
through the computation of a (minimum) interest rate consid­
ered to be adequate for increasing (or, at least, not decreasing)
shareholders' value. Depending on the product and the internal
rules governing the credit process, decisions regarding prices
can sometimes be overridden. For example, this situation could
occur because of consideration about the overall profitability
of the specific customer relationship, or its desirability (e.g.,
due to reputational side-effects stemming from maintenance of
the customer relationship, even when it proves to be no longer
economically profitable). Generally, these exceptions to the rule
are strictly monitored and require the decision be elevated to a
higher level of management.
Customer and Product Profitability Analysis,
Customer Segmentation and Portfolio
Optimisation
Regardless of the role played by the bank as a price-taker or a
price-maker, the process cannot be considered complete until
feedback has been provided to management about the final
outcome of the decisions taken. The measurement of perfor­
mance can be extended down to the customer level, through
the analysis of customer profitability. Such an analysis aims at
providing a broad and comprehensive view of all the costs, reve­
nues and risks (and, consequently, economic capital absorption)
generated by each single customer relationship.
While implementation of this kind of analysis involves complex
issues related to the aggregation of risks at the customer level,
its use is evident in identifying unprofitable or marginally profit­
able customers who attract resources that could be allocated
202 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
more efficiently to more profitable relationships. This task is
generally accomplished by segmenting customers in terms of
ranges of (net) return per unit of risk. Provided the underlying
inputs have been properly measured and allocated (not a simple
task as it concerns risks and, even more, costs), this technique
provides a straightforward indication of areas for intervention in
assessing customer profitability.
By providing evidence on the relative risk-adjusted profitabil­
ity of customer relationships (as well as products), economic
capital can be used in optimising the risk-return trade-off in
bank portfolios.
Management Incentives
To become deeply engrained in internal decision-making
processes, the use of economic capital needs to be extended
in a way that directly affects the objective functions of decision­
makers at the business unit level. This is achieved by influenc­
ing the incentive structure for business-unit management.
Anecdotal evidence suggests that incentives are the most
sensitive element for the majority of bank managers, as well
as being the issue that motivates their getting involved in the
technical aspects of the economic capital allocation process.
However, evidence suggests that compensation schemes rank
quite low among the actual uses of economic capital measures
at the business unit level.
Enterprise-Wide or Group-Level Use
Economic capital provides banks with a common currency for
measuring, monitoring, and controlling: (i) different risk types;
and (ii) the risks of different business units. The risk types that
are typically covered by banks' economic capital models are
credit risk, market risk (including interest rate risk in the bank­
ing book— IRRBB) and operational risk. Concentration risk as an
aspect of credit risk is also common. Other risks included are
business/strategic risk, counterparty credit risk, insurance risk,
real estate risk and model risk.
Quantitative approaches are generally applied to credit risk
(including concentration and counterparty credit risk), market
risk, interest rate risk in the banking book and operational
risks. Strategic and reputational/legal risks are more likely to
be assessed by non-quantitative approaches (with an exception
being where reputational/legal risks are subsumed in opera­
tional risk). For these risks, no best practices have emerged so
far within the industry. Challenges lie mainly in insufficient data
and difficulties in modelling.
Some risks are viewed by banks as better covered by ensuring
that internal control procedures are in order to mitigate risk
and/or prepare contingency funding plans (e.g., liquidity risk).
Consequently, capital typically is not allocated for such risks.
Relative Performance Measurement
In order to assess relative performance on a risk-adjusted basis,
banks calculate risk-adjusted performance measures, where eco­
nomic capital measures play an important role. The most com­
monly used risk-adjusted performance measures are
risk-adjusted return on capital (RAROC) and shareholder value
added (SVA).3 Many banks calculate these measures at various
levels of the enterprise (e.g., entity level, large business unit
level and portfolio level). The major difference between these
two measures is that RARO C is a relative measure, while SVA is
an absolute measure. RARO C provides information which is use­
ful in comparing the performances of two portfolios with the
same amount of economic net income, but with substantially
different economic capital measures.
One of the key issues in using both RARO C and SVA for perfor­
mance measurement is how to set the hurdle rate that reflects
the bank's cost of capital. In this regard practices vary across
banks. Some banks set a single cost of capital (e.g., weighted
average cost of capital or target return on equity— ROE) across
all business units, while other banks set required returns that
vary according to the risks of the business units.
Some banks use lower confidence levels for performance assess­
ment of business units than for their enterprise-wide capital
adequacy assessment. This approach is based on the view
that economic capital measures calculated at high confidence
levels focus on extreme events and do not always provide
appropriate information for senior management. Calculation
of risk-adjusted performance measures at the large business
unit levels (e.g., wholesale banking, trading) is more commonly
observed than at the smaller business unit levels. In calculating
economic net income, one of the challenges is how to allocate
profits and costs to each unit, if more than one unit contrib­
utes a profit-generating transaction or benefits from a cost
generating activity.
Banks use risk-adjusted performance measures in their perfor­
mance assessment (e.g., comparing performance with a target,
analysing historical performance) and compensation setting.
Use of economic capital measures for risk-adjusted performance
measures in a capital budgeting process is much more common
practice than incorporating economic capital measures into the
determination of compensation for business managers and staff.
3 There are other risk-adjusted performance measures that could be
used. Some of these measures include RORAC (return on risk-adjusted
capital), ROCAR (return on capital at risk) and RAROA (risk-adjusted
return on risk-adjusted assets). See Crouhy et. al. (2006).
Chapter 13 Range of Practices and Issues in Economic Capital Frameworks
Capital Budgeting, Strategic Planning, Target
Setting and Internal Reporting
Many banks allocate (hypothetical) capital to each business unit
in their budgeting process, where economic capital measures
play an important role. This process is also part of strategic
planning (e.g., defining the bank's risk appetite) and target
setting (e.g., profit, capital ratio or external rating). In order to
facilitate business growth that improves risk-adjusted profit­
ability, while operating within an overall risk appetite set by
the board, many banks have established internal reporting/
monitoring frameworks.
Generally, banks have a number of ways to conduct capital
planning, most of which are not empirically-based, but instead
are based on judgm ent and stress testing exercises. These
include scenario analysis and sensitivity analysis, which intro­
duce forward-looking elements into the capital planning pro­
cess. That is, banks place more emphasis on qualitative rather
than quantitative tools and expect to rely on management
actions to deal with future events. It seems that banks take only
a rough, judgmental approach to reviewing the performance
and interaction of economic capital "dem and" figures and
available capital "supply" figures during times of stress. It does
not appear that banks have a rigorous process for determining
their capital buffers, although some banks systematically set
their capital buffers at levels above regulatory minimums (about
120%—140%). Banks' capital planning scenarios differ by chosen
time horizon, with some choosing one year, and others choos­
ing three to five years. Banks usually look at adverse events
that would affect the bank individually or would affect markets
more broadly (a pandemic is one scenario chosen by some
banks for the latter). Some banks stress certain parameters in
their economic capital models (e.g., they shock PDs based on
a severe recession scenario) to assess the potential impact on
economic capital.
Acquisition/Divestiture Analysis
In corporate development activities, such as mergers and acqui­
sitions, some banks use the targets' economic capital measures
as one of the factors in conducting due diligence. However, the
number of banks using economic capital measures for corporate
development activities is relatively smaller than the number of
those using economic capital measures for the other purposes
described above. According to the results of the IFRI and CRO
Forum (2007) survey, only 25% of participating banks use eco­
nomic capital measures for corporate development activities,
such as mergers and acquisitions. On the other hand, it seems
that this approach is more often used for mergers and acquisi­
tions in emerging markets, where information on the targets'
market values is far less readily available.
■ 203
External Communication
The major external communication channels where economic
capital measures could be used include disclosure (e.g., annual
reports, presentation materials for investors), dialogue with
supervisory authorities and dialogue with rating agencies. Some
banks disclose economic capital measures for each business unit
and/or risk category and provide comparisons with allocated
capital in their annual reports. Many more banks disclose this
kind of information in other documents, such as presentation
materials for investors.
Capital Adequacy Assessment
Economic capital is a measure of risk, not of capital held. As
such, it is distinct from familiar accounting and regulatory capital
measures. Nevertheless, banks have extended the use of this
enterprise-wide metric beyond performance measurement and
strategic decision-making to include an assessment of the ade­
quacy of the institution's overall capitalisation. This practice is
commonly observed at banks, including those whose economic
capital implementation is in the earlier stages of development.
The comparison of an internal assessment of capital needs
against capital available is part of banks' overall ICAAP. Large
banks (which are likely to adopt internal ratings-based— IRB—
approaches under Basel II) tend to use an economic capital model
for their ICAAP, whereas some smaller banks primarily use the
minimum regulatory capital numbers for the ICAAP. Some of these
banks adjust the Pillar 1 numbers (using multiples of the regula­
tory capital requirements, using different model parameters, look­
ing at different confidence levels, etc.). Beyond risks that feature
in regulatory capital computations, approaches are rather het­
erogeneous. Larger banks may use economic capital models for
quantifiable risks while relying upon more subjective approaches
for less quantifiable risks like reputational risk. Traditional eco­
nomic capital methods are used in some cases to calculate risks
beyond minimum regulatory capital requirements. In other cases,
stress tests based on scenario analysis are used (e.g., for IRRBB).
Governance
The corporate governance and control framework surround­
ing economic capital processes is an important indicator of
the reliability of economic capital measures used by banking
institutions. Important parts of an effective economic capital
framework include strong controls for making changes in risk
measurement techniques, thorough documentation regarding
risk measurement and allocation methodologies and assump­
tions, sound policies to ensure that economic capital practices
adhere to expected procedures, and the meaningful applica­
tion of economic capital measures to day-to-day business
204 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
decision-making. Moreover, the viability of a bank's economic
capital processes depends critically on the existence of a cred­
ible commitment on the part of senior management to the
process. In order for this to occur, however, senior management
must recognise the importance of using economic capital mea­
sures in running the bank's business.
This section examines the current range of practices with regard
to governance in the following areas: (i) senior management
involvement and experience in the economic capital process;
(ii) the unit involved in the economic capital process, e.g., risk
management, strategy planning, treasury, etc. and its level of
knowledge; (iii) the frequency of economic capital measure­
ments; and (iv) policies, procedures, and approvals relating to
economic capital model development, validation, on-going
maintenance and ownership.
Senior Management Involvement and Experience
in the Economic Capital Process
The most widely cited reasons for adopting an economic capi­
tal framework are to improve strategic planning, define risk
appetite, improve capital adequacy, assess risk-adjusted busi­
ness unit performance and set risk limits. For those institutions
that have adopted or plan to adopt economic capital, the risk
management team, senior management, supervisors and the
board of directors were the most influential parties behind the
decision. However, not all banks choose to adopt an economic
capital framework, citing difficulties inherent in collecting and
modelling data on infrequent and often unquantifiable risk at
extremely high confidence levels.
There are clear signs that acceptance of the role played by eco­
nomic capital is increasingly embedded in the business culture
of banks, driven both by industry progress and supervisory pres­
sure. In addition, banks now seem to be broadly comfortable
with the accuracy of the economic capital measures. This has
resulted in increased use of economic capital in management
applications and business decisions, as well as use in discussions
with external stakeholders.
The barriers to the successful implementation of economic capi­
tal vary widely. However, according to the PricewaterhouseCoo-
pers Survey (2005) only 14% of respondents cite lack of support
from senior management as a barrier to successful implementa­
tion of an economic capital fram ework.4
4 Among the other barriers selected by respondents, 64% cite difficulty
of integrating economic capital within management decision-making;
62% cite difficulty in quantifying certain risk types; 59% cite problems
with data integrity; 31% cite lack of incentives for specific business lines
and product areas to co-operate; 23% cite lack of in-house expertise;
and 23% cite uncertainty regarding supervisors attitudes toward
economic capital.
Unit Involved in the Economic Capital Process and
Its Level of Knowledge
There is a wide range of organisational governance structures
responsible for the economic capital framework at banking insti­
tutions. These governance structures range from involving highly
concentrated responsibilities to involving highly decentralised
responsibilities. For example, some banking institutions house a
centralised economic capital unit within corporate Treasury, with
formal responsibilities. However, components of the overall eco­
nomic capital model or some parameters are outside the direct
control of the economic capital owner. Other banks share
responsibility for the economic capital framework between the
risk function and the finance function, while others have a more
decentralised structure, with responsibilities spread among a
wider range of units.5
Once capital has been allocated, each business unit then man­
ages its risk so that it does not exceed its allocated capital. In
defining units to which capital is allocated, banks sometimes
take into account their governance structure. For example,
banks that delegate broader discretion to business unit heads
tend to allocate capital to the business unit, leaving the business
unit's internal capital allocation within the business line's control.
On the other hand, management is likely to be more involved in
the allocation of capital within business units if the bank's gov­
ernance structure is more centralised. There seems to be diver­
gence in the approach to this process. Some banks prefer rigid
operation, where allocation units adhere to the original capital
allocation throughout the budgeting period. On the other hand,
other banks prefer a more flexible framework, allowing reallo­
cation of capital during the budgeting period, sometimes with
thresholds that trigger reallocation before consuming all the
allocated capital.
Frequency of Economic Capital Measurements
and Disclosure
Economic capital calculations have a strong manual component
and data quality is a prominent concern. Hence, most banks cal­
culate economic capital on a monthly or quarterly basis.
Implementation of Basel II has fostered public disclosure of
quantitative information on economic capital measures among
banks. Although disclosure of quantitative economic capital
measures is not mandatory under Pillar 3 (market discipline) of
Basel II, the aim of Pillar 3 is to encourage market discipline by
5 According to the IFRI and CRO Forum (2007) survey, about 80% of the
economic capital work is undertaken centrally, and about 20% by the
business units. About 60% of the banks participating in the survey have
economic capital functions that report directly to the Chief Risk Officer,
while others have reporting lines to the Chief Financial Officer or the
Corporate Treasury.
Chapter 13 Range of Practices and Issues in Economic Capital Frameworks
accurately conveying the actual financial condition of banks to
the market. In addition to quantitative economic capital mea­
sures, qualitative information on the governance surrounding
the economic capital framework of banks is becoming more
important, since external market participants take into account
the sophistication of the economic capital framework and bank
management in their assessments of banks.
Policies, Procedures, and Approvals Relating to
Economic Capital Model Development, Validation,
On-Going Maintenance and Ownership
Most banks have formalised policies and procedures for eco­
nomic capital governance and analytics to ensure the consistent
application of economic capital across the enterprise. For those
banks that have adopted enterprise-wide policies and proce­
dures, it is the responsibility of the business units to ensure that
those policies and procedures are being followed. Some insti­
tutions that do not have formal policies and procedures have
economic capital processes and analytics (e.g., coverage of off-
balance sheet items, confidence level and holding period) that
are inconsistent across organisational units.
Change-control processes for economic capital models are
generally less formalised than for pricing or risk management
models. They typically leverage off change-control processes of
the underlying models and parameters. Changes to economic
capital-specific methodologies (e.g., aggregation methodolo­
gies) are managed by the bank's economic capital owner, and
may not be the same as the change control processes in other
areas on the banking institution. Diagnostics procedures are
typically run after an economic capital model change. Some
banks require responsible parties to sign-off on any changes to
methodology. However, formalised validation processes after
changes, or internal escalation procedures in the event of unex­
pectedly large differences in the economic capital numbers,
are uncommon.
Some banks specifically name an owner of the economic capi­
tal model. Typically, the owner provides oversight of the eco­
nomic capital framework. However, few formal responsibilities
are assigned the owner other than ensuring reports from all
model areas are received in a timely manner and mechanically
aggregating the individual components of the economic capital
framework into a report.
Supervisory Concerns Relating to Use of
Economic Capital and Governance
Senior management needs to ensure that there are robust con­
trols and governance surrounding the entire economic capital
process. There are several supervisory concerns relating to the
■ 205
use of economic capital measures and governance surrounding
the economic capital framework.
Standard for Absolute versus Relative Measures
of Risk
The robustness and conservativeness of economic capital as an
estimate of risk becomes more important when a bank extends
the use of measures designed initially as a common metric for
relative risk measurement and performance to the determination
of the adequacy of the absolute level of capital. Critical issues
include: (i) comprehensive capture of the risks by the model; (ii)
diversification assumptions; and (iii) assumptions about manage­
ment actions.
Comprehensive Capture of Risks
The types of risk that are included in economic capital models
and the ICAAP vary across banks in a given country as well as
across countries (partly because some risk types are more pro­
nounced in some countries). Risks that the economic capital
model cannot easily measure may be considered as a separate
judgmental adjustment in the ICAAP. W hether a risk type is
included in the ICAAP may depend on the risk profile of the
individual bank, and whether the individual bank regards these
risks as material.
There can be variation between banks in the risks covered by
their economic capital models, since an identically named risk
type may be defined differently across banks and across coun­
tries. The term business risk, for example, is sometimes con­
fused with or lumped together with less quantifiable legal and
reputational risk.
Diversification Assumptions
In most cases, intra-risk diversification assumptions are built into
the models for individual risk types. For inter-risk diversification
assumptions, current practices vary among banks and the bank­
ing industry does not seem to have agreed on best practices.
Thus, the methods remain preliminary and require further analy­
sis. In light of the uncertainty in estimating diversification effects,
especially for inter-risk diversification, due consideration for con­
servatism may be important. The issue of inter-risk diversification
is addressed in detail later in the chapter and intra-risk diversifica­
tion (within portfolio credit risk modelling) is discussed in Annex I.
Assumptions about Management Actions
In some banks, potential management actions are taken into
account in economic capital models. However, one of the
main reasons that banks do not include management actions
in their economic capital models is that these actions are
206 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
difficult to model. Even if management actions are not explicitly
included in economic capital models due to unreliability, banks
would nevertheless prepare for them via contingency plans in
stress situations.
Potential management actions are grouped into two catego­
ries: (i) those actions that increase capital supply; and (ii) those
actions that reduce capital demand. Examples of the former
are raising new capital, reducing costs and cutting dividends.
Examples of the latter include reducing new investment or
selling assets with positive risk weights. In addition to explicit
actions, actions may be implicitly accounted for in the economic
capital model itself. In measuring market risk, for example, some
assumptions may be made to adjust the short time horizon in
the model to the typically longer time horizon used in an eco­
nomic capital framework.
Finally, banks do not seem to take into account constraints that
could impede the effective implementation of management
actions. Such constraints may relate to legal issues, reputa­
tional effects, and cross-border operations. Further analysis
of the range and plausibility of these built-in assumptions
about management action, particularly in times of stress, may
be warranted.
Role of Stress Testing
Currently, many banks apply stress tests, including scenario
analysis and sensitivity analysis, to individual risks, although the
framework and procedures still need to be improved. The use
of integrated stress tests is gradually becoming more wide­
spread in the industry, probably reflecting the need to assess
the impact of stress events on overall economic capital mea­
sures and to provide complementary estimates of capital needs
in the context of ICAAR At present, there exists wide variation
among banks in the level and extent of integrated stress tests
being utilised. In general however, practices are still in the
development stage.
Stress test results do not necessarily lead to additional capital.
Rather, it seems more common that stress tests are used to
confirm the validity of economic capital measures, to provide
complementary estimates of capital needs, to consider contin­
gency planning and management actions, and gradually to for­
mulate capital planning. In some cases, banks use stress tests to
determine the effects of stressed market conditions on earnings
rather than on economic capital measures.
Economic Capital Should Not Be the Sole
Determinant of Required Capital
In general, both rating agencies and shareholders influence
the level of a bank's capital, with the former stressing higher
capital for solvency and the latter lower capital for profitability.
Banks also look to peers in targeting their capital ratios. Nearly
all large, internationally active banks set their economic capital
solvency standard at a level they perceive to be required to
maintain a specific external rating (e.g., AA). Banks tend to look
to peers in choosing external ratings and associated solvency
standards. There is not a lot of evidence that bank counterparties
have an impact on capital levels, other than indirectly through
the need to deal with institutions having an acceptably high
external rating. Many banks claim to target a high external rating
because of their desire to access capital and derivatives markets.
Definition of Available Capital
There is no common definition of available capital across banks,
either within a country or across countries. Some of the confu­
sion surrounding the notion of available capital may arise from
the fact that economic capital has its origin in assessing relative
profitability for the shareholder on a risk-adjusted basis. To the
extent that a bank recognises its capital needs are not limited
by the more quantifiable risks in its economic capital model, the
broader it may choose to define available capital.
While no common definition of available capital exists, there are
several elements that many banks have in common with regard
to their available capital. At the root of many banks' definitions
of available capital are tangible equity, tier 1 capital or capital
definitions used by rating agencies. In order to cover losses at
higher levels of confidence, some banks consider capital instru­
ments that may be loss-absorbing, more innovative or uncertain
forms of capital such as subordinated debt. Among the various
items that can be included in the definition of available capital
(some of them included in the regulatory definition of capital)
are common equity, preferred shares, adjusted common equity,
perpetual non-cumulative preference shares, retained earning,
intangible assets (e.g., goodwill), surplus provisions, reserves,
contributed surplus, current net profit, planned earning, unre­
alised profits and mortgage servicing rights.
This range of practices is confirmed by the IFRI and CRO Forum
(2007) survey of enterprise-wide risk management at banks and
insurance companies, which found 80% of participants adjusted
their tier 1 capital in arriving at available capital resources
against which economic capital was compared.
Banks do not limit themselves to a single capital measure. Some
banks manage their capital structure against external demands,
such as regulatory capital requirements or credit rating agency
expectations. Often banks' definition of capital aligns with the
more tangible capital measures such as those used by rating
agencies and are, therefore, more restrictive than regulatory
definitions of capital.
Chapter 13 Range of Practices and Issues in Economic Capital Frameworks
Senior Management Commitment to the
Economic Capital Process
The viability and usefulness of a bank's economic capital pro­
cesses depend critically on the existence of credible commit­
ment or "buy-in" on the part of senior management to the
process. In order for this to occur, senior management must
recognise the importance of using economic capital measures in
conducting the bank's business and capital planning. In addition,
adequate resources must be committed to ensure the existence
of a strong, credible infrastructure to support the economic
capital process.
Transparency and Meaningfulness of Economic
Capital Measures
Economic capital model results need to be transparent and taken
seriously in order to be useful to senior management for making
business decisions and for risk management. The level of docu­
mentation and integrity of calculations and model version control
increase with the scope and significance of economic capital
models in a bank's decision-making process. Internal transpar­
ency is a necessary condition for internal acceptance and use.
13.5 RISK MEASURES
While risk is a notion with a clear intuitive meaning, it is less clear
how risk should be quantified. Current practice in banks com­
monly involves trying to identify ways to characterise entire loss
distributions (i.e., going beyond estimating selected moments of
the loss distribution, such as the mean and standard deviation),
resulting in a wide range of potential risk measures that may be
used. The choice of risk measure has important implications for
the assessment of risk. For example, the choice of risk measure
could have an impact on the relative risk levels of asset classes
and thus on the bank's strategy. Comparisons between ICAAP
measures of capital under Pillar 2 with minimum regulatory capi­
tal requirements under Pillar 1 should consider the impact of
using different measures of risk in the two approaches.
Desirable Characteristics of Risk Measures
An ideal risk measure should be intuitive, stable, easy to com­
pute, easy to understand, coherent and interpretable in eco­
nomic terms. Additionally, risk decomposition based on the risk
measure should be simple and meaningful.
Intuitive: The risk measure should meaningfully align with some
intuitive notion of risk, such as unexpected losses.
Sta b le: Small changes in model parameters should not produce
large changes in the estimated loss distribution and the risk
■ 207
measure. Similarly, another run of a simulation model in order
to generate a loss distribution should not produce a dramatic
change in the risk measure. Also, it is desirable for the risk mea­
sure not to be overly sensitive to modest changes in underlying
model assumptions.
Easy to co m p u te: The calculation of the risk measure should be
as easy as possible. In particular, the selection of more complex
risk measures should be supported by evidence that the incre­
mental gain in accuracy outweighs the cost of the additional
complexity.
Easy to understan d: The risk measure should be easily under­
stood by the bank's senior management. There should be a link
to other well-known risk measures that influence the risk man­
agement of a bank. If not understood by senior management,
the risk measure will most likely not have much impact on daily
risk management and business decisions, which would limit its
appropriateness.
C o h eren t: The risk measure should be coherent and satisfy the
conditions of: (i) monotonicity (if a portfolio V is always worth at
least as much as X in all scenarios, then Y cannot be riskier
than X); (ii) positive homogeneity (if all exposures in a portfolio
are multiplied by the same factor, the risk measure also multi­
plies by that factor); (iii) translation invariance (if a fixed, risk-free
asset is added to a portfolio, the risk measure decreases to
reflect the reduction in risk); and (iv) subadditivity (the risk mea­
sure of two portfolios, if combined, is always smaller or equal to
the sum of the risk measures of the two individual portfolios). O f
particular interest is the last property, which ensures that a risk
measure appropriately accounts for diversification.6
Sim ple and m eaningful risk d eco m p o sitio n (risk contributions or
capital allocation): In order to be useful for daily risk manage­
ment, the risk measured for the entire portfolio must be able
to be decomposed to smaller units (e.g., business lines or indi­
vidual exposures). If the loss distribution incorporates diversifica­
tion effects, these effects should be meaningfully distributed to
the individual business lines.
Types of Risk Measures
In practical applications, a wide range of risk measures are used.
This section examines standard deviation, value-at-risk (VaR),
expected shortfall (ES), and spectral and distorted risk mea­
sures.7 All the risk measures have strengths and weaknesses,
6 See Artzner et. al. (1997) on coherent risk measures for a complete
discussion.
7 See Hull (2007) for a detailed discussion of the various risk measures.
208 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
since no single measure can capture all the complex elements of
risk measurement. As such, there is no ideal risk measure.
Table 13.1 presents (with some degree of subjective judgment)
the characteristics of the main types of risk measures.
In practice, VaR and ES are the two most widely used risk
measures. W hile VaR is more easily explained and understood,
it may not always satisfy the subadditivity condition and this
(lack of coherence) can cause problems in banks' internal capi­
tal allocation and limit setting for sub-portfolios.8 ES, on the
other hand, is coherent, making capital allocation and internal
limit setting consistent with the overall portfolio measure of
risk. However, ES does not lend itself to easy interpretation
and does not afford a clear link to a bank's desired target rat­
ing. A newer class of risk measures, known as spectral and
distorted risk measures, allow for different weights to be
assigned to the quantiles of a loss distribution, rather than
assuming equal weights for all observations, as is the case
for E S .9
Banks typically use several of the aforementioned risk measures,
and sometimes different measures for different purposes. How­
ever, VaR is the most widely used risk measure. Some banks
use VaR for measuring the absolute risk level, but increasingly
ES is used (at a confidence level consistent with overall VaR) for
capital allocation within the bank. The argument is often made
that VaR as an absolute risk measure or loss limit is still easier to
communicate to senior management due to its link to a bank's
target rating. On the other hand, ES is a more stable measure
than VaR with respect to allocating the overall portfolio capital
to individual facilities. ES is a loss measure estimate given a loss
range in the tail of the loss distribution, while VaR is a loss mea­
sure estimated given a particular point in the tail of the loss dis­
tribution. It should be noted that, while a bank may use different
risk measures, these measures are typically based on the same
estimated loss distribution.
8 VaR is subadditive for elliptical distributions, such as the Gaussian (or
normal) distribution, whereas it is not subadditive for non-elliptical dis­
tributions. The non-subadditivity of VaR can occur when assets in port­
folios have very skewed loss distributions; when the loss distributions
of assets are smooth and symmetric, but their dependency structure
or copula is highly asymmetric; and when underlying risk factors are
independent but very heavy-tailed. The lack of subadditivity for VaR is
probably more of a concern for credit risk and operational risk than for
market risk, where an elliptical model may be a reasonable approximate
model for various kinds of risk-factor data. For a detailed discussion,
see McNeil et. al. (2005). Many practitioners note however, that the
technical reservations concerning VaR are mainly academic in nature
and that the problems described are encountered by banks only rarely
in practice.
9 Spectral and distorted risk measures are not widely used in practice
and are currently largely of academic interest.
Table 13.1 Risk M easu res

Spectral and Distorted

Standard Deviation VaR Expected Shortfall Risk Measures

Intuitive Sufficiently intuitive Yes Sufficiently intuitive No (involves choice of

spectrum or distortion
function)

Stable No, depends on No, depends on Depends on the loss Depends on the loss
assumptions about loss assumptions about loss distribution distribution
distribution distribution

Easy to compute Yes Sufficiently easy Sufficiently easy Sufficiently easy

(requires estimate of loss (requires estimate of (weighing of loss
distribution) loss distribution) distribution by spectrum/
distortion function)

Easy to understand Yes Yes Sufficiently Not immediately

understandable

Coherent Violates monotonicity Violates subadditivity Yes Yes

(for non-elliptical loss
distributions)

Simple and meaningful Simple, but not very Not simple, might Relatively simple and Relatively simple and
risk decomposition meaningful induce distorted choices meaningful meaningful

Calculation of Risk Measures
Confidence Level
In their internal use of risk measures, banks need to deter­
mine an appropriate confidence level for their economic capi­
tal models that may vary for different business models. The
banks' target rating plays an important role in the choice of
confidence level.
The link between a bank's target rating and the choice of con­
fidence level may be interpreted as the amount of economic
capital that must be exceeded by available capital resources to
prevent the bank from eroding its capital buffer at a given con­
fidence level. According to this view, which can be interpreted
as a going concern view, capital planning is seen more as a
dynamic exercise than a static one, where it is the probability
of eroding such a buffer (rather than all available capital) that is
linked to the target rating. This would reflect the expectation (by
analysts, rating agencies and the market) that the bank operates
with capital that exceeds the regulatory minimum requirement.
Establishing the link between a bank's target rating and the
choice of confidence level, however, is far from being an easy
exercise. It involves the mapping between ratings and PDs,
which can change, depending on the rating agency scale
adopted, and it suffers from significant statistical noise, espe­
cially at the higher rating grades which are typically targeted by
banks. Banks can use a range of confidence levels for the same
target rating, with overlaps between different rating classes.
For example, the IFRI and CRO Forum (2007) survey found that
PDs mapped to a A A target rating range from two to seven
basis points, while the range for an A target rating is four to ten
basis points.
Apart from considerations about the link to a target rating, the
choice of a confidence level might differ based on the question
to be addressed. On the one hand, high confidence levels reflect
the perspective of creditors, rating agencies and supervisors in
that they are used to determine the amount of capital required
to minimise bankruptcy risk. On the other hand, banks may use
lower confidence levels for management purposes in order to
allocate capital to business lines and/or individual exposures and
to identify those exposures that are critical for profit objectives
in a normal business environment. Consequently, banks typically
use different confidence levels for different purposes.
Another interesting aspect of the internal use of different risk
measures is that the choice of risk measure and confidence
level heavily influences relative capital allocations to individual
exposures or portfolios. In short, the farther out in the tail of
a loss distribution, the more relative capital gets allocated to
concentrated exposures. As such, the choice of the risk measure
as well as the confidence level can have a strategic impact since
some portfolios might look relatively better or worse under risk-
adjusted performance measures than they would based on an
alternative risk measure.

Chapter 13 Range of Practices and Issues in Economic Capital Frameworks ■ 209

Time Horizon supervisors should consider the advantages and disadvantages
of the risk measure used at each bank. Stability in computation
All risk measures depend on the time horizon used in their mea­
is an important issue, as the calculation of risk measures typically
surement. The choice of an appropriate time horizon depends
involves the use of simulation techniques. The ability to easily
on a range of factors: the liquidity of the bank's assets under
and sensibly aggregate and decompose risk also determines the
consideration; the risk management needs of the bank; the
effective use of risk measures in the bank. The degree to which
bank's standing in the markets; the risk type, etc. Market risk
economic capital is engrained in the decision-making processes
is typically estimated over a very short time horizon (days or
is strongly affected by the availability of a broad assessment of
weeks). In contrast, credit risk is typically measured using a
risks at the senior management level, where strategic decisions
one-year time horizon, while an even longer time horizon may
are made with respect to capital management. In contrast, more
be appropriate for other portfolios (e.g., project finance). The
granular measures of risk are needed at the risk-taking levels
choice of time horizon is also influenced by regulatory require­
where economic capital is likely to influence operational deci­
ments. For example, a one-year time horizon is specified for
sions through factors such as capital allocation, limit setting, and
operational risk, while a 10-day time horizon is specified for gen­
performance measurement.
eral and specific market risk.
While each bank chooses both the risk measure and the confi­
The heterogeneity of time horizons used in risk measurement
dence level it deems most appropriate for its economic capital
poses an important challenge to banks in aggregating economic
purposes, the bank must be able to provide a convincing eco­
capital across different risk types. According to the IFRI and
nomic rationale for the choice. If different risk measures and/
CRO Forum (2007) survey about 80% of participants use a time
or confidence levels are used for external and internal manage­
horizon of one year for their economic capital calculations, with
ment purposes, a clear and convincing link must be established
the remainder using various time horizons.
between the two risk measures.

Aggregation/Decomposition Supervisors should be aware of differences between internal and

regulatory measures of capital that stem from different risk mea­
Measurement of risk is typically performed at the portfolio
sures and/or confidence levels and take these into account when
level. However the ability to easily and sensibly aggregate and
evaluating a banks' ICAAP. A simple comparison of internal and
decompose risks is an important feature of any risk measure.
regulatory capital figures will not tell supervisors much about the
In order to be effectively used, risk measures should be flex­ underlying risks in a bank's portfolio.
ible and able to be computed at either a broad or narrow level.
More specifically:

• Decomposition: Within a portfolio, risk needs to be decom ­

13.6 RISK AGGREGATION
posed in order to establish for each subset (e.g., positions
Typically, economic capital is calculated using an approach that
assigned to each desk) its risk contribution (taking into
first assesses individual risk components, and then proceeds to
account any diversification effects). Decomposition of risk
aggregate these components up to the level of the entire bank.
is fundamental for capital allocation, limit setting, pricing of
The aggregation process is characterised by identification of the
products, risk-adjusted performance measurement and value-
individual risk types and by the methodological choices made in
based management.
aggregating these risk types.
• Aggregation: Adopting a wider point of view, risks arising
from several portfolios need to be aggregated in order to con­
vey a representation of risk at the business unit or entity level. Aggregation Framework
Aggregation also deals with different types of risk (credit, mar­
Risk aggregation begins with a classification of risk types that
ket, operational, liquidity, legal, etc.). Typically, the outcome of
are combined to produce the overall economic capital measure.
risk aggregation is the bank's total economic capital.
Banks typically classify risk into different types along two dimen­
sions: (i) the economic nature of the risk (market risk, credit risk,
Supervisory Concerns Relating to Risk operational risk, etc.); and (ii) the organisational structure of the
Measures bank (along business lines or legal entities).

From a supervisory point of view, there is no obvious prefer­ In contrast to classification along organisational lines, which
ence for one risk measure over another among the measures presents few conceptual difficulties, classification along risk
most widely used for calculating economic capital. Rather, types can be imprecise. Definitions of risk types may differ

210 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
across institutions, or even across portfolios within a single bank­
ing organisation, often reflecting the nature of the bank's busi­
ness or the degree of sophistication of its risk measurement. As
discussed below, this imprecision has implications for the aggre­
gation process.
The following list provides a brief description of the main cat­
egories into which the typical framework classifies risks.
M arket risk: Refers to portfolio value changes due to changes
in rates and prices that are perceived as exogenous from the
viewpoint of the bank. These comprise exposures to asset
classes such as equities, commodities, foreign exchange and
fixed-income, as well as to changes in discount factors such as
the risk-free yield curve and risk premiums. A specific type of
market risk is IRRBB, which stems from repricing risk (arising
from differences in the maturity and repricing terms of customer
loans and liabilities), yield curve risk (stemming from asymmetric
movements in rates along the yield curve), and basis risk (arising
from imperfect correlation in the adjustment of the rates earned
and paid on different financial instruments with otherwise similar
repricing characteristics). IRRBB also arises from the em bed­
ded option features of many financial instruments on banks'
balance sheets.
C red it risk: Refers to portfolio value changes due to shifts in the
likelihood that an obligor (or counterparty) may fail to deliver
cash flows (principal and interest) as previously contracted. The
distinction between market and credit risk, while fairly clear
on the surface, is less so in practice since individual exposures
typically contain elements of both risks. For example, prices of
corporate bonds can vary because of changes in the perceived
likelihood of issuer default but also because shifts in the risk-free
yield curve. In addition, credit and market risk factors can inter­
act in ways that complicate the distinction between the two (see
the next section).
O perational risk: Refers to the risk of loss associated with human
or system failures, as well as fraud, natural disaster and litiga­
tion. While not a pure economic risk it does represent losses
(either outright outlays or foregone earnings) from all types of
activity where banks engage, and it is indirectly linked to the
level, intensity and complexity of these activities.
Business risk: Captures the risk to the firm's future earnings, divi­
dend distributions and equity price. In leading practice banks,
business risk is more clearly defined as the risk that volumes
may decline or margins may shrink, with no opportunity to offset
the revenue declines with a reduction in costs. For example,
business risk measures the risk that a business may lose value
because its customers sharply curtail their activities during a
market down-turn or because a new entrant takes market share
away from the bank. Moreover, this risk increasingly extends
Chapter 13 Range of Practices and Issues in Economic Capital Frameworks
beyond balance-sheet items to fee-generating services, such as
origination, cash management, asset management, securities
underwriting and client advisory services.
For business or (local) regulatory reasons, some banks may
select to distinguish individual types of risk within the listed cat­
egories. For example, they may isolate real estate risk, or pen­
sion risk. Some banks may also distinguish other risk types such
as liquidity risk and legal risk.
Range of Practices in the Choice of Risk Types
All the risk types discussed above can be simultaneously pres­
ent in a bank's portfolio. For example, a traded bond portfolio
will have an important credit and market risk component, as well
as operational risk related to the efficiency of trading execution
and settlement. In practice, however, risks are often measured
by reference to different lines of business and/or portfolios.
A loan portfolio that is held to maturity and managed on an
accrual accounting basis is often considered as representing
credit risk and not market risk. By contrast, a trading portfolio
of credit derivatives is often taken to represent mainly market
risk by virtue of it containing actively traded exposures that are
marked-to-market.
The majority of banks prefer to aggregate risk initially into silos
by risk-type across the entire bank before combining the silos.
This approach, however, is by no means the only approach fol­
lowed, with the business unit silo approach preferred by other
banks. Some banks use a mixed approach, which combines
elements of both approaches. This practice is observed where
either particular business units or risk exposures are too small to
be meaningfully measured separately.
Grouping of risks first across homogeneous risk types has a
benefit of addressing these questions at a single stage and in
a centralised and potentially more consistent way. By compari­
son, grouping risks first by business unit leverages the existing
organisational structures within the bank and deals with inter­
risk relationships at an earlier stage of aggregation.
Aggregat i° n Methodologies
The risk aggregation methodology used by a bank has two
(interrelated) components: the choice of the unit of account and
the approach taken to combining risk components.
The Unit of Account
Before risk types are aggregated into a single measure, they
need to be expressed in comparable units, often referred to as a
common risk currency. Meaningful aggregation requires that the
underlying risk measures conform to each other, especially when
■ 211
they relate to single number summaries of the corresponding
risk distributions. There are three main characteristics of the unit
of risk accounting.
Risk m etric: The choice of the risk metric for economic capital
depends on the metrics that are used in the quantification of dif­
ferent risk components. In particular, whether the chosen metric
satisfies the subadditivity property is relevant for quantifying
diversification across risk typ es.101
C o n fid en ce level: The fact that the loss distribution for different
risk types are typically assumed to have different shapes (i.e.,
different families of probability distributions are assumed to bet­
ter capture the characteristics of different types of risk) may also
suggest a difference in terms of the relevant confidence levels.
For example, long-tailed risk distributions would suggest using
higher confidence levels. Lack of harmonisation in terms of the
choice of confidence level creates additional complexity in
aggregation approaches.11 Moreover, the choice of confidence
level can influence the ranking of risks since risk types that have
a loss distribution with a longer loss tail tend to dominate as the
confidence level increases.
Tim e horizon: The choice of the horizon over which risk is mea­
sured is one of the thorniest issues in risk aggregation. Business
practice, accounting standards and regulatory requirements
combine to imply that different types of risk are managed over
different horizons. Traded portfolios are managed over horizons
that are typically measured in days. Less liquid exposures, such
as loans, are managed over longer horizons of one year or lon­
ger.12 Combining risk measures that have been calculated on
the basis of different horizons is problematic regardless of the
specific methodology used. The conflict between business prac­
tices and risk aggregation requirements is typically resolved by
using a common (usually one year) horizon. This means that it is
necessary for time aggregation of certain types of risk (most
often market risk) by using scaling-up methods such as the
square-root-of-time rule. It should be noted that there is no con­
ceptual inconsistency in the use of different horizons for risk
measurement and EC purposes, on the one hand, and for the
actual management of underlying exposures, on the other. Deci­
sions related to the management of portfolios are based on the
10 See the section on risk measures for a more detailed discussion of the
properties of different metrics of risk.
11 More sophisticated methods that use full simulation approaches or
those that describe the entire loss distribution (such as those based on
copulas) would not be influenced by this choice.
12 Even with the same time horizon for default, the practice of active
credit portfolio management can result in the use of point-in-time
default probabilities for day-to-day risk management with through-the-
cycle estimates for economic capital computations.
212 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
characteristics of the exposures (including their liquidity) and on
the purpose for which they are held. However, for the purpose
of risk measurement and, especially, risk aggregation the use of
different horizons will result in improper comparisons between
risk components. The difficulty that arises for the latter purposes
can be overcome by methods similar to the constant level of risk
over a common horizon approach outlined in the consultative
paper of the BCBS on computing incremental risk in the trading
book.13
Inter-Risk Diversification
The way that individual risks are combined relates closely to the
scope of inter-risk diversification, namely to the notion that the
combination of two portfolios would result in lower risk per unit
of investment in the combined portfolio than the (weighted)
average of the two component portfolios. The basic intuition
stems from the fact that the variance of the pooled portfolio's
return will be no greater (and typically smaller) than a similarly
sized portfolio which is exposed to only one or the other risk
factor. This logic will carry over to measures of risk that are
directly related to variance.
In the context of risk aggregation across different portfolios
or business units, some of the assumptions that underpin the
above logic may fail to hold. One issue is purely technical and
relates to the choice of VaR as a metric because it can fail to sat­
isfy the subadditivity property. That is, it is possible for the VaR
of a pooled portfolio to be higher than the sum of the VaR of
the individual constituent portfolios.
A more important reason why aggregate risk may be larger than
the sum of its components is independent of the choice of met­
ric (i.e., it applies to metrics other than VaR) and relates to the
economic underpinnings of the portfolios that are pooled. The
logic outlined above assumes that covariance (a linear measure
of dependence) fully captures and summarises the dependen­
cies across risks. While this may be a reasonable approximation
in many cases, there are instances where the risk interactions are
such that the resulting combination may represent higher, not
lower, risk. For example, measuring separately the market and
credit risk components in a portfolio of foreign currency denom­
inated loans can underestimate risk, since probabilities of obli­
gor default will also be affected by fluctuation in the exchange
rate, giving rise to a compounding effect.14 Similar types of
13 Basel Committee on Banking Supervision (2009).
14 See Breuer et. al. (2008) for further details. The forthcoming working
paper on the "Interactions between market and credit risk" produced by
the Research Task Force of the Basel Committee also offers an elabora­
tion on this set of issues.
"wrong-way" interactions could occur in the context of portfolio
positions that may be simultaneously affected by directional
market moves and the failure of counterparties to a hedging
position.15 From a more "macro" perspective, asset price volatil­
ity often interacts with the risk appetite of market participants
and feeds back to market liquidity leading to a magnification of
risk rather than diversification.
A final issue that relates to the degree of diversification has to
do with the granularity of the classification system of risks. The
more granular the classification system (i.e., the finer the system
of categories where risk is slotted) the more reduced should be
the scope for intra-risk diversification and the higher the scope
for inter-risk diversification. For example, holding everything
else equal, some of the overall diversification between the retail
and wholesale credit portfolio of a bank will be subsumed in
the measure of overall credit risk for a bank that does not dis­
tinguish between the two types of risks in its economic capital
framework, while it will be picked up by the aggregation pro­
cess in the case that the bank maintains a separation between
the two components until the final aggregation stage.
Typically Used Aggregation Methodologies
Banks differ in their choice of methodology for the aggregation
of economic capital. The list below provides an overview of the
main approaches followed by a brief discussion of their advan­
tages and disadvantages. The approaches are listed in increas­
ing order of complexity (decreasing order of restrictiveness).
(i) Sim ple sum m ation: This simple approach involves adding
the individual risk components. Typically, this is perceived
as a conservative approach since it ignores potential diver­
sification benefits and produces an upper bound to the
true economic capital figure. Technically, it is equivalent
to assuming that all inter-risk correlations are equal to one
and that each risk component receives equal weight in the
summation.
(ii) Applying a fixe d diversification percentage: This approach
is essentially the same as the simple summation approach
with the only difference that it assumes the sum delivers a
fixed level of diversification benefits, set at some pre-speci-
fied level of overall risk.
(iii) Aggregation on the basis of a risk variance-covariance
m atrix: The approach allows for a richer pattern of inter­
actions across risk types. However, these interactions are
still assumed to be linear and fixed over time. The overall
diversification benefit depends on the size of the pairwise
correlations between risks.
15 See Annex 2 on counterparty credit risk for a fuller discussion.
Chapter 13 Range of Practices and Issues in Economic Capital Frameworks
(iv) C opulas: This is a much more flexible approach to combin­
ing individual risks than the use of a covariance matrix. The
copula is a function that combines marginal probability
distributions into a joint probability distribution. The choice
of the functional form for the copula has a material effect
on the shape of the joint distribution and can allow for rich
interactions between risks.
(v) Full modelling of common risk drivers across all portfolios:
This represents the theoretically pure approach. Common
underlying drivers of risk are identified and their interac­
tions modelled. Simulation of the common drivers (or
scenario analysis) provides the basis for calculating the dis­
tribution of outcomes and economic capital risk measure.
Applied literally, this method would produce an overall risk
measure in a single step since it would account for all risk
interdependencies and effects for the entire bank. A less
comprehensive approach would use estimated sensitivities
of risk types to a large set of underlying fundamental risk
factors and construct the joint distribution of outcomes
by tracking the effect of simulating these factors across all
portfolios and business units.
Table 13.2 provides a summary of the trade-offs between
numerical accuracy, methodological consistency, intuitive
appeal, practicality, flexibility, and resource implications associ­
ated with each of the aggregation methodologies.
Although the most restrictive of the alternative m ethod­
ologies, the main advantages of the summation and fixed
diversification m ethodologies are sim plicity in term s of data
and com putational requirem ents, and ease of com m unica­
tion about the method and interpretation of the outcom e.
Abstracting from the possibility of m ism easurem ent and
negative correlation between the underlying risk com ponents,
the simple summation approach could also produce a conser­
vative measure of overall risk (i.e ., overstatem ent of risk). The
degree of conservatism associated with the fixed diversifica­
tion method depends on the chosen diversification param ­
eter. Both methods are relatively crude and do not allow for
meaningful interactions between risk types or for differences
in the way these risk types may create diversification benefits.
In addition, both methods ignore com plications stemming
from using different confidence levels in measuring individual
risk com ponents.
The use of a variance-covariance matrix (or correlation matrix)
which summarises the interdependencies across risk types
provides a more flexible framework for recognising diversifica­
tion benefits, while still maintaining the desirable features of
being intuitive and easy to communicate. The correlation matrix
between risks is of key importance. This matrix can vary across
■ 213
Table 13.2 C o m p ariso n of Risk A g g re g a tio n M eth o d o lo g ie s

Aggregation Methodology Advantages Disadvantages

Summation: Adds together individual
capital components
Constant diversification: Similar
to summation but subtracts fixed
percentage from overall figure
Simplicity
Typically considered to be conservative
Simplicity and recognition of
diversification effects
It does not discriminate across risk types;
imposes equal weighting assumption
Does not capture nonlinearities
The fixed diversification effect is not
sensitive to underlying interactions between
components.
Does not capture nonlinearities

Variance-Covariance: Weighted sum Better approximation of analytical method Estimates of inter-risk correlations difficult
of components on basis of bilateral Relatively simple and intuitive to obtain
correlation between risks Does not capture nonlinearities

Copulas: combine marginal More flexible than covariance matrix Parameterisation very difficult to validate
distributions through copula functions Allows for nonlinearities and higher order Building a joint distribution very difficult
dependencies

Full modelling/Simulation: Simulate
the impact of common risk drivers on
all risk components and construct the
joint distribution of losses
Theoretically the most appealing method Practically the most demanding in terms of
Potentially the most accurate method inputs
Intuitive Very high demands on IT
Time consuming
Can provide false sense of accuracy

banks reflecting differences in their business mix, and the cor­
relations that reflect these institution-specific characteristics
can be difficult as well as costly to estimate and validate. This
is particularly true for operational risk, where data are scarce
and do not cover long time periods. In addition, by focusing on
average covariance between risks, the linearity assumption will
tend to underestimate dependence in the tail of loss distribu­
tions and underestimate the effects of skewed distributions and
non-linear dependencies.
Copulas offer even greater flexibility in the aggregation of risks
and promise a better approximation of the true risk distribu­
tion. This comes at the expense of more demanding input
requirements: complete distributions of the individual risk
components rather than simple summary statistics (such as VaR)
and at least as much data as the variance-covariance approach
for estimating the copula param eters. As for the variance-
covariance method, these estimates are hard to derive and to
validate. Many of the same drawbacks apply to the case of full
models of economic capital, including full simulation methods.
The input requirements in terms of data on exposures and
underlying risk factor dynamics, as well as the computational
demands associated with large scale simulations represent a
strain for most banks, especially those banks with more com­
plex business risk profiles.
Range of Practices in the Choice of
Aggregation Methodology
Currently, there is no established set of best practices con­
cerning risk aggregation in the industry. Generally the cho­
sen approaches tend to be towards the simpler end of the
spectrum, with very few (typically large) banks using the more
sophisticated methodologies. The vast majority of banks use
some form of the summation approach, where risks are either
explicitly weighted, as in the case of the variance-covariance
approach, or implicitly weighted (as in the case of simple aggre­
gation). The IFRI and CRO Forum (2007) survey suggests that
more than 60% of banks use the variance-covariance approach
while less than 20% use the simulation approaches. Reportedly,
the stability of the latter approach over time is an attractive
aspect from a governance perspective, since it leads to a more
stable allocation of diversification benefits back to individual
business units.
Banks use a variety of approaches in setting values for the inter­
risk variance-covariance matrix. These approaches include direct
estimation using historical time series on underlying risks, expert
judgment, and industry benchmarks (frequently supplied by con­
sulting firms). The estimation based on internal data is arguably
more appropriate since it reflects the actual experience of the

214 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
bank and is more directly applicable to its business and risk pro­ sophisticated economic capital methodologies to follow a prin­
file. As suggested above, the interactions between risk compo­ ciple of conservatism in their approaches.
nents can be complex, non-linear, time varying, and dependent
W hatever the method and the estimates used, there are a num­
on measurement choices. If the bank possesses relevant data of
ber of commonalities in the assumptions made by banks. For
sufficient quality and length, these data should provide the most
instance, a high correlation between market and credit risks is
appropriate indicators of inter-risk dependencies. These data
usually assumed, a lower correlation between business risk and
can be related to the performance of portfolios (P&L, earnings,
credit or market risk, and a very low correlation between opera­
loss history, etc.). Often risks that present greater quantification
tional risk and all other risks.
challenges need to be approximated by banks with less well
developed IT systems. In these cases, the correlation between Related to the calibration of the covariance matrix of risks is
risk components is in practice often approximated by the co­ the overall level of diversification across risk types. Accord­
movement of asset price indices representative of these risk fac­ ing to the IFRI and CRO Forum (2007) survey, the estimated
tors, or similar proxies. range of inter-risk diversification is 10% to 30% for banking
organisations (with 40% of banks reporting gains between 15%
Very often bank-specific data are simply not available or of poor
and 20%). This range depends on the method used by banks
quality. In this case the entries in the variance-covariance matrix
in order to take into account inter-risk diversification and the
are filled on the basis of expert judgm ent, in the form of param­
varying estimates of correlation between risk types. Academ ic
eters that reflect the consensus of risk officers and business
studies on this issue indicate that this range can vary very sub­
managers within the firm, and this is frequently complemented
stantially depending on the applied methodology and the data
with input from external consultants and industry benchmarks.
used. Rosenberg and Schuermann (2006) estimate this diver­
This is particularly true when it applies to some risk compo­
sification at more than 40% at the 99.9% confidence level but
nents such as operational risk or business risk. The reliance on
underscore that this might vary depending on the specific port­
externally supplied inputs may be a necessity for medium and
folio composition. Dimakos and Aas (2004) on the other hand
small-sized institutions that lack the capacity, scope and scale
find only 10%—12% diversification at confidence intervals of
economies to develop risk correlation measures based on their
95% to 99%, but a number closer to 20% at confidence interval
own experience. The same applies to proportionately small
of 99.97% .
exposures in the case of larger institutions.

There is a tendency for banks to use what they consider as a

"conservative" variance-covariance matrix. The correlations are Supervisory Concerns Relating to Risk
often reported to be approximate (e.g., rounded up to multiples Aggregation
of 25 percentage points) and biased upwards (i.e., towards
An important overall message is that meaningful aggregation
unity). In an effort to reduce the need for expert judgment
of risk necessarily involves co m p ro m ises and ju d g m e n t to aug­
banks might consciously limit the dimensionality of the matrix by
ment quantitative methods. Risk measurement in portfolios
consolidating risk categories to a small number, not recognising
that are more homogeneous in terms of their risk drivers can
that such consolidation itself represents a form of aggregation
be quite detailed and can address different facets of risk. The
and embeds correlation assumptions. One drawback of this
combination of different types of risk into a common metric,
practice is that each category becomes less homogeneous and
however, presents many more complications stemming either
thus harder to quantify. In light of uncertainties for estimating
from the different statistical profiles of risk types or from dif­
inter-risk diversification effects as well as the possibility that cor­
ferences in the perspective and requirements of the business
relations may be time-varying, some (but not all) banks use
units that manage different portfolios (e.g., the use of different
stressed values that refer to the periods when these correlations
metrics and/or management horizons). Aggregation, therefore,
may be higher than they are on average, or even set equal to
typically requires that some of the richness of assessments
unity.16*Even in those cases where average values are used,
made on the individual components is sacrificed in order to
banks report that they examine the effect on the calculated eco­
achieve comparability.
nomic capital from using such stressed correlations as a robust­
ness check. Generally, there is a tendency for banks with less In particular, supervisory concerns with the economic capital
aggregation relate to validation of the inputs, methodology, and
outputs of the process.
16 Using stressed correlations is also justified on the basis that, in peri­
ods of stress, available capital resources might be less "fungible" across Economic capital frameworks are very difficult to validate. Eco­
risks/business units as implicitly assumed in the aggregation of its uses. nomic capital refers to holistic measures of risk in often very

Chapter 13 Range of Practices and Issues in Economic Capital Frameworks ■ 215

diverse business environments. Moreover, the more tailored the
process to the character and needs of the individual bank, the
more difficult for an external observer to independently vali­
date the inputs. Additionally, the short history of available data
renders backtesting impracticable in most cases. Many supervi­
sors report that validation processes typically do not meet their
expectations. In particular, many supervisors are sceptical as to
the validity of the size of diversification benefit estimates and do
not accept them for supervisory use.
As mentioned above, the degree of diversification is linked to
the measurement methodology of individual components. From
an applied point of view the potential complications with risk
measurement are primarily related to the common practice of
identifying risk categories with individual portfolios. For a num­
ber of practical reasons that have to do with the way banks man­
age different types of risk, with financial reporting practices, and
with the regulatory framework, different types of risk are often
identified with single portfolios. For example, market risk is
thought of being primarily associated with portfolios that are
held with the intention of active trading, are managed on a short
risk horizon, and are often marked-to-market. Credit risk is asso­
ciated mainly with the banking book which contains exposures
with a longer holding horizon, that they are often illiquid and
valued on an accrual basis. This simplistic distinction can give
rise to mistaken assessments of market and credit risk compo­
nents that can bias the aggregation process.17 The main mes­
sage from the supervisory perspective is that diversification
cannot be taken as given irrespective of the portfolio of risks
and risk measurement practices. There is a theoretical possibility
that risk components may be mis-measured and that aggregate
risk may be higher than the sum of the risk components. This
may be the exception rather than the rule, but the fact remains
that mis-measurement can often lead to under-estimation of
overall risk.
Finally a possible drawback of the more sophisticated method­
ologies is more of a behavioural nature. Often greater meth­
odological sophistication leads to greater confidence in the
accuracy of the outcomes. Given the diversity in the nature of
inputs, the importance of assumptions that underline the param­
eters used, and the scale of the task in practical applications,
the scope for hard-to detect and quantify inaccuracies is con­
siderable. Com plex approaches that are not accompanied by
robustness checks and estimates of possible specification and
measurement error can prove misleading.
17 A working paper of the Basel Committee's Working Group on the
Interaction of Market and Credit Risk contains a more in-depth discus­
sion of these issues and references to relevant papers.
216 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
13.7 VALIDATION OF INTERNAL
ECONOMIC CAPITAL MODELS
In some cases the term validation is used exclusively to refer to
statistical ex post validation, while in other cases it is seen as
a broader but still quantitative process that also incorporates
evidence from the model development stage. In this paper, the
term "validation" is used in a broad sense, meaning all the p ro ­
ce sse s that p ro vid e evid en ce-b a sed assessm ent about a m odel's
fitness fo r p u rp o se . This assessment might extend to the man­
agement and systems environment within which the model is
operated. Moreover, it is advisable that validation processes are
designed alongside development of the models, rather than
chronologically following the model building process.
Validation provides evidence that a model works as planned.
Economic capital models can be complex, embodying a lot of
moving parts and it may not be immediately obvious that a com­
plex model works satisfactorily. Moreover, a model may embody
assumptions about relationships between variables or about
their behaviour under periods of stress. Validation can permit
a degree of confidence that the assumptions are appropriate,
increasing the confidence of users (internal and external to the
bank) in the outputs of the model. Notably, validation also aids
in identifying model limitations, since no model (even when fully
validated) is ever a perfect representation of reality. While vali­
dation can provide powerful tools for the assessment of many
aspects of models, such as its risk sensitivity, it is less powerful
where other aspects of models are concerned, such as confirm­
ing the accuracy of high quantiles in a loss distribution.
Achieving an accurate fit may not always be the prime consider­
ation. For example, some models may be developed because of
their usefulness as a framework for analysis or decision-making
rather than because of their ability to fit historical data. Some
macroeconomic models of economic behaviour may fall into
this category.
Our interpretation of validation is consistent with that devel­
oped by the Basel Committee (2005a) in relation to the Basel II
Framework, which is phrased in terms of the IRB param eters18
and was developed in the context of assessment of risk esti­
mates for use in minimum capital requirements. However, valida­
tion of economic capital models differs to the validation of an
IRB model as the output is a distribution rather than a single
18 From the 2005 Validation principles: "In the context of rating systems,
the term 'validation' encompasses a range of processes and activities
that contribute to an assessment of whether ratings adequately differen­
tiate risk, and whether estimates of risk components (such as PD, LGD or
EAD) appropriately characterise the relevant aspects of risk."
predicted forecast against which actual outcomes may be com­
pared. Economic capital models are conceptually similar to VaR
models, though the long time horizon, high confidence levels,
and the scarcity of data force validation methods to differ in
practice to those used for VaR. Full internal economic capital
models are not used for Pillar 1 minimum capital requirements,
and so fitness for purpose needs to cover a range of uses, most
of which and perhaps all are internal to the firm in question. It
should also be noted that economic capital models and regula­
tory capital serve different objectives and so may reasonably dif­
fer in some of the details of their implementation for these
differing purposes.
Principle 1 of the Basel Committee's validation principles refers
to assessment of the predictive ability of credit rating system s.19
The emphasis is on the performance of forecasts generated by
the model. As it stands, Principle 1 is about rating systems: the
natural development of this principle for economic capital mod­
els is that validation is concerned with the predictive properties
of those models. Economic capital models embody forward-
looking estimates of risk and their validation is intimately bound
up with assessing those estimates and so this (re-stated) princi­
ple remains appropriate. The validation processes as set out in
this paper are, in their different ways, all providing insight into
the likely predictive ability of the model, interpreted broadly.
The other Basel II principles related to validation principles are:
the bank has primary responsibility for validation; validation is an
iterative process, there is no single method, validations should
encompass both quantitative and qualitative elements; and
validation processes and outcomes should be subject to inde­
pendent review. The notion of validation expressed in this paper
is consistent with these principles. Our discussion of validation
does not address, however, the question of who needs to per­
form the model assessment or which party needs to be satisfied
by that model assessment.
What Validation Processes Are in Use?
Most of this section describes the types of validation processes
that are in use or could be used. The list is not comprehensive,
and it is not suggested that all techniques should be used by
banks. Other surveys that provide fuller descriptions of tech­
niques are available.20 Our purpose is to make two points. First,
to demonstrate that there is a wide range of techniques that
19 Principle 1 reads: "Validation is fundamentally about assessing the
predictive ability of a bank's risk estimates and the use of ratings in
credit processes."
20 See BCBS (2005b).
Chapter 13 Range of Practices and Issues in Economic Capital Frameworks
would be covered by our broad definition of validation, creating
a layered approach. The more layers that can be provided, the
more comfort that validation is able to provide evidence for or
against the performance of the model. Conversely, where fewer
layers of validation are used, the level of comfort diminishes.
Second, that each validation process provides evidence for (or
against) only some of the desirable properties of a model. The
list presented below moves from the more qualitative to the
more quantitative validation processes, and the extent of use is
briefly discussed.
Qualitative Processes
(i) Use test. The philosophy of the use test has been fully
incorporated into the Basel II Framework. Its relevance as a
tool of validation is straightforward. If a bank is actually
using its risk measurement systems for internal purposes,
then supervisors can place more reliance on the systems'
outputs for regulatory capital. Applying the use test suc­
cessfully will entail gaining a careful understanding of which
model properties are being used and which are not.21
(ii) Q ualitative review. Banks tend to subject their models to
some form of qualitative assessment process. This process
could entail review of documentation, review of develop­
ment work, dialogue with model developers, review and
derivation of any formulae, comparison with what other
firms are known to do, comparison with publicly avail­
able information. Qualitative review is best able to answer
questions such as: Does the model work in theory? Does it
incorporate the right risk drivers? Is any theory underpin­
ning it conceptually well-founded? Is the mathematics of
the model right?
(iii) System s im plem entation. Production-level risk measure­
ment systems should go through extensive testing prior to
implementation, such as user acceptance testing, check­
ing of model code, etc. These processes could be viewed
as part of the overall validation effort, since they would
assist in evaluating whether the model is implemented with
integrity.
21 Paragraph 4 of the Basel Committee's validation principles sets out
some of the uses of capital models. In discussing the use test for IRB,
the paper notes " . . . as a quality check of IRB components and under­
lying processes, the use test is a necessary supplement to the overall
validation process. . . . the use test plays a key role in ensuring and
encouraging the accuracy, robustness and timeliness of a bank's IRB
components, confirms the bank's trust in those components and allows
supervisors to place more reliance on their robustness and thus on the
adequacy of regulatory capital." We think that this philosophy still holds
true when considering internal capital models.
■ 217
(iv) M anagem ent oversight. Management oversight refers to
the involvement of senior management in the validation
process, in reviewing output from the model, and using the
results in business decisions. Senior management need to
be clear how the model is used and how the model outputs
are interpreted, taking account of the specific implementa­
tion framework that their firm has adopted and the assump­
tions underlying the model and its parameterisation.
(v) Data quality checks. Not traditionally viewed by the industry
as a form of validation but increasingly forming a major part
of regulatory thinking. Data quality checks refers to the pro­
cesses designed to provide assurance of the completeness,
accuracy and appropriateness of data used to develop, vali­
date and operate the model. These processes could include
qualitative review (e.g., of data collection and storage), data
cleaning processes such as identifying errors, reviews of the
extent of proxy data, review of any processes that need to
be followed to convert raw data into suitable model inputs
(e.g., scaling processes), and verification of transaction data
such as exposure levels. Such a list is often a helpful indica­
tion of the level of understanding of the model.
(vi) Exam ination o f assum ptions— sensitivity testin g. Models
rest on assumptions of various kinds, some of which are
obvious, but some are less so. As such, certain aspects of
models are "built-in" and cannot be altered without chang­
ing the model. To illustrate, these assumptions could be:
assumptions about fixed model parameters such as cor­
relations or recovery rates; assumptions about the shape
of tail distributions; and assumptions about the behaviour
of senior management or of customers. Some banks go
through a deliberate process of detailing the assumptions
underpinning their models. This should include examination
of the impact on model outputs, and the limitations that the
assumptions place on model usage and applicability.
Quantitative Processes
(i) Validation o f inputs and param eters. Some model param­
eters may be estimated. Examples include the main IRB
parameters and correlation parameters. A complete model
validation would involve validation of the inputs themselves.
Validation of input parameters to economic capital models
would entail validation of those parameters not included in
IRB, such as correlations. Techniques could include check­
ing model parameters against historical data, comparison
of parameters against outcomes over time, comparison of
model parameters to market-implied parameters such as
implied volatility or implied correlation, and assessing mate­
riality of model output to input and parameters through
sensitivity testing. Testing of input parameters would be a
218 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
complement to the examination of assumptions and sensi­
tivity testing described in the preceding paragraph.
It is worth noting that checking of model inputs is unlikely
to be fully satisfactory since every model is based on
underlying assumptions. The richer or more sophisticated
the model, the more susceptible it may be to model error.
Checking of input parameters will not shed light on this
area. However, model accuracy and appropriateness can
be assessed, at least to some degree, using the processes
described in this section.
(ii) M o d e l replication. A useful quantitative technique is to try
to replicate the model results obtained by the bank. A truly
independent replication would use independently devel­
oped algorithms and an alternative source of data but in
practice replication might be done by leveraging some of
the bank's processes. For example, it could be done by run­
ning the bank's algorithms on a different data set or using
the bank's own databases with independently derived algo­
rithms, once the banks' processes have been validated and
are reliable. This technique (and the questions that often
arise in attempting to replicate results) can help to identify
whether or not the definitions and the algorithms that the
bank says it is using are correctly understood by staff in
the bank who develop, maintain, operate and validate the
model and that they are used in practice by the bank. The
technique also facilitates code checking and may be help­
ful in determining whether the databases analysed in the
validation process are those used by the bank to obtain its
results. This technique is rarely sufficient to validate mod­
els and in practice there is little evidence of it being used
by banks for either validation or to explore the degree of
accuracy of their models. Note that replication simply by
re-running a set of algorithms to produce an identical set
of results would not be sufficient model validation due
diligence.
(iii) Benchm arking and hypothetical p o rtfo lio testin g. This refers
to the examination of whether the model produces results
comparable to a standard reference model or comparing
models on a set of reference portfolios. Examples of bench­
marking could include comparison of risk ranking provided
by internal rating systems and agency ratings, or compari­
son of an in-house portfolio credit model to other well-
known models after standardisation of parameters. In the
regulatory field, this permits comparison of several banks'
models against the same reference model. It would allow
identification of models that produce outliers. Hypotheti­
cal portfolio testing means comparison of models against
the same reference portfolio. It is capable of addressing
similar questions to benchmarking by different means. The
 technique is a powerful one and can be adapted to anal­
yse many of the preferred model properties such as rank­
ordering and relative risk quantification. But there are also
limitations. In particular, benchmarking can only compare
one model against another and may provide little assurance
that the model accurately reflects reality or about the abso­
lute levels of model output. In a benchmarking exercise,
there may be good reasons why models produce outliers.
They may, for example, be designed to perform well under
differing circumstances, or may be conservatively param-
eterised, or may differ in their economic foundations, all of
which complicate interpretation of the results.
Benchmarking is a commonly used form of quantitative
validation. Comparisons are made with industry survey
results, against alternative models such as a rating agency
model, industry-wide models, consultancy firms, academic
papers and regulatory capital models. However, as a valida­
tion technique, benchmarking has limitations, providing
comparison of one model against another or one calibration
to others, but not testing against "reality." It is therefore
difficult to assess the degree of comfort provided by such
benchmarking methods, as they may only be capable of
providing broad comparisons confirming that input param­
eters or model outputs are broadly comparable.
(iv) Backtesting. Backtesting addresses the question of how
well the model forecasts the distribution of outcomes. Back­
testing may take many forms and there is a wide literature
on the subject. All backtesting approaches entail some
degree of comparison of outcomes to forecasts, and there
is a wide literature on the subject.
For portfolio credit models, the weak power of backtesting
is noted in BCBS (1999). As has been suggested by some
authors, there are variations to the basic backtesting
approach which can increase the power of the tests. Exam ­
ples include: performing backtesting more frequently over
shorter holding periods (e.g., using a one-day market risk
backtesting standard versus the 10-day regulatory capital
standard); using cross-sectional data by backtesting on a
range of reference portfolios;22 using information in fore­
casts of the full distribution;23 testing expected losses only;
and comparing outcomes against the expected values of
distributions as opposed to high quantiles.
Backtesting is useful principally for models whose outputs
can be characterised by a quantifiable metric with which
to compare an outcome. There may be risk measurement
22 See Lopez and Saidenberg (1999).
23 See Frerichs and Loffler (2002) and Berkowitz (2000).
Chapter 13 Range of Practices and Issues in Economic Capital Frameworks
systems in use whose outputs cannot be interpreted in
this way. Examples could include rating systems, sensitivity
tests and aggregated stress losses. Such risk measurement
approaches might nevertheless be valuable tools for banks.
The role of backtesting for such models, if they were to be
used, would need elaboration.
In practice, backtesting is not yet a key component of
banks' validation practices for economic capital purposes.
(v) Profit and loss attribution. Analysis of profit and loss on
a regular basis (e.g., annually) and comparison between
causes of actual profit and loss and the risk drivers in the
model. Attribution is not widely used except for market risk
pricing models.
(vi) Stress testing. This covers both stressing of the model and
comparison of model outputs to stress losses.
The outputs of the model might be examined under conditions
of stress, where model inputs and model assumptions might be
stressed. This process can reveal model limitations or highlight
capital constraints that might only become apparent under
stress. Stress testing of regulatory capital models, particularly
IRB models, is undertaken by banks but there is more limited
evidence of stress testing of economic capital models.
Through a complementary programme of stress testing, the
bank may be able to quantify the likely losses that the firm
would confront under a range of stress events. Comparison of
stress losses against model-based capital estimates may provide
a modest degree of comfort of the absolute level of capital.
Banks report some use of this stress testing technique to vali­
date the approximate level of model output.
Internal audit is not included in the above list, however vali­
dation of the overall implementation framework and process
should also be subject to independent and periodic review and
this work should be made by parties within the banking organ­
isation that are independent of those accountable for the design
and implementation of the validation process. One possibility
could be that internal audit would be in charge of undertaking
this review process. As such it could be viewed as comprising
a part of the management oversight process listed above. The
paper does not otherwise discuss the role of internal audit in the
validation process.
The list of validation tools does not address the issue of ade­
quate standards. Banks may operate internal standards that are
relevant for validation. For example, a description of the issues
that need to be addressed as part of validation, the standards
that capital models are expected to achieve, a series of quanti­
tative thresholds that models need to meet, warning indicators
for particular monitoring metrics, assessment against model
development standards.
■ 219
What Aspects of Models Does Validation
Cover?
The validation steps presented above can be used in assessing
most of the desirable properties of models. This is an encourag­
ing observation and stands in contrast to the fairly negative view
of validation taken in BCBS (1999).
Opinions may reasonably differ about the strength or weakness
of any particular process in respect of any given property. The
properties that could be assessed using a powerful tool and
hence that are capable of robust assessment include: integrity of
implementation; grounded in historical experience; risk sensitiv­
ity; sensitivity to the external environment; good marginal prop­
erties; rank ordering; and relative quantification. The properties
for which only weaker processes are available include: concep­
tual soundness; forward-looking; and absolute risk quantifica­
tion. Again, it is important to stress the judgmental evaluation of
the power of individual tests and to acknowledge that views as
to strength and weakness are likely to differ.
The difficulty of validating the conceptual soundness of a capital
model needs some elaboration. In developing a model, sev­
eral assumptions about the model and its inputs are likely to
be made. These could include assumptions about the family of
statistical distributions, the economic processes driving default
or loss, the dependency structure among defaults or losses,
the likely behaviour of management or other economic agents,
and the extent to which these vary over time. Moreover, some
internal capital models are risk aggregation models, where risk
estimates for individual categories (e.g., market, credit and
operational risk) are aggregated to generate a single total eco­
nomic capital figure, with the method of aggregation relying on
some underpinning assumptions. These assumptions, however,
may be untestable. As a result it may be impossible to be cer­
tain that a model is conceptually sound. While the conceptual
underpinnings may appear coherent and plausible, they may in
practice be no more than untested hypotheses.
This section presented the main validation tools available with
which to assess internal capital models and provided some eval­
uation of their power and their use in practice. The conclusion is
that tools are powerful in some areas such as risk sensitivity but
not in other areas such as overall absolute accuracy.
Supervisory Concerns Relating to
Validation
Compared to practice at the time of the BCBS (1999) report,
there is greater emphasis currently on the validation of mod­
els. The main areas of improvement are in benchmarking of
model parameters and the conduct of cross-firm comparisons of
220 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
models, typified by the IACPM and ISDA study (2006) on portfo­
lio credit risk models. There is some evidence that banks wish to
ensure that models are sensitive to the expected drivers of risk,
and that models generate outputs that permit adequate evalu­
ation of the relative risk between business lines and to provide
suitable trend analysis. Although there is scope for practices to
improve further, the signs of progress in these areas are moder­
ately encouraging.
In other respects industry validation practices are weak, par­
ticularly when the total capital adequacy of the bank and the
overall calibration of the model is an important consideration. It
is recognised that this validation task is intrinsically difficult since
it will typically require evaluation of high quantiles of loss distri­
butions over long periods combined with data scarcity coupled
with technical difficulties such as tail estimation. Moreover, it is
recognised that validation practices will depend on what the
model is being used for. Nevertheless, difficult as the validation
task might be, weaknesses in validation practices targeted at
evaluation of overall performance might result in banks operat­
ing with inappropriately calibrated models. This could be of con­
cern if assessment of overall capital adequacy is an important
application of the model. Improvements in these areas could
include further benchmarking and industry-wide exercises, back­
testing, profit and loss analysis and stress testing.
Additionally, institutions should recognise clearly that when vali­
dation is difficult and has limitations, i.e., when for one reason or
another models cannot be appropriately validated, users of those
models and senior management should be informed that full
validation could not be conducted. Such communication is nec­
essary so that model users and senior management understand
that there is greater uncertainty around the output from models
that have not been validated and that such model output should
generally be treated with extra conservatism. In that vein, model
users and senior management should understand and explore the
potential costs of using models that have not been fully validated
(i.e., if key assumptions in the models prove to be inaccurate).
13.8 ANNEX 1: DEPENDENCY
MODELLING IN CREDIT RISK MODELS*
A particularly important and difficult aspect of portfolio credit
risk modelling is the modelling of the dependency structure
between borrowers. This encompasses linear and non-linear
dependency relationships between obligors. Dependency
modelling is important because it forms an important distinc­
tion between the Basel II risk weight function (with supervisory
imposed correlations) and portfolio credit risk models which rely
on banks' internal modelling of dependencies.
Understanding the way dependencies are modelled is important
for supervisors when they assess a bank's ICAAP under Pillar 2,
since internal bank modelling of portfolio credit risk may be an
important element of a bank's ICAAP and can generate the big­
gest reduction of capital needs in comparison with the Pillar 1
minimum capital requirement for credit risk.
This annex briefly describes the main methods used for model­
ling credit dependencies and discusses progress since the pub­
lication of the BCBS (1999) report. It also discusses the impact
that different methods have on banks' economic capital, and
makes some observations linked to recent developments in
dependency modelling. Finally, it raises some supervisory con­
cerns about the current state of industry practice.
Types of Models
The majority of banks use one of three types of credit models.
These models, often referred to by their commercial names, are
Moody's/KMV (MKMV), CreditM etrics, and CreditRisk-h The
annex follows the same convention even though other vendors
offer similar models and some banks have developed their own
internal models that are consistent with the structure of one of
these model types.24
Most models of credit portfolio risk estimate asset correla­
tions among obligors in terms of common dependence on
systematic risk factors. The assumption is that these underlying
factors— e.g., country, region, or industry of a borrower— fluctu­
ate over time and typically follow a (joint) normal distribution. All
borrowers are linked to these underlying systematic risk factors
to varying degrees and tend to move in a correlated way. Thus,
by modelling dependencies, banks account implicitly for con­
centration (both single name and sectoral) because large parts
of their books are subject to the same underlying risk factors or
to multiple risk factors.
Extensions of the three credit portfolio models are used by
some banks. For example, this is the case for a few banks with
specialised portfolios (e.g., small and medium-size European
corporate loans) which have integrated a contagion approach
into variants of the standard credit portfolio models (see
Box 13.1). By integrating information on business relationships
among borrowers into the credit portfolio model, this approach
tries to address the clustering of defaults observed within their
24 The discussion of these model types is descriptive and is not intended
as an endorsement of any of the vendor models. Reference to these
prototype models should not be construed as an endorsement of these
models, or as an indication of their standing relative to other models
that might be used by banks or offered by other vendors.
Chapter 13 Range of Practices and Issues in Economic Capital Frameworks
BOX 13.1 CONTAGION APPROACH
Motivated by the financial crises in South East Asia and
the US in the 1990s, and the Enron default crisis in late
2001, where the downfall of a small number of firms had
an economy-wide impact, academic researchers have
attempted to incorporate counterparty relationships, or
microstructure correlation, into portfolio credit models
(Davis and Lo (2001), and Jarrow and Yu (2001)). The com­
mon feature of contagion models is that they distinguish
between macrostructure and microstructure dependencies.
In contrast to macrostructure dependencies, microstruc­
ture dependencies attempt to capture business relation­
ships and legal dependencies within and across sectors.
This approach is also relevant for pricing CDSs, CD O s, and
basket derivatives, since the prices for these products are
influenced by dependencies between the firms in a basket,
a business (e.g., suppliers and competitors), etc.
The microstructure contagion effect can be integrated
using different approaches, (e.g., reduced-form models).
The idea behind contagion models is that contagion risk
produces upward jumps in the default intensity of non-
defaulted firms, implying a higher conditional default
probability for these firms given additional information
on other firms' defaults. The driving principle behind
such modelling is that considering only macroeconomic
dependencies for a portfolio subject to microstructure
dependencies could potentially underestimate credit
risk. By integrating microstructure dependencies into the
model, the standard deviation of rating changes over time
is increased, even for well-diversified credit portfolios with
moderate microstructure dependencies.
Generally, the contagion approach is supposed to be con­
servative since it lengthens the tail of the loss distribution
and therefore increases the capital needed to cover credit
risk. However, it is difficult to gauge whether the increase
in capital is sufficient to capture the risk dependencies.
Additionally, practical and theoretical issues need to be
addressed, such as the reliability of the required expert
judgment and ability to identify the frailty/contagion factors.
portfolios that are linked to bank specific portfolio concentration
and exposure mix.
In addition, few banks model dependencies using copulas (see
Box 13.2), at least for their economic credit risk modelling. This
technique can be used to capture several alternative general
types of dependencies, as opposed to the more restrictive
Gaussian copula models.25
Some banks also use models that are based on the asymptotic
single-risk-factor (ASRF) model, which is the basis for the Basel II
25 See for example Hull (2007) for a discussion of copulas.
■ 221
 BOX 13.2 COPULAS
Some banks model dependencies using copulas. Within the
context of credit risk modelling, copulas are used to model
dependencies between the defaults of credit obligations in
a portfolio. Given that one obligor has defaulted, other obli­
gors in the portfolio might be more likely to default because
they are connected to the defaulted obligor directly (e.g., if
the defaulted obligor is the creditor of another) or indirectly
(e.g., if another obligor is in the same industry).
For a collection of random variables with given marginal
distributions (the univariate probability distribution of each
random variable) a copula specifies how these random vari­
ables combine into a multivariate distribution, and thus speci­
fies the dependencies between the random variables. Some
copulas like the Gaussian copula are characterised by a corre­
lation matrix, while other copulas describe dependencies that
are non-linear or too complicated to be accurately described
by correlation parameters. A copula is a mapping that trans­
forms the marginal distributions for a collection of random
variables into a joint distribution for all the random variables.
When copulas are used in credit risk modelling, the underly­
ing random variables of interest may be the time to default
of each obligation in a portfolio, or in Merton type models,
the asset values of the obligors. In the latter case, the obligor
defaults when its asset value falls below a certain threshold.
These underlying variables are continuous random variables,
and they express the likelihood of default in a different way
from the more familiar (discrete) indicator random variables,
risk weights for credit risk.26 Within this modelling approach,
banks may use their own estimates of correlations or may use
multiple systematic risk factors in order to address concentra­
tions. Such a modelling approach raises several supervisory con­
cerns about the method used to calibrate the correlations and
the ways in which the bank addresses the infinite granularity and
single-factor structure of the ASRF model.
Under the impetus of the Basel II Framework, banks have also
increased their use of bottom-up approaches in their credit risk
dependency modelling. As a result, credit portfolio models are
much more integrated into daily risk measurement and manage­
ment than was the case in 1999.
The IACPM and ISDA Study
Given the differing approaches to modelling dependencies
between borrowers described above, the question arises as to
26 The ASRF model is also referred to as a single-factor Gaussian copula
model. For this model, the capital charge for an exposure depends on
the risk characteristics of this exposure only (i.e., PD, LGD, EAD, matu­
rity) and does not depend on the composition of the portfolio to which
the exposure is added.
222 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
which are 1 if default occurs during a specified period and 0
otherwise. If q, is the underlying random variable denoting
for example the time to default of obligor /', and li T is the
indicator random variable denoting default before time T, the
relation between q ,■and li T is:
\ if q < T
/i j
0, if g. > T
If the distributions of these time-to-default variables are
combined using a copula, a joint distribution function for the
time-to-default variables is obtained. Taking random samples
from this joint distribution, and given a specified time hori­
zon, each sample from the distribution will translate into a set
of defaulting and non-defaulting obligations within the port­
folio over that time period.
The first copula to be widely used in the context of credit
modelling was the Gaussian copula. One important short­
coming of the Gaussian copula is that it displays zero tail
dependence. Besides the Gaussian copula, copulas based
on other multivariate distributions (particularly the Student-t
distribution) are often used with the goal of capturing depen­
dencies between defaults that have a stronger impact on the
tail of the loss distribution. For example, the t-copula has a
parameter for "tail association" or dependence. The distribu­
tions produced by copulas are usually not tractable analyti­
cally, and as a result, copulas are most frequently used in
running portfolio default simulations.
what extent the economic capital estimates produced by the
models differ from each other. To shed some light on this empiri­
cal question, the International Association of Credit Portfolio
Managers (IACPM) and International Swaps and Derivatives Asso­
ciation (ISDA) conducted a study in 2006 to explore the economic
credit capital models in use by their member institutions.
The IACPM and ISDA (2006) study evaluated the degree of con­
vergence of economic capital estimates across commercially
available credit portfolio models and across internally developed
credit risk models implemented by banks. Given that most
banks use one of the three main commercially available credit
risk models mentioned above or internally developed imple­
mentations of the same types of models, the study was effec­
tively a comparison of the economic capital estimates generated
by these commercially available models, run either in default
mode or in mark-to-market m ode.27 The study applied the
27 Credit RiskH- is exclusively a "default mode" model. Default mode
refers to the situation where credit losses arise only if a borrower
defaults within the planned time horizon. Mark-to-market credit losses
can arise in response to deterioration in an asset's credit quality before
the end of the planning horizon.
different credit models to a representative portfolio of transac­
tions that was assembled with pre-specified data assumptions
regarding risk characteristics. By eliminating different data char­
acteristics and portfolio composition as sources of potential dif­
ferences in economic capital estimates, remaining differences
are largely due to differences in the modelling approaches. O ut­
comes of the study may also be dependent on the composition
and characteristics of the test portfolios used in the study.
The study showed significant differences in economic capital
estimates between the different models, in default-only mode
as well as in mark-to-market mode. The differences in economic
capital estimates between the models can be explained in
terms of the following factors: correlation structure; treatment
of interest payments due between time zero (point of valua­
tion) and the time horizon (point of default) and whether this
was accounted for in the definition of loss; and other modelling
differences.
O f special interest in the context of this annex is the question:
How much of the difference in economic capital is due to corre­
lation structure/dependency modelling assumptions? In default-
only mode, the differences could be explained to a large extent
by the different treatment of interest payments (i.e., by the dif­
ference in definition of loss), with the correlation structure play­
ing only a minor role. However, in mark-to-market mode, where
changes in revaluations at the horizon for non-defaulted assets
may also be correlated, and where the impact of differences in
the modelling of correlations is larger, roughly a quarter of the
observed difference in economic capital estimates is attributable
to correlation assumptions.
Another issue involves the sensitivity of economic capital esti­
mates to changes in portfolio concentrations and model param­
eters. Sensitivity analysis performed in the IACPM and ISDA
study showed that a change in the sector or country composi­
tion of the representative portfolio had a large impact on eco­
nomic capital estim ates.28 Furthermore, the impact differed
between the different types of credit risk models. This evidence
provides empirical support for the notion that the output of
credit risk models significantly depends on the underlying corre­
lation structure. Differences in correlations could be structural in
nature since different models may use different data to calibrate
correlations (e.g., historical equity returns versus default rate
data), or could be due to time-varying correlations.29
28 For example, it could double the amount of economic capital for
credit risk.
29 The IACPM and ISDA study concludes that when loss assumptions are
aligned across both vendor and internal credit portfolio models, esti­
mates of economic capital for credit risk can be shown to converge for
default-mode models. Differences in the capital estimates for mark-to-
market models can be reduced, but not eliminated.
Chapter 13 Range of Practices and Issues in Economic Capital Frameworks
Supervisory Concerns Relating to
Currently Used Credit Portfolio Models
Shortcomings of Dependency Modelling
Regarding dependency assumptions used in credit portfolio
models, supervisors can question the accuracy and robustness
of correlation estimates used by banks since these estimates
depend heavily on (explicit or implicit) model assumptions and
can significantly influence economic capital calculations. These
assumptions are even more problematic when the dependency
modelling and calibration methods used are embedded in pro­
prietary third-party vendor credit risk models, which essentially
can be viewed as "black boxes."
Beyond the issues raised by the basic approaches used in struc­
tural and reduced-form credit portfolio models, the validity of
several other assumptions has been examined in the academic
literature. For example, the validity of the following assump­
tions has been drawn into question: the asymptotic single-factor
Gaussian copula approach; the normal distribution for the vari­
ables driving default; the stability of correlations through time;
and the joint assumptions of correctly specified default probabil­
ities and doubly-stochastic processes, which imply that default
correlation is adequately captured by common risk factors.
Several academic papers question the ability of some models
using such assumptions to explain the time-clustering of defaults
that is observed in some markets. This in turn, when combined
with inadequately integrating the correlation between PD and
LGD in the models and inadequately modelling LGD variability,
can lead to an underestimation of economic capital needed. In
addition, it will make it difficult to identify the different sources
of correlations and the clustering of defaults and losses.
For example, Das et. al. (2007) found that U.S. corporate default
rates between 1979 and 2004 vary beyond what can be
explained by a model that only includes observable covariates.
Moreover, Duffie et. al. (2006) found evidence of the presence
among U.S. corporate default rates of one or more unobserv­
able common sources of default risk that increase default corre­
lation and extreme portfolio loss beyond that implied by
observable common and correlated macroeconomic and firm-
specific sources of default risk.30 However, there are practical
limitations of the "frailty approach" (i.e., modelling default clus­
tering with latent risk factors) including the computational cost,
and the failure to identify the frailty factor, hampering the ability
30 As pointed out by Das et. al. (2007) and others, known factors
account for a very large fraction of the default correlation observed in
the data. As a result, a practical approach to overcoming the shortcom­
ing of the frailty factor is to use conservative estimates of asset correla­
tions and to conduct stress testing.
■ 223
of banks to make practical decisions in managing the risk from
the frailty factor.
With respect to the stable correlation hypothesis, Bangia et. al.
(2000) found that rating transitions are sensitive to the business
cycle and are explained by different models during expansion­
ary and recessionary periods. Therefore, the sample period and
approach used to calibrate the dependency structure could be
important in assessing whether correlation estimates are overes­
timated or underestimated, and therefore whether they should
be reviewed.
Other assumptions can also impact correlation calibration.
For example, when a model assumes that unobservable asset
returns can be approximated by changes in equity prices, it
does not account for the fact that the relationship between
asset returns and equity prices is unobservable and could also
be non-linear. Similarly, when equity prices are used to estimate
credit default probability, the issue arises that although such
prices can cover a wide range of industries and geographical
locations, they also reflect information that is unrelated to credit
risk. Consequently, the use of equity prices can introduce some
noise in the correlation estimates.
On the other hand, when banks use a regulatory-type approach,
with single or multiple risk factors, the assumptions of such
an approach poses two important issues for both banks and
supervisors:
• Since the correlation estimates are explicit parameters in the
Basel ASRF model, they would need to be estimated. There
may be limited historical data on which to base the correla­
tion estimates, and the assumptions used to generate the
correlations may not align with the underlying assumptions of
the Basel II credit risk model.
• If a bank uses the Basel II risk weight model (either with
supervisory or with its own correlations), it must account for
concentration risk (single name and industry/regional con­
centrations) by other measures and/or management methods
(e.g., limit setting), and supervisors will have to evaluate
these approaches.
The concern about assumptions is important since they can have
a significant impact on measures of portfolio credit risk and the
measurement of economic capital. For example, Tarashev and
Zhu (2007) demonstrate, by comparing the loss distributions
produced by the KMV and the ASRF models, that the single­
risk-factor and infinite granularity assumptions of the ASRF
model have small impacts on measurement of capital needs,
especially for large, well-diversified portfolios. By contrast, the
use of misspecified or incorrectly calibrated correlations and the
use of a normal distribution (which fails to replicate the tails of
224 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
the distribution of asset returns)31 can lead to significant inaccu­
racies in measures of portfolio credit risk and economic capital.
Use of Credit Dependency Modelling
One of the main supervisory concerns is that some banks use
credit portfolio models without always having a full understand­
ing of all the underlying assumptions and modelling techniques
embedded in them. W hether such models are suitable for differ­
ent portfolios (retail, structured products, etc.) as well as for the
specific concentration and exposure mix characteristics of their
own portfolios should be assessed.
For example, it seems that the use of asset return correlations
derived from equity prices has become a market standard for
portfolios of large corporates, despite the limitations associated
with such an approach.
It is important to consider whether the uncritical use of asset
correlations for other portfolios such as SME and retail borrow­
ers is adequate. The estimated correlations could be meaning­
fully used as long as they are applied to large, publicly traded
borrowers. The appropriateness of using such data to estimate
correlations for other exposures such as non-traded, small and
medium-sized enterprises and retail borrowers is less clear. Spe­
cifically, corporate, SME and retail portfolios are data-rich, which
means that the derivation of different default correlations from
internal bank data could be envisaged in some cases. For non
traded SME portfolios, there are third-party vendors that might
also provide relevant data for some local markets.
However, banks do not generally calibrate their retail and SME
correlations separately. Instead they use shortcuts, such as assign­
ing retail borrowers to the no industry category in a credit portfo­
lio model. It remains to be seen whether these shortcuts provide
a meaningful measure of risk for SME and retail portfolios.
The use of more complex models (e.g., contagion models and
Gaussian and non-Gaussian copulas), which need technical,
judgmental and modelling expertise, could also be viewed as
too burdensome, uncertain, unstable or inappropriate to imple­
ment. Assuming that banks gather enough data to estimate
more reliable correlations using internal data in the future, it
would be useful for the industry to make progress in estimating
correlations for other exposures, such as SM E, retail, and struc­
tured products, and to analyse which data, models, and tech­
niques are the most relevant for these portfolios.
31 With respect to the loss distributions, they are more likely to follow
double-t distributions with medium to high degrees of freedom instead
of normal distributions. Such misspecification can imply an underestima­
tion of economic capital that ranges from 22-86%.
13.9 ANNEX 2: COUNTERPARTY
CREDIT RISK
Counterparty credit risk (CCR) at large, complex banks centres
on the measurement and management of financial exposure
and the resulting credit risk associated with core credit exten­
sion activities of these financial institutions to a wide range of
counterparty types. Counterparty credit risk takes a variety of
forms, including credit risk emanating from activities in O TC and
exchange-traded derivatives, from securities financing activities,
and from foreign exchange settlements. The counterparties to
these financial institutions take a wide variety of forms, ranging
from sovereigns and local government entities, to regulated
financial concerns and potentially unregulated financial parties
such as hedge funds, to corporate entities (both investment-
grade and below-investment-grade).
This annex is organized in two sections. The first section high­
lights the challenges that the industry faces in quantifying coun­
terparty credit risk for economic capital purposes, while the
second section addresses the range of practices that financial
institutions undertake in quantifying this risk. The primary focus
is on modelling challenges in the quantification of counterparty
credit risk, and thus there is no explicit consideration of the
comprehensive set of risk management practices that are meant
to mitigate risks or to provide compensating controls for model
deficiencies, unless those practices (such as initial margin and
ongoing collateral practices related to counterparty credit risk)
directly influence the quantification of risk.
Counterparty Credit Risk Challenges
Measurement of counterparty credit risk represents a complex
exercise, as it involves gathering data from multiple systems;
measuring exposures from potentially millions of transactions
(including an increasingly significant percentage that exhibit
optionality) spanning variable time horizons ranging from over­
night to thirty or more years; tracking collateral and netting
arrangements; and categorising exposures across thousands of
counterparties. The complexities of the processes highlighted
below indicate a need for institutions to have specialised pro­
cesses and personnel to tackle these issues and challenges.
Measuring Exposure and Measuring Risk
A bank's counterparty credit measurement can be conceptually
broken down into two distinct steps. First is the measurement
of counterparty cred it exp o su re — that is, how much money the
counterparty will owe the bank in the event of default. This
exposure number is further broken down into current exp o su re,
Chapter 13 Range of Practices and Issues in Economic Capital Frameworks
which measures the exposure if the counterparty were to default
today, and potential exp o su re, which measures the potential
increase in exposure that could occur between today and some
time horizon in the future. One feature of derivatives and securi­
ties financing relationships is that, while the amount of current
exposure to a counterparty is known, the amount of potential
exposure to a counterparty is an unknown quantity (in fact,
given the nature of derivatives contracts and securities financing
arrangements, there may be no exposure to the financial institu­
tion at the time of a counterparty default). Therefore, counter­
party credit exposure is generally measured as some statistic
(such as a mean or a percentile) of the distribution of possible
future exposures to the counterparty.
The second part of the counterparty credit measurement is
converting the exposure to a risk amount for economic capital
purposes or risk management purposes more generally (for
example, to inform a counterparty credit risk limit system). The
risk measurement will be a function of the probability of default
(PD) for the counterparty, the loss given default (LGD) for the
exposure, and the exposure measurement, which is effectively
the exposure at default (EAD) value. The EAD value is driven by
market-risk-related factors (the volatility and correlation among
market risk factors and how they affect the derivative contract
or valuation of the securities being financed), while the PD and
LGD are effectively determined by firm's assessment of the
credit quality of the counterparty.
Counterparty credit risk measurement, therefore, necessarily
combines the tools from standard market risk measurement with
the tools from standard credit risk determination. Market risk mea­
surement practices are used, for example, in mapping derivatives
exposures to a set of market risk factors, simulating those factors
out to a forward-looking time horizon, and determining the distri­
bution of the level of exposures over various risk factor realisations
in the simulation. Separately, standard credit risk processes provide
assessments of the credit quality of the counterparty, frequently
resulting in a credit rating of the counterparty, both from the PD
and LGD perspectives. Counterparty credit risk measurement
offers unique challenges related to both the market-risk-related
and the credit-risk-related processes, which are described next.
Market-Risk-Related Challenges to Counterparty
EAD Estimation
Counterparty credit exposure measurement requires simulation
of market risk factors and the revaluation of counterparty posi­
tions under the simulated risk factor shocks, much like a value-
at-risk (VaR) model requires. Two unique challenges present
themselves when attempting to leverage a VaR model technol­
ogy for counterparty credit exposure measurement.
■ 225
First, market risk VaR models combine all positions in a port­
folio into a single simulation, so that gains from one position
are allowed to fully offset the losses in another position in the
same simulation run. Counterparty credit risk exposure mea­
surement, however, cannot allow netting across counterparties
(e.g ., a decline in exposure to one counterparty cannot be net­
ted against an increased exposure to another counterparty).
Therefore, the analysis of counterparty exposure must be done
at the "netting set" level (that is, on each set of transactions
that form the basis of a legally enforceable netting agree­
ment). Most banks have many thousands of counterparties,
and each of these counterparties may have many different
netting agreem ents (segregated, for exam ple, by product type
or legal jurisdiction). This situation, therefore, requires the
counterparty exposure measurement to perform a calculation
at the netting-set level, thereby increasing the computational
intensity of the calculation.
Second, market risk VaR calculations are traditionally performed
for a single short-term holding period— for example, for a single
day or a ten-day holding period. Counterparty credit exposure
measurement, however, must be performed for multiple hold­
ing periods into the future, as certain derivatives contracts, for
example, can extend years, or even decades, into the future.
As a result, market risk factors have to be simulated over much
longer time periods than in the standard VaR calculation, and
revaluation of the potential exposure in the future must be done
for the entire portfolio at certain points in the future.
The combination of the large number of counterparties and the
large number of holding periods in the future implies that the
computation challenges in effectively measuring VaR are dra­
matically increased when financial institutions attem pt to mea­
sure counterparty exposures for derivatives transactions. As a
result, a bank may decide to reduce the number of market risk
factors considered in the simulation for counterparty credit risk
relative to the number considered in the market risk VaR calcu­
lation. The resulting simplification can result in a reduction in
precision of the final result, but the materiality of the reduced
precision is highly dependent on the circumstances of the posi­
tions relative to the model. For exam ple, ignoring the volatil­
ity smile in a business with few trades might not be material,
but using a single-factor term structure of interest rate model
may result in significant reduction in accuracy of the model for
these exposures.
Credit-Risk-Related Challenges to PD and LGD
Estimation
Frequently, counterparties to financial firms for derivatives or
securities financing transactions have other credit-risk-related
relationships, so that the financial firm would already have a
226 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
credit rating, and an associated PD and ability to calculate an
LGD for the exposure. However, some important derivatives
and securities financing activities are done with counterparties
(such as hedge funds) with which the financial institution may
have no other exposures. In those cases, the financial firm must
determine a PD and LGD associated with the counterparty and
the facility. In the case of hedge funds, the counterparty may
have little transparency in terms of underlying fund volatility,
leverage, or types of investment strategies employed, which
creates a significant challenge. In the cases of counterparties to
which the institution has other credit exposures (e.g., a corpo­
rate client), the institution will typically be using the same PD
used for the other exposures, but will need to arrive at a facility-
specific LGD.
Interaction between Market Risk and Credit
Risk—Wrong-Way Risk
While counterparty credit risk can conceptually be broken down
into a market-risk-driven EAD calculation and a credit-risk-driven
PD-LGD determination, these two processes are frequently not
independent. This interaction, where PD and LGD may tend
to rise at the same time as the exposure to the counterparty is
rising, is known as "wrong-way risk." For counterparty credit
exposure systems that separate EAD estimation from PD-LGD
estimation, the incorporation of wrong-way risk in the economic
capital calculation is not directly feasible, but may be incorpo­
rated via an add-on in the economic capital process. Challenges
arise when trying to capture wrong-way risk. Wrong-way risk
is sometimes difficult to identify, as it requires understanding
the market risk factors that the counterparty is exposed to, and
relating those factor sensitivities to the factor sensitivities of the
institution's own exposures to the counterparty. Understanding
the counterparties' risk factor sensitivities can be challenging,
especially for counterparties (such as some hedge funds) that
tend to be opaque. Even when wrong-way risk can be identified
directionally, it is often difficult to quantify its magnitude in an
economic capital model (in particular, over a one-year horizon at
a high confidence level).
Operational-Risk-Related Challenges in Managing
Counterparty Credit Risk
Managing counterparty credit risk is a very resource-intensive
activity, and requires specialised systems and personnel to effec­
tively implement. Daily limit monitoring, marking-to-market,
collateral management processes, and intraday liquidity and
credit extensions are all complicated and interlinked processes
that give rise to the possibility of operational risk difficulties.
Such operational risk exposure is generally not captured for eco­
nomic capital purposes within counterparty credit risk, but may
be captured within an operational risk quantification process.
Operational risks related to counterparty risk that are particu­
larly difficult to quantify involve risks of new or rapidly growing
businesses, risks in new products or processes, risks in intraday
extensions of credit which are not properly captured in systems
designed for end-of-day exposure capture, and risks in areas
where there have been few historical instances of losses but
where potential "tail events" may have severe consequences.
Differences in Risk Profiles between Margined
and Non-Margined Counterparties
One important input in the measurement of counterparty
credit risk among firms' counterparties is whether the coun­
terparty is a margined counterparty or not. A margined coun­
terparty has agreed to post collateral, either in the form of
cash or securities, when their exposure to the financial firm is
positive. W hile there are wide variations in the practices sur­
rounding margining of counterparties (minimum thresholds
before a margin call is made, the frequency of margin calls,
the treatm ent of valuation of illiquid products, etc.), an impor­
tant distinction in the modelling approaches must be made
between counterparties who have agreed to margining (also
known as "having a C S A "— a credit support annex to the
master netting agreem ent that lays out the terms of the mar­
gining agreement) and those who have not. Frequently, the
modelling difference between these classes of counterparties
surrounds the treatm ent of the look-ahead forecasting period:
For margined counterparties, the forecasting period is short,
associated with a reasonable "cure period" between when a
counterparty misses a margin call and when the underlying
positions can be closed out; for non-margined counterparties,
the forecasting period is generally much longer, as long as the
life of the contract. The variation in modelling horizons makes
the aggregation of risk across these two classes of counterpar­
ties a challenge, as most risk modelling approaches take a sin­
gle modelling horizon (e.g., one day for VaR models, one year
for economic capital models) for all positions. Aggregation is
further com plicated if, for a given counterparty, some positions
are margined but others are not.
Note that there still is a gap risk, even for margined counterpar­
ties, which needs to be modelled and accounted for. In stress
situations that adversely affect the assets being financed, there
could be a risk of market gapping and rapid loss of value. Banks
may need to take possession of collateral at a time when its
value is deteriorating and the market for it may be illiquid. This
risk may be amplified by the presence of exposure concentra­
tions within the firm, or by "crowded trades," where several
firms may be taking possession of similar collateral and seeking
to liquidate it at the same time.
Chapter 13 Range of Practices and Issues in Economic Capital Frameworks
Aggregation Challenges
While calculation of counterparty credit risk for an individual
counterparty has its challenges, these challenges are magnified
when attempting to get a firm-wide view of risk for economic
capital purposes. Independently of the challenges in arriving at
a counterparty credit risk economic capital measure outlined
above, this risk measure must be aggregated in a sensible, rigor­
ous, and risk-sensitive way with other exposures at the financial
firm in order for the overall economic capital measure to be a
reliable indicator of the aggregate inherent risk-taking by the
firm. If a single counterparty has both derivatives and securities
financing transactions, the firm may face challenges in aggrega­
tion across the counterparty's exposures, as the various models
and systems architectures may not be conducive to aggregation.
Furthermore, a firm's counterparty credit risk must be aggre­
gated with other credit risk-taking activities of the firm, both in
terms of loans in the banking book and credit risk in the trading
book. Finally, these more comprehensive credit risk measures
must be aggregated with overall market and operational risk in
order to arrive at the final economic capital measure.
A related challenge involves the ability of the counterparty credit
risk system to allow risk management to have a detailed under­
standing of the various breakdowns of risk that are common in
the market risk world. Breakdowns by product, by risk factor, by
geography, by business line, or by legal entity are difficult for
many firms to produce, for a variety of reasons. The computation
intensity of the calculations makes the provision of such "drill
down capabilities" expensive in terms of time to produce on a
daily basis. Fragmented computer systems and IT infrastructures,
frequently driven by a variety of legacy infrastructures from
merger and acquisition activity, are frequently cited culprits to
the limitations associated with counterparty credit risk systems'
lack of flexibility. The IT requirements associated with Basel
M's internal models approach to the use of counterparty credit
risk for regulatory capital purposes were often mentioned as a
possible mechanism to address some of the existing systems'
rigidities, but it remains uncertain how much of the planned IT
investments will address the existing systems' limitations.
Range of Practices
Given the variation in size and complexity of counterparty credit
exposures across large financial firms, these institutions display
a range of practices in measuring CCR for economic capital pur­
poses. Firms employ one of two general modelling approaches
to quantify the counterparty credit risk exposures. While these
models may be supplemented with complementary measure­
ment processes, firms typically have adopted one of two mea­
surement "engines":
■ 227
The first is a stand-alone simulation engine, typically im ple­
menting a Monte Carlo approach ("M onte Carlo M odel"). This
simulation normally spans a long forecasting horizon— often
encompassing the contractual life of the transaction— and then
selects an average exposure measurement or a percentile of
the resulting exposure distribution to quantify the exposure
for a transaction or a portfolio of transactions at different
points in time over the forecasting horizon. The banks em ploy­
ing this approach for collateralised counterparties will typically
use the same approach to measure uncollateralised counter­
party exposures.
The second approach is a "value-at-risk" ("VaR")-type CCR
exposure engine ("VaR M odel"), typically achieved by leverag­
ing the firm's existing market risk VaR processes. This approach
estimates the distribution of CCR exposures over a relatively
short-term liquidation (or "closeout") horizon. The banks
employing this approach for collateralised counterparties still
typically use a Monte Carlo approach to measure uncollater­
alised exposures with longer-term horizons.
The decision of whether to use Monte Carlo Model or VaR-type
model to quantify CCR exposures for collateralised counterpar­
ties involves a variety of trade-offs.
The VaR-type model leverages well-developed and already vali­
dated data and analytical systems, thereby permitting usage of
a large set of risk factors deployed for market risk measurement.
Due to the computational intensity, however, the VaR-type model
is practical only for quantifying the exposure profile over a single
short-term forecasting horizon, which can be utilised for collat­
eralised counterparty credit risk assessments. Consequently, the
VaR-type model exhibits the limitation that it cannot produce a
profile of exposures over time, which is necessary for counterpar­
ties that are not subject to daily margining agreements.
The Monte Carlo model, on the other hand, allows for the quan­
tification of longer-term exposures but at the potential expense
of a less accurate measurement of CCR exposure given the nec­
essary use of simplified risk factor representation.
Use of Add-Ons
Counterparty credit risk engines may not effectively capture
the risks of all financial products. For products not effectively
captured by counterparty credit exposure measurements, many
firms revert to an "add-on" factor, which provides a simplified
but conservative measurement of the exposure for that product.
While generally calibrated to be conservative, the add-on factors
are frequently not risk sensitive (e.g., the factors may not change
as market volatility rises and falls) and frequently do not allow for
netting, hedging or diversification effects across risk factors.
228 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Counterparty Credit Risk Processes for High Risk
Counterparties
Firms continue to be challenged by the opacity of risks for cer­
tain counterparties, such as hedge funds, and have developed
enhanced processes to identify, measure, monitor, limit, control
and report the risks from these counterparty relationships.
Ancillary Processes to View Counterparty
Credit Risk
Due to the challenges of developing a highly nuanced view of
counterparty credit risk for economic capital purposes, banks
have developed ancillary processes to help manage and measure
these risks. Concentration risk identification and stress testing
are two of the key risk management processes that attempt to
quantify the risks in counterparty credit relationships that may be
poorly measured by the core counterparty credit risk engines.
Concentration risk identification involves a set of ancillary analyt­
ics, mostly outside of the main counterparty credit risk engine,
which attempts to identify large exposures by individual coun­
terparty, by the set of counterparties of lower credit ratings,
by underlying risk factor, or by other dimensions that the firms
have identified as important measures of concentration that are
deemed worthy of monitoring. However, one should keep in mind
that concentration of positions with larger counterparties— ones
that may actually enjoy enhanced diversification benefits dur­
ing moments of stress— may be less harmful than the aggregate
exposure of trades with a collection of smaller counterparties.
Stress testing, also performed outside of the main counterparty
credit risk engines, involves a variety of diagnostic tools designed
to identify risk vulnerabilities that the main risk engine may not cap­
ture or identify. Stress tests, however, are frequently not fully com­
prehensive of all counterparty credit risk exposures. Stress tests
may be performed on a subset of the entire universe of counter­
parties (for example, on only counterparties that do not have daily
margining agreements, or on only "highly leveraged" counterpar­
ties). Sometimes, not all counterparty positions are included in the
stress tests (for example, positions that are treated with "add-ons"
may be excluded from the stress tests, as the simple add-on may
deemed to be a sufficiently conservative treatment of the risks for
stress testing purposes). Finally, stress tests are frequently treated
as a diagnostic tool of risk management, and may have no associ­
ated limits or escalation procedures associated with them.
Additionally, while wrong-way risk may be missed in the main
counterparty credit risk quantification process, many firms have
separate processes to measure and to limit the level of wrong­
way risk in their counterparty credit risk relationships, where it
can be measured.
Haircut Determination for Securities Financing
Activities
The processes for determining haircuts for securities financing
activities generally do not consider stressful market conditions,
but are based on the range of historical experience, including
normal market environments. When economic capital is calcu­
lated for these positions, however, the market risk factors are
shocked to a stressed level, and the risks beyond the haircut are
included in the determination of economic capital of the securi­
ties financing activity.
Counterparty Credit Risk Model Validation
Counterparty credit risk models for economic capital purposes
generally do not have specialised validation processes associ­
ated with them, but rather use the results of validation work
done by others, such as by risk management, to support the use
of the counterparty credit risk model. When there is a difference
between the counterparty credit risk model for economic capital
purposes and the counterparty credit risk model for risk man­
agement purposes (for example, the holding period may vary),
there appears to be little additional testing or validation to
support the difference, as the differences are generally viewed
as mechanic differences in implementation and not as separate
models requiring separate validation. For example, backtesting,
an established practice for market risk exposures, is still in the
early stages of development for counterparty credit risk models.
13.10 ANNEX 3: INTEREST RATE RISK
IN THE BANKING BOOK
Interest rate risk refers to the exposure of a bank's financial con­
dition to adverse movements in interest rates. It should be inter­
preted for the purposes of this annex as the current or
prospective risk to both the earnings and capital of an institution
arising from adverse movements in interest rates, which affect
the institution's banking book. Changes in interest rates affect
an institution's earnings by altering interest-sensitive income and
expenses, and the underlying value of an institution's assets, lia­
bilities, and off-balance sheet instruments because the present
value of future cash flows changes when interest rates change.32
32 Interest rate risk arises from the natural mismatch between repricing
characteristics desired by investors and depositors and those desired
by borrowers. As such, interest rate risk derives from the mismatched
maturities or durations of assets which are typically longer than the
liabilities. A sudden change in the shape of the term structure will affect
the values of assets differently from those of liabilities.
Chapter 13 Range of Practices and Issues in Economic Capital Frameworks
An indirect effect can also occur, which is linked to the impact
that rate changes can have on business volumes. Although inter­
est rate risk in the banking book is a normal part of financial
intermediation, excessive interest rate risk poses a significant
threat to an institution's earnings and capital adequacy.
The main challenges in the calculation of economic capital for
interest rate risk in the banking book come from the long hold­
ing period assumed for a bank's structural balance sheet and the
need to model indeterminate cash flows on both the asset and
liability side due to the embedded optionality of many banking
book items.
Many banks use some type of internal transfer funds pricing
to move structural interest rate into a centralised place within
the organisation, typically the bank's treasury unit, in order to
achieve matched funds transfer pricing between all other busi­
ness units of the bank. This unit is responsible for interest rate
modelling and maintaining gap positions within agreed upon
risk limits.
Sources of Interest Rate Risk
The main sources of interest rate risk in the banking book
are repricing risk (arising from differences in the maturity and
repricing terms of custom er loans and liabilities), yield curve
risk (stemming from asym m etric movements in rates along
the yield curve), and basis risk (arising from im perfect cor­
relation in the adjustment of the rates earned and paid on
different financial instruments with otherwise similar repricing
characteristics).
Interest rate risk in the bankinq book also arises from the option
features of many financial instruments.33 Retail products in the
banking book that have embedded options include bonds and
notes with call or put provisions, loans such as mortgages which
give borrowers the option to prepay balances, adjustable-rate
loans with explicit interest rate caps and floors that limit the
amount by which the rate may adjust, and various types of non­
maturity deposits which give depositors the option to withdraw
funds at any time often without penalty. If not adequately mea­
sured and managed, the asymmetrical payoff characteristics of
instruments with embedded option features can pose significant
interest rate risks.
33 According to Principle 16 of the Basel Committee's Principles for the
Management and Supervision of Interest Rate Risk (BCBS, 2004), "An
additional and increasingly important source of interest rate risk arises
from the options embedded in many bank assets, liabilities, and off-
balance sheet portfolios."
■ 229
Interest Rate Measurement Techniques may be adapted to allow for the rolling over of current posi­
tions. In its dynamic version EVE may provide forward risk mea­
and Indicators
sures that also take into account future growth in existing or
There are two basic techniques for assessing interest rate risk in new business activities.
the banking book: repricing schedules (gap and duration analy­
When the EVE model is complemented with an estimate of the
ses) and simulation approaches. Although commonly used, the
probabilities of the interest-rate scenarios used, the EVE model
simple structure and restrictive assumptions make repricing
becomes a value-at-risk (VaR) model, which builds a statistical
schedules less suitable for the calculation of economic capital.34
distribution of profit and losses that may occur over a specified
Most banks use simulation approaches for determining their
time horizon at a given confidence level owing to movements in
economic capital, based on estimated losses occurring in case
interest rates. The method not only measures the magnitude of
of a set of worst case scenarios. The magnitude of such losses
the loss, but also the probability of the loss.
and their probability of occurrence determine the amount of
economic capital. In practice the calculation of economic capital follows three
steps: in the first step, the change in economic value of both
The banking book is traditionally based on accrual accounting
assets and liabilities is modelled as a result of changes in interest
and measures such as earnings volatility or Earnings at Risk (EaR)
rates and an EVE is derived. The second step involves modelling
are used. EaR measures the loss of net interest income result­
the term structure of interest rates or the yield curve.37 Some
ing from interest rate movements, either gradual movements
banks model volatility changes o vertim e, while other banks
or one-off large interest rate shock, over a given time horizon
assume volatility is constant. In the third step the economic
(typically one to two years). A disadvantage of the EaR method
value of assets and liabilities and the term structure of interest
is that it only measures the short-term earnings effect (accrued
rates are combined to produce the final value distribution which
interest) resulting from interest rate fluctuations and not the
can be used to compute VaR or economic capital. It is worth
economic value effects (capital gains/capital losses).
mentioning that many of the assets and liabilities in the banking
Some banks have moved towards an economic value orientation book are not regularly traded and are therefore difficult to value
and measures based on Economic Value of Equity (EVE), VaR, at market prices. Most assets and liabilities are valued on a
and Extreme Value Theory (EVT) are becoming popular. EVE, mark-to-model basis, using path-dependent projections of run­
which is defined as the present value of assets minus liabilities, off and future cash flows.38
measures the change in the market value of equity resulting
In contrast to EVE, EVT is well suited to the estimation of
from interest rate shock scenarios, compared with the market
extreme probabilities and quantiles of a distribution. This
value of equity under a base scenario. It is a comprehensive risk
approach is based on the extreme value theorem, which indi­
measure, consistent with the Basel standard interest rate shock
cates what the limiting distribution of extreme values should
used to identify outliers.35 The accuracy of the valuation of bal­
look like and importantly demonstrates that it is not the nor­
ance sheet positions is strongly dependent upon the calculated
mal distribution. Drawbacks are the scarcity of extreme value
cash flows and discount rates used.36 For practical purposes,
observations, and the model risk associated with EVT estimates,
most EVE models use static or liquidation concepts, in the sense
which are usually very sensitive to the precise assumptions
that they show a snapshot in time of the risk based upon the
made by users.
current portfolio or balance sheet composition. In principle, EVE
The choice of techniques used in assessing interest rate risk
depends on the bank's orientation towards either economic
value or earnings, and also on the type of business model pur­
34 Particularly for larger banks, gap analysis is nothing more than the first
sued by the bank. Some businesses, such as commercial lend­
step (in this case, the distribution of the relevant assets and liabilities
according to maturity) in analyzing the interest rate risk in the banking ing or residential mortgage lending, are managed on a present
book.
35 Under current guidelines, interest rate risk is identified as the banking
book economic value sensitivity with respect to a standard interest rate 37 Single-factor models, such as Cox et. al. (1985), Black and Karasin-
shock of plus/minus 200 basis points; outlier banks are then identified sky (1991), or Black et. al. (1990) may be used, or more advanced term
as those having greater than 20% sensitivity with respect to regulatory structure models, such as Heath et. al. (1992), Dai and Singleton (2000),
capital. and the lognormal forward-LIBOR model of Brace et. al. (1997) may be
used.
36 When the cash flows are calculated, account needs to be taken of the
fact that the size and the timing of the cash flows may differ under the 38 Although this can be true also for instruments held in the trading
various scenarios as a result of customer behavior regarding changes in book, the typical short term horizon of the instruments held in the trad­
deposit balances and also prepayment speeds. ing book provides a more frequent test of model prices.

230 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
value approach, while others, such as credit cards, are managed
on an earnings approach. This poses issues when the bank
wants to convert risk measures to a common metric, for aggre­
gation purposes.
Modelling Issues
The main modelling issues involve the type of simulation, the
assumptions surrounding the timing of interest rate shocks, the
holding period and time horizon. As for simulation, computa­
tional intensity derives from the large number of points along
the term structure of interest rates, the large number of curren­
cies to track, with different implied volatilities for each currency/
term structure combination, the availability of many related,
but not identical interest rate curves. Many banks adopt some
dimension-reduction techniques, such as principal component
analysis, to address the magnitude of the computational burden.
Simulation can be static or dynamic. Static simulation models
are mostly based on the current on- and off-balance sheet expo­
sures, although they generally do take into account interest rate
sensitivities of prepayments and rollovers. Some models include
also expected balance sheet growth, but generally not the
interest-tare-induced changes in the rate of growth, which are
difficult to project. Dynamic simulation models allow for changes
in business activities, incorporate optionality, prepayments, sav­
ing behaviour, etc. under different scenarios, explicitly model­
ling management and customer action. Although this approach
offers a more realistic setting, it comes at a cost. Dynamic
models require the use of more assumptions, lead to a loss of
tractability and an increase in computing time. Moreover, the
longer the horizon of the analysis, the less accurate assumptions
regarding future business may be. In order for economic capi­
tal numbers to be realistic, the assumptions need to be tested
against internal processes and management action.
As for the type of interest rate shock, it is important to consider
whether a scenario is assumed to occur gradually, giving banks
time to actively manage their interest rate position, or whether
an interest rate shock is assumed to occur suddenly. The pace of
the interest rate movements affects interest income during the
horizon of the analysis and may also affect customer behaviour,
resulting in an impact on the result of the (dynamic) simulation.
When using simulation-based approaches, a time horizon should
be considered that is consistent with the policy intention of
holding asset and liability positions for a long period of time.
For capital calculations in the banking book, typically an eco­
nomic capital measure (VaR) over a short time horizon (one to
ten days) is scaled up to the one-year horizon used in the eco­
nomic capital framework. When scaling up VaR numbers, often
the assumption is made that VaR realisations are independently
Chapter 13 Range of Practices and Issues in Economic Capital Frameworks
and identically distributed over time. Factors to be taken into
account in the calculation are that interest rates may be serially
correlated39 and that management intervention may affect the
interest rate risk profile over the course of the time horizon.
Although most economic capital models are calibrated over a
one-year holding period, many banks that use simulations will
run multi-year simulations in order to value those instruments
held at the one-year horizon which are not valued via closed
form analytical formula.
Main Challenges for the Measurement of
Interest Rate Risk in the Banking Book
Optionality in the Banking Book
One of the most fundamental challenges in the measurement
of interest rate risk in the banking book is the identification and
incorporation of non-linear risk deriving from long-dated fixed-
income obligations with embedded options for the borrower
to prepay, frequently without penalty, and from the embedded
options in non-maturity deposits.
Prepayment risk options are the predominant form of em bed­
ded optionality on the asset side of the balance sheet. Con­
sumer loans, mortgages, and mortgage-backed securities
(MBSs) are examples of assets with prepayment risk. Prepayment
risk arises because borrowers have a call option on the loans:
for example, in the case of fixed-rate mortgages, borrowers
will choose to exercise this option and prepay their mortgages
as interest rates fall sufficiently below the contract mortgage
coupon rates. Because of the prepayment option, the cash flows
associated with a mortgage are uncertain and the expected life
of a mortgage is much shorter than its stated maturity.
Since the rate of prepayments increases as rates fall (especially
as they fall below the mortgage contract rate), the price-yield
curve for mortgages exhibits negative convexity and price com­
pression. This occurs because interest rate decreases do not
produce increases in the values of mortgages as large as those
of option-free bonds. In addition, holders of mortgages are
forced to invest the cash flows that are prepaid at a lower rate
of interest.40 When interest rates increase above mortgage con­
tract coupon rates, the speed of mortgage prepayments by
39 There are different reasons underlying this serial correlation of interest
rate risk factors returns: the bid-ask spreads, the discontinuity in trading
volumes of some interest rate sensitive instruments, the structural fac­
tors of some markets (i.e., low thickness and liquidity), etc.
40 Contraction risk is that part of prepayment risk that derives from the
decrease in the duration of mortgages and the reinvestment risk associ­
ated with the speedup of prepayments resulting from a decline in inter­
est rates within the negatively convex region of the price-yield curve.
■ 231
borrowers slows. The rate increase produces an increase in the
duration of mortgages and a steeper decline in the value of
these instruments than is the case for option-free bonds. This
occurs because holders of mortgages are not able to reinvest
the expected principal cash flows at the higher interest rate
because of slower actual prepayments.41 Prepayment risk is
therefore related to the variability or uncertainty in the rate at
which the borrowers will prepay, depending on the evolution of
the interest rates. It should be observed that mortgages also
contain a second type of embedded option, whereby borrowers
have a put option to default on their mortgage loans.42
On the liability side of the balance sheet, the embedded options
in non-maturity deposits are the most common. In effect, non­
maturity deposits contain two embedded options: (i) the institu­
tion holds the option to determine the interest rate offered to
depositors and when to change the rate; and (ii) the depositor
holds the option to withdraw all or part of the balance in the
deposit account at par. The first option makes the deposit
behave as a floating-rate bond, while the second option allows
the depositor to put the bond back to the institution.43 As such,
non-maturity deposits can be viewed essentially as floating-rate,
putable bonds. Moreover, the two embedded options induce a
volume risk, which cannot be hedged directly since the volume
is not traded in the market.
Although non-maturity deposits can be withdrawn by deposi­
tors on demand, most of these deposits stay at the institution
for months or years. In addition, while banking institutions may
change the offered deposit rates when market interest rates
change, they do so with a lagged response, and by less than
the full amount of the change in market rates. This is particu­
larly true when rates increase. The interaction between the two
embedded options found in non-maturity deposits makes the
valuation and interest rate sensitivity of these liabilities one of
the most widely debated issues currently in measuring interest
rate risk in the banking book.
Although optionality is an important issue, the degree of
sophistication in the techniques used by the institutions varies,
depending not only on the type of institution, but also on the
41 Extension risk is that part of prepayment risk that derives from the
increase in the duration of mortgages and the reinvestment risk associ­
ated with a rise in interest rates.
42 Typically, they will choose to exercise this option when the remain­
ing loan balance exceeds the market value of the property. As such,
mortgage lenders are essentially selling embedded American straddle
options (i.e., combined call and put options) to mortgagors.
43 Holding other things equal, customer's options have an impact on
both principal and interest cash flows, while issuer's options have a
direct impact on interest cash flows only.
232 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
evolution of the legislation and prevailing market practices in
the jurisdictions.
Income simulation models, such as EaR, are generally unable
to analyse option risk fully and generally are only accurate for
the short-term (i.e., two to three years) earnings component.
Economic value approaches, such as EVE, provide better mea­
surements of exposures with embedded options. However,
accurately representing these exposures requires the use of
stochastic-path evaluation techniques, which are computation­
ally demanding, and mostly developed in the jurisdictions where
market practice makes the optionality issues, such as mortgage
prepayment, more relevant. Standard practice is to use dis­
counted cash flows on those positions that have linear or highly
uncertain valuation profiles, and use stochastic-path techniques
on those parts of the balance sheet that have non-linear valua­
tion profiles.
In such instances, most firms combine in simulation models
stochastic interest rate modelling techniques with behavioural
assumptions on prepayments and on decisions to remain cus­
tomers or not (deposit modelling or credit card customer reten­
tion modelling). A prepayment model must not only be able to
predict current prepayment speeds, but also expected future
prepayment speeds, which are largely a function of expected
future mortgage interest rates. Larger institutions use more
sophisticated statistical prepayment models to forecast prepay­
ment speeds and account for the statistical relationships among
the factors that drive prepayments. A modelling approach is
required in which prepayment models are often combined with
a term structure model of interest rates and dynamic simulation
models, in producing mortgage valuations based on option-
adjusted spreads. The prepayment/non-maturity deposit mod­
elling may be carried out at local business level, to generate
sensitivity to rate shocks at various stress levels, producing dif­
ferent prepayment/customer retention forecasts across interest
rate shocks. Incorporating such assumptions should involve also
considering model uncertainty on those assumptions, and incor­
porating a measure of model risk (e.g., prepayment error risk).
Industry use of competing risks models for mortgage prepay­
ment and default is in its infancy, although several of the largest
institutions have embraced this approach.
Banks' Pricing Behaviour
An important aspect of interest rate risk modelling is the effec­
tive responsiveness of individual bank interest rates to changes in
market rates. The measurement of the interest rate risk of bank­
ing book items requires: (i) a model for the analysis of the persis­
tence of the volumes of different non-maturity banking products;
and (ii) a model for the determination of bank interest rates,
taking into account general market conditions, customer relation­
ships, bank commercial power, and optimal commercial policies.
The degree by which the interest rates set by banks react to
market rates (interest rates pass-through) may depend on indi­
vidual bank characteristics and may differ for different products.
Changes in market interest rates may also result in changes in
banks' interest rate policy, driven by changes in the competitive
environment and the need to defend market share.44
A typical finding in the literature is that banking interest rates
pass-through is relatively slow and heterogeneous across both
products and countries. It is slower for retail banking products
(e.g., deposits, consumer loans, mortgages) than for corporate
products; short-term products are more responsive than long­
term products.45 Individual bank characteristics, such as the
bank's liability structure, its liquidity, and capitalisation position
or the proportion of long-term lending, are also relevant for
interest rate determ ination; heterogeneity in the banking rates
pass-through exists only in the short run.46 There is also some
evidence of asymmetries in the interest rate pass-through,
existing also in the short run: banks adjust their loan lending
rate faster during periods of monetary tightening, and their
deposit rates faster during periods of monetary easing.47
A relevant aspect for determining bank interest rates is the pric­
ing for credit risk, which influences the duration of bank loans
and represents a "spread duration" component with a non-mar­
ginal effect on economic value, especially on longer term loans.
To determine the price of credit risk applied on different bank­
ing products would ultimately require a pricing rule that links
the credit spread to changes in macroeconomic conditions and
interest rate variations.48 This also indicates that interest rate
risk on the banking book is not independent from credit risk,
and that interest rate stress scenarios should also incorporate
the possible interaction of interest rate and credit risk factors.
The Choice of Stress Scenarios
Stress testing is commonly used in interest rate modelling as a
way to complement the complexities of interest rate risk
44 As such, some banks may not regard such policy changes as part of
their interest rate risk, but rather as part of business risk.
45 For Europe, see Campa and Gonzales-Minguez (2006).
46 Gambacorta (2007).
47 Gambacorta and lannotti (2007).
48 The price of credit risk varies with the counterparty credit rating in
a way which is also influenced by the level of interest rates and more
generally by the position in the economic cycle, especially if the banks
adopt forward-looking economic capital calculations and provisioning
and pricing policies.
Chapter 13 Range of Practices and Issues in Economic Capital Frameworks
systems with transparent interest rate shocks. As such, stress
test results serve as a benchmark risk measure.49
Following the guiding principles of the Basel Committee, the
current regulatory choice of a stress scenario focuses on parallel
shifts in the yield curve of + /— 200 basis points.50 The Commit­
tee acknowledges that the parallel shifts of + /— 200 basis points
are relatively simplistic, but it argues that these shocks appear
to adequately cover volatilities across G10 countries, even
though the appropriateness of the proposed shock needs to be
monitored on an onqoinq basis, and recalibrated should the rate
environment shift materially.51
The benefits of using simple interest rate shocks of + /— 200
basis points are that these shocks are very simple and easy to
communicate and that it is easier to compare the impact of
these shocks on different portfolios. The drawbacks are that the
shocks are not probabilistic and hence very hard to integrate
into economic capital models based on VaR;52 it is not
49 The Committee on Global Financial Stability survey on stress test­
ing (CGFS, 2005) reveals that a majority of banks run interest rates risk
stress tests. Popular historical scenarios are the bond market sell-offs
in 1994 and 2003; the Asian crisis in 1997, LTCM and Russia in 1998,
or September 11, 2001. hypothetical scenarios look at changes in the
national or global economic outlook, increases in inflation expectations
or unexpected changes in monetary policy. Scenarios generally cover
environments where not only the level but also the slope and curvature
of the yield curve are changing.
50 The Basel Committee (BCBS, 2004) has suggested several guiding
principles for the selection of interest rate risk scenarios. The three most
important are: the rate shock should reflect a fairly uncommon and stress­
ful rate environment; the magnitude of the rate shock should be signifi­
cant enough to capture the effects of embedded options and convexity
within bank assets and liabilities so that underlying risk may be revealed;
and the rate shock should be straightforward and practical to implement,
and should be able to accommodate the diverse approaches inherent in
single-rate-path simulation models and statistically driven value-at-risk
models for banking book positions. As a practical guidance, in addition to
considering 200 bps scenarios, the Committee also suggests looking at
parallel shifts using the 1st and 99th percentile of observed interest rate
changes with a one year horizon and five years of data.
51 Further, the Committee argues that, "while more nuanced rate
scenarios (such as twists and turns in the yield curve) might tease out
certain underlying risk characteristics, for the more modest objectives
of supervisors in detecting institutions with significant levels of interest
rate risk, a simple parallel shock is adequate. Such an approach also
recognises the potential for spurious precision that occurs when undue
attention to fine detail is placed on one aspect of a measurement sys­
tem without recognition that assumptions employed for certain asset
and liability categories, such as core deposits, are by necessity blunt
and judgmental. Such judgmental aspects of an interest rate risk model
often drive the resulting risk measure and conclusion, regardless of the
detailed attention paid to other aspects of the risk measure."(Annex 3,
para7, BCBS, 2004).
rq
Even though the scenario has been calibrated on the 1°/99° percen­
tile of observed interest rate changes.
■ 233
necessarily sensitive to the current rate or economic environ­
ment; it doesn't take into account changes in the slope or curva­
ture of the yield curve; and that it doesn't allow for an
integrated analysis of interest rate and credit risk on banking
book items.
Among the possible developments are: (i) scenarios based on
historical distributions; (ii) scenarios based on principal compo­
nent (PC) decomposition of the yield curve; (iii) scenarios based
on the GARCH models; (iv) scenarios based on options; (v) sce­
narios based on macroeconomic factors; and (vi) scenarios link­
ing credit and interest rate risk.
Scenarios Based on Historical Distributions
The suggestion in BCBS (2004) to use the 1st and 99th per­
centile of the observed interest rate changes over the last five
years would be an easy way to look at a probabilistic scenario.
However the historical distribution is backward-looking, which is
inherently problematic for a forward-looking risk measurement.
For example, given long interest rate cycles it may be the case
that there are limited observations in one direction. It should
also be observed that the empirical distribution generally does
not include both a plus and minus 200 basis points shock.
Scenarios Based on Principal Component
Decomposition of the Yield Curve
A possible solution is to build a scenario simulation procedure
based on PC decomposition of the yield curve in order to pro­
duce realistic scenarios of interest rates changes along various
points of the term structure.53
The PC distribution functions are used in a Monte Carlo simula­
tion in order to reproduce the correlation observed between the
original risk factors. The usual assumption is that the PC are nor­
mally distributed; some recent work has applied a non-paramet-
ric simulation to account for the fact that PCs are skewed and
heavy-tailed, recovering the empirical distribution through a ker­
nel density estimation.54
In the context of PC representation, stress testing analysis can
be performed by changing the volatility of interest rates along
53 In the PC representation, interest rate changes at different maturities
are expressed as a function of the new risk factors PCs, where the weight­
ing coefficients (the so called "factor loading") capture the correlation in
the system. The factor loadings account for the contribution of each risk
factor to the overall variance. The PC decomposition of the yield curve
usually reveals the existence of three underlying risk factors explaining
a large part of total variance (around 95%): the parallel shift of the yield
curve; the tilt or rotation; the twist, that is a change in the curvature.
54 See Fiori and lannotti, 2007.
234 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
the yield curve and/or the correlation structure of the data.
Correlation can be stressed by modifying the matrix of factor
weights (the so called factor loadings), while assuming constant
volatility. Conversely, one can shock the volatility of interest rate
changes while maintaining the matrix of factor loading fixed at
historical values.
The main advantage of this simulation procedure is that it
assigns a level of confidence to all plausible scenarios (in terms
of percentiles of the simulated distributions). The plausibility of
scenarios is derived from the calibration of the procedure to the
correlation structure observed in the market.
Scenarios Based on GARCH Models
Simple autoregressive (AR) models with GARCH effects could be
used to simulate the evolution of individual interest rates over a
specific horizon. Such an approach would be forward looking and
partially condition on the current environment in terms of level
and volatility. At the same time it is relatively easy to implement.
Scenarios Based on Options
A distribution of future changes of interest rates could also be
extracted from options. The key (and so far not successfully
solved) problem for such an approach is to translate the risk-
neutral PDs (necessary for trading and pricing) to real-world or
physical PDs (important for risk management).55
Scenarios Based on Macroeconomic Factors
Similar to credit risk models, it is conceptually possible to simu­
late a distribution of future yield curve changes based on macro-
economic fundamentals.56 Whereas there has been much
progress in this field, explanatory power of macroeconomic fac­
tors remains weak and forecast and estimation errors are sub­
stantial. Even though these models could be used to condition
changes on the current and future macroeconomic environment,
technical difficulties could impede a consistent use of these
models for economic capital calculation.
Scenarios Linking Credit and Interest Rate Risk
It is a well established fact that interest rates are an important
negative driver of the credit quality of banks' assets— one
55 It has to be noted however that for stochastic-path modelling, risk
neutral implied volatilities are necessary to validate the model by check­
ing for convergence to market prices at a reasonable Option Adjusted
Spread (OAS), a key validation test for mortgage models.
56 See for example Ang and Piazzesi (2003), Cochrane (2007). Rude-
busch and Williams (2007) provide an up-to date survey of the literature
linking macro factors to yield curves.
indication that credit risk and interest rate risk in the banking
book are interdependent.57 The integration of credit and interest
rate risk requires a sophisticated framework. First, the loss distri­
bution of credit risk must condition on the macro and interest
rate environment. Second, decreased net interest income due to
default must be taken into account. Finally, for an earnings per­
spective, future cash flows need to be simulated. This necessi­
tates a robust framework to price assets in the future conditional
on the simulated macro and interest rate environment.
Banking versus Trading Book
The exclusion of the trading book from the measurement of
interest rate risk eliminates the problem of double counting
arising from the presence of a market risk requirement for inter­
est rate sensitive positions held in the trading book. However
it should be pointed out that the problem of double counting
does not preclude the possibility that the exposures in the trad­
ing book and in the banking book offset each other.
In certain cases, the interest rate risk exposure of the trading
book compensates partially the exposure of the banking book.
For example, it is possible that the trading book has a short
position with respect to interest rate shocks (in the sense that
a rise in interest rates causes an increase in the economic value
of the trading book), while the position in the banking book is
long with respect to interest rate shocks (in the sense that a rise
in interest rates causes a decrease in the economic value of the
banking book). In cases such as this, it might be appropriate to
consider the net exposure of the entire balance sheet.
References
Akhavein, J D and A E Kocagil (2005): "A comparative empirical
study of asset correlation", Fitch Ratings: Q uantitative Financial
Research Sp ecia l R ep o rt, 14 July.
Ang, A and M Piazzesi (2003): "A no-arbitrage vector autore­
gression of term structure dynamics with macroeconomics and
latent variables", Jou rn a l o f M on etary Eco n om ics, vol 50, no 5.
Artzner, P, F Dalbaen, J M Eber and D Heath (1999): "Coherent
measures of risk", M athem atical Finance, no 9, pp 203-228.
Bangia, A , F X Diebold and T Schuermann (2000): "Rating
migration and the business cycle, with applications to credit
portfolio stress testing", The W harton Sch ool, working paper
00-26.
57 Drehmann et. al. (2007) show that interactions between credit risk
and interest rate risk can indeed be substantial and should be taken into
account.
Chapter 13 Range of Practices and Issues in Economic Capital Frameworks
Bank of Japan (2005): A dvan cin g In teg ra ted Risk M anagem ent,
http ://www. boj .or.jp.
Bank o f Ja p a n (2007): E co n o m ic Capital W orkshop Sum m ary
R eco rd , http://www.boj.or.jp.
Basel Committee on Banking Supervision (1999): C red it risk
m odelling: current p ra ctices and applications, Basel, April.
— (2004): Principles for the m anagem ent and supervision o f
in terest rate risk, Basel, July.
— (2005a): "Update on work of the Accord Implementation
Group related to validation under the Basel II Fram ework", Basel
C om m ittee N ew sletter, No 4, January.
— (2005b): "Studies on the validation of internal rating systems"
W orking Paper, no 14, May.
— (2009): G uidelines for com puting capital for increm ental risk
in the trading b o o k, Consultative Document, Basel, January.
Berkowitz, J (2000): "Testing Density Forecasts, with Applica­
tions to Risk M anagement", U niversity o f California, December,
mimeo.
Black, F, E Derman and W Toy (1990): "A one-factor model of
interest rates and its application to treasury bond options",
Financial A nalysts Journal, vol 46.
Black, F and P Karasinski (1991): "Bond and Option Pricing when
Short Rates are Lognormal", Financial A nalysts Journal, vol 47.
Brace, A, D Gatarek and M Musiela (1997): "The Market Model
of Interest Rate Dynamics", M athem atical Finance, vol 7.
Breuer, T, M Jandacka, K Rheinberger and M Summer (2008):
"Regulatory capital for market and credit interaction: is current
regulation always conservative?", forthcoming, Jou rn a l o f Bank­
ing and Finance.
Burns, R L (2004): "Econom ic Capital and the Assessment of
Capital Adequacy", Su p erviso ry Insights, vol 1, no 2, pp 5-16.
Burtschell, X, J Gregory and J P Laurent (2007): B eyo n d the
Gaussian C opula: Sto ch a stic and Local Correlation, January,
mimeo.
Campa, J M and J M Gonzalez Minguez (2006): "Differences in
exchanges rate pass-through in the euro area", European E c o ­
nom ic Review , vol 50.
Cochrane, J H (2007): "Com m entary", Fed era l R eserve Bank o f
S t Louis Review , July/August.
Committee of the Global Financial System (2005a): Stress te st­
ing at m ajor financial institutions: su rvey results and p ractice,
Basel, January.
— (2005): The role o f ratings in stru ctu red finance: issues and
im plications, Basel, January.
■ 235
Cox, J C, J E Ingersoll and S A Ross (1985): "A theory of the
term structure of interest rates", Econom etrica 53, pp 385-467.
Crouhy, M, D Galai and R Mark (2006): The Essentials o f Risk
M anagem ent, McGraw-Hill.
Dai, Q, and K J Singleton (2000): "Specification Analysis of
Affine Term Structure M odels", Jou rn a l o f Finance, vol 55.
Das, S R, D Duffie, N Kapadia and L Saita (2007) "Common fail­
ings: how corporate defaults are correlated", Jou rn a l o f Finance,
vol LXII, no 1, February.
Davis, M and V Lo (2001): "Infectious Default", Q uantitative
Finance, vol 1, no 4, pp 382-387.
De Nederlandsche Bank (2005): G uidelin es on In terest Rate Risk
in the Banking Book, Amsterdam.
Diebold, F X, G D Rudebush and S B Arouba (2006) "The
macroeconomy and the yield curve: a dynamic latent factor
approach", Jou rn a l o f Eco n o m etrics, vol 131.
Dimakos X K and K Aas (2004): "Integrated risk modelling", Sta ­
tistical M o dellin g 4, pp 265-277.
Drehmann, M, S Sorensen and M Stringa (2008): "The inte­
grated impact of credit and interest rate risk on banks: An
economic value and capital adequacy perspective", Bank o f
En gland W orking Paper 339.
Duffie, D, A Eckner, G Horel and L Saita (2006): "Frailty corre­
lated default", October 19, mimeo.
Duffie, D and D Lando (2001): "Term structures of credit spreads
with incomplete accounting information", Econ om etrica, vol 69,
no 3, pp 633-664.
Duffie, D, L Saita and K Wang (2005): "Multi-period corporate
default prediction with stochastic covariates", September, mimeo.
Egloff, D, M Leippold and P Vanini (2004): "A simple model of
credit contagion", mimeo.
Fabozzi, F (2000): B o n d M arkets, Analysis and Stra teg ies, Fourth
Edition, Prentice Hall, New Jersey.
Fender, I and J Kiff (2004): "C D O rating methodology: Some
thoughts on model risk and its implications", BIS W orking Paper,
no 163, Basel, November.
Fermanian, J D and M Sbai (2005): A comparative analysis of
dependence levels in intensity based and Merton style credit
risk models.
Fiori, R and S lannotti S (2007): "Scenario based Principal Com ­
ponent Value-at-Risk: an application to Italian banks' interest
rate risk exposure", Jou rn a l o f Risk, vol 9, no 3, pp 63-99.
Frerichs, H and G Loffler (2002): "Evaluating credit risk models:
A critique and a proposal", May, mimeo.
236 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Frey, R and A J McNeil (2003): "Dependence modelling, model
risk and model calibration in models of portfolio credit risk",
Jou rn a l o f Risk 6(1).
Gambacorta L (2007) "How do banks set interest rates", Eu ro ­
pean Eco n o m ic Review , forthcoming.
Gambacorta L and S lannotti (2007): "Are There Asymmetries
in the Response of Bank Interest Rates to Monetary Shocks?",
A p p lie d Econ om ics, forthcoming.
Heath, D, R Jarrow and A Morton (1992): "Bond Pricing and the
Term Structure of Interest Rates: A New M ethodology", E c o n o ­
m etrica, vol 60.
Hull, J C (2007): Risk m anagem ent and financial institutions,
Pearson Prentice Hall, New Jersey.
IACPM and ISDA (2006): C o n verg e n ce o f C red it Capital M o d els.
IFRI and CRO Forum (2007): Insights from the Jo in t IFRI/C R O
Forum Su rvey on Eco n om ic Capital Practice and A pplications.
Jarrow, R A and F Yu (1999): "Counterparty risk and the pricing
of defaultable securities," September, mimeo.
Jarrow, R A and F Yu (2001): "Counterparty risk and pric­
ing of defaultable securities", Jou rn a l o f Finance, vol 53,
p p .2225-2243.
Lopez J A and M R Saidenberg (1999): "Evaluating Credit Risk
M odel", Fed era l R eserve Bank o f San Francisco, Working paper
no 99-06.
McNeil, A, R Frey and Embrechts (2005): Q uantitative Risk M an­
a g em en t; C o n ce p ts, Techniques, and Tools. Princeton Series in
Finance.
PriceW aterhouseCoopers (2005): E ffe ctive Capital M anagem ent:
Eco n o m ic Capital as an Industry Stan dard?
Rosenberg J V and T Schuermann (2006): "A general approach
to integrated risk management with skewed, fat-tailed risks",
Jou rn a l o f Financial Econ om ics, vol 9, no 3, pp 569-614.
Rudebusch, G D and J C Williams (2007): "Forecasting reces­
sions: The puzzle of the enduring power of the yield curve",
Fed era l R eserve Bank o f San Francisco, Working Paper, No
2007-16.
Rutter Associates LLC (2004): 2004 R utter A sso cia te s Survey o f
C red it Portfolio M anagem ent Practices.
Samuel (2008): "Disclosure of Economic Capital", Fed era l
R eserve Bank o f N ew York, Available from the author or Policy
Department, Federal Reserve Bank of New York, email: Jeffrey.
[email protected]. April 18.
Tarashev, N and H Zhu (2007): "Modelling and calibration errors in
measures of portfolio credit risk", BIS Working Paper, Number 230.
Capital Planning at
Large Bank Holding
Companies
Supervisory Expectations and
Range of Current Practice

Learning Objectives
After completing this reading you should be able to:

Describe the Federal Reserve's Capital Plan Rule and
explain the seven principles of an effective capital
adequacy process for bank holding companies (BHCs)
subject to the Capital Plan Rule.
Describe practices that can result in a strong and effective
capital adequacy process for a BHC in the following areas:
■ Risk identification
Internal controls, including model review and validation
Corporate governance
Capital policy, including setting of goals and targets
and contingency planning
Stress testing and stress scenario design
Estimating losses, revenues, and expenses, including
quantitative and qualitative methodologies
Assessing the impact of capital adequacy, including
risk-weighted asset (RWA) and balance sheet
projections

E x c e rp t is co u rtesy o f B oard o f G overn ors o f the Fed era l R eserve System .

14.1 INTRODUCTION
The Federal Reserve has previously noted the importance of
capital planning at large, com plex bank holding companies
(BHCs). Capital is central to a BHC's ability to absorb unex­
pected losses and continue to lend to creditworthy businesses
and consumers. It serves as the first line of defense against
losses, protecting the deposit insurance fund and taxpayers.
As such, a large BHC's processes for managing and allocating
its capital resources are critical not only to its individual health
and perform ance, but also to the stability and effective func­
tioning of the U.S. financial system. The Federal Reserve's
Capital Plan Rule and the associated annual Com prehensive
Capital Analysis and Review (CCAR) have emphasized the
importance the Federal Reserve places on BHCs' internal capi­
tal planning processes, and on the supervisory assessment of
all aspects of these processes, which is a key elem ent of a
supervisory program that is focused on promoting resiliency at
the largest B H C s.1
These initiatives have focused not just on the amount of capital
that a BHC has, but also on the internal practices and policies a
firm uses to determine the amount and composition of capital
that would be adequate, given the firm's risk exposures and cor­
porate strategies as well as supervisory expectations and regula­
tory standards. BHCs have long engaged in some form of capital
planning to address the expectations of shareholders, creditors,
customers, and other stakeholders. The Federal Reserve's inter­
est in and expectations for effective capital planning reflect
the importance of the ongoing viability of the largest BHCs
even under stressful financial and economic conditions. Even if
current assessments of capital adequacy suggest that a BHC's
capital level is sufficient to withstand potential economic stress,
robust capital planning helps ensure that this outcome will con­
tinue to hold in the future. Robust internal capital planning can
also help ensure that BHCs have sufficient capital in a broad
range of future macroeconomic and financial market environ­
ments by governing the capital actions— including dividend pay­
ments, share repurchases, and share issuance and conversion— a
BHC takes in these situations.
The Federal Reserve's Capital Plan Rule requires all U.S.-domiciled,
top-tier BHCs with total consolidated assets of $50 billion or
more to develop and maintain a capital plan supported by
a robust process for assessing their capital adequacy.2
1 See SR Letter 12-17, "Consolidated Supervision Framework for Large
Financial Institutions," (December 17, 2012), www.federalreserve.gov/
bankinforeg/srletters/sr1217.htm; 12 CFR 225.8.
2 12CFR 225.8.
238 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
CCAR is the Federal Reserve's supervisory program for assessing
the capital plans. In 2013, CCAR covered 18 BHCs that partici­
pated in the 2009 Supervisory Capital Assessment Program
(SCAP).3 The Federal Reserve's assessment of a BHC's capital
planning process includes an evaluation of the risk-identification,
-measurement, and -management practices that support the
BHC's capital planning and stress scenario analysis, an assessment
of stressed loss and revenue estimation practices, and a review of
the governance and controls around these practices. The pream­
ble to the Capital Plan Rule outlines the elements on which the
Federal Reserve evaluates the robustness of a BHC's internal capi­
tal planning— also referred to as the capital adequacy process, or
"CAP." These principles are summarized in Figure 14.1.4
This publication describes the Federal Reserve's expectations
for internal capital planning at the large, complex BHCs subject
to the Capital Plan Rule in light of the seven CAP principles. It
expands on previous articulations of these supervisory expecta­
tions by providing examples of observed practices among the
BHCs participating in CCA R 2013 and by highlighting those
practices considered to be stronger or leading practices at these
firms. In addition, it identifies practices that the Federal Reserve
deems to be weaker, or in some cases unacceptable, and thus in
need of significant improvement. However, practices identified
in this publication as leading or industry-best practices should
not be considered a safe harbor. The Federal Reserve antici­
pates that leading practices will continue to evolve as new data
become available, economic conditions change, new products
and businesses introduce new risks, and estimation techniques
advance further.
While the supervisory scenarios and supervisory stress tests
that are required under the Dodd-Frank A ct5 play an important
role in C C A R ,6 they are not meant to be and should not be
viewed as providing for an all-encompassing assessment of the
possible risks a BHC may face. A robust internal capital plan­
ning process should include modeling practices and scenario
assumptions that reflect BHC-specific factors. In certain
instances, these practices and assumptions may differ consider­
ably from those used by the Federal Reserve. Indeed, design­
ing an internal capital planning process that simply seeks to
mirror the Federal Reserve's stress testing is a weak practice.
3 The plans of the remaining BHCs subject to the Capital Plan Rule have
been assessed through a separate process (the Capital Plan Review).
Beginning in 2014, the capital plans of all BHCs subject to the Capital
Plan Rule will be evaluated in a single, unified process through CCAR.
4 See 76 Fed. Reg. 74631, 74634 (December 1, 2011).
5 12 CFR part 225, subpart F.
6 See 12 CFR 225.8(d)(2), 225.8(e)(1).
Figure 14.1 Seven principles of an effective capital adequacy process.

Principle 1: Sound foundational risk management

The BHC has a sound risk-measurement and risk-management infrastructure that supports the identification, measurement,
assessment, and control of all material risks arising from its exposures and business activities.

Principle 2: Effective loss-estimation methodologies

The BHC has effective processes for translating risk measures into estimates of potential losses over a range of stressful scenarios
and environments and for aggregating those estimated losses across the BHC.

Principle 3: Solid resource-estimation methodologies

The BHC has a clear definition of available capital resources and an effective process for estimating available capital resources
(including any projected revenues) over the same range of stressful scenarios and environments used for estimating losses.

Principle 4: Sufficient capital adequacy impact assessment

The BHC has processes for bringing together estimates of losses and capital resources to assess the combined impact on capital
adequacy in relation to the BHC's stated goals for the level and composition of capital.

Principle 5: Comprehensive capital policy and capital planning

The BHC has a comprehensive capital policy and robust capital planning practices for establishing capital goals, determining
appropriate capital levels and composition of capital, making decisions about capital actions, and maintaining capital
contingency plans.

Principle 6: Robust internal controls

The BHC has robust internal controls governing capital adequacy process components, including policies and procedures; change
control; model validation and independent review; comprehensive documentation; and review by internal audit.

Principle 7: Effective governance

The BHC has effective board and senior management oversight of the CAP, including periodic review of the BHC's risk
infrastructure and loss- and resource-estimation methodologies; evaluation of capital goals; assessment of the appropriateness
of stressful scenarios considered; regular review of any limitations and uncertainties in all aspects of the CAP; and approval of
capital decisions.

Many lagging practices identified in this publication involve
modeling approaches or BHC stress scenarios that fail to reflect
BHC-specific factors or that rely on generic assumptions or
"standard" modeling techniques, without sufficient consider­
ation of whether those assumptions or techniques are the most
appropriate ones for the BHC.
The supervisory expectations summarized here are broad and
reflect, at a general level, the key characteristics of a sound and
robust internal capital planning process. While certain aspects
of the detailed discussion that follows may be less relevant to
individual BHCs based on their business mix and risk profile, the
core tenets espoused are broadly applicable to all BHCs subject
to the Capital Plan Rule.
Importantly, the Federal Reserve has tailored expectations for
BHCs of different sizes, scope of operations, activities, and
systemic importance in various aspects of capital planning.
For example, the Federal Reserve has significantly heightened
supervisory expectations for the largest and most complex
BHCs— in all aspects of capital planning— and expects these
BHCs to have capital planning practices that are widely consid­
ered to be leading practices. In addition, the Federal Reserve
recognizes the challenges facing BHCs that are new to CCAR
and further recognizes that these BHCs will continue to develop
and enhance their capital planning systems and processes to
meet supervisory expectations.
The purpose of this publication is two-fold. First, it is intended
to assist BHC management in assessing their current capi­
tal planning processes and in designing and implementing
improvements to those processes. Second, it is intended to
assist a broader audience in understanding the key aspects of
capital planning practices at large, complex U.S. BHCs and the
importance the Federal Reserve puts on ensuring that these
firms have robust capital resources.
The sections that follow provide greater detail on supervisory
expectations and the range of current practice across several
dimensions of BHCs' internal capital planning processes. The
first section discusses foundational risk management, including
identification of risk exposures. The next two sections focus on
controls and governance around internal capital planning pro­
cesses. The fourth section covers expectations and the range of
current practice concerning BHCs' capital policies— the internal
guidelines governing the capital action decisions made by a
BHC under a range of potential future conditions for the firm
and for the macroeconomic and financial market environments

Chapter 14 Capital Planning at Large Bank Holding Companies ■ 239

in which it operates. The subsequent three sections focus on
the key elements of BHCs' internal enterprise-wide scenario
analysis: design of the stress scenarios and modeling the impact
of the scenarios on losses, revenues, balance sheet composition
and size, and capital. The final section summarizes the Federal
Reserve's conclusions on the current range of practice at BHCs.
14.2 FOUNDATIONAL RISK
MANAGEMENT
BHCs are expected to have effective risk-identification, -mea­
surement, -management, and -control processes in place to sup­
port their internal capital planning.7 In addition to the
assessments of a BHC's stress scenario analysis and stressed
loss- and revenue-estimation practices, supervisory assessments
of BHCs' internal capital planning will continue to focus on fun­
damental risk-identification, -measurement, and -management
practices, as well as on internal controls and governance. W eak­
nesses in these areas may contribute to a negative supervisory
assessment of a BHC's capital planning process that could lead
to an objection to a BHC's capital plan.8
A key lesson from the recent financial crisis is that many financial
companies simply failed to adequately identify the potential
exposures and risks stemming from their firm-wide activities.
This was in part a failure of information technology and man­
agement information systems (MIS), the often fractured nature
of which made it difficult for some companies to identify and
aggregate exposures across the firm. But more importantly,
many companies failed to consider the full scale and scope
of exposures, and to analyze how the size and risk character­
istics of their exposures and business activities might evolve
as economic and market conditions changed. Combining a
comprehensive identification of a firm's business activities and
associated positions across the organization with effective
techniques for assessing how those positions and activities may
evolve under stressful economic and market conditions, and
assessing the potential impact of that evolution on the capital
needs of the firm, are critical elements of capital planning. A
robust internal capital adequacy assessment process relies on
the underlying strength of each of these elements.
Risk Identification
BHCs should have risk-identification processes that ensure that
all risks are appropriately accounted for when assessing capital
7 12CFR 225.8(d)(2).
8 12CFR 225.8(e)(2).
240 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
needs.9 These processes should evaluate the full set of potential
exposures stemming from on- and off-balance sheet positions,
including those that could arise from provisions of noncontrac­
tual support to off-balance-sheet entities, and risks conditional
on changing economic and financial market conditions during
periods of stress. BHCs should have a systematic and repeatable
process to identify all risks and consider the potential impact to
capital from these risks. In addition, BHCs should closely assess
any assumptions about risk reduction resulting from risk transfer
and/or mitigation techniques, including, for example, analysis of
the enforceability and effectiveness of any guarantees or netting
and collateral agreements and the access to and valuation of
collateral as exposures and asset values are changing rapidly in
a stressed market.
Stronger risk-identification practices include standardized pro­
cesses through which senior management regularly update risk
assessments, review risk exposures and consider how their risk
exposures might evolve under a variety of stressful situations.
For example, many BHCs maintain a comprehensive inventory
of risks to which they are exposed, and refresh it as conditions
warrant (such as changes in the business mix and the operat­
ing environment) with input from various units across the BHC.
Senior representatives from major lines of business, corporate
risk management, finance and treasury, and other business and
risk functions with perspectives on BHC-wide positions and risks
provide input to the process. Consideration of the risks inherent
in new products and activities should be a key part of risk-iden­
tification and -assessment programs, which should also consider
risks that may be associated with any change in the BHC's stra­
tegic direction.
Risk measures should be able to capture changes in an institu­
tion's risk profile— whether due to a change in the BHC's strate­
gic direction, specific new products, increased volumes, changes
in concentration or portfolio quality, or the overall economic
environment— on a timely basis. These risk measures should
support BHCs' assessments of capital adequacy and may be
helpful in capital contingency plans as early warning indicators
or contingency triggers, where appropriate.
BHCs should be able to demonstrate how their identified risks
are accounted for in their capital planning processes. If certain
risks are omitted from the enterprise-wide scenario analysis,
BHCs should note how these risks are accounted for in other
aspects of the capital planning process (see Box 14.1 for illustra­
tion of how BHCs identified and captured certain risks that are
more difficult to quantify in their capital planning process). If
a BHC employs risk quantification methodologies in its capital
9 12 CFR 225.8(d)(2).

BOX 14.1 INCORPORATING RISKS
THAT ARE MORE DIFFICULT TO
QUANTIFY
Scenario-based stress testing is a critical element of
robust capital planning. However, stress testing based on
a limited number of discrete scenarios cannot and is not
expected to capture all potential risks faced by a BHC,
and therefore, it should serve as one of several inputs to
the capital planning process. Given the scope of opera­
tions at and the associated breadth of risks facing large,
complex BHCs— including the risk of losses from expo­
sures and of reduced revenue generation—they are often
exposed to risks, other than credit or market risk, that are
either difficult to quantify or not directly attributable to
any of the specific integrated firm-wide scenarios that are
evaluated as part of the BHC's scenario-based stress test­
ing ("other risks"). Examples of these other risks include
reputational risk, strategic risk, and compliance risk. As
noted in the section on risk identification, a BHC should
identify and assess all risks as part of its risk-identification
process and should capture the potential effect of all risks
in its capital planning process. A BHC's capital planning
process should assess the potential impact of these other
risks on the BHC's capital position to ensure that its capital
provides a sufficient buffer against all risks to which the
BHC is exposed.
There is a wide range of practices around how BHCs
account for other risks as part of their capital planning
process. Many BHCs used internal capital tar gets to
account for such risks, putting in place an incremental
cushion above their targets to allow for difficult-to-
quantify risks and the inherent uncertainty represented
by any forward-looking capital planning process. Other
BHCs assessed the effect of in terms of some combination
of reduced revenue, added expenses, or a management
overlay on top of loss estimates. BHCs with lagging prac­
tices did not even attempt to account for other risks in
their capital planning process.
To the extent possible, BHCs should incorporate the effect
of these other risks into their projections of net income
over the nine-quarter planning horizon. BHCs should
clearly articulate and support any relevant assumptions
and the methods used to quantify the effect of other risks
on their revenue, expenses, or losses.
For those BHCs that did not incorporate the potential
impact of these other risks into their capital targets, stron­
ger practices included a clear articulation of which risks
were being addressed by putting in place a cushion above
the capital target, and how this cushion is related to identi­
fied risks. BHCs should clearly support the method they
used to measure the potential effect of such risks. Using
a simple rule (such as a percent of capital) or expert judg­
ments to determine the cushion above the capital target,
without providing analysis or support, is a lagging practice.
Chapter 14 Capital Planning at Large Bank Holding Companies
planning that are not scenario-based, it should identify which
risks each of the methodologies covers, to facilitate comparabil­
ity and informed decision-making with respect to overall capital
adequacy. BHCs with lagging practice did not transparently link
their evaluation of capital adequacy to the full range of identi­
fied risks. These BHCs were not able to show how all their risks
were accounted for in their capital planning processes. In some
cases, staff responsible for capital planning operated in silos
and developed standalone risk inventories not linked to the
enterprise-wide risk inventory or to other risk governance func­
tions within their BHCs.
14.3 INTERNAL CONTROLS
As with other aspects of key risk-management and finance area
functions, a BHC should have a strong internal control fram e­
work that helps govern its internal capital planning processes.
These controls should include (1) regular and comprehensive
review by internal audit; (2) robust and independent model
review and validation practices; (3) comprehensive documenta­
tion, including policies and procedures; and (4) change controls.
Scope of Internal Controls
A BHC's internal control framework should address its entire
capital planning process, including the risk measurement and
management systems used to produce input data, the models
and other techniques used to generate loss and revenue esti­
mates; the aggregation and reporting framework used to pro­
duce reports to management and boards; and the process for
making capital adequacy decisions. While some BHCs may natu­
rally develop components of their internal capital planning along
separate business lines, the control framework should ensure
that BHC management reconciles the separate components in a
coherent manner. The control framework also should help assure
that all aspects of the capital planning process are functioning as
intended in support of robust assessments of capital needs.
BHCs with stronger control coverage reviewed the controls
around capital planning on an integrated basis and applied
them consistently. Management responded quickly and
effectively to issues identified by control areas and devoted
appropriate resources to continually ensure that controls were
functioning effectively.
Internal Audit
Internal audit should play a key role in evaluating internal capital
planning and its various components. Audit should perform a
review of the full process, not just of the individual components,
■ 241
periodically to ensure that the entire end-to-end process is func­
tioning in accordance with supervisory expectations and with a
BHC's board of directors' expectations as detailed in approved
policies and procedures. Internal audit should review the man­
ner in which deficiencies are identified, tracked, and remedi­
ated. Audit staff should have the appropriate competence and
influence to identify and escalate key issues, and the internal
audit function should report regularly on the status of all aspects
of the capital planning process— including any identified defi­
ciencies related to the BHC's capital plan—to senior manage­
ment and the board of directors.
BHCs with stronger audit practices provided a comprehensive,
robust review of all components of the capital planning process,
including all of the control elements noted earlier.10*BHCs with
leading internal audit practices around internal capital planning
had strong issue identification and remediation tracking as well.
They also ensured that audit staff had strong technical expertise,
elevated stature in the organization, and proper independence
from m anagem ent.11
Independent Model Review
and Validation
BHCs should conduct independent review and validation of all
models used in internal capital planning, consistent with existing
supervisory guidance on model risk management (SR Letter
11-7).12 Validation staff should have the necessary technical
competencies, sufficient stature within the organization, and
appropriate independence from model developers and business
areas, so that they can provide a critical and unbiased evaluation
of the models they review.
• The model review and validation process should include
• an evaluation of conceptual soundness;
• ongoing monitoring that includes verification of processes
and benchmarking; and
• an "outcomes analysis."
BHCs should maintain an inventory of all models used in the cap­
ital planning process, including all input or "feeder" models that
10 See 12CFR 225.8(d)(1)(iii).
See SR Letter 13-1, "Supplemental Policy Statement on the Internal
11
Audit Function and Its Outsourcing," (January 23, 2013) www.feder-
alrserve.gov/bankinforeg/srletters/sr1301.htm, for detailed guidance
on expectations for the governance and operational effectiveness of an
institution's internal audit function.
12 See SR Letter 11-7, "Supervisory Guidance on Model Risk Manage­
ment," (April 4, 2011), www.federalreserve.gov/bankinforeg/srletters/
sr1107.htm.
242 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
produce projections or estimates used by the models that gener­
ate the final loss, revenue or expense projections. Consideration
should be given to the validity of the use of a model under
stressed conditions as models designed for ongoing business
activities may be inappropriate for estimating net income and
capital under stress conditions. BHCs should also maintain a pro­
cess to incorporate well-supported adjustments to model esti­
mates when model weaknesses and uncertainties are identified.
BHCs continue to face challenges in conducting outcomes
analysis of their stress testing models, given limited realized
outcomes against which to assess loss, revenue, or expense pro­
jections under stressful scenarios. BHCs should attempt to com­
pensate for the challenges inherent in backtesting stress models
by conducting sensitivity analysis or by using benchmark or
"challenger" models. BHCs should ensure that validation covers
all models and assumptions used for capital planning purposes,
including any adjustments management has made to the model
estimates (management overlay).
Supervisory reviews have found that, in general, BHCs should
give more attention to model risk management, including
strengthening practices around model review and validation.
Nonetheless, some BHCs exhibited stronger practices in their
capital planning, including
• maintaining an updated inventory of all models used in the
process;
• ensuring that models had been validated for their intended
use; and
• being transparent about the validation status of all models
used for capital planning and appropriately addressing any
models that had not been validated (or those that had identi­
fied weaknesses) by restricting their use, or using benchmark
or challenger models to help assess the reasonableness of
the primary model output.
BHCs with lagging practices were not able to identify all mod­
els used in the capital planning process. They also did not for­
mally review all of the models or assumptions used for capital
planning purposes (including some high-impact stress testing
models). In addition, they did not have validation staff that were
independent and that could critically evaluate the models.
Policies and Procedures
BHCs should ensure they have policies and procedures covering
the entire capital planning process.13 Policies and procedures
should ensure a consistent and repeatable process for all
13 See FR Y-14A reporting form: Summary Schedule Instructions, pp. 5-7.
components of the capital planning process and provide trans­
parency to third parties regarding this process. Policies should
be reviewed and updated at least annually and more frequently
when warranted. There should also be evidence that manage­
ment and staff are adhering to policies and procedures in prac­
tice, and there should be a formal process for any policy
exceptions. Such exceptions should be rare and approved by
the appropriate level of management.
Ensuring Integrity of Results
BHCs should have internal controls that ensure the integrity of
reported results and the documentation, review, and approval
of all material changes to the capital planning process and its
components. A BHC should ensure that such controls exist at all
levels of the capital planning process. Specific controls should
be in place to
• ensure that MIS are sufficiently robust to support capital
analysis and decision-making, with sufficient flexibility to run
ad hoc analysis as needed;
• provide for reconciliation and data integrity processes for all
key reports;
• address the presentation of aggregate, enterprise-wide
capital planning results, which should describe any manual
adjustments made in the aggregation process and how those
adjustments compensate for identified weaknesses; and
• ensure that reports provided to senior management and the
board contain the appropriate level of detail and are accurate
and timely. The party responsible for this reporting should
assess and report whether the BHC is in compliance with its
internal capital goals and targets, and ensure the rationale for
any deviations from stated capital objectives is clearly docu­
mented and obtain any necessary approvals.14
BHCs with stronger practices in this area ensured that good
information flows existed to support decisions, with significant
investment in controls for data and information. For example,
some BHCs had an internal audit group review the data for
accuracy and ensured that any data reported to the board
and senior management were given extra scrutiny and cross­
checking. In addition, BHCs with stronger practices had strong
MIS in place that enabled them to collect, synthesize, analyze,
and deliver information quickly and efficiently. These systems
also had the ability to run ad hoc analysis to support capital
planning as needed without employing substantial resources.
Other BHCs, however, continue to face challenges with MIS.
14 See id.
Chapter 14 Capital Planning at Large Bank Holding Companies
Many BHCs have systems that are antiquated and/or siloed and
not fully compatible, requiring substantial human intervention to
reconcile across systems.
Documentation
BHCs should have clear and comprehensive documentation for
all aspects of their capital planning processes, including their
risk-measurement and risk-management infrastructure, loss- and
resource-estimation methodologies, the process for making cap­
ital decisions, and efficacy of control and governance func­
tions.15 Documentation should contain sufficient detail,
accurately describe BHCs' practices, allow for review and chal­
lenge, and provide relevant information to decision-makers.16
14.4 GOVERNANCE
BHCs should have strong board and senior management over­
sight of their capital planning processes.17 This includes ensur­
ing periodic review of the BHC's risk infrastructure and loss- and
resource-estimation methodologies; evaluation of capital goals
and targets; assessment of the appropriateness of stress scenar­
ios considered; regular review of any limitations in key processes
supporting internal capital planning, such as uncertainty around
estimates; and approval of capital decisions. Together, a BHC's
board and senior management should establish a comprehen­
sive capital planning process that fits into broader risk-manage­
ment processes and that is consistent with the risk-appetite
framework and the strategic direction of the BHC.
Board of Directors
A BHC's board of directors has ultimate oversight responsibility
and accountability for capital planning and should be in a posi­
tion to make informed decisions on capital adequacy and capital
actions, including capital distributions.18 The board of directors
should receive sufficient information to understand the BHC's
material risks and exposures and to inform and support its deci­
sions on capital adequacy and planning. The board should
receive this information at least quarterly, or when there are
material developments that affect capital adequacy or the man­
ner in which it is assessed. Capital adequacy information
15 See id.
16 See id.
17 See 12 CFR 225.8(d)(1 )(iii)(A)-(B).
18 See 12 CFR 225.8(d)(1)(iii)(C).
■ 243
provided to the board should include capital measures under
current conditions as well as on a post-stress, pro forma basis
and should be framed against the capital goals and targets
established by the BHC.
The information provided to the board should include sufficient
details on scenarios used for the BHC's internal capital plan­
ning so that the board can evaluate the appropriateness of the
scenarios, given the current economic outlook and the BHC's
current risk profile, business activities, and strategic direction.
The information should also include a discussion of key limita­
tions, assumptions, and uncertainties within the capital planning
process, so that the board is fully informed of any weaknesses
in the process and can effectively challenge reported results
before making capital decisions. The board should also receive
summary information about mitigation strategies to address key
limitations and take action when weaknesses in internal capital
planning are identified, applying additional caution and conser­
vatism as needed.
BHCs with stronger practices had boards that were informed of
and generally understood the risks, exposures, activities, and
vulnerabilities that affected the BHC's capital adequacy. They
also understood the major drivers of loss and revenue changes
under the scenarios used. The boards of BHCs with stronger
practices had sufficient expertise and level of engagement
to understand and critically evaluate information provided by
senior management. Importantly, they recognized that internal
capital planning results are estimates and should be viewed as
part of a range of possible results. In addition, the boards of
BHCs with stronger practices discussed weaknesses identified
in the capital planning process, whether they needed to take
immediate action to address those weaknesses, and whether the
weaknesses were material enough to alter their view of current
capital planning results. They also discussed whether a sufficient
range of potential stress events and conditions had been con­
sidered in assessing capital adequacy.
Board Reporting
The board of directors is required to approve a BHC's capital
plan under the Capital Plan Rule.19 In order for boards to carry
out this requirement, management should provide adequate
reporting on key areas of the analysis supporting capital plans.
BHCs with stronger practices included information about the
independent review and validation of models, information on
issues identified by internal audit, as well as key assumptions
underpinning stress test results and a discussion of the sensitiv­
ity of capital levels to those assumptions. BHCs with stronger
19 Id.
244 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
practices also supplied their boards with information about past
capital planning performance to provide a perspective on how
the capital planning process has functioned over time.
BHCs with weaker practices provided insufficient information
to the board of directors. For example, at some BHCs, capital
distribution recommendations did not include all relevant sup­
porting information and appeared to be based on optimistic
expectations about how a given scenario may affect the BHC.
In addition, the information did not specifically identify and
address key assumptions that supported the capital planning
process. In other cases, the board of directors did not receive
information about governance and controls over internal capital
planning, making it difficult to assess the strength of its
capital planning processes and whether results were reliable
and credible.
Senior Management
Senior management is responsible for ensuring that capital plan­
ning activities authorized by the board are implemented in a sat­
isfactory manner and is accountable to the board for the
effectiveness of those activities. Senior management should
ensure that effective controls are in place around the capital
planning process— including ensuring that the BHC's stress sce­
narios are sufficiently severe and cover the material risks and
vulnerabilities facing the BH C .20
Senior management should make informed recommendations
to the board of directors about the BHC's capital, including
capital goals and distribution decisions. Senior management
also should ensure that proposed capital goals have sufficient
analytical support and fully reflect the expectations of important
stakeholders, including creditors, counterparties, investors, and
supervisors. Senior management should identify weaknesses and
potential limitations in the capital planning process and evaluate
them for materiality. In addition, it should develop remediation
plans for any weaknesses affecting the reliability of internal capi­
tal planning results. Both the specific identified limitations and
the remediation plans should be reported to the board.
Senior management with stronger practices recognized
the imprecision and prevalence of uncertainty in predicting
future outcomes when reviewing information and results from
enterprise-wide scenario analysis. At BHCs with stronger prac­
tices, senior management maintained an ongoing assessment of
all capital planning areas, identifying and clearly documenting
any weaknesses, assumptions, limitations, and uncertainties, and
did not consider a one-time assessment of the capital planning
20 12 CFR 225.8(d)(2)(i)(A)-(D).
process to be sufficient. Furthermore, management developed
clear remediation plans with specific timelines for resolving
identified weaknesses. In some cases, based on its review of
the full capital planning process, senior management made
more cautious or conservative adjustments to the capital plan,
such as recommending less aggressive capital actions. Manage­
ment also included key assumptions and process weaknesses in
reports and specifically pointed them out to the board, in some
cases providing analysis showing the sensitivity of capital to
alternative outcomes.
Documenting Decisions
BHCs should document decisions about capital adequacy and
capital actions taken by the board of directors and senior man­
agement, and describe the information used to reach those
decisions.21 Final decisions regarding capital planning of the
board or of a designated committee thereof should be recorded
and retained in accordance with the company's policies and
procedures.
BHCs with stronger documentation practices had board minutes
that described how decisions were made and what informa­
tion was used. Some documentation provided evidence that
the board challenged results and recommendations, including
reviewing and assessing how senior management challenged
the same information. BHCs with weaker documentation prac­
tices had board minutes that were very brief and opaque, with
little reference to information used by the board to make its
decisions. Some BHCs did not formally document key decisions.
14.5 CAPITAL POLICY
As noted earlier, a capital policy is the principles and guidelines
used by a BHC for capital planning, capital issuance, and usage
and distributions. A capital policy should include internal capital
goals; quantitative or qualitative guidelines for dividends and
stock repurchases; strategies for addressing potential capital
shortfalls; and internal governance procedures around capital
policy principles and guidelines.22 The capital policy, as a com­
ponent of a capital plan, must be approved by the BHC's board
of directors or a designated committee of the board.23 It
should be a distinct, comprehensive written document that
addresses the major components of the BHC's capital planning
21 See FR Y-14A reporting form: Summary Schedule Instructions, p. 6.
22 12CFR 225.8(c)(4).
23 See 12 CFR 225.8(d)(1)(iii)(C), 225.8(d)(2)(iii).
Chapter 14 Capital Planning at Large Bank Holding Companies
processes and links to and is supported by other policies (risk-
management, stress testing, model governance, audit, and oth­
ers). A capital policy should provide details on how a BHC
manages, monitors, and makes decisions regarding all aspects
of capital planning. The policy should also address roles and
responsibilities of decision-makers, process and data controls,
and validation standards. Finally, the capital policy should
explicitly lay out expectations for the information included in
the BHC's capital plan.
A capital policy should describe targets for the level and compo­
sition of capital and provide clarity about the BHC's objectives
in managing its capital position. The policy should explain how
the BHC's capital planning practices align with the imperative of
maintaining a strong capital position and being able to continue
to operate through periods of severe stress. It should include
quantitative metrics such as common stock dividend (and other)
payout ratios as maximums or targets for capital distributions.
The policy should include an explanation of how management
concluded that these ratios are appropriate, sustainable, and
consistent with its capital objectives, business model, and capital
plan. It should also specify the capital metrics that senior man­
agement and the board use to make capital decisions. In addi­
tion, a capital policy should include governance and escalation
protocols that are clear, credible, and actionable in the event an
actual or projected capital ratio target is breached.
The policy should describe processes surrounding how common
stock dividend and repurchase decisions are made and how the
BHC arrives at its planned capital distribution amounts. Specifi­
cally, the policy should discuss the following:
• the main factors and key metrics that influence the size, tim­
ing, and form of capital distributions
• the analytical materials used in making capital distribution
decisions (e.g., reports, earnings, stress test results, and
others)
• specific circumstances that would cause the BHC to reduce
or suspend a dividend or stock repurchase program
• factors the BHC would consider if contemplating the replace­
ment of common equity with other forms of capital
• key roles and responsibilities, including the individuals or
groups responsible for producing the analytical material ref­
erenced above, reviewing the analysis, making capital distri­
bution recommendations, and making the ultimate decisions
BHCs should establish a minimum frequency (at least annually)
and other triggers for when its capital policy is reevaluated and
ensure that these triggers remain relevant and current. The
capital policy should be reevaluated and revised as necessary to
address changes to organizational structure, governance struc­
ture, business strategy, capital goals, regulatory environment,
■ 245
risk appetite, and other factors potentially affecting a BHC's
capital adequacy. BHCs should develop a formal process for
approvals, change management, and documentation retention
relating to their capital policies.
Weak capital policies were typically characterized by a limited
scope. They only addressed parts of the capital planning pro­
cess, did not provide sufficient detail to convey clearly how
capital action decisions will be made, were not well integrated
with or supported by other risk and finance policies, and/or did
not contain all of the elements described above (e.g., clearly
defined capital goals, guidelines for capital distributions and
capital composition, etc.). In some cases, the capital policy
was overly generic and not tailored to the BHC's unique
circumstances. For example, the policy appeared to be restat­
ing supervisory expectations without concrete examples or
BHC-specific considerations. In other cases, the more detailed
procedures were not presented to the board, thus limiting the
board's ability to understand the analysis underlying its capital
planning decisions.
Capital Goals and Targets
BHCs should establish capital goals aligned with their risk appe­
tites and risk profiles as well as expectations of internal and
external stakeholders, providing specific goals for the level and
composition of capital, both current and under stressed condi­
tions. Internal capital goals should be sufficient to allow a BHC
to continue its operations during and after the impact of stress­
ful conditions. As such, capital goals should reflect current and
future regulatory capital requirements, as well as the expecta­
tions of shareholders, rating agencies, counterparties, creditors,
supervisors, and other stakeholders.
BHCs should also establish capital targets above their capital
goals to ensure that capital levels will not fall below the goals
during periods of stress. Capital targets should take into consid­
eration forward-looking elements related to the economic out­
look, the BHC's financial condition, the potential impact of stress
events, and the uncertainty inherent in the capital planning pro­
cess. The goals and targets should be specified in the capital
policy and reviewed and approved by the board.24
In developing their capital goals and targets, particularly with
regard to setting the levels of capital distributions, BHCs should
explicitly take into account general economic conditions and
their plans to grow their on- and off-balance-sheet size and risks
organically or through acquisitions. BHCs should consider the
impact of external conditions during both normal and stressed
24 12 CFR 225.8(c)(4).
246 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
economic and market environments and other factors on their
overall capital adequacy and ability to raise additional capital,
including the potential impact of contingent exposures and
broader market or systemic events, which could cause risk to
increase beyond the BHC's chosen risk-tolerance level. BHCs
should have contingency plans for such outcomes.
Additionally, BHCs should calculate and use several capital
measures that represent both leverage and risk, including
quarterly estimates of regulatory capital ratios (including tier 1
common ratio) under both baseline and stress conditions. BHCs
with weaker practices in this area did not clearly link decisions
regarding capital distributions to capital adequacy metrics or
internal capital goals.
Weak practices observed in this area included establishing capi­
tal goals based solely on regulatory minimums and the ratios
required to be considered well-capitalized without consideration
of a BHC's specific capital needs given its risk profile, financial
condition, business model and strategies, overall complexity, and
sensitivity to changing conditions. Some BHCs did not recognize
uncertainties and limitations in capturing all potential sources of
loss and in projecting loss and revenue estimates, which reduced
the BHCs' ability to establish effective capital goals and targets.
Other BHCs were not transparent about how they determined
the capital goals and targets in their capital policies.
Capital Contingency Plan
BHCs should outline in their capital policies specific capital con­
tingency actions they would consider to remedy any current or
prospective deficiencies in their capital position.25 In particular, a
BHC's policy should include a detailed explanation of the
circumstances— including deterioration in the economic environ­
ment, market conditions, or the financial condition of the BHC—
in which it will reduce or suspend a dividend or repurchase
program or not execute a previously planned capital action. The
policy also should define a set of capital triggers and events that
would correspond with these circumstances. These triggers
should be established for both baseline and stress scenarios and
measured against the BHC's capital targets in those scenarios.
These triggers and events should be used to guide the frequency
with which board and senior management will revisit planned
capital actions as well as review and act on contingency capital
plans. The capital contingency plan should be reviewed and
updated as conditions warrant, such as where there are material
changes to the BHC's organizational structure or strategic direc­
tion or to capital structure, credit quality, and/or market access.
25 Id.
Capital triggers should provide an "early warning" of capital
deterioration and should be part of a management decision­
making framework, which should include target ranges for a
normal operating environment and threshold levels that trig­
ger management action. Such action should include escalation
to the board, potential suspension of capital actions, and/or
activation of a capital contingency plan. Triggers should also be
established for other metrics and events that measure or affect
the financial condition or perceived financial condition of the
firm— for example, liquidity, earnings, debt and credit default
swap spreads, ratings downgrades, stock performance, supervi­
sory actions, or general market stress.
Contingency actions should be flexible enough to work in a
variety of situations and be realistic for what is achievable during
periods of stress. The capital plan should be prepared recogniz­
ing that certain capital-raising and capital-preserving activities
may not be feasible or effective during periods of stress. BHCs
should have an understanding of market capacity constraints
when evaluating potential capital actions that require accessing
capital markets, including debt or equity issuance and also con­
templated asset sales. Contingency actions should be ranked
according to ease of execution and their impact and should
incorporate the assessment of stakeholder reactions (e.g.,
impacts on future capital-raising activities).
Weak capital contingency plans provided few options to address
contingency situations and/or did not consider the feasibility of
options under stressful conditions. Plans with overly optimistic
assumptions or excessive reliance on past history (in terms of
both possible contingency situations and options to address
those situations) were also considered weak, as were plans that
lacked support for the feasibility and availability of possible
contingency actions. Other weak practices included establishing
triggers based on actual results but not on projected results, or
based on minimum regulatory capital ratios only with no con­
sideration of the expectations of other stakeholders including
counterparties, creditors and investors, or of other metrics or
market indicators.
14.6 BHC SCENARIO DESIGN
Under the Capital Plan Rule, a BHC is required to use a BHC-
developed stressed scenario that is appropriate for its business
model and portfolios.26 Accordingly, BHCs should have a pro­
cess for designing scenarios for enterprise-wide scenario analy­
sis that reflects the BHC's unique business activities and
associated vulnerabilities.
26 12CFR 225.8(d)(2)(i)(A).
Chapter 14 Capital Planning at Large Bank Holding Companies
The range of observed practice for developing BHC stress sce­
narios was broad. Some BHCs designed stress scenarios using
internal models and expertise. Other BHCs used vendor-defined
macroeconomic scenarios or used vendor models to define
customized macroeconomic scenarios. For BHCs with internally
developed scenarios, those with stronger scenario-design prac­
tices used internal models in combination with expert judgment
rather than relying solely on either models or expert judgment
to define scenario conditions and variables. Among BHCs that
used third-party scenarios, those with stronger practices tai­
lored third-party-defined scenarios to their own risk profiles and
unique vulnerabilities.
Regardless of the method used to develop the scenario, BHCs
should have a scenario-selection process that engages a broad
range of internal stakeholders such as risk experts, business man­
agers, and senior management. Although they are required to sub­
mit only one BHC stress scenario for CCAR, BHCs should develop
a suite of scenarios that collectively capture their material risks and
vulnerabilities under a variety of stressful circumstances and should
incorporate them into their overall capital planning processes.
Scenario Design and Severity
As indicated in the preamble to the Capital Plan Rule, "the bank
holding company-designed stress scenario should reflect an indi­
vidual company's unique vulnerabilities to factors that affect its
firm-wide activities and risk exposures, including macroeconomic,
market-wide, and firm-specific events."27 Thus, BHC stress sce­
narios should reflect macroeconomic and financial conditions that
are tailored specifically to stress a BHC's key vulnerabilities and
idiosyncratic risks, based on factors such as its particular business
model, mix of assets and liabilities, geographic footprint, portfo­
lio characteristics, and revenue drivers. A BHC stress scenario
that simply features a generic weakening of macroeconomic con­
ditions similar in magnitude to the supervisory severely adverse
scenario does not meet these expectations.
BHCs with stronger scenario-design practices clearly and
creatively tailored their BHC stress scenarios to their unique
business-model features, emphasizing important sources of risk
not captured in the supervisory severely adverse scenario. Exam ­
ples of such risks observed in practice included a significant
counterparty default; a natural disaster or other operational-risk
event; and a more acute stress on a particular region, industry,
and/or asset class as compared to the stress applied to gen­
eral macroeconomic conditions in the supervisory adverse and
severely adverse scenarios.
27 See 77 Fed. Reg. 74631, 74636 (December 1, 2011).
■ 247
At the same time, BHC stress scenarios should not feature
assumptions that specifically benefit the BHC. For example,
some BHCs with weaker scenario-design practices assumed that
they would be viewed as strong compared to their competitors
in a stress scenario and would therefore experience increased
market share. Such assumptions are contrary to the supervisory
expectations for and the intent of a stress testing exercise that
informs capital planning.
While a broad-based recession adversely affects a wide range of
most BHCs' business activities, BHCs may have business mod­
els or important business activities that generate vulnerabili­
ties that are not particularly well captured by scenario analysis
based on a stressed macroeconomic environment (or for which
even a severe recession is not the primary source of potential
vulnerability). These BHCs should incorporate into their stress
scenarios elements that address the key revenue vulnerabilities
and sources of loss for their specific businesses and activities.
In combination, the recession incorporated into the BHC stress
scenario and any additional elements intended to address spe­
cific businesses or activities should result in a substantial stress
for the organization, including a significant reduction in capital
ratios relative to baseline projections. However, a BHC stress
scenario that produces post-stress capital ratios lower than
those under the supervisory severely adverse scenario is not,
in and of itself, a safe harbor. The stress scenario included in a
BHC's capital plan should place substantial strains on its abil­
ity to generate revenue and absorb losses, consistent with its
unique risks and vulnerabilities.
Variable Coverage
The set of variables that a BHC includes in its stress scenario
should be sufficient to address all material risks arising from its
exposures and business activities. A business line could face
significant stress from multiple sources, requiring more than one
risk factor or macroeconomic variable. The scenario should gen­
erally contain the relevant variables to facilitate pro forma finan­
cial projections that capture the impact of changing conditions
and environments. BHCs should have a consistent process for
determining the final set of variables and provide this rationale
as part of the scenario narrative.
Overall, BHCs with stronger scenario-design practices gener­
ated scenarios in which the link between the variables included
in the scenario and sources of risk to the BHC's financial outlook
were transparent and straightforward. Clear narratives helped
make these links more transparent. BHCs with weaker scenario-
design practices developed stress scenarios that excluded
some variables relevant to the BHC's risk profile and idiosyn­
cratic vulnerabilities. For example, some BHCs with significant
248 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
trading activities and revenues included a limited set of relevant
financial variables. Other BHCs with significant regional and/or
industry concentrations did not include relevant geographic or
industry variables.
Clear Narratives
The scenario should be supported by a clear narrative describ­
ing how the scenario addresses the particular vulnerabilities
and material risks facing the BHC. BHCs with stronger scenario-
design practices provided narratives describing how the sce­
nario variables related to the risks faced by a BHC's significant
business lines and, in some cases, how the scenario variables
corresponded to variables in the BHC's internal risk-manage­
ment models. The narratives also provided explanations of how
a scenario stressed a BHC's unique vulnerabilities specific to
its business model and how the paths of the scenario variables
related to each other in an economically intuitive way. Weaker
practices included scenario narratives that did not provide any
context for the variable paths as well as scenario narratives that
described features that were not reflected in any variables con­
sidered in a BHC's internal capital planning.
14.7 ESTIMATION METHODOLOGIES
FOR LOSSES, REVENUES, AND
EXPENSES
A BHC's capital plan must include estimates of projected reve­
nues, expenses, losses, reserves, and pro forma capital levels,
including any minimum regulatory capital ratios, the tier 1 com­
mon ratio and any additional capital measures deemed relevant
by the BHC, over the planning horizon under expected condi­
tions and under a range of stressed scenarios.28
General Expectations
Projections of losses, revenues, and expenses under hypotheti­
cal stressed conditions serve as the fundamental building blocks
of the pro forma financial analysis supporting enterprise-wide
scenario analysis. BHCs should have stress testing method­
ologies that generate credible estimates that are consistent
with assumed scenario conditions. It is important for BHCs to
understand the uncertainties around their estimates, including
the sensitivity of the estimates to changes in inputs and key
assumptions. Overall, BHCs' estimates of losses, revenues, and
expenses under each of the scenarios should be supported by
28 12 CFR 225.8(d)(1).
empirical evidence, and the entire estimation process should
be transparent and repeatable. The Federal Reserve generally
expects BHCs to use models or other quantitative methods as
the basis for their estimates; however, there may be instances
where a management overlay or other qualitative approaches
may be appropriate due to data limitations, new products or
businesses, or other factors. In such instances, BHCs should
ensure that such processes are well supported, transparent, and
repeatable over time.
Establishing a Quantitative Basis
for Enterprise-Wide Scenario Analysis
Generally, BHCs should develop and use internal data to esti­
mate losses, revenues, and expenses as part of enterprise-wide
scenario analysis.29 However, in certain instances, it may be
more appropriate for BHCs to use external data to make their
models more robust. For example, BHCs may lack sufficient, rel­
evant historical data due to factors such as systems limitations,
acquisitions, or new products. When using external data, BHCs
should take care to ensure that the external data reasonably
approximate underlying risk characteristics of their portfolios,
and make adjustments to modeled outputs to account for iden­
tified differences in risk characteristics and performance
reflected in internal and external data.
BHCs can use a range of quantitative approaches to estimate
losses, revenues, and expenses, depending on the type of port­
folio or activity for which the approach is used, the granularity
and length of available time series of data, and the materiality
of a given portfolio or activity. While the Federal Reserve does
not require BHCs to use a specific estimation method, each BHC
should estimate its losses, revenues, and expenses at sufficient
granularity so that it can identify common, key risk drivers and
capture the effect of changing conditions and environments.
For example, loss models should be estimated at a sufficiently
granular subportfolio or segment level so that they can capture
observed variations in risk characteristics and performance
across the subportfolios or segments and across time, and
account for changing exposure or portfolio characteristics over
the planning horizon.
While BHCs often segment their portfolios and activities along
functional areas, such as by line of business or product type, the
leading practice is to determine segments based on common
risk characteristics (e.g., credit score ranges or loan-to-value
ratio ranges) that exhibit meaningful differences in historical per­
formance. The granularity of segments typically depends on the
29 BFICs are required to collect and report a substantial amount of risk
information to the Federal Reserve on FR Y-14 schedules. These data
may help to support the BHC's enterprise-wide scenario analysis.
Chapter 14 Capital Planning at Large Bank Holding Companies
type, size, and composition of the BHC's portfolio. For example,
a more diverse portfolio— both in terms of borrower risk char­
acteristics and performance— would generally require a greater
number of segments to account for the heterogeneity of the
portfolio. However, when segmenting portfolios, it is important
to ensure that each risk segment has sufficient data observations
to produce reliable model estimates.
As a general practice, BHCs should separately estimate losses,
revenues, or expenses for portfolios or business lines that are
sensitive to different risk drivers or sensitive to risk drivers in a
markedly different way. For instance, losses on commercial and
industrial loans and commercial real estate (CRE) loans are, in
part, driven by different factors, with the path of property values
having a more pronounced effect on CRE loan losses. Similarly,
although falling property value affects both income-producing
CRE loans and construction loans, the effect often differs mate­
rially due to structural differences between the two portfolios.
Such differences can become more pronounced during periods
of stress. BHCs with leading practices have demonstrated clearly
the rationale for selecting certain risk drivers over others. BHCs
with lagging practices used risk drivers that did not have a clear
link to results, either statistically or conceptually.
Many models used for stress testing require a significant number
of assumptions to implement. Further, the relationship between
macroeconomic variables and losses, revenues, or expenses
could differ considerably in the hypothetical stress scenario from
what is observed historically. As a result, while traditional tools
for evaluating model performance (such as comparing projec­
tions to historical out-of-sample outcomes) are still useful, the
Federal Reserve expects BHCs to supplement them with other
types of analysis. Sensitivity analysis is one tool that some BHCs
have used to test the robustness of models and to help model
developers, BHC management, the board of directors, and
supervisors identify the assumptions and parameters that mate­
rially affect outcomes. Sensitivity analysis can also help ensure
that core assumptions are clearly linked to outcomes. Using
results from different estimation approaches (challenger models)
as a benchmark is another way BHCs can gain greater comfort
around their primary model estimates, as the strengths of one
approach could potentially compensate for the weaknesses of
another. When using multiple approaches, however, it is impor­
tant that BHCs have a consistent framework for evaluating the
results of different approaches and supporting rationale for why
they chose the methods and estimates they ultimately used.
In certain instances, BHCs may need to rely on third-party
models— for example, due to limitations in internal modeling
capacity. In using these third-party models (vendor models or
consultant-developed models), BHCs should ensure that their
internal staff have working knowledge and a good conceptual
■ 249
understanding of the design and functioning of the models and
potential model limitations so that management can clearly
communicate them to those governing the process. An off-the-
shelf vendor model often requires some level of firm-specific
analysis and customization to demonstrate that it produces esti­
mates appropriate for the BHC and consistent with scenario
conditions. Sensitivity analysis can be particularly helpful in
understanding the range of possible results of vendor models
with less transparent or proprietary elements. Importantly, all
vendor and consultant-developed models should be validated in
accordance with SR 11-7 guidelines.30
Some BHCs generated annual projections for certain loss, rev­
enue, or expense items and then evenly distributed them over
the four quarters of each year. This practice does not reflect a
careful estimate of the expected quarterly path of losses, net
revenue, and capital, and thus is only acceptable when a BHC
can clearly demonstrate that the projected item is highly uncer­
tain and the practice likely results in a conservative estimate.
Qualitative Projections, Expert Judgment,
and Adjustments
While quantitative approaches are important elements of
enterprise-wide scenario analysis, BHCs should not rely on
weak or poorly specified models simply to have a modeled
approach. In fact, most BHCs use some forms of expert judg­
ment for some purposes— generally as a management adjust­
ment overlay to modeled outputs. And BHCs can, in limited
cases, use expert judgm ent as the primary method to produce
an estimate of losses, revenue, or expenses. BHCs may use a
management overlay to account for the unique risks of certain
portfolios that are not well captured in their models, or oth­
erwise to compensate for specific model and data limitations.
Material changes in BHCs' businesses or limitations in relevant
data may lead some BHCs to rely wholly on expert judgm ent
for certain loss, revenue, or expense projections. In using
expert judgm ent, BHCs should ensure that they have a trans­
parent and repeatable process, that management judgm ents
are well supported, and that key assumptions are consistent
with assumed scenario conditions.
As with quantitative methods, the assumptions and processes
that support qualitative approaches should be clearly docu­
mented so that an external reviewer can follow the logic and
evaluate the reasonableness of the outcomes.31 Any potential
30 See SR Letter 11-7, "Supervisory Guidance on Model Risk Manage­
ment," (April 4, 2011), www.federalreserve.gov/bankinforeg/srletters/
sr1107.htm.
31 See FR Y-14A reporting form: Summary Schedule Instructions, pp. 5-6.
250 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
shortcomings should be investigated and communicated to
decision-makers. In addition, any management overlay or quali­
tatively derived projections should be subject to effective review
and challenge. BHCs should evaluate a range of potential esti­
mates and conduct sensitivity analysis for key assumptions used
in the estimation process. For example, if a BHC makes exten­
sive adjustments to its modeled estimates of losses, revenue,
and expenses, the impact of such adjustments should be quanti­
fied relative to unadjusted estimates, and these results should
be documented and made available to BHC management and
the board of directors. Finally, extensive use of management
judgment to adjust modeled estimates should trigger review
and discussion as to whether new or improved modeling
approaches are needed. In reporting to the board of directors,
management should always provide both the initial results and
the results after any judgmental adjustments.
Conservatism and Credibility
Given the uncertainty inherent in a forward-looking capital plan­
ning exercise, the Federal Reserve expects BHCs to apply gen­
erally conservative assumptions throughout the stress testing
process to ensure appropriate tests of the BHCs' resilience to
stressful conditions. In particular, BHCs should ensure that mod­
els are developed using data that contain sufficiently adverse
outcomes. If a BHC experienced better-than-average perfor­
mance during previous periods of stress, it should not assume
that those prior patterns will remain unchanged in the stress
scenario. BHCs should carefully review the applicability of key
assumptions and critically assess how historically observed pat­
terns may change in unfavorable ways during a period of severe
stress for the economy, the financial markets, and the BHC.
In the context of C C A R loss and revenue estimates, BHCs
should generally include all applicable loss events in their analy­
sis, unless a BHC no longer engages in a line of business or its
activities have changed such that the BHC is no longer exposed
to a particular risk. BHCs should not selectively exclude losses
based on arguments that the nature of the ongoing business or
activity has changed—for example, because certain loans were
underwritten to standards that no longer apply or were acquired
and, therefore, differ from those that would have been origi­
nated by the acquiring institution.
Similarly, BHCs should not rely on favorable assumptions that
cannot be reasonably assured to occur in stressed environments
given the high level of uncertainty around market conditions.
BHCs should also not assume any foresight of scenario condi­
tions over the projection horizon beyond what would reasonably
be knowable in real-life situations. For example, some BHCs
have used the path of stress scenario variables to make optimis­
tic assumptions about possible management actions ex ante in
anticipation of stressful conditions, such as preemptively rebal­
ancing their portfolios or otherwise adjusting their risk profiles
to mitigate the expected impact. In the event of a downturn,
the future path or progression of economic and market condi­
tions would not be clearly known, and this uncertainty should be
reflected in the capital plans.
Documentation of Estimation Practices
The Federal Reserve expects BHCs to clearly document their
key methodologies and assumptions used to estimate losses,
revenues, and exp enses.32 BHCs with stronger practices pro­
vided documentation that concisely explained m ethodologies,
with relevant macroeconomic or other risk drivers, and dem on­
strated relationships between these drivers and estim ates.
Documentation should clearly delineate among model out­
puts, qualitative overlays to model outputs, and purely qualita­
tive estim ates.33 BHCs with w eaker practices often had limited
documentation that was poorly organized and that relied
heavily on subjective management judgm ent for key model
inputs with limited empirical support for and documentation of
these adjustm ents.
Loss-Estimation Methodologies
As noted earlier, a BHC's internal stress testing processes should
be designed to capture risks inherent in its own exposures and
business activities. Consistent with any good modeling prac­
tices, when developing loss-estimation methodologies, BHCs
should first determine whether there is a sound theoretical basis
for macroeconomic and other explanatory variables (risk drivers)
used to estimate losses, and then empirically demonstrate that
a strong relationship exists between those variables and losses.
For example, most BHCs' residential-mortgage loss models
used some measure of unemployment and a house price index
as explanatory variables, which affect a borrower's ability and
incentive to repay.
Beyond the core set of macroeconomic variables that typically
represents a given scenario, such as gross domestic products
(GDP), unemployment rate, Treasury yields, credit spreads, and
various price indices, BHCs often project additional variables
that have a more direct link to particular portfolios or exposures.
Some examples of these variables include regional macro-
economic variables that better capture the BHC's geographic
exposures and sector-specific variables, such as office vacancy
rates and corporate profits. Using these additional variables to
estimate the model can enhance the sensitivity of loss estimates
32 See id.
33 See id.
Chapter 14 Capital Planning at Large Bank Holding Companies
to a given scenario and also improve the overall fit of the model.
Any models used to produce additional risk drivers are key com­
ponents of the loss-estimation process and, therefore, should be
included in BHCs' model inventories and receive the same model
risk-management treatment as core loss-estimation models.
Generally, BHCs sum up losses from various portfolios and
activities to produce aggregate losses for the enterprise-wide
scenario analysis. BHCs should have a repeatable process to
aggregate losses, particularly when they transform model esti­
mates to combine disparate risk measures (such as accounting-
based and economic loss concepts), different measurement
horizons, or otherwise dissimilar loss estimates.
BHCs with leading practices used automated processes that
showed a clear audit trail from source data to loss estimation
and aggregation, with full reconcilement to source systems and
regulatory reports and mechanisms requiring approval and log­
ging of judgmental adjustments and overrides. These systems
often leveraged existing enterprise-wide financial and regulatory
consolidation processes.
BHCs with lagging practices exhibited a high degree of manual
intervention in the aggregation process, and applied aggregate-
level management adjustments that were not transparent or
well supported.
Retail and Wholesale Credit Risk
BHCs used a range of approaches to produce loss estimates
on loans to retail and corporate customers, often using differ­
ent estimation methods for different portfolios. This section
describes the observed range of practice for the methods used
to project losses on retail and wholesale loan portfolios.
Data and Segmentation
Sources of data used for loss estimation have often differed
between retail and wholesale portfolios. Due to availability
of a richer set of retail loss data, particularly from the most
recent downturn, BHCs generally used internal data to estimate
defaults or losses on retail portfolios and only infrequently used
external data with longer history to benchmark estimated losses
on portfolios that had more limited loss experience in the recent
downturn. For wholesale portfolios, some BHCs supplemented
internal data with external data or used external data to cali­
brate their models due to a short time series (5-10 years) that
included only a single downturn cycle.
BHCs with stronger practices accounted for dynamic changes
in their portfolios, such as loan modifications or changes in
portfolio risk characteristics, and made appropriate adjustments
to data or estimates to compensate for known data limitations
(including lack of historical periods of stress).
■ 251
BHCs with weaker practices failed to compensate for data limi­
tations or adequately demonstrate that external data reasonably
reflect the BHC's actual exposures, often failing to capture geo­
graphic, industry, or lending-type concentrations.
The level of segmentation used for modeling varied depending
on the type and size of portfolio and estimation methods used.
For example, BHCs often segmented the retail portfolio based
on some combinations of product; lien position; risk characteris­
tics such as credit score, loan-to-value ratio, and collateral; and
underlying collateral information (e.g., single-family home ver­
sus condominium), though some models were estimated at the
loan-level and others at the portfolio level.
BHCs with stronger practices had segmentation schemes that
were well supported by the BHC's data and analysis, with suf­
ficient granularity to capture exposures that react differently to
risk drivers under stressed conditions.
BHCs with weaker practices used a single model for multiple
portfolios, without sufficiently adjusting modeling assumptions
to capture the unique risk drivers of each portfolio. For example,
in estimating losses on wholesale portfolios, these BHCs did not
adequately allow for variation in loss rates commonly attributed
to industry, obligor type, collateral, lien position, or other rel­
evant information.
Common Credit Loan Loss-Estimation Approaches
BHCs have used a wide range of methods to estimate credit
losses, depending on the type and size of portfolios and
data availability. These methods can be based on either an
accounting-based loss approach (that is, charge-off and recovery)
or an economic loss approach (that is, expected losses). BHCs
have flexibility in selecting a specific loss or estimation approach;
however, it is important for BHCs to understand differences
between the two loss approaches, particularly in terms of the tim­
ing of loss recognition, and to account for the differences in set­
ting the appropriate level of reserves at the end of each quarter.
Expected Loss Approaches
Under the expected loss approach, losses are estimated as a func­
tion of three components— probability of default (PD), loss given
default (LGD), and exposure at default (EAD). PD, LGD, and EAD
can be estimated at a segment level or at an individual loan level,
and using different models or assumptions. In general, BHCs used
econometric models to estimate losses under a given scenario,
where the estimated PDs were conditioned on the macroeconomic
environment and portfolio or loan characteristics. Some BHCs
used other approaches, such as rating transition models, to esti­
mate stressed default rates as part of an expected loss framework.
252 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
BHCs with leading practices were able to break down losses
into PD, LGD, and EAD components, separately identifying key
risk drivers for each of those components, though they typically
did not demonstrate this level of granularity consistently across
all portfolios. For certain wholesale portfolios, some BHCs used
long-run average PD, LGD, and EAD for a particular segment,
such as a rating grade, to estimate losses. By design, estimates
based on long-run average behavior over a mix of conditions,
including periods of economic expansion and downturn, are not
appropriate for projecting losses under stress and should not be
used for these purposes.
BHCs with leading practices clearly tied LGD to underlying
risk drivers, accounted for collateral and guarantees, and also
incorporated the likelihood of a decline in collateral values
under stress. However, most BHCs have more limited data on
LGD and, as a result, BHCs often applied a simple, conserva­
tive assumption (e.g., 100 percent LGD for credit cards), based
stressed LGD on their experience during the crisis, or scaled
up the historical average LGD using expert judgment. In using
such methods, it is important for BHCs to ensure that the pro­
cess is well supported and transparent in line with the Federal
Reserve's general expectation for expert judgment-based esti­
mates. W herever possible, BHCs should benchmark their esti­
mates with external data or research and analysis.
BHCs with lagging practices modeled LGD using a weighted-
average approach at an aggregate portfolio level, without some
level of segmentation (e.g., by lending product, priority of claim,
collateral type, geography, vintage, or LTV). Or, they failed to
demonstrate that LGD estimates were consistent with the sever­
ity of the scenario.
Although some BHCs found a relationship between EAD and
credit quality, most BHCs did not model EADs to vary according
to the macroeconomic environment, in large part due to data
limitations. Rather, many BHCs applied a static assumption to
estimate stressed EAD.
BHCs with stronger practices included the use of loan equiva­
lent calculations (i.e., estimated additional draw-downs as a
percentage of unused commitments, which are added to the
outstanding or drawn balance) and credit-conversion factors
(i.e., additional drawdowns during the period leading up to
default— usually one year prior— as a percentage of both drawn
and undrawn commitments) to capture losses associated with
undrawn commitments.
BHCs with weaker practices did not project stressed exposures
associated with undrawn commitments and/or relied on the
assumption that they can actively manage down committed lines
during stress scenarios.
Rating Transition Models
Many BHCs have used a rating transition-based approach
to produce a stressed rating transition matrix for each quar­
ter, which is then used to estimate losses for their wholesale
portfolios under stress. These approaches used credit ratings
applied to individual loans by the BHC and projected how
these ratings would change over time given the macroeco­
nomic scenario. Although the details of techniques used to link
rating transitions to scenario conditions varied across firms,
the process usually involved the following steps: (1) convert­
ing the rating transition matrix into a single summary measure;
(2) estimating a time-series model linking the summary mea­
sure to scenario variables; (3) projecting the summary measure
over the nine-quarter planning horizon, using the parameter
estimates from the time-series model; and (4) converting the
projected summary measure into a full set of quarterly transi­
tion matrices. BHCs using such an approach should be able to
demonstrate that the summary measure responds to changes
in economic conditions as expected (that is, worsens as the
economic condition deteriorates) and results in projected rat­
ing transition matrices that are consistent with the severity of
scenario. Judgm entally selecting transition matrices from past
stress periods is a weak practice, as it may produce loss esti­
mates that are not consistent with a given scenario and fails to
recognize that conditions in the future may not precisely mirror
conditions observed by the BHC in the past.
Sound rating transition models require two fundamental build­
ing blocks: a robust time series of data and well-calibrated,
granular-risk rating systems. The Federal Reserve expects
BHCs that use rating transition models to have robust time
series of data that include a sufficient number of transitions,
which allows BHCs to establish a statistically significant rela­
tionship between the transition behavior and macroeconomic
variables. Data availability has been a widespread constraint
inhibiting the developm ent of granular transition models
because a sufficient number of upgrades and downgrades are
necessary to preclude sparse matrices. In order to overcome
these data limitations, BHCs have often relied on third-party
data to develop rating transition models. Consistent with the
Federal Reserve's general expectations, when using third-party
data, BHCs should be able to demonstrate that the transition
matrices estimated with external data are a reasonable proxy
for the migration behavior of their portfolios. Rating transition
models also require granular ratings systems that capture dif­
ferences in the potential for defaults and losses for a given set
of exposures in various economic environments. BHCs that lack
well-calibrated, granular credit-risk rating systems are often
unable to produce useful transition matrices.
Chapter 14 Capital Planning at Large Bank Holding Companies
BHCs with stronger practices typically had more granular ratings
system and accounted for limitations in their data and/or credit
rating systems by making adjustments to model assumptions or
estimates, or by supplementing internal data with external data.
BHCs with weaker practices often failed to demonstrate that
supplemented external data adequately reflected the ratings
performance of the BHC's portfolio. BHCs with weaker practices
also sometimes relied on a risk rating process that historically
resulted in lumpiness in rating upgrades and downgrades or
material concentrations in one or two rating categories. As
a result, these BHCs often produced transition matrices with
limited sensitivity to scenario variables, and resulting estimates
were more consistent with long-term average default rates than
with default rates that would be experienced under severe eco­
nomic stress.
Roll-Rate Models
Many BHCs have used roll-rate models to estimate losses for
various retail portfolios. Roll-rate models generally estimate
the rate at which loans that are current or delinquent in a given
quarter roll into delinquent or default status in the next period.
As a result, they are conceptually similar to rating transition
models. The Federal Reserve expects BHCs that use roll-rate
models to have a robust time series of data with sufficient gran­
ularity. The robust time series data allow the BHC to establish
a strong relationship between roll rates and scenario variables,
while the availability of granular data enables BHCs to model
all relevant loan transitions and to segment the portfolio into
subportfolios that exhibit meaningful variations in performance,
particularly during the period of stress. In general, BHCs should
estimate roll rates using models that are conditioned on sce­
nario variables. For certain transition states where statistical rela­
tionships between roll rates and scenarios are weak (such as late
stage loan delinquency), BHCs should incorporate conservative
assumptions rather than relying solely on statistical relationships.
While roll-rate models have some advantages, including trans­
parency and ease of use, they often have a weak predictive
power outside the near future, particularly if they are not prop­
erly conditioned on scenario variables. As a result, some roll-rate
models have limited usefulness for stress testing over a longer
horizon, such as the nine-quarter planning horizon required in
CC A R. Some BHCs have used roll-rate models in conjunction
with other estimation approaches (such as a vintage model
described below) that project losses for later periods. In general,
it is a weaker practice to combine two different models, as it can
introduce unexpected jumps in estimated losses over the plan­
ning horizon, though some BHCs have judgmentally weighed
two different estimation methods to smooth projected losses. If
■ 253
BHCs combine two models, they should be able to demonstrate
that such an approach is empirically warranted based on output
analysis, including sensitivity analysis, and that the process of
transitioning from one set of results to the other is consistent,
well supported, and transparent.
Vintage Loss Models
Some BHCs use vintage loss models, also known as age-cohort-
time models, to estimate losses for certain retail portfolios.
BHCs that use vintage loss models generally segment their retail
portfolios by vintage and collateral- or credit-quality-based
segments. Losses are estimated using a multistep process—
developing a baseline seasoning curve for each segment and
using a regression model to estimate sensitivity of losses to
macroeconomic variables at each seasoning level (e.g., four
quarters after origination). This technique is commonly used in
several vendor models, but BHCs also have developed and used
proprietary models using this technique.
These models have several advantages (such as natural seg­
mentation of portfolio by cohort and maturity) and ease of
application to credit products (such as auto loans) that exhibit
lifecycle effects. However, vintage models can be very challeng­
ing to construct, calibrate, and validate. In particular, it may be
difficult to separately identify vintage effects from the effects of
macroeconomic variables, which can result in poorly specified
models. These models also assume that different cohorts will
experience similar losses over time, generating results that are
representative of average years, rather than during the period of
stress. In using vintage models, it is important for a BHC to be
able to demonstrate that the approach appropriately reflects its
portfolio composition and history, and that modeled outputs are
consistent with stressed conditions.
Charge-Off Models
A minority of BHCs have used net charge-off (N CO ) models as
either a primary loss-estimation model or a benchmark model.
Typically, the N CO models BHCs used estimated a statistical
relationship between charge-off rates and macroeconomic
variables at a portfolio level, and often included autoregres­
sive terms (lagged N CO rates). W hile some BHCs also incorpo­
rated variables that describe the underlying risk characteristics
of the portfolio, N CO models that BHCs used for capital plan­
ning generally did not capture variation in sensitivities to risk
drivers across important portfolio segm ents nor accounted for
changes in portfolio risk characteristics over tim e. As a mat­
ter of general practice, BHCs should not use models that do
not capture changes in portfolio risk characteristics over time
and in scenarios used for stress testing as part of their internal
capital planning.
254 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
NCO models often exhibit lower explanatory power than mod­
els that consider distinct portfolio risk drivers. In addition, NCO
models implicitly assume that historical charge-off performance
is a good predictor of future performance; however, the histori­
cal relationship between charge-offs and macro variables may
not be realized under very stressful scenarios that fall outside
the portfolio's actual historical experience. Accordingly, a NCO
model that is estimated without using sufficient segmentation or
does not account for current or changing portfolio composition
is unlikely to produce robust loss estimates. Thus, BHCs should
avoid using such a NCO model as the primary loss-estimation
approach for a material portfolio.
Scalar Adjustments
Some BHCs have used simple scalars to adjust portfolio loss
estimate under a baseline scenario upward for stress scenarios.
Scalars have been calibrated based on some combination of
historical performance, the ratio of modeled stressed losses to
baseline losses estimated for other portfolios, and expert judg­
ment. Scalar adjustments are easy to develop, implement, and
communicate; however, the approach has significant shortcom­
ings, including lack of transparency and lack of sensitivity to
changes in portfolio composition and scenario variables. Con­
sequently, the use of these types of approaches should be, at
most, limited to immaterial portfolios.
Available-for-Sale (AFS) and Held-to-Maturity
(HTM) Securities
BHCs should test all credit-sensitive AFS and HTM securities for
potential other-than-temporary impairment (OTTI) regardless of
current impairment status. The threshold for determining OTTI
for structured products should be based on cash-flow analysis
and credit analysis of underlying obligors. Most BHCs used a
ratings-based approach to determine OTTI of direct obligations
such as corporate bonds, based on the projection of ratings
migration under a stress scenario and a ratings-based OTTI
threshold. However, some BHCs with weaker practice used a
ratings-based approach that kept the ratings static over the sce­
nario horizon.
BHCs should have quantitative methods that capture appropri­
ate risk drivers and explicitly translate assumed scenario condi­
tions into estimated losses. Estimation methods should generate
results that conform to standard accounting treatment, are con­
sistent with scenario conditions, and are appropriately sensitive
to changes in key variables. Any assumptions (e.g., assumptions
related to loss recognition) should be consistent with the intent
of a stress testing exercise. Additionally, models should be inde­
pendently validated for their use in projecting OTTI losses for
specific classes of securities.
OTTI processes for A FS and HTM securities portfolios varied in
sophistication across BHCs. BHCs with leading practices used
estimation methods that capture both security-specific and
country-specific performance data for relevant portfolios. For
securitized products, they modeled the credit risk of underlying
exposures (e.g., commercial real estate loans) to estimate poten­
tial losses. Where BHCs used management judgment, it was lim­
ited and well supported in the methodology documentation.
In addition, BHCs with leading practices chose conservative
approaches and assumptions for OTTI loss estimation, such as
recognizing losses in early quarters rather than over the entire
scenario horizon. Though, under current accounting rules, OTTI
losses are recognized only up to the amount of unrealized
losses, some BHCs have taken a conservative approach to allow
OTTI losses to exceed projected unrealized losses.
BHCs with lagging practices did not test all credit-sensitive
securities for potential O TTI; rather, they tested only currently
impaired positions or securities that met a certain criteria (e.g.,
only securities rated below investment grade) for O TTI. BHCs
should not rely solely on a ratings-based threshold to deter­
mine OTTI for structured products. BHCs with lagging practices
had OTTI loss-estimation methodologies that did not capture
appropriate risk drivers or scenario conditions and/or were not
applied at a sufficiently granular level. In some cases, BHCs
excluded key explanatory variables for certain asset classes.
For example, the unemployment rate was used to project OTTI
losses for non-agency residential mortgage-backed securities
(RMBS), but the housing price index (HPI) was excluded even
though the theory and empirical evidence points to a strong
relationship between mortgage losses and housing prices. As a
result of these methodology deficiencies, these BHCs projected
OTTI losses that were inconsistent with the risk characteristics of
the portfolio and assumed scenario conditions.
Operational Risk
Best practices in operational-risk models are still evolving, and
the Capital Plan Rule does not require BHCs to use advanced
measurement approach (AMA) models for stressed operational-
risk loss estimation.34 However, BHCs that have developed a
rich set of data to support the AM A should consider leveraging
the same data and risk-management tools to estimate opera­
tional losses under a stress scenario, regardless of a particular
methodology they choose to estimate losses.
Most operational-risk models use historical data on operational-
risk loss "events"— incidences in which a BHC has experienced a
loss or been exposed to loss due to inadequate or failed internal
34 12 CFR part 225, appendix G.
Chapter 14 Capital Planning at Large Bank Holding Companies
processes, people, or systems or from external events. Generally,
operational-risk events are grouped into one of several event-
type categories, such as internal fraud, external fraud, or damage
to physical assets.35 In general, BHCs should use internal
operational-loss data as a starting point to provide historical per­
spective, and then incorporate forward-looking elements, idio­
syncratic risks, and tail events to estimate losses. Most BHCs
have supplemented their internal loss data with external data
when modeling operational-risk loss estimates and scaled the
losses to make the external loss data more commensurate with
their individual risk profiles. The Federal Reserve expects such
scaling approaches to be well supported. Few BHCs have incor­
porated business environment and internal control factors such
as risk control self-assessments and other risk indicators into their
operational-risk methodology. While the Federal Reserve does
not expect BHCs to use these qualitative tools as direct inputs in
a model, they can help identify areas of potential risk and help
BHCs select appropriate scenarios that stress those risks.
Internal Data Collection and Data Quality
The Federal Reserve expects BHCs to have a robust and com­
prehensive internal data-collection method that captures key
elements, such as critical dates (i.e., occurrence, discovery, and
accounting), event types, and business lines. In general, BHCs
should use complete data sets of internal losses when modeling,
and not judgmentally exclude certain loss data.
Data quality and comprehensiveness have varied consider­
ably across BHCs. BHCs with lagging practices often excluded
certain internal loss data from model input for various reasons.
Examples include
• excluding large items such as legal reserves and tax/ compli­
ance penalties;
• omitting losses from merged or acquired institutions mergers
or acquisitions due to complications in collection and aggre­
gation; and
• excluding loss data from discontinued business lines, even
though the loss events were reasonably generic and appli­
cable to remaining business lines within the organization.
Some BHCs have addressed observed outliers by omitting them
from the data set, modeling them separately, or applying an add­
on based on scenario analysis or management input. If BHCs do
not have the data from potential mergers and acquisitions, one
35 For example, the seven event-type categories used for AMA are inter­
nal fraud; external fraud; employment practices and workplace safety;
clients, products, and business practices; damage to physical assets;
business disruption and system failures; and execution, delivery, and
process management.
■ 255
way to account for this limitation is to scale existing internal data
using the size of operations and apply an add-on to applicable
business lines or units of measure. If a BHC excludes data or uses
data-smoothing techniques, especially as they affect large losses,
it should have a well-supported rationale for doing so, and clearly
document the rationale and the process.36
The Federal Reserve expects BHCs to segment their loss data
into units of measure that are granular enough to capture similar
losses while balancing it with the availability of data. Most BHCs
have segmented datasets by event type; however, some BHCs
have segmented the loss data by consolidated business lines,
event types, or some combination of the two.
Correlation with Macroeconomic Factors
Most BHCs have attempted to identify correlation between
macroeconomic factors and operational-risk losses, but some
have struggled to identify a clear relationship for some types
of operational-risk loss events. BHCs that did not identify a
significant correlation typically developed other methodolo­
gies, such as scenario analysis layered onto modeled results, to
project stressed operational-risk losses. These approaches can
be reasonable alternatives if BHCs can demonstrate that their
approach results in sufficiently conservative loss estimates that
are consistent with the stress scenario.
BHCs that identified correlations between macroeconomic fac­
tors and operational-risk elements typically had large data sets
and often used external loss data to supplement internal data.
These BHCs often identified correlations between loss fre­
quency and macroeconomic factors for certain event types and
adjusted the frequency distributions for the respective event
type accordingly.
Common Operational-Loss-Estimation Approaches
Most BHCs have used their annual budgeting or forecasting
process to estimate operational losses in the baseline scenario.
The process typically uses a combination of historical loss data
and management input at a business-line level. Some BHCs
have used historical averages from internal loss data to estimate
losses in the baseline scenario.
BHCs with stronger practices used a combination of approaches
to incorporate historical loss experience, forward-looking ele­
ments, and idiosyncratic risks into their stressed loss projections.
Using a combination of approaches can help address model
and data limitations. Some BHCs used separate models for
certain events types such as fraud or litigation, and used other
approaches (e.g., using historical averages) for event types
36 See FR Y-14A reporting form: Summary Schedule Instructions, p. 5.
256 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
where no correlation with macroeconomic factors was identified.
A simple approach may be acceptable depending on the size
and complexity of the BHC as well as data and sophistication of
models available to them. Very few BHCs have yet developed
benchmarks to either challenge or further support the projec­
tions provided by their main models.
Regression Models
Most BHCs have used a regression model, either by itself or with
another approach described below, to estimate operational-
risk losses for stress scenarios. Some BHCs also have used a
regression model for the baseline scenarios, albeit with different
parameters. Operational-risk regression models are generally
used to estimate two variables: loss frequency (i.e., the number
of operational-risk losses) and loss severity (i.e., the loss amount).
BHCs that were able to identify significant correlation between
macroeconomic variables and operational-risk losses have
used regression models to stress the loss frequency or total
operational-risk losses. Some macroeconomic variables were
adjusted for the purpose of correlation analysis or to reflect
time-lag assumptions. Most BHCs judgmentally chose time peri­
ods for estimation and model specification rather than justifying
them with statistical evidence.
Most BHCs were not able to find meaningful correlation
between macroeconomic variables and operational-risk loss
severity. As a result, BHCs that used a regression model to esti­
mate loss frequency typically applied the loss-severity assump­
tion (e.g., static or four-quarter moving average) based on the
most recent crisis period to estimate operational losses.
Modified Loss-Distribution Approach (LDA)
The LDA is an empirical modeling technique commonly used
by BHCs subject to the AM A to estimate annual value-at-risk
(VaR) measures for operational-risk losses based on loss data
and fitted parametric distributions. The LDA involves estimat­
ing probability distributions for the frequency and the severity
of operational loss events for each defined unit of measure,
whether it is a business line, an event type, or some combination
of the two.
The estimated frequency and severity distributions are then
combined, generally using a Monte Carlo simulation, to esti­
mate the probability distribution for annual operational-risk
losses at each unit of measure.
For purposes of C C A R , LDA models have generally been used
in one of two ways: (1) by using a lower confidence interval than
the 99.9th percentile used by the AM A, or (2) by adjusting the
frequency based on outcomes of correlation analysis. BHCs
that modified the LDA by using a lower confidence interval
typically have used either the mean or median for the baseline
estimates and higher confidence intervals—typically ranging
from 70th percentile to 98th percentile— for the stressed esti­
mates. Additionally, some BHCs have used different confidence
intervals for different event types. The Federal Reserve does not
require BHCs to use a particular percentile to produce stressed
estimates. However, it expects BHCs to implement a credible,
transparent process to select a percentile; be able to demon­
strate why the percentile is an appropriate choice given the
specific scenario under consideration; and perform sensitivity
analyses around the selection of a percentile to test the impact
of this assumption on model outputs. Some BHCs modified the
LDA by adjusting frequency distributions based on the observed
correlation between macroeconomic variables and operational-
risk losses.
Scenario Analysis
Scenario analysis is a systematic process of obtaining opinions
from business managers and risk-management experts to assess
the likelihood and loss impact of plausible severe operational-
loss events. Some BHCs have used this process to determine a
management overlay that is added to losses estimated using a
model-based approach. BHCs have used this overlay to incor­
porate idiosyncratic risks (particularly for event types where cor­
relation was not identified) or to capture potential loss events
that the BHC had not previously experienced. BHCs should be
able to demonstrate the quantitative effect of the management
overlay on final loss estimates.
Scenario analysis, if used effectively, can help compensate for
data and model limitations, and allows BHCs to capture a wide
range of risks, particularly where limited data are available. The
Federal Reserve expects BHCs using scenario analysis to have a
clearly defined process and provide an appropriate rationale for
the specific scenarios included in their loss estimate. The pro­
cess for choosing scenarios should be credible, transparent, and
well supported.
Historical Averages
Some BHCs used historical averages of operational-risk losses,
in combination with other approaches noted above, to estimate
operational-risk losses under stress scenarios. For example,
BHCs have used historical averages for event types where no
correlation between macroeconomic factors and operational-
risk losses was identified but used a regression model for
event types where correlations were identified. A small number
of BHCs have used historical averages as the sole approach
to develop stressed loss estimates. When used alone, this
approach is backward-looking and excludes potential risks the
BHCs have not experienced. When using historical averages,
Chapter 14 Capital Planning at Large Bank Holding Companies
BHCs should support the chosen time periods, thresholds,
and any excluded or adjusted outliers and demonstrate that
loss estimates are consistent with what are expected in the
stress scenario.
Legal Exposures
Since legal exposure represents a significant portion of opera­
tional losses for many BHCs, a number of BHCs have analyzed
and projected legal losses separately from non-legal losses. The
Federal Reserve expects BHCs to include all legal reserves and
settled legal losses in their total loss estimate for operational
risk. BHCs have used various methods to estimate legal losses,
such as applying a judgment-based add-on for significant losses;
using legal reserves; using historical averages; or creating sepa­
rate regression models for the clients, products, and business
practices event type. To estimate litigation losses resulting from
representations and warranties liabilities related to mortgage
underwriting activities, some BHCs have developed hazard-rate
models based on historical loan performance to estimate default
rates and then estimated repurchase claim rates.
Market Risk and Counterparty Credit Risk
BHCs that have sizeable trading operations may incur significant
losses from such operations under a stress scenario due to valu­
ation changes stemming from credit and/or market risk, which
may arise as a result of moves in risk factors such as interest
rates, credit spreads, or equity and commodities prices, and
counterparty credit risk owing to potential deterioration in the
credit quality or outright default of a trading counterparty.37
BHCs use different techniques for estimating such potential
losses. These techniques can be broadly grouped into two
approaches: probabilistic approaches that generate a distribu­
tion of potential portfolio-level profit/loss (P/L) and deterministic
approaches that generate a point estimate of portfolio-level
losses under a specific stress scenario.
Both approaches have different strengths and weaknesses. A
probabilistic approach can provide useful insight into a range of
scenarios that generate stress losses in ways that a deterministic
stress testing approach may not be able to do. However, the
probabilistic approach is complex and often lacks transparency,
and as a result, it can be difficult to communicate the relevant
scenarios to senior managers and the board of directors. In addi­
tion, the challenges inherent in tying probabilistic loss estimates
37 Under the Federal Reserve's stress testing rules, BHCs with greater
than $500 billion in total consolidated assets who are subject to the
market risk rule (12 CFR part 225, appendix E) are required to apply the
global market shock as part of their annual Dodd-Frank Act company-
run stress tests.
■ 257
to specific underlying scenarios can make it difficult for manage­
ment and the board of directors to readily discern what actions
could be taken to mitigate portfolio losses in a given scenario.
Combined, these factors complicate the use of probabilistic
approaches as the primary element in an active capital planning
process that reflects well-informed decisions by senior manage­
ment and the board of directors. The Federal Reserve expects
BHCs using a probabilistic approach to provide evidence that
such an approach can generate scenarios that are potentially
more severe than what was historically experienced, and also to
clearly explain how BHCs use the scenarios associated with tail
losses to identify and address their idiosyncratic risks.
By comparison, a deterministic approach generally produces
scenarios that are easier to communicate to senior management
and the board of directors. However, a deterministic approach
often uses a limited set of scenarios, and may miss certain
scenarios that may result in large losses. The Federal Reserve
expects BHCs using a deterministic approach to demonstrate
that they have considered a range of scenarios that sufficiently
stress their key exposures.
For CC A R, most BHCs generally relied on a deterministic
approach. BHCs using deterministic approaches often relied
on statistical models— for example, to inform the magnitude of
risk-factor movements and covariances between risk factors—
and also considered multiple scenarios as part of the broader
internal stress testing supporting their capital planning process.
BHCs using deterministic approaches used a three-step process
to generate P/L losses under a stress scenario:
1. Design and selection of stress scenarios
2. Construction and implementation of the scenario (that is,
translation to risk-factor moves)
3. Revaluation (and aggregation) of position and portfolio-
level P&L under the stress scenarios
The Federal Reserve expects BHCs to have robust operational
and implementation practices in all areas, including position
inclusion, risk-factor representations, and revaluation methods.
S tre ss Scenarios
Most BHCs using deterministic approaches developed a set of
broad narratives and considered a number of market shock sce­
narios that address the breadth of the BHCs' risks before select­
ing the scenario included in their capital plans. In general, these
BHCs used some combination of historical events and hypo­
thetical projections to inform and develop the market shock
scenarios. They also developed certain core themes or narra­
tives for each scenario, which was sometimes supplemented
with an overlay to capture additional nuances. BHCs generally
258 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
developed the overlays using expert judgm ent based on the
knowledge of their positions and market developments.
The Federal Reserve expects BHCs to consider multiple market
shock scenarios as part of their internal stress testing. BHCs
should develop and use stress scenarios that severely stress
BHCs' mark-to-market positions and account for BHCs' idiosyn­
cratic risks, in the event of a market-wide or firm-specific stress.
In developing scenarios, BHCs should ensure that stress scenar­
ios appropriately stress positions or products in which the BHC
has a large market share (net or gross) or is a dominant player
and should also consider more unusual basis risks arising from
complex interlocking and interdependent positions, if such
moves could result in large losses. BHCs that only use a scenario
that closely mirrors the Federal Reserve's global market shock
component of the severely adverse and adverse scenarios
should be aware that such an approach may omit significant
risks that are unique to their positions, and that such omissions
could lead to a negative assessment of a firm's capital planning
process. BHCs should clearly document the process they use to
select stress scenarios, with sufficient justification and clear artic­
ulation of key aspects of the scenarios.38
Translating Scenarios to Risk Factor Shocks
Once broad scenarios were developed, BHCs translated these
scenarios into concrete specification of individual risk factors
that were the actual inputs to pricing models, typically using the
existing risk infrastructures and processes used for risk manage­
ment, such as VaR and credit valuation adjustment (CVA). Most
BHCs used instantaneous market shocks for stress testing, which
assumed highly stressful outcomes that have typically occurred
over a period of time (days, weeks, or months) will occur instan­
taneously. Given the uncertainty surrounding a firm's ability to
exit or manage positions during a period of severe market
stress, this is an appropriate practice and suitably conservative
for capital planning. Consistent with general supervisory expec­
tations around risk-measurement processes, BHCs should clearly
document the approximations and assumptions used as part of
their measurement of risks under stress, assess the potential
impacts, and address any deficiencies identified.39
The size of shocks assumed in the stress scenario is often quite
large. As a result, mechanical application of such shocks to cur­
rent levels of risk factors could result in implausible outcomes
such as negative riskfree rates or negative forward rates. BHCs
should ensure that the proposed shocks produce results that are
38 See FR Y-14A reporting form: Summary Schedule Instructions, pp. 5-6.
39 See id., p. 6.
plausible. In particular, BHCs should take care in modeling dislo­
cations and discordant moves of risk factors that normally move
similarly. Additionally, while dislocations and discordant moves
are expected under stress, BHCs should have a process to
assess that the resulting joint moves of risk factors are reason­
able. Also, the dislocations and discordant moves implied by a
stress scenario may require risk-factor mappings that deviate
from the normal mappings. BHCs should clearly document
instances of such deviation and provide support.40
Revaluation Methodologies and P/L Estimates
In principle, revaluation for stress testing can be carried out
using the same infrastructure and calculators as conventional
risk-measurement tools. However, practical revaluation methods
may embed a number of approximations, which could introduce
mismeasurement into the stress test results. In particular, VaR
methodologies often use approximation methods for a number
of reasons— for example, to economize on computational costs
related to running a large number of scenarios daily. Although
approximation methods may perform adequately for the risk-
factor moves that are considered in normal conditions (for a
small number of scenarios), BHCs should generally use "full-
revaluation" methods for stress testing, given the very large
risk-factor moves, especially for nonlinear positions with value
dependent on multiple risk factors. BHCs can use approximation
methods on a limited basis if extensive tests and analyses sug­
gest that the potential mismeasurement from using such meth­
ods is not significant. BHCs should clearly support the process
they use to ascertain the extent of such mismeasurements. Also,
for certain parameters that are not easily "market-observable"
and, therefore, cannot be inferred from traded instruments
(e.g., correlations for credit-default baskets and correlations for
certain interest-rate and exchange-rate pairs), BHCs should con­
sider suitably perturbed values of the model parameters.
In addition, BHCs should ensure that P/L estimates under the stress
scenario are relatively easy to interpret and explain. For example,
BHCs with leading practices easily identified key P&L drivers in
terms of positions, asset classes, and risk types. BHCs should also
conduct sensitivity analysis to ensure that P/L estimates under the
stress scenario are robust, without being unduly sensitive to small
changes in inputs, assumptions, and modeling choices.
Counterparty and Issuer Defaults
Defaults of counterparties or issuers and/or reference entities
are typically not embedded directly within the instantaneous
40 See id., pp. 5-6.
Chapter 14 Capital Planning at Large Bank Holding Companies
market shock scenario. BHCs often use a model similar to that
used for the incremental risk regulatory capital charge— a proba­
bilistic approach based on some measure of PD, LGD, and EAD
of counterparties or issuers—to estimate losses from possible
defaults over some future horizon (e.g., to the typical margin
period of risk). BHCs with leading practices also considered for
their internal stress testing an explicit default scenario of one
or more of their largest counterparties and/or customers. This
approach has the benefit of allowing the BHC to consider tar­
geted defaults of counterparties and customers to which the
BHC has large exposures.
Risk Mitigants and Other Assumptions
Some BHCs have incorporated management responses to the
stress, assuming, for example, some positions would be sold
or hedged over time under the stress scenario. The Federal
Reserve expects any assumptions about risk mitigation to be
conservative. Where BHCs assume management actions that
have the effect of reducing losses under the scenario, they
should be able to demonstrate that such actions are consistent
with established policy, supported by historical experience,
and executable with high confidence in the market environ­
ment contemplated by the scenario. BHCs should recognize
that their ability to take mitigating actions may be more limited
in the stress scenario. For example, it may not be reasonable
to assume that BHCs can easily sell their positions to other
BHCs under the stress scenario. In addition, BHCs should avoid
making unrealistic assumptions about their ability to foresee
precisely how a scenario would play out, and take action on the
basis of that information.
PPNR Projection Methodologies
The Capital Plan Rule requires BHCs to estim ate revenue and
expenses over the nine-quarter planning horizon.41 A cco rd­
ingly, BH Cs should have effective processes for projecting
PPNR and its revenue and expense subcom ponents over the
same range of stressful scenarios and environm ents used for
estim ating losses. In projecting these amounts, BHCs should
consider not only their current positions, but also how their
activities and business focus may evolve over time under the
varying circum stances and operating environm ents reflected
in the scenarios being used.
41 12CFR 225.8(d)(2)(i).
■ 259
General Considerations for Robust
PPNR Projections
As part of a comprehensive enterprise-wide scenario analysis
program, BHCs should have methodologies that generate
robust projections of PPNR consistent with the current and
projected paths of on- and off-balance-sheet exposures, risk-
weighted assets (RWA), and other exposure assumptions used
for related loss estimation. PPNR projections should also be
consistent with assumed scenario conditions and be projected in
accordance with the same accounting basis that would be used
to calculate relevant capital ratios. BHCs should project all key
elements of PPNR at a level of granularity consistent with the
materiality of revenue and expense components and sufficient
to capture differing drivers of revenue and expenses across
the organization. Finally, BHCs should consider the effects that
regulatory changes (e.g., changes in deposit insurance coverage
limits) may have on their ability to replicate historical perfor­
mance or achieve stated goals.
Key assumptions that may materially affect PPNR estimates
should be consistent with assumed scenario conditions and
internally consistent within each scenario, particularly assump­
tions related to the business model and strategy (e.g., deposit
growth, pricing assumptions, expense reductions, and other
management actions). Management is expected to evaluate the
reasonableness and timing of projected strategies, including
mitigating actions taken in a stressful scenario, to ensure that
the assumptions reflect realistic and achievable outcomes for
a given scenario. Where possible, assumptions should be sup­
ported by quantitative analysis or empirical evidence.
In all cases, BHCs should ensure that projections (including
those of PPNR, loss, balance sheet size and composition, and
RWA) present a coherent story within each scenario. BHCs
should clearly establish a relationship among revenue, expenses,
the balance sheet, and any applicable off-balance-sheet items
and document how their process generates a consistent and
coherent evolution of these items over the course of the sce­
nario.42 For example, origination assumptions should be the
same for projecting loan balances, related loan fees, origination
costs, and loan losses. Similarly, there should be coherence
among trading revenue projections, trading assets, trading lia­
bilities, and trading RWA projections. Management should doc­
ument the relationships among these items and avoid cases
where outcomes move in counterintuitive directions.43
42 See 12 CFR 225.8(d)(i)-(ii); FR Y-14A reporting form: Summary
Schedule Instructions, pp. 5-6.
43 See id.
260 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Observed PPNR Projection Practices
The translation of macroeconomic assumptions into projections
of PPNR over a range of stressful scenarios and environments
can take many forms, and BHCs used a variety of approaches
and models to make these projections. BHCs with stronger
practices demonstrated strong interactions among central
planning functions, business lines, and the treasury group, with
an open flow of information and a robust challenge process.
A t these BHCs, the role of the central group was not just to
aggregate components of PPNR projections. In some cases,
the corporate planning areas also provided independent pro­
jections that were compared to the aggregated business line
results as a part of the challenge process. A t other BHCs, the
corporate planning group derived the PPNR projections, which
were then discussed and challenged by business lines. Both
approaches resulted in better-supported assumptions and
projections than approaches in which the central group simply
aggregated projections made by others.
In addition, BHCs with stronger practices made projections
based on a full exploration of the most relevant relationships
between assumed scenario conditions and revenues and
expenses. At these BHCs, business-line expertise was leveraged
in the development of methodologies. A key part of this explo­
ration was determining the way that revenues and expenses
were segmented for projection purposes. BHCs with stronger
practices did not rely exclusively on the line-item definitions in
regulatory reports, though these BHCs often established a pro­
cess to clearly map internal BHC reporting conventions to the
various line items on the FRY-14 schedules.
In contrast, BHCs with lagging practices lacked clear processes
for translating assumed scenario conditions into revenue and
expense projections. Frequently, it was observed that one or
more material components of their projections appeared incon­
sistent with scenario conditions. In some cases, projections of
certain revenue and expense components relied heavily on
management judgment, which was not transparent, well sup­
ported, or subject to a robust challenge process. In other cases,
revenue estimates varied from historical experience and conven­
tional expectations, and management provided no documented
support or analysis around the reasonableness and sensitivity
of modeling assumptions. Overall, data limitations, unclear or
unsubstantiated management assumptions, and poor documen­
tation were the problems most prevalent across the BHCs.
Another commonly observed practice for estimating PPNR
under stressed conditions was the adjustment of budget or
baseline estim ates, with budget estimates largely qualitatively
derived through input from a variety of business lines and/or
stakeholders across the BHC. Although a process of adjusting
baseline estimates is not problematic in itself, some BHCs
relied heavily on baseline estim ates to develop stress scenario
outcomes without considering favorable strategic actions and
assumptions incorporated into baseline results that might not
be realistic or feasible under stressed conditions. If a BHC
derives stressed estimates by applying a stress overlay to base­
line estim ates, it should demonstrate the link between baseline
estimates and baseline conditions, demonstrate the appro­
priateness of the overlay based on the differing conditions
between the scenarios, and appropriately consider changes
in management actions or other related assumptions under a
stress scenario.
BHCs with weaker practices used models with low predictive
power, in part due to data limitations. BHCs should not use
weak models just for the sake of using a modeled approach to
PPNR. Some BHCs used weak models either as a frame of refer­
ence or a starting point to translate economic factors into esti­
mates of key PPNR components, but then adjusted the results
using expert judgment. In such cases, BHCs should thoroughly
explain and document why results, once adjusted, are consistent
with the scenario conditions.44 In cases where models have low
predictive power, BHCs with stronger practices found other
ways to compensate, such as using industry-level models with
BHC-specific market share assumptions to project revenue. In all
cases, BHCs with stronger practices provided supplemental
analysis describing why the approach was appropriate.
In cases where BHC-specific data were limited, BHCs with
stronger practices used external data to augment and extend
their internal data. BHCs with weaker practices relied on
models that were overly influenced by limited data covering a
single economic cycle. This approach is particularly problem ­
atic if the BHC also experienced favorable conditions, such as
a significant recovery, during the single cycle, which might not
recur in future downturns. In some cases, data were limited to
as few as 10 quarters, which would not encompass a period
of economic weakening or be sufficient to estimate a robust
model, and thus would not be appropriate for considering
potential results in a downturn. Many BHCs cited challenges
due to systems mergers or changes that limited data availabil­
ity, but failed to adequately compensate for these limitations
by supplementing internal data with external industry data,
where appropriate, or by considering whether longer time
series of available aggregate data would be preferable to a
shorter time series of more granular data.
Some BHCs with weaker practices made business model and
strategy assumptions (e.g., new business, expense reductions,
44 See id.
Chapter 14 Capital Planning at Large Bank Holding Companies
the assumption of mitigating actions) that were not consistent
with stressed scenario conditions and the intent of a capital
planning and stress testing exercise. For example, management
assumed it would be able to drastically reduce loan origina­
tion activity, cut expenses, or take other mitigating actions in a
severely adverse scenario without considering the longer-term
consequences on the BHC's strategy and operating structure.
The following sections provide specific expectations for project­
ing key components of PPNR, as well as summary points on
observed range of practice.
Net Interest Income
Net interest income projections are closely linked to many other
elements of a BHC's capital plan. Balance sheet assumptions
used to project net interest income should be consistent with
balance sheet assumptions considered as part of loss estimation
as well as with other asset and liability management assump­
tions. Loan pricing should be consistent with both scenario
conditions and competitive and strategic factors, including pro­
jected changes to the size of the portfolio. Deposit projections
should incorporate the impact of strategic plans and pricing on
deposit growth or decline, in addition to scenario factors.
Net interest income projections are expected to incorporate
the balances and contractual terms of current portfolio holdings
as well as the behavioral characteristics of these portfolios. The
methods BHCs use to project their net interest income should
be able to capture dynamic conditions for both current and pro­
jected balance sheet positions. Such conditions include but are
not limited to prepayment rates, new business spreads, re-pric­
ing rates due to changes in yield curves, behavior of embedded
optionality such as caps or floors, call options, and/or changes in
loan performance (that is, transition to nonperforming or default
status) consistent with loss estimates.
Some BHCs specified product characteristics and conducted
analysis around these characteristics (e.g., repricing behavior,
line utilizations) both for current assets and new originations in
order to understand the variance in behaviors under the different
scenarios considered. They also attempted to capture the prod­
uct mix changes that would occur as a result of customer and
market conditions (e.g., changes in domestic deposit mix due to
anticipated growth in demand for time deposits for a specified
scenario). BHCs with stronger documentation practices provided
detailed tables explaining underlying assumptions such as bal­
ance drivers and spread and growth assumptions by product.
Some BHCs partially integrated loss projections into net interest
income projections but did not adequately align all projection-
related assumptions. For example, these BHCs might take the
full loan loss projections and allocate them across the portfolios
■ 261
based on the current mix of nonperformance across those
loan portfolios, without considering the changing relative per­
formance of those portfolios over the course of the scenario.
Other BHCs were unable to demonstrate coherence between
net interest income projections and loss projections, generally
because one or both modeling approaches did not fully capture
the behavioral characteristics of the loan portfolio.
BHCs with stronger practices had net interest income projection
methodologies that captured adjustments in the amortization of
discounts or premiums for assets held at a value other than par
that would occur under various scenarios. Under FASB State­
ment No. 91,45 yields would adjust under varying scenarios as
amortization schedules change due to changes in expected pay­
ment speeds.
For pricing, many BHCs assumed a constant spread to a desig­
nated index. BHCs with stronger practices considered whether
this assumption was consistent with historical experience and
assumed scenario conditions as well as the BHC's strategy as
reflected in the balance sheet projections. Some BHCs rec­
ognized that new business pricing could differ as a result of
tightening or widening of spreads and documented these
assumptions.
Non-Interest Income
BHCs are expected to produce stressed projections of non­
interest income that are consistent with assumed scenario
conditions, as well as with stated business strategies. Due to
inherent challenges in estimating certain non-interest income
components, some BHCs used more than one method and/
or employed benchmark analysis to inform estimates. Stronger
methodologies estimated non-interest income at a granular-
enough level to capture key risk factors or characteristics
specific to an activity or product. For example, for asset man­
agement, many BHCs used different methods to project revenue
from brokerage activities and fund management activities.
Like all aspects of PPNR, internal consistency between non­
interest income and other assumptions such as projected paths
for the balance sheet and RWA is important. BHCs should estab­
lish relationships between material components of non-interest
income and the balance sheet for components that are highly
correlated with the path of the balance sheet, such as some
kinds of loan-related fee income. BHCs with trading assets
should document how trading revenue projections are linked to
trading assets, trading liabilities, and trading RWA and how all
these elements are consistent with conditions in the stress sce­
nario.46 BHCs with business profiles driven by off-balance-sheet
items should document how revenue projections are linked to
on- and off-balance-sheet behavior.47 Although relationships
between revenue and trading assets or off-balance-sheet items
may be weak over short periods, BHCs should nevertheless
establish a procedure for projecting relevant balance sheet and
RWA categories in support of those revenues and test for the
reasonableness of the implied return on assets (ROA). If a BHC
estimates trading or private equity revenue by tying balance
changes to changes in broad indices, the BHC should establish
the level of sensitivity of its positions relative to the indices and
not automatically assume a perfect correlation between the two.
BHCs with mortgage servicing right (MSR) assets should ensure
that delinquency, default, and voluntary prepayment assump­
tions are robust and scenario-dependent. These models should
capture macroeconomic variables, especially home prices. For
those BHCs that routinely hedge MSR exposure, hedge assump­
tions and results for enterprise-wide scenario analysis should
reflect the stress scenario. Some BHCs assumed a perfect or
near-perfect hedge relationship between changes in the value of
their MSR and hedge portfolio, and captured the ineffectiveness
of the hedge under the stress scenario through the net carry,
transaction costs, and/or bid-ask spread components. BHCs with
stronger practices used an optimization routine that dynamically
rebalanced the hedge portfolio each quarter.
BHCs with stronger practices considered individual business
models and client profiles when projecting revenue and fee
income from various business activities. BHCs with stronger
practices also considered capacity constraints when estimating
mortgage loan production and loan sales over the scenario hori­
zon, whereas BHCs with weaker practices assumed significant
increases in volume without regard to market saturation or other
factors. Other weaker practices observed included using the
same strategic business assumptions in both the baseline and
stress scenarios and making favorable assumptions around new
business and/or market share gains. For example, some BHCs
assumed that all baseline initiatives would be implemented
in stress scenarios without interruption or changes to the
outcomes.
In addition, BHCs with weaker practices did not show sufficiently
stressed declines in revenue relative to assumed scenario condi­
tions, despite stated correlations to macroeconomic and other

45 Financial Accounting Standards Board, "Accounting for Nonrefund-

able Fees and Costs Associated with Originating or Acquiring Loans
and Initial Direct Costs of Leases—an Amendment of FASB Statements
No. 13, 60, and 65 and a Rescission of FASB Statement No. 17 (Issued
12/86)," FASB Statement No. 91.
46 See FR Y-14A reporting form: Summary Schedule Instructions, p. 5.
47 12 CFR 225.8(d)(3)(iii); see also FR Y-14A reporting form: Summary
Schedule Instructions, pp. 5-6.

262 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
drivers. For example, while many BHCs showed significant
declines in credit card gross-interchange fee revenue due to
declines in consumer spending, some BHCs also assumed that
significant declines in marketing expenses recorded as contra-
revenue would more than offset the declines in gross inter­
change revenue, resulting in an increase in net revenue. Other
BHCs assumed revenue components, such as fees or trading
revenue, could not fall below historical levels.
Further, BHCs with weaker practices considered only a very lim­
ited set of scenario variables and/or drivers in establishing rela­
tionships, which resulted in estimates that appeared inconsistent
with the scenario. For example, some BHCs used interest rates
only to project origination activity or solely used asset balances
(instead of the number of accounts) to estimate account fees.
Other BHCs simply regressed high-level revenue items against
scenario factors rather than considering how scenario condi­
tions would affect the key drivers of those line items (such as
volume). For instance, modeling interchange revenues or asset
management fees is likely to be less effective than modeling
customer spending or assets under management, respectively,
given the scenario being used, and then considering fee and/or
rate movement.
Non-Interest Expense
BHCs should fully consider the various impacts of the assumed
scenario conditions on their non-interest expense projections,
including costs that are likely to increase during a downturn.
For example, items such as other real estate owned or credit-
collection costs may spike, whereas management may have
some ability to control other expenses. Like other projections,
non-interest expense projections should be consistent with bal­
ance sheet and revenue estimates and should reflect the same
strategic business assumptions. BHCs with weaker practices did
not account for additional headcount needs in certain areas, nor
for any corresponding changes to compensation expense asso­
ciated with increased collections activity resulting from declines
in portfolio quality and/or increased underwriting activity to sup­
port any assumed portfolio growth.
To the extent the projections assume mitigating actions to offset
revenue declines, BHCs should demonstrate that such actions
are attainable in the scenario, given assumed asset levels and
the resources necessary to support operations. If the projections
embed material expense reductions, such assumptions should
be supported with analysis of historical data or empirical evi­
dence and subject to challenge and review. BHCs with weaker
practices assumed mitigating actions consistent with past
actions but failed to consider how differences in the business
environment and the severity of the economic conditions might
affect their ability to execute such actions. BHCs are expected
Chapter 14 Capital Planning at Large Bank Holding Companies
to evaluate the timing of projected strategies and their impact
on future revenue, expenses, and operating structure.
BHCs with stronger practices had estimation methodologies
that considered the drivers of individual expense items and the
sensitivity of those drivers to changing scenario conditions and
business strategies. They considered the timing of non-interest
expense cuts and recognized that the BHC might not be able
to react to a developing stressful scenario immediately or might
be subject to existing contractual obligations that could not be
altered. BHCs with weaker practices generated non-interest
expense estimates that appeared unrealistic in light of assumed
scenario conditions. Some BHCs assumed that they could
immediately reduce costs through dramatic cuts in marketing
and rewards programs, compensation, or other discretionary
expenses. Projecting sizeable reductions in key expense compo­
nents without providing sufficient support as to the reasonable­
ness of the cuts, how management intends to realize the cuts,
and how the cuts will affect future revenue is not acceptable.
Additionally, such assumptions imply perfect knowledge of
the conditions as they unfold, rather than a series of indepen­
dent decisions that would be made by management as the
scenario unfolds.
14.8 ASSESSING CAPITAL
ADEQUACY IMPACT
Balance Sheet and RWAs
BHCs should have a well-documented process for generating
projections of the size and composition of on- and off-balance
sheet positions and RWA over the scenario horizon.48 Balance
projections are a key input to enterprise-wide scenario analysis
given their direct impact on the estimation of losses, PPNR, and
RWA. Estimating the evolution of balance sheet size and com­
position under stress integrates many interrelated features. For
example, loan balances and the stock of A FS securities at a
point in time will depend upon origination, purchase, and sale
activity from period to period, as well as maturities, prepay­
ments, and defaults. Due to complexities related to dynamically
projecting and integrating various components (e.g., origina­
tions, prepayments and defaults), most BHCs made direct pro­
jections of balances for each major segment of the balance
sheet (e.g., loans, deposits, trading assets and liabilities, and
other assets) for each quarter of the scenario horizon.
48 12 CFR 225.8(d)(2)(i)(A); see also FR Y-14A reporting form: Summary
Schedule Instructions, p. 6.
■ 263
BHCs often faced challenges in integrating the ultimate bal­
ance projections with other aspects—for example, borrower
or depositor behavior. BHCs with stronger practices separately
considered the drivers of change to asset and funding balances,
such as contractual paydowns, modeled prepayments, nonper­
formance, and new business activity for assets, rather than sim­
ply projecting targeted balances directly. At these BHCs, each
element was separately assessed for consistency with scenario
conditions and other management assumptions. BHCs with
stronger practices also either directly considered the impact of
these various factors in their balance projections or had proce­
dures to evaluate the reasonableness of any implied behavior
by including input from businessline leaders in the process and
iterating to reasonable estimates in a well-supported and trans­
parent manner.
BHCs should clearly establish and incorporate into their sce­
nario analysis the relationships among and between revenue,
expense, and on- and off-balance-sheet items under stressful
conditions. Most BHCs used asset-liability management (ALM)
software as a part of their enterprise-wide scenario-analysis
toolkit, which helps integrate these items. BHCs that do not use
ALM software must have a process that integrates balance sheet
projections with revenue, loss, and new business projections.
BHCs with more tightly integrated procedures were better able
to ensure appropriate relationships among the scenario condi­
tions, losses, expenses, revenue, and balances.
As noted above, BHCs should not rely on favorable assumptions
that cannot be reasonably assured in stress scenarios given the
high level of uncertainty around market conditions. Examples
of aggressive or favorable balance sheet assumptions include
(1) large changes in asset mix that serve to decrease BHCs' risk
weights and improve post-stress capital ratios but that are not
adequately supported or reflected in PPNR or loss estimates;
(2) "flight-to-quality" assumptions and funding mix changes
that increase deposits and reduce the dollar cost of funding; (3)
significant balance sheet shrinkage with no consideration of the
potential losses associated with reducing positions in periods
of market stress; and (4) operating margin improvement. BHCs
that make favorable assumptions should have sufficient evi­
dence that they can be reasonably assured in the assumed stress
scenario.
BHCs' RWA projections should be based on corresponding pro­
jections of on- and off-balance-sheet exposures and their risk
attributes and should be consistent with the severity of the
stress conditions under each scenario. For general credit-risk
exposures, BHCs should project balances for material asset cat­
egories with sufficient granularity to facilitate application of reg­
ulatory risk-weighting approaches associated with different asset
categories. For trading exposures, BHCs should translate
264 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
changes in scenario variables into risk-parameter estimates that
drive RWA calculations (e.g., the potential for RWA per dollar of
some trading book positions to increase in periods of higher lev­
els of general market volatility). Where RWA projections are
based on internal risk models, BHCs should not assume any
RWA reductions from potential data or model enhancements to
RWA calculation methodologies over the projection period. In
all cases, BHCs should document any assumptions made as part
of the balance sheet and RWA projection process and perform
independent reviews and validations of balance sheet and RWA
projection methodologies and resulting estim ates.49
Allowance for Loan and Lease
Losses (ALLL)
BHCs should maintain an adequate A LLL along the scenario
path and at the end of the scenario horizon. Reserve adequacy
should be assessed against projected size, composition, and
risk characteristics of the loan portfolio throughout the scenario
horizon. In general, the A LLL build and release should be consis­
tent with the scenario path, portfolio credit quality, loss recogni­
tion approach, loan loss estimates, and loan portfolio balance
projections (including any portfolio growth assumptions). If
BHCs use estimation approaches that implicitly delay the rec­
ognition of losses, such as net charge-off models, they should
adequately build reserves to account for losses not recognized
during the scenario horizon. If the approach relies on top-down
coverage levels, BHCs should compare coverage ratios and
loss-emergence periods to historical stress environments and
to internal policies and explain the differences if material differ­
ences exist.
Aggregation of Projections
BHCs should have a well-established and consistently executed
process for aggregating loss, revenue and expense, and on- and
off-balance sheet and RWA estimates, as part of enterprise-wide
scenario analysis, to assess the post-stress impact of those esti­
mates on capital ratios. BHCs that are more effective at imple­
menting such a process have established centralized groups
with responsibility for
• combining loss, revenue, balance sheet, and RWA
projections;
• providing strong governance and controls around the
process;
49 See id.
• ensuring coherence of component estimates and aggregate
results; and
• applying and documenting any adjustments.50
These centralized groups have been able to source estimates from
a range of internal parties involved in enterprise-wide scenario
analysis and develop consolidated pro forma financial results that
are internally consistent and conform to accounting standards.
BHCs should develop a governance structure around the
enterprise-wide scenario analysis process that provides for a
robust analysis and challenge of the coherence of the aggregate
results and determine whether any adjustments need to be
made based on the analysis. In particular, BHCs should assess
whether the paths of individual loss and revenue components
are consistent with the paths of balance sheet and RWA esti­
mates and the overall scenario path. For example, an increase
in PPNR amid declining balances would appear generally
inconsistent and should warrant further investigation. In assess­
ing consolidated financial results, BHCs should account for any
potential changes in relationships between losses and financial
performance drivers during periods of stress.
BHCs should have good understanding of instances when expo­
sures with similar underlying risk characteristics that are part of
different portfolios or business lines exhibit different sensitivities
to scenario conditions. BHCs should identify instances where
the differences are due to inconsistent assumptions or model­
ing approaches that require management attention, rather
than differences in accounting treatment. In addition, if a BHC's
enterprise-wide scenario analysis results in post-stress outcomes
that are more favorable than those under baseline conditions,
BHCs should critically evaluate the reasonableness and consis­
tency of assumptions across portfolios, business lines, and other
areas of loss and revenue estimation.
BHCs that had an effective aggregation process leveraged their
business planning and financial and regulatory reporting systems
as part of that process. Using standalone tools or spreadsheets
in the aggregation process is a weak process. If a BHC needs to
use standalone tools or spreadsheets due to systems limitation,
management should ensure robust controls are in place, includ­
ing access and change controls, and should maintain an audit
trail and document all approvals for any adjustments made.
BHCs should also have reconciliation procedures and data qual­
ity and logic checks in place to ensure that the results from the
enterprise-wide scenario analysis reconcile to both management
reporting and regulatory reports, with a transparent mapping
between various reporting taxonomies.
50 See id.
Chapter 14 Capital Planning at Large Bank Holding Companies
BHCs with weaker practices had limited or no reconciliation
procedures or other controls in place to ensure the integrity,
completeness, and accuracy of the consolidated post-stress
capital metrics. BHCs with weaker practices also had no process
to ensure consistency in the BHC-wide application of scenario
assumptions and management adjustments, and had weak gov­
ernance and documentation standards.
14.9 CONCLUDING OBSERVATIONS
The goal of this publication is to outline the Federal Reserve's
expectations for internal capital planning at large BHCs and to
highlight the range of current practice as observed during the
2013 C C A R. This discussion is intended to provide a more com­
prehensive set of criteria to assist BHC management in assess­
ing their current capital planning processes and in designing and
implementing improvements to those processes, as well as to
provide insight to a broader audience about the key aspects of
BHCs' capital planning practices.
Internal capital planning practices have evolved considerably
since the financial crisis and the implementation of the Federal
Reserve's Capital Plan Rule in 2011. BHCs have made advances
in the identification and measurement of the risks to their capital
and in the integration of stress testing and capital planning into
their broader strategic planning processes. The fundamental
insight governing the Federal Reserve's expectations about capi­
tal planning is the importance of having a forward-looking per­
spective on the risks to a BHC's capital resources under severely
stressful conditions. In particular, a forward-looking perspective
involves understanding how a BHC's revenue-generating capac­
ity and potential losses could be affected in stressed economic
and financial market conditions; understanding the particular
vulnerabilities arising from its business model and activities; and
having a capital policy in place that governs the BHC's capital
actions under both "normal" and stressed economic conditions.
These elements represent substantial conceptual and opera­
tional improvements in capital planning that go well beyond sim­
ple consideration of current and expected future capital ratios.
While many of the large BHCs subject to the Capital Plan Rule
have made substantial improvements in capital planning, there
is still considerable room for advancement across a number of
dimensions. Areas where some BHCs continue to fall short of
leading practice include
• not being able to show how all their risks were accounted for
in their capital planning processes;
• using stress scenarios and modeling techniques that did not
address the particular vulnerabilities of the BHC's business
model and activities;
■ 265
• generating projections for at least some components of loss,
revenue, or expenses using approaches that were not robust,
transparent, and/or repeatable, or that did not fully capture
the impact of stressed conditions;
• having capital policies that did not clearly articulate a BHC's
capital goals and targets, did not provide analytical sup­
port for how these goals and targets were determined to
be appropriate, and/or were not comprehensive or detailed
enough to provide clear guidance about how the BHC would
respond as its capital position changed in different economic
circumstances; and
• having less-than-robust governance or controls around the
capital planning process, including around fundamental risk-
identification, -measurement, and -management practices
that are among the critical elements that support robust capi­
tal planning.
266 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
All the BHCs that participated in CCA R faced challenges across
one or more of these areas. And although many BHCs demon­
strated leading practices in several dimensions of capital plan­
ning, the leading capital planning practices identified in this
paper will continue to evolve as new data become available,
economic conditions change, new products and businesses
introduce new risks, and estimation techniques advance fur­
ther. As the frontier of capital planning practice advances, the
Federal Reserve's expectations for how BHCs implement the
requirements of the Capital Plan Rule and the related company-
run stress testing required under the Dodd-Frank Act will
also evolve.51 Such advances in capital planning practices will
enhance the health and stability of individual BHCs and of the
overall banking system.
51 12 CFR part 252, subpart G.
Stress Testing
Banks
Learning Objectives
After completing this reading you should be able to:

Describe the evolution of the stress testing process Explain challenges in modeling a bank's revenues, losses,
and compare the methodologies of historical European and its balance sheet over a stress test horizon period.
Banking Association (EBA), Comprehensive Capital
Analysis and Review (CCAR), and Supervisory Capital
Assessment Program (SCAP) stress tests.

Explain challenges in designing stress test scenarios,

including the problem of coherence in modeling risk
factors.

E x c e rp t b y Til Schuerm ann is rep rin ted from the International Journal of Forecasting 30, no. 3, (2014) p p . 717-728.

267
ABSTRACT
How much capital and liquidity does a bank need to support its
risk taking activities? During the recent (and still ongoing) finan­
cial crisis, answers to this question using standard approaches,
e.g., regulatory capital ratios, were no longer credible, and thus
broad-based supervisory stress testing became the new tool.
Bank balance sheets are notoriously opaque and susceptible to
asset substitution (easy swapping of high risk for low risk assets),
so stress tests, tailored to the situation at hand, can provide clarity
by openly disclosing details of the results and approaches taken,
allowing trust to be regained. With that trust re-established, the
cost-benefit of stress testing disclosures may tip away from bank-
specific towards more aggregated information. This paper lays
out a framework for the stress testing of banks: why it is useful
and why it has become such a popular tool for the regulatory
community in the course of the recent financial crisis; how stress
testing is done (design and execution); and finally, with stress test­
ing results in hand, how one should handle their disclosure, and
whether it should be different in crisis vs. "normal" times.
15.1 INTRODUCTION
There are three kinds of capital and liquidity: (1) the capital/liquid-
ity you have; (2) the capital/liquidity you need (to support your
business activities); and (3) the capital/liquidity the regulators
think that you need.1 Stress testing, regulatory capital/liquidity
and bank-internal (so-called "economic capital/liquidity") models
all seek to do the same thing: to assess the amount of capital and
liquidity which is needed to support the business activities of the
financial institution. Capital adequacy addresses the right side of
the balance sheet (net worth), and liquidity the left side (share of
assets that are "liquid", however defined). If all goes well, both
the economic and regulatory capital/liquidity are less than the
required regulatory minimum, and their difference (between eco­
nomic and regulatory) is small, that is, regulatory models do not
deviate substantially from the results of internal models.
Prior to their failure or near-failure, financial institutions such as
Bear Stearns, Washington Mutual, Fannie Mae, Freddie Mac,
Lehman and Wachovia were adequately or even well capitalized,
at least according to the regulatory capital rules disclosed in their
public filings.2 This set of institutions spans a broad range of regu­
latory capital regimes and regulators: the SEC and Basel 2 capital
rules (Bear Stearns, Lehman), the O CC and the Federal Reserve
1 This pithy summary I owe to Peter Nakada.
2 Kuritzkes and Scott (2009) make the case for a more market-oriented
assessment of capital adequacy.
268 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
and Basel 1 (Wachovia), the OTS (WaMu), and O FH EO (Fannie and
Freddie)—the last actually based on a narrow stress scenario. All
firms had a broad exposure to residential real estate assets, in the
form of either whole loans (mortgages) or securities (MBS), or
both, and all had internal risk models which may or may not have
deviated materially from the regulatory models (we do not know
this, as it is/was firm proprietary information).3 Yet the answer to
the question of what is the capital you need vs. the capital you
have came out wrong in each case. Of course, neither firm-internal
(economic) nor regulatory capital and liquidity models can guaran­
tee failure prevention; indeed, that is not their purpose, as every
firm accepts some probability of failure, sized by its risk appetite.
Nevertheless, the cascading of defaults, and the resulting deep
skepticism of the market's stated capital adequacy, forced regula­
tors to turn to a new tool for assessing the capital adequacy of
banks in a credible way. That tool turned out to be stress testing.4
This paper lays out a framework for the stress testing of banks:
why it is useful and why it has become such a popular tool for
the regulatory community in the course of the recent financial
crisis; how stress testing is done (design and execution); and
finally, with stress testing results in hand, how one should handle
their disclosure, and whether it should be different in crisis vs.
"normal" times. The framework is equally applicable to capital
and liquidity adequacy, but for the sake of simplicity, the bulk of
the discussion will focus on capital.
A successful macro-prudential stress testing program, particu­
larly in a crisis, has at least two components: first, a credible
assessment of the capital strength of the tested institutions, to
size the capital "hole" that needs to be filled, and second, a
credible way of filling that hole. The US bank stress test in 2009,
the Supervisory Capital Assessment Program or SCAP, may
serve as a useful example. The US entered 2009 with an enor­
mous uncertainty about the health of its banking system. In the
absence of a more concrete and credible understanding of the
problems with bank balance sheets, investors were reluctant to
commit capital, especially given the looming threat of possible
government dilution. With a credible assessment of losses under
a sufficiently stressful macroeconomic scenario, the supervisors
hoped to draw a line in the sand for the markets: fill this hole,
and you won't risk being diluted later because the scenario
wasn't tough enough. Moreover, if some institutions could not
3 Lester, Reynolds, Schuermann, and Walsh (2012) report that, out
of 16 banks (US and non-US) that publicly disclosed their economic
capital before the crisis, four actually experienced losses exceeding
those requirements, all of which were calibrated to at least the 99.9%
level (implying an acceptable annual default probability of no more
than 10bp).
4 Flannery (2012) argues that stress tests should be evaluated on a fair
value (rather than book capital) basis.
convince investors to fill the hole, a US government program,
namely the Treasury's Capital Assistance Program (CAP), stood
ready to supply the required capital. Importantly, the US Trea­
sury was a sufficiently credible debt issuer that the CAP promise
was itself credible.5 All banks with assets greater than $100 bn
(YE 2008) were included, accounting for two-thirds of the total
assets and about half of the total loans in the US banking sys­
tem. In the end, ten of the 19 SCAP banks were required to
raise a total of $75 bn in capital within six months, and indeed
raised $77 bn of Tier 1 common equity in that period.6 None
needed to draw on CAP funds.
The European experience in 2010 and 2011 stands in stark con­
trast to the 2009 SCAP. Against the background of a looming
sovereign debt crisis in the peripheral eurozone countries, the
Committee of European Bank Supervisors (CEBS) conducted a
stress test of 91 European banks in 2010, covering about two-
thirds of the total European bank assets and at least half of that
in any given participating country. The stress test included impos­
ing haircuts on the market value of sovereign bonds held in the
trading book; however, the bulk of the sovereign exposure was
(and is) in the banking book. O f the 91 banks, only seven were
required to raise a total of €3.5 bn (<$5 bn at the time) in capital.
The level of disclosure provided was rather less than in the SCAP.
For instance, loss rates by firm were only made available for two
sub-categories: overall retail and overall corporate.7 By contrast,
the SCAP results released loss rates by major asset class such as
first-lien mortgages, credit cards, commercial real estate, and so
on. Markets reacted benignly nonetheless— until a few months
later, when Ireland requested financial assistance from the EU and
the IMF. Subsequent stress tests of just the Irish banks, con­
ducted largely by outside independent advisors (Black-Rock)
revealed a total capital need of €24 bn; all of these banks had
previously passed the CEBS stress test. Moreover, to help close
the credibility gap, the extent and degree of disclosure was far
greater than in any of the stress testing exercises to date.8 The
markets reacted favorably, with both bank and Irish sovereign
credit spreads tightening. The stakes for the 2011 European
stress test, now conducted by the successor to the C EBS— the
European Banking Authority (EBA)— had risen substantially.
5 Note that the act of a sovereign recapitalizing its banks involves that
sovereign issuing debt and then investing ("downstreaming") it as equity
in the bank(s).
6 http://www.federalreserve.gov/bankinforeg/scap.htm.
7 http://www.eba.europa.eu/EU-wide-stress-testing/2010/2010-EU-wide-
stress-test-results.aspx.
8 http://www.centralbank.ie/regulation/industry-sectors/credit-institutions/
Documents/The%20Financial%20Measures%20Programme%20Report
.pdf.
At first glance, the results of the 2011 EBA stress test of 90
banks in 21 countries were mild, similar to the previous year's.9
Eight banks were required to raise a total of only €2.5 bn.
However, the degree of disclosure was much more extensive,
approaching the high bar set by the Central Bank of Ireland in
March 2011, including information on exposure by asset class
by geography. Importantly, all bank level results were available
to download in spreadsheet form, to enable market analysts to
easily impose their own loss rate assumptions. In this way, the
"official" results were no longer so final: analysts could (and
did) easily apply their own sovereign haircuts on all exposures,
and thus test the solvency of any of the 90 institutions
themselves.
In an uncomfortable parallel to the Irish experience in 2010, the
2011 EBA stress test did nothing to alleviate concerns about the
Spanish banking system. Five of the 25 Spanish banks in the
EBA stress test did not pass, though once provisions and man­
datory bond conversions (to equity) were taken into account,
the required additional capital raise was €0. By the spring of
2012, Spain was engaged in or had announced several addi­
tional stress tests. First was the IMF's Financial Sector Assess­
ment Program (FSAP), conducted jointly with the Banco de
Espana. The results of this were released on June 8, 2012,101
with 11 of the 29 banks requiring a total of €17.7 bn capital
using a post-stress hurdle similar to that of the SCAP (4% core
Tier 1 capital), or 17 banks requiring a total of €37.1 bn using
the higher hurdle of 7% core Tier 1 capital.11 Second was a short
(4-week) top-down exercise conducted by two outside advisers
(working in parallel to provide, ostensibly, two further indepen­
dent assessments), and those results were released on June 21,
2012. No firm-specific results were provided, only an overall
capital need. The first estimate, provided by Roland Berqer, was
€51.8 bn, while Oliver Wyman provided a range of €51-62 bn.12
A more detailed and intensive bottom-up analysis by Oliver
Wyman followed, with results released on September 28, 2012,
showing that 7 of 14 the banking groups needed a total of
€57.3 bn using the post-stress core Tier 1 threshold of 6%;
9 http://www.eba.europa.eu/EU-wide-stress-testing/2011/2011 -EU-wide-
stress-test-results.aspx.
10 http://www.imf.org/external/pubs/ft/scr/2012/cr12137.pdf.
11 Most European exercises have tested to a post-stress hurdle of 6%
core Tier 1; see the discussion in Section 3.
12 Roland Berger: http://www.bde.es/webbde/GAP/Secciones/
SalaPrensa/Informacionlnteres/ReestructuracionSectorFinanciero/
Ficheros/en/informe_rolandbergere.pdf; Oliver Wyman: http://www
.bde.es/webbde/GAP/Secciones/SalaPrensa/lnformacionlnteres/
ReestructuracionSectorFinanciero/Ficheros/en/informe_oliverwymane
.pdf.
Chapter 15 Stress Testing Banks ■ 269
Table 15.1 Summary of Disclosures Across Stress Test Exercises

Exposure detail Bank vs.

Base and stress Bank level Asset/product (asset class, maturity, supervisory/3rd
scenario results level loss rates geography) party estimates

SCAP Stress / / — —

March 2009

CEBS Both / Retail, all — —

corporate only
July 2010

CCAR — — — — —

March 2011

Ireland Both / / Sovereign only /

March 2011

EBA Both / Retail, corporate, High —

CRE
July 2011

CCAR Stress / / — —

March 2012
Spain (IMF) Both — —
Asset class (aggregate) —

June 8, 2012

Spain (top-down) Both —

/ Asset class (aggregate) —

June 21, 2012

Spain (bottom-up) Both / / Asset class (aggregate) —

Sept. 28, 2012

merger activity had resulted in a significant reduction in inde­ Table 15.2 F e a tu re s of S tre ss Testing, Pre- and
pendent banking entities.13 P o st-S C A P

A summary of the major macro-prudential stress tests to date Pre-SCAP Post-SCAP

is provided in Table 15.3, and a summary of their disclosures is
• Mostly single shock • Broad macro scenario and
given in Table 15.1.
• Product or business market stress
The SCAP was the first of the macro-prudential stress tests of this unit level • Comprehensive, firm-wide
crisis, but the changes at the micro-prudential or bank-specific • Static • Dynamic and path dependent
• Not usually tied to • Explicit post-stress common
level were at least equally significant, and they are summarized
capital adequacy equity threshold
in Table 15.2. With the SCAP, stress testing at banks went from
• Losses only • Losses, revenues and costs
mostly single factor shocks (or a handful) to using a broad macro
scenario with market-wide stresses; from product or business
unit stress testing, focusing mostly on losses, to firm-wide and
a discussion of how to design the stress scenario, includ­
comprehensive testing, encompassing losses, revenues and costs;
ing the choice of a post-stress capital hurdle. Section 4
and with all of these tied to a post-stress capital ratio to ensure a
d escribes m odeling approaches for the three com ponents
going concern.
needed to im plem ent stress testin g : losses, net revenues
The rem ainder of the paper proceeds as follow s. Section 2 (profitability), and balance sheet dynam ics. Section 5 reviews
briefly review s the scant literature, and Section 3 provides the disclosure regim es across the different stress tests to
date in more detail, and presents a discussion of disclosure
13 http://www.bde.eS/f/webbde/SSICOM/20120928/informe_ow280912e in "norm al" tim es, after which Section 6 provides some con­
.pdf. cluding rem arks.

270 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
 Table 15.3a Summary of Macroprudential Stress Tests to Date

Risk types included:

# of Total required market, credit,
Target capital participating Participation criteria (total Balance sheet capital raise (for liquidity (funding),
ratio3 banks coverage) assumptions # of banks) operational

SCAP • 4% T1C 19 • All bank holding compa­ Constant RWA $75 bn (19) Mb, C
• 6% T1 nies with at least $100 bn
March 2009
total assets
• (~2/3 of total banking
assets)

C EBS • 6% T1 91 (20 countries) • Largest banks in country Constant total €3.5 bn (7) M, C
until at least 50% of total assets
July 2010
assets are included
• (~2/3 of total banking
assets)

CCAR • 5% T1C 19 • Original SCAP-19 None M, C

March 2011

Ireland • 6% T1C 4 • Largest banks not in wind- Allowed for balance €24 bn (4) M, C, L, O
• 10.5% T1C down mode sheet shrinkage
March 2011
(in base)

EBA • 5% T1C 90 (21 countries) • Largest banks in country Constant total €2.5 bn (8) M, C, Lc, O
until at least 50% of total assets
July 2011
Chapter 15 Stress Testing Banks

assets are included

• (~2/3 oftotal banking
assets)

CCAR • 5% T1C 19 • SCAP-19 None __ d M, C, O

• 4% T1; 8% Total; • An additional 11 BHCs
March 2012
3%-4% leverage with assets > $50 bn

a T1: Tier 1 capital ratio; T1C: Tier 1 common (or core) capital ratio.
b Only banks with at least $100 bn in trading assets were required to conduct the market risk stress test.
c Liquidity risk was not assessed directly, though funding stresses were taken into account, especially as they related to sovereign stress impacting the funding costs for financia
institutions.
Four of the 19 did not pass, in the sense of not having gained non-objection to their submitted capital plans.
■ 271
Table 15.3b Summary of Macroprudential Stress Tests to Date—Spain 2012

Risk types
included:
market, credit,
# of Balance Total required liquidity
Target participating Participation criteria sheet capital raise (for (funding),
capital ratio3 banksb (total coverage) assumptions # of banks) operational

IMF • 7% T1C 29 • Large and medium Deleveraging • €37.1 (17) C, L

banks and cajas, under 7% T1C
June 8, 2012
together making
up -9 0 % of total
bank assets

Top-down • 9% T1C 14 entities • Large and medium Deleveraging • €16-25 [base] C, L

[base] banks and cajas, • €51-62 [stress]
June 21, 2012
• 6% T1C together making
[stress] up -9 0 % of total
bank assets

Bottom-up • 9% T1C 14 entities • Large and medium Deleveraging • €24.1 (5) [base] C, L
[base] banks and cajas, • €57.3 (7) [stress]
Sept. 28, 2012
• 6% T1C together making
[stress] up -9 0 % of total
bank assets

a T1:Tier1 capital ratio; T1C: Tier 1 common (or core) capital ratio.
b The 14 entities are the result of mergers.

15.2 STRESS TESTING IN THE Risk management as a technical discipline came into its own with
the publication of the RiskMetrics technical document in 1994,
LITERATURE and stress testing (of both kinds, sensitivities and scenarios) is
mentioned throughout. The first edition of Jorion's
Stress testing has been part of the risk manager's toolkit for a
standard-setting VaR book (Jorion, 1996) had a subsection
long tim e. It is perhaps the most basic of risk-based questions
devoted to the topic (which was elevated to a chapter in subse­
to want to know the resilience of an exposure to deteriorating
quent editions), and there must surely be earlier examples. Stress
conditions, be it a single position or loan or a whole portfolio.
testing as a risk management discipline was found largely in the
Typically, the stresses take the form of sensitivities (spreads
relatively data rich environment of the trading room, with the
double, prices drop, volatilities rise) or scenarios (black
closely related treasury function of conducting interest rate sce­
Monday 1987, autumn of 1998, post- Lehman bankruptcy,
narios and shocks.14 The Committee on Global Financial Systems
severe recession, stagflation). These types of stresses lend
(CGFS) of the BIS conducted a survey on stress testing in 2001,
them selves naturally to understanding financial risks, particu­
and it reinforces this view.15 In their summary of the CG FS report,
larly in a data rich environment such as that found in a trading
Fender et al. (2001) point out that most of the scenarios involve
operation. Nonfinancial risks, such as operational, reputational
shocks to market rates, prices or volatilities. Typical examples are
and other business risks, are much harder to quantify and
equity market crashes such as October 1987, rates shocks such
param eterize yet rely heavily on scenario analysis (earthquakes
as 1994, credit spread widening such as during the fall of 1998,
and other natural disasters, com puter hacking, legal risks, and
and so on. Such stress scenarios have the virtue of being
so on). W hile the original Basel I Accord of 1988 did not make
any formal mention of stress testing, it merited its own sec­
tion in the Market Risk Am endm ent of 1995, and thus became 14 See Berkowitz (2000) and Kupiec (1998) for more extensive discus­
em bedded in the regulatory codex. Indeed, evidence of stress sions of VaR-based stress testing.
testing capabilities is a requirem ent for regulatory approval of 15 See CGFS (2001) and the summary of its principal findings by Fender,
internal models. Gibson, and Mosser (2001).

272 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
unambiguously articulated and defined, and are thus transparent
and easy to implement and communicate, at least on assets that
have themselves natural market prices or analogs, as is mostly
the case in the trading book. More typical banking assets, such
as corporate loans (especially to privately held firms) and con­
sumer loans (e.g. auto loans), are less naturally amenable to this
approach.
Formal stress testing of the banking book, which is dominated by
credit risk, is more recent, partly because quantitative credit risk
modeling is itself a newer discipline.16 Perhaps stimulated by the
success of RiskMetrics, the late 1990s saw a spurt of activity in the
development of credit portfolio models, with the two most promi­
nent examples being CreditMetrics (Gupton, Finger, & Bhatia,
1997) and CreditRisk+ (Wilde, 1997).17 However, stress testing
did not feature in these papers. At the same time, as Koyluoglu
and Hickman (1998) show quite clearly, all of these credit portfolio
models share a common framework of mapping outcomes in the
real economy, often represented by an abstract state vector, to
the credit loss distribution, and thus, they should lend themselves
naturally to stress testing. With that in mind, Bangia, Diebold, Kro-
nimus, Schagen, and Schuermann (2002), broadly following the
CreditMetrics framework, show how to use credit migration matri­
ces to conduct macroeconomic stress tests on credit portfolios.
Foglia (2008) provides a survey of the literature (at least through
to late 2008) of stress testing credit risk, both for individual banks
or portfolios and for banking systems. More recently, Rebonato
(2010), with his suggestively titled book C oherent stress testing
(we return to the problem of coherence below), argues for a
Bayesian approach to financial stress testing, i.e., one which is
able to formally include expert knowledge in the stress testing
design, with an emphasis on exploring causal relationships using
Bayesian networks.
With few exceptions, regulatory requirements for stress testing
were thin prior to the crisis, though considerable expectations of
stress testing capabilities were voiced in supervisory guidance in
the US. Examples include the Joint Policy Statement on Interest Rate
Risk (SR 96-13), guidance on counterparty credit risk (SR 99-0318),
and country risk management (SR 02-05). However, banks had a
significant degree of discretion with regard to the specific design
16 Of course, the credit rating agencies, having been in the business
of rating corporate bonds for nearly a century, probably employ stress
testing in their bond rating methodology, but old documentation to this
effect is hard to come by.
17 For an excellent overview and comparison of these and related mod­
els, see Koyluoglu and Hickman (1998).
18 The most recent guidance on counterparty credit risk, SR 11-10, has
greatly expanded on stress testing expectations. All SR letters can be
found at http://www.federalreserve.gov/bankinforeg/srletters/srletters.htm.
and implementation of their stress tests. Brian Peters, then head of
risk in bank supervision at the New York Fed, observed at an indus­
try conference in March 2007 that no firm had a fully-developed
program of integrated stress testing that captured all major finan­
cial risks on a firmwide basis.19 Market risk stress tests were most
advanced, while corporate or enterprise-wide stress testing,
whereby all businesses were subjected to a common set of stress
scenarios, was in a developmental phase at best.
15.3 STRESS TESTING DESIGN
Perhaps the most fundamental choice in stress testing design is the
risk appetite of the authorities: how severe and how long the stress
scenario should be, and what the post-stress hurdle is. To take a
sailing analogy: how severe and how long is the storm, and how
solid does the boat still need to be once the storm has passed? In
stark contrast to standard capital regimes, the target calibration is
not strict solvency (i.e., just enough capital to have a positive net
worth), but rather some notion of adequate capitalization p o st­
stress. For instance, the 2009 SCAP in the US presented a two-year
scenario with a post-stress hurdle of 4% Tier 1 common capital. The
2012 bottom-up Spanish stress test used a three-year scenario with
a post-stress hurdle of 6% core Tier 1 capital, suggesting a lower
risk appetite by the Spanish authorities than by the American.
While length and post-stress hurdles are easy to compare across
macro-prudential stress tests, scenario severity is not. Authori­
ties are reluctant to make statements like "a 1 in 100 scenario"
which would allow such comparisons, in part because such a
statement is very difficult to make credibly. In its stress testing
program, the Federal Reserve makes available time series of
relevant variables to allow users to assess the severity of a given
scenario, at least for those variables.20 O f course, a multivariate
assessment is much more difficult.
Once the risk appetite has been established, one of the principal
challenges faced by both the supervisors and the firms when
designing stress scenarios is coherence. The scenarios are inher­
ently multi-factor: we are seeking to develop a rich description of
adverse states of the world in the form of several risk factors, be
they financial or real, taking on extreme yet coherent (or possi­
ble) values. It is not sufficient to specify only high unemployment
or only a significant widening of credit spreads or only a sudden
drop in equity prices; when one risk factor moves significantly,
19 Presentation delivered at Marcus Evans conference "Implement­
ing stress tests into the risk management process", Washington DC,
March 1-2, 2007.
20 See http://www.federalreserve.gov/bankinforeg/bcreg20121115a3.xlsx.
Chapter 15 Stress Testing Banks ■ 273
the others move too. The real difficulty is in specifying a coher­
ent joint outcome of all of the relevant risk factors. For instance,
not all exchange rates can depreciate at once; some have to
appreciate. A high inflation scenario needs to account for likely
monetary policy responses, such as an increase in the policy
interest rate. Every market shock scenario resulting in a flight
from risky assets— "flight to quality"— must have a (usually small)
set of assets that can be considered safe havens. These are typi­
cally government bonds from the safest sovereigns (e.g., the US,
Japan, Germany, Switzerland). O f course, as sovereign govern­
ment budgets are increasingly strained, questioning the ultra-low
risk assumption of such treasury instruments would certainly be a
worthwhile stress scenario, but it would need to define an alter­
native "risk-free" asset class to which capital can flee.
While the problem of coherence is generic to scenario design, it is
especially acute when considering stress scenarios for market risk,
i.e., for portfolios of traded securities and derivatives. These port­
folios are typically marked to market as a matter of course, and risk
managed in the context of a value-at-risk (VaR) system. In practice,
this means that the hundreds of thousands (or more) of positions in
the trading book are mapped to tens of thousands of risk factors,
which are tracked on a (usually) daily basis and form the "data"
used to estimate risk parameters like volatilities and correlations.
Finding coherent outcomes in such a high dimensional space,
short of resorting to historical realizations, is daunting indeed.
Compounding the problem is the challenge of finding a scenario
in which the real and financial factors are jointly coherent. The
2009 SCAP had a rather simple scenario specification. The state
space had only three dimensions— GDP growth, unemployment,
and the house price index (HPI)— and the market risk scenario was
based in historical experience: an instantaneous risk factor impact
reflecting changes from June 30 to December 31, 2008. This
period represented a massive flight to quality, with the markets
experiencing the failure of at least one global financial institution
(Lehman), and risk premia at the time arguably placed a signifi­
cant probability on the kind of adverse real economic outcome
painted by the tri-variate SCAP scenario. This solution achieved
a loose coherence of the real and financial stresses. However, the
price that one pays for choosing a historical scenario is the usual
one: it does not test for anything new. Figures 15.3 and 15.4 com­
pare some of these risk factors (real GDP, unemployment, equity
and home prices indices) across the four US stress tests to date,
both to each other and to actual realizations since 2008 Q4.
For the 2011 EBA test, the supervisors specified over 70 risk
factors for the trading book, eight macro-factors for each of
21 countries (macro-factors such as GDP growth, inflation,
unemployment, real estate price indices, both residential and
commercial, short and long term government rates, and stock
prices), plus sovereign haircuts across seven maturity buck­
ets. The macroeconomic stress scenario was generated by
274 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
economists at the ECB with reference to the EU Commission
baseline economic forecast.
All supervisory stress tests to date have imposed the same sce­
nario on all banks. Naturally, any scenario may be more severe for
some banks and much less so for others, depending on the busi­
ness mix and geographic footprint. This one-size-fits-all approach
is analogous to the problem of regulatory vs. internal economic
capital models: the former is the same for all banks by design,
while the latter, being limited to a given bank, takes the particular
business mix of that bank into account directly. This problem of
same vs. specific stress scenarios becomes especially acute when
we move from crisis times, when there may be less debate about
what a relevant adverse scenario might look like, to "normal"
times. The US CCAR program, which has been in operation since
2011, recognized this problem and asks banks to submit results
using their own scenarios (baseline and stress) in addition to results
under the common supervisory stress scenario. This was an impor­
tant step forward from the 2009 SCAP: by asking banks to develop
their own stress scenario(s), thus revealing the particular sensitivi­
ties and vulnerabilities of their specific portfolio and business mix,
supervisors could learn what the banks themselves thought to be
the high risk scenarios. This is useful not just for micro-prudential
supervision— learning about the risk of a given bank— but also
for macro-prudential supervision, by allowing for the possibility
of learning about common risks across banks which may hitherto
have been undiscovered or under-emphasized. With this dual
approach, supervisors could compare results across banks from the
common scenario directly, without sacrificing risk-discovery.
15.4 EXECUTING THE STRESS
SCENARIO: LOSSES AND REVENUES
With the macro-scenario in hand, how does one arrive at the
corresponding micro-outcomes: losses and revenues under
adverse market and macroeconomic conditions? To date, there
has been very little discussion in the public domain on how to
solve this problem, except perhaps for stress testing the trading
book. Indeed, one of the more important contributions of the
supervisory stress tests in the US and Europe has been the
accompanying methodology documents that have been dis­
closed by the supervisors, which are, understandably, more
heavily focused on the banking book.21
21 For SCAP, see http://www.federalreserve.gov/bankinforeg/
bcreg20090424a1.pdf. For EBA, see http://www.eba.europa
.eu/EU-wide-stress-testing/2011/The-EBA-publishes-details-of-it
s-stress-test-scena.aspx. For the 2011 and 2012 CCAR, see http://
www.federalreserve.gov/newsevents/press/bcreg/bcreg20110318a 1
.pdf and http://www.federalreserve.gov/newsevents/press/bcreg/
bcreg20120313a1 .pdf respectively.
Modeling Losses
For a firm which is active in many markets (product and geogra­
phy), the first task is to map from the few macro-factors to the
many intermediate risk factors that drive losses for particular
products by geography. The EBA was forced to confront the
problem of geographic heterogeneity directly, since it spans 21
sovereign nations with rather different economies. US supervisors,
in stress testing an economic region only slightly smaller than that
of the EBA, left the task of accounting for the not-inconsiderable
geographic heterogeneity to individual firms. Regional differences
are critical in modeling losses for real estate lending (residential
and commercial), but are hardly limited to those products. Since
the US experiences regional business cycles—the national busi­
ness cycle obscures a considerable degree of variation across
states— nearly all lending has some geographic component. For
example, credit card losses are especially sensitive to unemploy­
ment, and in July 2011, with the national rate at 9.1%, the state-
level unemployment rate ranged from 3.3% in North Dakota to
12.9% in Nevada. Similar dynamics are at work in wholesale lend­
ing, particularly for SME (small and medium enterprise) lending,
whose performance has a strong geographic component.
The problem of mapping from macro to more intermediate risk
factors is not limited to geography. An interesting example is
auto lending and leasing, where the collateral assets are used
cars. While auto sales invariable decline during a recession, and
the decline in 2008-2009 was unprecedented in the post-war
period, used car sales typically suffer less. Yes, households buy
fewer cars in a recession, but if they do need to purchase a
car, it is relatively more likely to be a used car. Thus, even if the
default rate on auto loans increases significantly during a reces­
sion, the corresponding loss given default (LGD) or loss severity
need not. A useful indicator of the health of the used car mar­
ket, and thus the collateral of an auto lending portfolio, is the
Manheim index. Over the course of the most recent recession
(Dec. 2007-June 2009), the index rose 4%, while total new auto
and light truck sales declined by 37%.
The problem of loose coupling of the loss severity to the busi­
ness cycle is not limited to auto loans. Acharya, Bharath, and
Srinivasan (2007) show that for corporate credit, an important
determinant of LGD is whether the industry of the defaulted
firm is in distress at the time of default. The authors make a
compelling asset specificity argument: if the airline industry is in
distress, and a bank is stuck with the collateral on defaulted air­
craft loans or leases, it will be hard to sell those aircraft except
at very depressed prices. The healthcare sector may be relatively
robust at the time, as indeed it was in the recent recession, but
it is difficult to transform an airplane into a hospital.
The EBA disclosure on methodology is especially rich. In the
March 2011 document, for example, detailed guidance is
provided on stressed probabilities of default (PDs) and stressed
LGDs. Note that such guidance presumes that a bank has imple­
mented an internal credit rating system for its commercial loan
portfolio. For a Basel II bank this may not be unreasonable, since
internal ratings, mapped to a common external scale such as
those used by the rating agencies, are a cornerstone of the
Accord. With a credit rating (internal or external) in hand, com­
puting stressed default rates for the portfolio becomes a straight­
forward exercise, either by assigning higher PDs to a given rating,
or by imposing a downward migration on the current portfolio.22
Since the EBA stress test was based on risk weighted assets
(RWA) computed using Basel II risk weights, which are ratings
sensitive, banks were forced to make use of stress migration
matrices to compute not only increased defaults (the last column
of the matrix), but also the entire future ratings distribution, to
arrive at the correct RWA value. The US stress tests were con­
ducted under Basel I risk weights, which are not obligor ratings
sensitive. The fuss about RWA calculations is important, since the
denominator of capital ratios, used to determine whether or not
a bank needs to raise capital, is RWA. Clearly, this complicates
any comparison of US and European stress test results.
Implementation in the trading book is more straightforward, and
has been discussed extensively in the public domain; see inter
alia Allen, Boudoukh, and Saunders (2004), Jorion (2007), or
Rebonato (2010). In a nutshell, existing positions are simply
repriced using the stress scenario risk factors, subject to the pro­
viso that the risk factor mapping problem, discussed in Section 3,
has been solved. The corresponding problem of stressing the
counterparty credit risk that comes with the activities of deriva­
tives has received less attention.23 Counterparty credit risk arises
when, in a derivative transaction which is revalued to the stress
scenario, the bank finds itself in the money (i.e., enjoys a deriva­
tive receivable), but cannot be sure that the counterparty to the
transaction will be solvent in order to make good on the pay­
ment. Thus, the value is discounted, where the discount is a func­
tion of the expected default likelihood of the counterparty under
the stress scenario, which is presumably higher than today. This
adjustment is called a credit value adjustment (CVA), and banks
with significant derivative activities manage CVA as a matter of
course. As Canabarro (2010) and Hopper (2010) point out, the
modeling challenge of stress testing counterparty credit risk is
considerable. Not only does the PD of the counterparty change
in a stressful environment, the exposure does likewise. Thus, any
CVA stress test involves two distinct simulation exercises. If the
22 Of the 90 participating banks, 59 were so-called IRB (internal ratings
based) banks, meaning that their internal models were validated to the
supervisor's satisfaction for at least one regulatory portfolio (e.g., corpo­
rate, commercial real estate, etc.). Non-IRB banks were given very non­
specific guidance (EBA, 2011, Section 5.5.1.1).
23 For an excellent treatment, see Canabarro (2010) and Hopper (2010).
Chapter 15 Stress Testing Banks ■ 275
 2 0 0 9 S C A P P/L co ve ra g e
</) 5
0
< 4
V/)) 3
Median:58%
O
2

Q.
Z
Q.
1
0 a
-1 x 0 u o 0 if) (/> 00 _co
LU
E o 08
00 >- o
c o < E O CD
CD
CD CO 0
00 <J
-M =3
z f-C
< £ U)
CO
00 00 CD T3 0
-M
CO
•-M
...
Q. O 0 CD
cn—
(D CD CD
O -M =3
CD CO
u <
CD +-»
CO

2 0 1 2 C C A R P/L co v e ra g e
5
4
V) 3 Median:63%
<
<//))
CD
2
O 1
0
or -1 □
Z
-2
0
Q.
Q- x I— 2 0
•
-M
1
“O o c U CL (/)
0 co CO —
LU
E o 08
00
C
U •
<
CD
E
_0 Z C
o 0 lo “55
00
>- O

< 00 z o
Q_
0 C Q_ +-*
co
h- :> CD
CD U *CD CO
>> -M 0
•-t—* -M o
CO 0
c
M— O 0
CL
CD
•—
—
LL O CD
+-*
CD
-M
co
CD CO

2011 E B A P/L c o v e ra g e (a d ve rse scen ario )

+-*
C
V)
0
3
0
E
V)
(/)
2 Median:66%
_o
•
CD 'v )
1
a U)
E l I__ I_____i___ » i ■it. i 11. i > ■i 1___ 11■■i i .hi L
0 liin n im n a a iiiiiiiin m - 1■- t■1 --1 llllllllllllu . A • im m iiiiim iiim i
c
•
•
i c
0 1-
cu
oZ 0
-1
T-rOLnNCOO(N^r\CM>^-OCN^OCX)OCNJ^'OOOOCNCNi ,v f O ^ T“ T“ ^LONO'-rOLnNC>r:oOLO^-ON
Oooo^-CNCNCNCNCNJOr-^sOvOvOONrsNNNCDCD^t-^-cDorororororo^-^^-^j-^-LnmLncocoLn
o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o q o o o o o o g o o o o o
|— |— L U > - L 1 J L U L U L U L I J L I J ^ ^ C O C O C O C O C O C O C O C O C O C O C O C O l l Q ^ Q ^ Q Q C O Q ^ Q ^ Q ^ L 1 J L 1 J | — |— —) _ J — I O |— I— LU LU TT;
< < co( J Q Q Q Q Q Q Q Q l u l u l u l u l u l u l u l u l u l u l u l u l l l l o O O O O ” _j Z Z z Q- " Q-
n ----
co co

Fiaure 15.1 Projected coverages of losses with profits in the 2009 SCAP and 2011 EBA stress tests.

collateral posted by the counterparty is anything other than conditions. Banks' total income can be divided roughly into
cash or a cash equivalent, a revaluation of that collateral interest and non-interest income. The interest income is clearly
under the same stress scenario needs to be added to the a function of the yield curve and credit spreads posited under
process. 24 the stress scenario, but the net impact of rising or falling rates
on bank profitability remains ambiguous, perhaps in part
because of interest rate hedging strategies (English, 2002;
Modeling Revenues Purnanandam, 2007). The impact of stress scenarios on the
Implementing stress scenarios on the revenue side of the equa­ noninterest income, which includes service charges, fiduciary,
tion remains largely a black box, and seems far less well devel­ fees, and other income (e.g., from trading), is far harder to
oped than stress testing for losses. Neither the 2009 SCAP nor assess, and there has been precious little discussion of its
the otherwise richly documented 2011 EB A disclosures determinants in the literature. This is concerning, since Stiroh
devoted much space or revealed much detail about the meth­ (2004) shows that not only has the share of noninterest income
ods and approaches for computing revenues under stressful2
*
4 in US banks been rising steadily, from 25% in 1985 to 43% in
2001, but it is associated with a greater volatility and lower
risk-adjusted returns. If we compare the 2009 SCAP, the 2011
EBA and the 2012 C C A R stress tests, the median bank in the
24 There is the added complication that major derivatives dealers actively
manage CVA risk using a range of strategies and instruments that them­ US was able to cover about 58% of its total projected losses
selves vary in price and availability depending on market conditions. with profits (including reserve releases, if any) in 2009 and 63%

276 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
 Two year dynamic forecast
Starting Q1 end
balance Q1 income balance
sheet I y statement sheet
L L
A A
E E
M Capital
V i?
Capital
and and
liquidity liquidity
ratios ratios
Fig u re 1 5 .2 S tre ss testin g b alan ce sh e e t and incom e sta te m e n t dynam ics.
in 2012,25 compared with 66% in the European case. As
Figure 15.1 shows, there is a considerable degree of variability
across banks, especially in the EBA test, where in some cases
profits are projected to outpace losses 4:1, even under the
stress scenario!
Modeling the Balance Sheet
Recall that capital adequacy is defined in terms of a capital
ratio, roughly capital over assets. O f course, both the numera­
tor and denominator are nuanced. All supervisory stress tests
have insisted, to varying degrees, that the relevant form of
capital be common equity. The 2010 C EBS test allowed for
some forms of hybrid capital which are typical of state partici­
pations, but the requirements were tightened a year later. As
was discussed in Section 4.1, the denominator is typically risk-
weighted assets (RWA), where the risk weights are determined
by the prevailing regulatory capital regime, namely Basel I (in
the US cases of the SCAP and CCAR) and Basel II (in the Euro­
pean stress tests). The many subtleties of what this implies are
beyond the scope of this paper; suffice it to say that a bank
may be forced to raise capital under one regime but not the
other, and there is no way to know which regime will result in a
more favorable treatm ent without knowing about the portfolio
in considerable detail.
Regardless of the risk weight regime, determining the post­
stress capital adequacy requires modeling of both the income
statement and the balance sheet, both flows and stocks, over
the course of the stress test horizon, which is typically two
25 PPNR calculations in the 2012 CCAR were net of operational risk
related losses and OREO expenses, as well as mortgage repurchase and
put-back costs, meaning that these items were not reported separately
(though they totaled $115 bn for all 19 banks) (Board of Governors, 2012).
Q2 end Q8 end
Q2 income balance balance
statement sheet sheet
L L
A A
E E
years.26 This is illustrated in Figure 15.2 below. The point of
departure is the current balance sheet, at which point the bank
meets the required capital (and, if included, liquidity) ratios. The
starting balance sheet generates the first quarter's income and
loss, which in turn determines the quarter-end balance sheet.
The modeler is then faced with the problem of considering the
nature and amount of new assets originated and/or sold during
the quarter, and any other capital depleting or conserving
actions such as acquisitions or spin-offs, dividend changes or
share (re-)purchase or issuance programs, including employee
stock and stock option programs. The problem of balance sheet
modeling exists under a static (be it in raw form, as in the 2011
EBA, or in risk weighted form, as in the 2009 SCAP) or dynamic
balance sheet assumption. The bank should not drop below the
required capital (and liquidity) ratios in any quarter. Moreover, at
the end of the stress horizon, the bank needs to estimate the
amount of reserves needed to cover expected losses on loans
and leases for the following year. In this way, the stress tests are
really three years (or T + 1 years for a T-year stress test).
15.5 STRESS TESTING DISCLOSURE
Stress testing is here to stay, whether because it is just good
risk management practice, or because it is enshrined in legisla­
tion (through the Dodd-Frank Act). In the debate on disclosure
regimes, it is not clear that more is always better. We divide the
discussion into crisis and noncrisis or normal times, with the simple
point that normal times may not require or even desire the same
degree of transparency as is clearly needed in times of crisis.
We have seen very large differences in disclosure across the dif­
ferent supervisory stress tests, as summarized in Table15.1. The
26 The horizon is 9 quarters for the CCAR, as it is based on Q3, not Q4,
balance sheets.
Chapter 15 Stress Testing Banks ■ 277
Real GDP growth
Stress-test scenarios vs. recent historical observations
CCA R 1 from 2010 Q4
CCA R 2 from 2011 Q3
— CCA R 3 "severely adverse" from 2012 Q3
— CCA R 3 "adverse" from 2012 Q3
— SC A P "more adverse scenario" from 2008 Q4
— Historical from 2008 Q4
F ig u re 1 5 .3 US real G D P and u n em p lo ym en t sce n a rio s co m p are d .
Source: Fed, The Supervisory Capital Assessment Program: Design and Implementation, 24 April 2009; Fed, Comprehensive Capital Analysis and
Review: Objectives and Overview, 18 March, 2011; Fed, "Comprehensive Capital Review" document and "Capital Plan review" 22 November 2011;
Fed, "Supervisory Scenarios" 15 November 2012; Datastream.
SCAP in 2009 opened Pandora's box by disclosing projected
stress losses for each of the 19 participating banks, for eight dif­
ferent categories or asset classes, as well as resources other than
capital for absorbing losses (mostly pre-provision net revenue
and reserve releases, if any). Until then, regulatory disclosures
(e.g., Y-9C reports for US bank holding companies) reported only
realized losses (the past), not projected losses (a possible future).
This allowed the market to check the severity of the stress test
easily, not just in terms of the scenario, but also, and much more
importantly, in terms of the resulting outcomes at the bank
level. Given the crisis of confidence which was prevalent in the
market at the time, this amount of transparency was crucial. Two
years later, the CCA R displayed a radically different disclosure
regime: only the macro-scenario was published, with no bank-
level results. The only indications of bank-level outcomes were
the subsequent dividend and other capital actions announced by
some banks: banks which were allowed to raise their dividends
were interpreted as having "passed" the stress test. The market
digested this meager information event without a hiccup.
Dodd-Frank, however, requires the Fed to disclose the results of
regular stress testing, and the 2012 CC A R, with the
278 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Unemployment rate
Stress-test scenarios vs. recent historical observations
Stressed quarter
-------CCA R 1 from 2010 Q4
-------CCA R 2 from 2011 Q3
CCAR 3 "severely adverse" from 2012 Q3
CCAR 3 "adverse" from 2012 Q3
SCA P "more adverse scenario" from 2008 Q4
Historical from 2008 Q4
accompanying rules (final and proposed27), gave a glimpse of
what regular disclosure might look like. The 2012 CCAR dis­
closed nearly the same level of detail as the 2009 SCAP, namely
bank-level loss rates and dollar losses by major regulatory asset
classes (following the categories of the FR Y-9C bank holding
company reports): first and second lien mortgages, commercial
and industrial (C&l) lending, C RE, credit cards, other consumer,
and other loans. In addition, the Fed reported the dollar PPNR,
gains/losses on the AFS/HTM securities portfolio, and trading
and counterparty losses for those firms who were required to
conduct the trading book stress.28 Again, as with the 2009 SCAP,
the numbers reported were supervisory estimates, not the banks'
own estimates of losses (and PPNR) under the stress scenario.
By contrast, the 2011 Irish and 2011 Europe-wide EBA stress tests,
both of which were disclosed after the CCAR, were consider­
able in their detail, including comparisons of bank and third-party
27 http://www.gpo.gov/fdsys/pkg/FR-2011 -12-01/pdf/2011-30665.pdf.
OR
In 2012, these were the six institutions with the largest trading
portfolios.
Dow Jo nes total stock market index level House Price index
Stress-test scenarios vs. recent historical observations Stress-test scenarios vs. recent historical observations

18,000 -1

16,000 -

14.000 -

12.000 -

10,000 -

8,000 -

6,000 -

4.000 -

2.000 -

0 -t----1---- 1---- 1---- 1---- 1 1---- 1----1---- 1---- 1---- 1 1--- 1—

0 1 2 3 4 5 6 7 8 9 10 11 12 13
Stressed quarter Stressed quarter
-------CCA R 1 from 2010 Q4 -------C C A R 1 from 2010 Q4
-------CCA R 2 from 2011 Q3
-------CCA R 2 from 2011 Q3
— CCAR 3 "severely adverse" from 2012 Q3
— CCA R 3 "severely adverse" from 2012 Q3
— CCA R 3 "adverse" from 2012 Q3
CCAR 3 "adverse" from 2012 Q3
— SCA P "more adverse scenario" from 2008 Q4
— Historical from 2008 Q4 — Historical from 2008 Q4
Fig u re 1 5 .4 US eq u ity and house p rice in d ices co m p ared .

Source: Fed, The Supervisory Capital Assessment Program: Design and Implementation, 24 April 2009; Fed, Comprehensive Capital Analysis and
Review: Objectives and Overview, 18 March, 2011; Fed, "Comprehensive Capital Review" document and "Capital Plan review" 22 November 2011;
Fed, "2013 Supervisory Scenarios" 15 November 2012; Datastream.

estimates of losses in the Irish case (revealing the bias that any
bank is likely to have when estimating its own potential losses),
and data in electronic, downloadable form in the EBA case. Ire­
land in particular was suffering from an acute credibility problem,
having emerged from the CEBS stress test with flying colors in
July 2010, only to require massive external aid four months later.
This difference in experiences between Europe and the US
provides some hints on how to design a disclosure regime dur­
ing "normal" times. The discussion of the benefits and costs of
stress test disclosures by Goldstein and Sapra (2012) is helpful.
They argue persuasively that in a world with frictions and stra­
tegic environments, the benefits (better market discipline) may
not outweigh the costs: banks may make poor portfolio choices
which are designed to maximize the chance of passing the test
(window dressing), thereby giving up longer term value; while
traders may place too much weight on the public information of
stress test disclosure and lose their incentive to produce private
information about the banks; and finally, with the information
content of market prices having been damaged, market disci­
pline is harmed, and supervisors will find market prices less use­
ful for policy decisions (micro- as well as macro-prudential).
Clearly, some disclosure is still preferable to no disclosure, and
Goldstein and Sapra propose the disclosure of aggregated but
not necessarily bank-specific results, with sufficient information
about category outcomes (loss rates by major asset class, for
instance). Aggregation has the advantage of being less wrong,
since the idiosyncratic errors in estimating bank conditions
under hypothesized stress scenarios are averaged out. In this
way, supervisors can still provide the useful macro-prudential
information which only they can provide— loss rates by asset
class, total capital decline in the system (or significant fraction
of the banking system)— without drowning out signals about
individual banks from the market participants themselves. Such
a disclosure gives the market an anchor point for system-wide
possibilities, without diluting the incentive to dig hard into a
particular firm's financials.
During times of crisis, with the enormous uncertainty about
the health of the banking system, the benefit of detailed bank-
specific stress test disclosure is significant, given the ability of
supervisors to assess the health of individual firms correctly, and
the resulting inability of the market distinguish between a good
bank and a bad. Indeed, Goldstein and Sapra argue that stress

Chapter 15 Stress Testing Banks ■ 279

test disclosures, when more disaggregated, ought to be accom­
panied by detailed descriptions of the exposures of the banks.
This is precisely what was done in the Irish bank stress test of
2011, an acute case of loss of confidence (and a subsequent
regaining of confidence), as well as in the 2011 EBA stress test.
Because the credibility of European supervisors was rather low
by that point, only with a very detailed disclosure, bank by bank,
of their exposures by asset class, by country and by maturity
bucket, could the market do its own math and arrive at its own
conclusions.
Between March 2009 and March 2011, the 19 SCAP banks had
raised about $300 bn in capital and the S&P500 had increased
by 65%; by the end, the economy was no longer in recession,
and, arguably, the supervisory agencies had regained credibility.
The non-event of the nondisclosure of the 2011 CCA R suggests
that the market seems content to live in a state of "symmetric
ignorance", to borrow a term from Dang, Gorton, and Holm-
strom (2010). O f course, this might change were the economy to
receive another adverse shock, but until it does, it is not clear
that an EBA-like disclosure regime is necessarily either desirable
or stability-enhancing. In contrast, Europe is not yet out of the
woods (at the time of writing); yet even the EBA was not limit­
less with its disclosure of the 2011 stress test results. It is worth
noting that funding liquidity was also stressed for banks, but
without disclosing the results. Because liquidity positions are
highly dynamic, and thus subject to rapid change, snapshot dis­
closure, especially with a delay (the as-of date for the 2011 EBA
stress test was Y E 2010), is unlikely to be informative at the time
of disclosure.29
Recall the discussion in the introduction: regulatory capital
models (risk weighting), internal economic capital models and
stress testing all have the same goal, namely to determine the
amount of capital needed to support the business (risk taking)
of the bank. Both regulatory and economic capital models (and
especially the former) evolve very slowly, and thus have difficulty
in adapting to financial innovations and rapidly changing macro
conditions. Indeed, some of the innovation is motivated by those
slowly evolving, one-size-fits-all regulatory capital rules. More­
over, bank balance sheets are notoriously opaque and subject to
easy-to-hide asset substitution (higher risk for lower risk assets);
see Morgan (2002). Stress tests, especially macro-prudential
supervisory stress tests, are adapted to the then-current envi­
ronment and bank portfolios by construction. Between balance
sheet opacity, asset substitution and regulatory arbitrage, it is
easy to see the value of a "pop quiz" in the form of bespoke
stress testing (Acharya, Mehran, Schuermann, & Thakor, 2011).
29 Reuters, Sept. 2, 2011, "EBA won't seek disclosure of bank liquidity".
Available at http://www.reuters.com/article/2011/09/02/
idUSL5E7K23PI20110902.
280 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
CONCLUSION
The problem of sizing the amount of capital needed to support a
bank's risk taking is not new, but the use of broad-based super­
visory stress tests for an entire banking system is. The first use of
such tests was in the US in 2009, and its success there has made
it the supervisory and risk management hammer for dealing with
all nails. A critical component of the exercise is the disclosure of
the results. The reason why stress testing became an imperative
was precisely because existing approaches that were publicly dis­
closed, such as regulatory capital ratios, were no longer informa­
tive, and were heavily (if not entirely) discounted by the market.
In order to regain their credibility, supervisory authorities needed
to disclose enough to allow the market to "check the math".
However, broad-based supervisory stress testing has not been
universally successful, as the 2010-2011 European experience
has shown. Nor is it clear how useful such broad supervisory
stress testing with concomitant disclosure would be as a mat­
ter of routine. Its value in the crisis was undoubtedly due to its
"pop quiz" nature. It was sprung on the banks at short notice,
and thus was very difficult for them to manipulate through care­
ful pre-positioning; and it was tailored to the situation at hand,
genuinely revealing new information to all participants and the
public. As a result, trust was regained. Once that trust has been
re-established, the cost-benefit of stress testing disclosures may
tip away from bank-specific towards more aggregated informa­
tion. This still provides the market with unique information (after
all, supervisors have access to proprietary bank data) without
taking away market participants' incentives to produce private
information and trade on it— with all the downstream benefits of
information-rich prices and market discipline.
ACKNOWLEDGMENTS
I would like to thank John Fell, Mark Flannery, Itay Goldstein,
Bengt Holmstrom, Bill Janew ay, Umit Kaya, Ugur Koyluoglu,
Andy Kuritzkes, John Lester, Clinton Lively, Hashem Pesaran,
Brian Peters, Barry Schachter, Hal Scott, and members of the
Committee for Capital Markets Regulation for helpful discus­
sions and suggestions. I am also thankful to Cary Lin for helpful
research assistance, as well as the participants in the workshop
on "Predicting Rare Events" sponsored by the IF/Federal
Reserve Bank of San Francisco. All errors remain mine, of course.
References
Acharya, V. V., Bharath, S. T., & Srinivasan, A. (2007). Does
industry-wide distress affect defaulted firms? Evidence from
creditor recoveries. Jou rn al o f Financial Econom ics, 85, 787-821.
Acharya, V., Mehran, H., Schuermann, T., & Thakor, A. (2011).
R o b u st capital regulation. Federal Reserve Bank of New York
Staff report no. 490.
Allen, L., Boudoukh, J ., & Saunders, A. (2004). U nderstanding
m arket, cre d it and operational risk: the value at risk approach.
Blackwell: New York, NY.
Bangia, A ., Diebold, F. X ., Kronimus, A ., Schagen, C ., &
Schuermann, T. (2002). Ratings migration and the business cycle,
with applications to credit portfolio stress testing. Jou rn al o f
Banking and Finance, 26(2-3), 235-264.
Berkowitz, J . (2000). A coherent framework for stress testing.
Jou rn a l o f Risk, 2, 1-11.
Board of Governors of the Federal Reserve System (2012). Com­
prehensive capital analysis and review 2012: methodology and
results for stress scenario projections. 13 March, 2012. Available
at: http://www.federalreserve.gov/newsevents/press/bcreg/
bcreg20120313a1 .pdf.
Canabarro, E. (2010). Pricing and hedging counterparty risk: les­
sons relearned? In E. Canabarro (Ed.), C oun terparty cred it risk
(C hapter 6). London, UK: Risk Books.
Committee on the Global Financial System (2001). A survey of
stress tests and current practice at major financial institutions.
Available at: http://www.bis.org/publ/cgfs18.htm.
Dang, T.V., Gorton, G ., & Holmstrom, B. (2010). Financial crises and
the optimality o f d e b t for liquidity provision. Working paper. Avail­
able at: http://mfi.uchicago.edu/publications/papers/ignorance-
crisis-and-the-optimality-of-debt-for-liquidity-provision.pdf.
English, W. B. (2002). Interest rate risk and bank net interest
margins. BIS Q uarterly Review , D ecem b er, 67-82.
European Banking Authority (2011). 2011 EU-wide stress test:
methodological note. 18 March 2011. Available at: http://www
.eba.europa.eu/EU-wide-stress-testing/2011/The-EBA-publishes-
details-of-its-stress-test-scena.aspx.
Fender, I., Gibson, M. S., & Mosser, P. C. (2001). An international
survey of stress tests. Current Issues in Economics and Finance,
7(10), Federal Reserve Bank of New York.
Flannery, M. J . (2012). M easuring eq u ity capital fo r stress-testin g
large financial institutions. Working paper.
Foglia, A. (2008). Stress testin g cred it risk: a survey o f authori­
tie s' approaches. Banca d'ltalia occasional paper, No. 37.
Goldstein, I., & Sapra, H. (2012). Sh ou ld banks' stress te st results
b e d isclo se d ? A n analysis o f the co sts and b en efits. Working
paper. Available at: http://finance.wharton.upenn.edu/~itayg/
Files/disclosure.pdf.
Gupton, G . M., Finger, C ., & Bhatia, M. (1997).
C re d itM e tricsT M — technical docum ent. This version: April 2.
J.P. Morgan. Available at: http://www.defaultrisk.com/_pdf6j4/
creditm etrics_techdoc.pdf.
Hopper, G. (2010). Stress testing and scenario analysis: some
second generation approaches. In E. Canabarro (Ed.), Counter­
party credit risk (C hapter 11). London, UK: Risk Books.
Jorion, P. (1996). Value at risk: the new benchm ark for m anaging
financial risk (1st ed.). New York, NY: M cGraw Hill.
Jorion, P. (2007). Value at risk: the new benchm ark for m anaging
financial risk (3rd ed.). New York, NY: McGraw Hill.
Koyluoglu, H. U., & Hickman, A. (1998). Credit risk: reconcilable
differences. Risk, 77(10), 56-62.
Kupiec, P. H. (1998). Stress testing in a value at risk framework.
Jou rn a l o f D erivatives, 6(1), 7-24.
Kuritzkes, A ., & Scott, H. (2009). Markets are the best judge of
bank capital. Financial Tim es, Septem ber 23.
Lester, J ., Reynolds, P, Schuermann, T., & Walsh, D. (2012).
Stra teg ic capital: defining an effective real w orld view o f capital.
Oliver Wyman financial services report. Available at: http://www
.oliverwyman.com/strategic-capital-defining-an-effective-real-
world-view-of-capital.htm.
Morgan, D. P. (2002). Rating banks: risk and uncertainty in an
opaque industry. A m erican Eco n o m ic Review , 92(4), 874-888.
Purnanandam, A. (2007). Interest rate risk management at com­
mercial banks: an empirical investigation. Jou rn a l o f M onetary
Econ om ics, 54, 1769-1808.
Rebonato, R. (2010). C o h eren t stress testin g : a Bayesian
approach to the analysis o f financial stress. New York: John
Wiley & Sons.
Stiroh, K. (2004). Diversification in banking: is noninterest
income the answer? Jou rn a l o f M on ey, C red it and Banking,
36(5), 853-882.
W ilde, T. 1997. C reditRiskT — a credit risk management fram e­
work. Available at: http://www.csfb.com/institutional/research/
assets/creditrisk.pdf.
Wyman, O. (2012a). Bank of Spain stress testing exercise. Avail­
able at: http://www.bde.es/webbde/GAP/Secciones/SalaPrensa/
Informacionlnteres/ReestructuracionSectorFinanciero/Ficheros/
en/informe_oliverwymane.pdf.
Wyman, O. (2012b). Asset quality review and bottom-up stress
test exercise. Available at: http://www.bde.es/f/webbde/
SSICOM /20120928/inform e_ow280912e.pdf.
Chapter 15 Stress Testing Banks ■ 281
Guidance
on Managing
Outsourcing Risk

Learning Objectives
After completing this reading you should be able to:

Explain how risks can arise through outsourcing activities Describe topics and provisions that should be addressed
to third-party service providers and describe elements of in a contract with a third-party service provider.
an effective program to manage outsourcing risk.

Explain how financial institutions should perform due

diligence on third-party service providers.

E x c e rp t is Su p erviso ry L e tte r SR 13-19/CA 13-21 from the B oard o f G overn ors o f the Fed era l R eserve System , D e ce m b e r 2013.
16.1 PURPOSE
In addition to traditional core bank processing and information
technology services, financial institutions1 outsource operational
activities such as accounting, appraisal management, internal
audit, human resources, sales and marketing, loan review, asset
and wealth management, procurement, and loan servicing. The
Federal Reserve is issuing this guidance to financial institutions
to highlight the potential risks arising from the use of service
providers and to describe the elements of an appropriate ser­
vice provider risk management program. This guidance supple­
ments existing guidance on technology service provider (TSP)
risk,1
2 and applies to service provider relationships where busi­
ness functions or activities are outsourced. For purposes of this
guidance, "service providers" is broadly defined to include all
entities3 that have entered into a contractual relationship with a
financial institution to provide business functions or activities.
16.2 RISKS FROM THE USE
OF SERVICE PROVIDERS
The use of service providers to perform operational functions
presents various risks to financial institutions. Some risks are
inherent to the outsourced activity itself, whereas others are
introduced with the involvement of a service provider. If not
managed effectively, the use of service providers may expose
financial institutions to risks that can result in regulatory action,
financial loss, litigation, and loss of reputation. Financial institu­
tions should consider the following risks before entering into
and while managing outsourcing arrangements.
• C om pliance risks arise when the services, products, or activi­
ties of a service provider fail to comply with applicable U.S.
laws and regulations.
• C oncentration risks arise when outsourced services or prod­
ucts are provided by a limited number of service providers or
are concentrated in limited geographic locations.
• Reputational risks arise when actions or poor performance of
a service provider causes the public to form a negative opin­
ion about a financial institution.
1 For purpose of this guidance, a "financial institution" refers to state
member banks, bank and savings and loan holding companies (includ­
ing their nonbank subsidiaries), and U.S. operations of foreign banking
organizations.
2 Refer to the 'FFIEC' Outsourcing Technology Services Booklet (June
2004) at http://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-
services.aspx.
3 Entities may be a bank or nonbank, affiliated or non-affiliated, regu­
lated or non-regulated, or domestic or foreign.
284 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
• C ountry risks arise when a financial institution engages a
foreign-based service provider, exposing the institution to
possible economic, social, and political conditions and events
from the country where the provider is located.
• O perational risks arise when a service provider exposes a finan­
cial institution to losses due to inadequate or failed internal
processes or systems or from external events and human error.
• Legal risks arise when a service provider exposes a financial
institution to legal expenses and possible lawsuits.
16.3 BOARD OF DIRECTORS
AND SENIOR MANAGEMENT
RESPONSIBILITIES
The use of service providers does not relieve a financial insti­
tution's board of directors and senior management of their
responsibility to ensure that outsourced activities are conducted
in a safe-and-sound manner and in compliance with applicable
laws and regulations. Policies governing the use of service
providers should be established and approved by the board
of directors, or an executive committee of the board. These
policies should establish a service provider risk management
program that addresses risk assessments and due diligence,
standards for contract provisions and considerations, ongoing
monitoring of service providers, and business continuity and
contingency planning.
Senior management is responsible for ensuring that board-
approved policies for the use of service providers are appro­
priately executed. This includes overseeing the development
and implementation of an appropriate risk management and
reporting framework that includes elements described in this
guidance. Senior management is also responsible for regularly
reporting to the board of directors on adherence to policies
governing outsourcing arrangements.
16.4 SERVICE PROVIDER RISK
MANAGEMENT PROGRAMS
A financial institution's service provider risk management pro­
gram should be risk-focused and provide oversight and controls
commensurate with the level of risk presented by the outsourc­
ing arrangements in which the financial institution is engaged.
It should focus on outsourced activities that have a substantial
impact on a financial institution's financial condition; are critical
to the institution's ongoing operations; involve sensitive cus­
tomer information or new bank products or services; or pose
material compliance risk.
The depth and formality of the service provider risk manage­
ment program will depend on the criticality, complexity, and
number of material business activities being outsourced. A com­
munity banking organization may have critical business activities
being outsourced, but the number may be few and to highly
reputable service providers. Therefore, the risk management
program may be simpler and use less elements and consider­
ations. For those financial institutions that may use hundreds or
thousands of service providers for numerous business activities
that have material risk, the financial institution may find that they
need to use many more elements and considerations of a ser­
vice provider risk management program to manage the higher
level of risk and reliance on service providers.
While the activities necessary to implement an effective service
provider risk management program can vary based on the scope
and nature of a financial institution's outsourced activities, effec­
tive programs usually include the following core elements:
A. Risk assessments;
B. Due diligence and selection of service providers;
C. Contract provisions and considerations;
D. Incentive compensation review;
E. Oversight and monitoring of service providers; and
F. Business continuity and contingency plans.
A. Risk Assessments
Risk assessment of a business activity and the implications of
performing the activity in-house or having the activity per­
formed by a service provider are fundamental to the decision
of whether or not to outsource. A financial institution should
determine whether outsourcing an activity is consistent with
the strategic direction and overall business strategy of the
organization. After that determination is made, a financial insti­
tution should analyze the benefits and risks of outsourcing the
proposed activity as well as the service provider risk, and deter­
mine cost implications for establishing the outsourcing arrange­
ment. Consideration should also be given to the availability
of qualified and experienced service providers to perform the
service on an ongoing basis. Additionally, management should
consider the financial institution's ability and expertise to pro­
vide appropriate oversight and management of the relationship
with the service provider.
This risk assessment should be updated at appropriate intervals
consistent with the financial institution's service provider risk
management program. A financial institution should revise its
risk mitigation plans, if appropriate, based on the results of the
updated risk assessment.
Chapter 16 Guidance on Managing Outsourcing Risk
B. Due Diligence and Selection of Service
Providers
A financial institution should conduct an evaluation of and
perform the necessary due diligence for a prospective service
provider prior to engaging the service provider. The depth and
formality of the due diligence performed will vary depending
on the scope, complexity, and importance of the planned out­
sourcing arrangement, the financial institution's familiarity with
prospective service providers, and the reputation and industry
standing of the service provider. Throughout the due diligence
process, financial institution technical experts and key stake­
holders should be engaged in the review and approval process
as needed. The overall due diligence process includes a review
of the service provider with regard to:
1. Business background, reputation, and strategy;
2. Financial performance and condition; and
3. Operations and internal controls.
1. Business Background, Reputation, and Strategy
Financial institutions should review a prospective service pro­
vider's status in the industry and corporate history and qualifi­
cations; review the background and reputation of the service
provider and its principals; and ensure that the service provider
has an appropriate background check program for its employees.
The service provider's experience in providing the proposed ser­
vice should be evaluated in order to assess its qualifications and
competencies to perform the service. The service provider's busi­
ness model, including its business strategy and mission, service
philosophy, quality initiatives, and organizational policies should be
evaluated. Financial institutions should also consider the resiliency
and adaptability of the service provider's business model as factors
in assessing the future viability of the provider to perform services.
Financial institutions should check the service provider's references
to ascertain its performance record, and verify any required licenses
and certifications. Financial institutions should also verify whether
there are any pending legal or regulatory compliance issues (for
example, litigation, regulatory actions, or complaints) that are asso­
ciated with the prospective service provider and its principals.
2. Financial Performance and Condition
Financial institutions should review the financial condition of the
service provider and its closely-related affiliates. The financial
review may include:
• The service provider's most recent financial statements and
annual report with regard to outstanding commitments, capi­
tal strength, liquidity and operating results.
■ 285
• The service provider's sustainability, including factors such as
the length of time that the service provider has been in busi­
ness and the service provider's growth of market share for a
given service.
• The potential impact of the financial institution's business
relationship on the service provider's financial condition.
• The service provider's commitment (both in terms of financial
and staff resources) to provide the contracted services to the
financial institution for the duration of the contract.
• The adequacy of the service provider's insurance coverage.
• The adequacy of the service provider's review of the financial
condition of any subcontractors.
• Other current issues the service provider may be facing that
could affect future financial performance.
3. Operations and Internal Controls
Financial institutions are responsible for ensuring that services
provided by service providers comply with applicable laws and
regulations and are consistent with safe-and-sound banking
practices. Financial institutions should evaluate the adequacy of
standards, policies, and procedures. Depending on the charac­
teristics of the outsourced activity, some or all of the following
may need to be reviewed:
• Internal controls;
• Facilities management (such as access requirements or shar­
ing of facilities);
• Training, including compliance training for staff;
• Security of systems (for example, data and equipment);
• Privacy protection of the financial institution's confidential
information;
• Maintenance and retention of records;
• Business resumption and contingency planning;
• Systems development and maintenance;
• Service support and delivery;
• Employee background checks; and
• Adherence to applicable laws, regulations, and supervisory
guidance.
C. Contract Provisions and Considerations
Financial institutions should understand the service contract
and legal issues associated with proposed outsourcing arrange­
ments. The terms of service agreements should be defined in
written contracts that have been reviewed by the financial insti­
tution's legal counsel prior to execution. The characteristics of
the business activity being outsourced and the service provider's
286 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
strategy for providing those services will determine the terms
of the contract. Elements of well-defined contracts and service
agreements usually include:
• S c o p e : Contracts should clearly define the rights and respon­
sibilities of each party, including:
• Support, maintenance, and customer service;
• Contract timeframes;
• Compliance with applicable laws, regulations, and regula­
tory guidance;
• Training of financial institution employees;
• The ability to subcontract services;
• The distribution of any required statements or disclosures
to the financial institution's customers;
• Insurance coverage requirements; and
• Terms governing the use of the financial institution's prop­
erty, equipment, and staff.
• Cost and com pensation: Contracts should describe the
compensation, variable charges, and any fees to be paid
for non-recurring items and special requests. Agreements
should also address which party is responsible for the pay­
ment of any legal, audit, and examination fees related to
the activity being performed by the service provider. Where
applicable, agreements should address the party responsible
for the expense, purchasing, and maintenance of any equip­
ment, hardware, software or any other item related to the
activity being performed by the service provider. In addition,
financial institutions should ensure that any incentives (for
example, in the form of variable charges, such as fees and/or
commissions) provided in contracts do not provide potential
incentives to take imprudent risks on behalf of the institution.
• Right to audit: Agreements may provide for the right of the
institution or its representatives to audit the service provider
and/or to have access to audit reports. Agreements should
define the types of audit reports the financial institution will
receive and the frequency of the audits and reports.
• Establishm ent and m onitoring o f p erfo rm a n ce standards:
Agreements should define measurable performance stan­
dards for the services or products being provided.
• Confidentiality and secu rity o f inform ation: Consistent with
applicable laws, regulations, and supervisory guidance, ser­
vice providers should ensure the security and confidentiality
of both the financial institution's confidential information and
the financial institution's customer information. Information
security measures for outsourced functions should be viewed
as if the activity were being performed by the financial insti­
tution and afforded the same protections. Financial institu­
tions have a responsibility to ensure service providers take
 appropriate measures designed to meet the objectives of the
information security guidelines within Federal Financial Insti­
tutions Examination Council (FFIEC) guidance,4 as well as
comply with section 501(b) of the Gramm-Leach-Bliley Act.
These measures should be mapped directly to the security
processes at financial institutions, as well as be included or
referenced in agreements between financial institutions and
service providers.
Service agreements should also address service provider use
of financial institution information and its customer informa­
tion. Information made available to the service provider
should be limited to what is needed to provide the con­
tracted services. Service providers may reveal confidential
supervisory information only to the extent authorized under
applicable laws and regulations.5
If service providers handle any of the financial institution cus­
tomer's Nonpublic Personal Information (NPPI), the service
providers must comply with applicable privacy laws and regu­
lations.6 Financial institutions should require notification from
service providers of any breaches involving the disclosure of
NPPI data. Generally, NPPI data is any nonpublic personally
identifiable financial information; and any list, description, or
other grouping of consumers (and publicly available informa­
tion pertaining to them) derived using any personally identifi­
able financial information that is not publicly available.7
Financial institutions and their service providers who main­
tain, store, or process NPPI data are responsible for that
information and any disclosure of it. The security of, retention
of, and access to NPPI data should be addressed in any con­
tracts with service providers.
When a breach or compromise of NPPI data occurs, financial
institutions have legal requirements that vary by state and
these requirements should be made part of the contracts
between the financial institution and any service provider that
provides storage, processing, or transmission of NPPI data.
Misuse or unauthorized disclosure of confidential customer
data by service providers may expose financial institutions
to liability or action by a federal or state regulatory agency.
Contracts should clearly authorize and disclose the roles and
responsibilities of financial institutions and service providers
regarding NPPI data.
4 For further guidance regarding vendor security practices, refer to the
'FFIEC' Information Security Booklet (July 2006) at http://ithandbook.
ffiec.gov/it-booklets/infornnation-security.aspx.
5 See 12 CFR Part 261.
6 See 12 CFR Part 1016.
7 See 12 U.S.C. 6801(b).
Chapter 16 Guidance on Managing Outsourcing Risk
• O w n ersh ip and license: Agreements should define the abil­
ity and circumstances under which service providers may use
financial institution property inclusive of data, hardware, soft­
ware, and intellectual property. Agreements should address
the ownership and control of any information generated by
service providers. If financial institutions purchase software
from service providers, escrow agreements may be needed
to ensure that financial institutions have the ability to access
the source code and programs under certain conditions.8
• Indem nification: Agreements should provide for service pro­
vider indemnification of financial institutions for any claims
against financial institutions resulting from the service pro­
vider's negligence.
• D efault and term ination: Agreements should define events
of a contractual default, list of acceptable remedies, and pro­
vide opportunities for curing default. Agreements should also
define termination rights, including change in control, merger
or acquisition, increase in fees, failure to meet performance
standards, failure to fulfill the contractual obligations, failure
to provide required notices, and failure to prevent viola­
tions of law, bankruptcy, closure, or insolvency. Contracts
should include termination and notification requirements that
provide financial institutions with sufficient time to transfer
services to another service provider. Agreements should also
address a service provider's preservation and timely return of
financial institution data, records, and other resources.
• D ispute resolution: Agreements should include a dispute
resolution process in order to expedite problem resolution
and address the continuation of the arrangement between
the parties during the dispute resolution period.
• Limits on liability: Service providers may want to contractually
limit their liability. The board of directors and senior manage­
ment of a financial institution should determine whether the
proposed limitations are reasonable when compared to the
risks to the institution if a service provider fails to perform.9
• Insurance: Service providers should have adequate insurance
and provide financial institutions with proof of insurance.
Further, service providers should notify financial institutions
when there is a material change in their insurance coverage.
8 Escrow agreements are established with vendors when buying or leas­
ing products that have underlying proprietary software. In such agree­
ments, an organization can only access the source program code under
specific conditions, such as discontinued product support or financial
insolvency of the vendor.
9 Refer to SR letter 06-4, "Interagency Advisory on the Unsafe and
Unsound Use of Limitations on Liability Provisions in External Audit
Engagement Letters," regarding restrictions on the liability limitations
for external audit engagements at http://www.federalreserve.gov/
boarddocs/srletters/2006/SR0604.htm.
■ 287
• C u sto m e r com plaints: Agreements should specify the
responsibilities of financial institutions and service provid­
ers related to responding to customer complaints. If service
providers are responsible for customer complaint resolu­
tion, agreements should provide for summary reports to
the financial institutions that track the status and resolution
of complaints.
• Business resum ption and co n tin g en cy plan o f the service
p ro vid er: Agreements should address the continuation of
services provided by service providers in the event of opera­
tional failures. Agreements should address service provider
responsibility for backing up information and maintaining
disaster recovery and contingency plans. Agreements may
include a service provider's responsibility for testing of plans
and providing testing results to financial institutions.
• Fo reig n -b a sed service p ro vid ers: For agreements with
foreign-based service providers, financial institutions should
consider including express choice of law and jurisdictional
provisions that would provide for the adjudication of all dis­
putes between the two parties under the laws of a single,
specific jurisdiction. Such agreements may be subject to
the interpretation of foreign courts relying on local laws.
Foreign law may differ from U.S. law in the enforcement of
contracts. As a result, financial institutions should seek legal
advice regarding the enforceability of all aspects of proposed
contracts with foreign-based service providers and the other
legal ramifications of such arrangements.
• Su b con tra ctin g : If agreements allow for subcontracting, the
same contractual provisions should apply to the subcontrac­
tor. Contract provisions should clearly state that the primary
service provider has overall accountability for all services that
the service provider and its subcontractors provide. A gree­
ments should define the services that may be subcontracted,
the service provider's due diligence process for engaging and
monitoring subcontractors, and the notification and approval
requirements regarding changes to the service provider's
subcontractors. Financial institutions should pay special
attention to any foreign subcontractors, as information secu­
rity and data privacy standards may be different in other juris­
dictions. Additionally, agreements should include the service
provider's process for assessing the subcontractor's financial
condition to fulfill contractual obligations.
D. Incentive Compensation Review
Financial institutions should also ensure that an effective process
is in place to review and approve any incentive compensation
that may be embedded in service provider contracts, including
288 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
a review of whether existing governance and controls are
adequate in light of risks arising from incentive compensation
arrangements. As the service provider represents the institu­
tion by selling products or services on its behalf, the institution
should consider whether the incentives provided might encour­
age the service provider to take imprudent risks. Inappropri­
ately structured incentives may result in reputational damage,
increased litigation, or other risks to the financial institution.
An example of an inappropriate incentive would be one where
variable fees or commissions encourage the service provider to
direct customers to products with higher profit margins without
due consideration of whether such products are suitable for
the customer.
E. Oversight and Monitoring of Service
Providers
To effectively monitor contractual requirem ents, financial
institutions should establish acceptable perform ance metrics
that the business line or relationship m anagem ent determ ines
to be indicative of acceptable perform ance levels. Financial
institutions should ensure that personnel with oversight and
management responsibilities for service providers have the
appropriate level of expertise and stature to manage the
outsourcing arrangem ent. The oversight process, including
the level and frequency of management reporting, should be
risk-focused. Higher risk service providers may require more
frequent assessm ent and monitoring and may require finan­
cial institutions to designate individuals or a group as a point
of contact for those service providers. Financial institutions
should tailor and implement risk mitigation plans for higher
risk service providers that may include processes such as addi­
tional reporting by the service provider or heightened moni­
toring by the financial institution. Further, more frequent and
stringent monitoring is necessary for service providers that
exhibit perform ance, financial, com pliance, or control con­
cerns. For lower risk service providers, the level of monitoring
can be lessened.
Financial condition: Financial institutions should have estab­
lished procedures to monitor the financial condition of service
providers to evaluate their ongoing viability. In performing
these assessments, financial institutions should review the
most recent financial statements and annual report with regard
to outstanding commitments, capital strength, liquidity and
operating results. If a service provider relies significantly on
subcontractors to provide services to financial institutions, then
the service provider's controls and due diligence regarding the
subcontractors should also be reviewed.
Internal controls: For significant service provider relationships,
financial institutions should assess the adequacy of the provider's
control environment. Assessments should include reviewing
available audits or reports such as the American Institute of
Certified Public Accountants' Service Organization Control
2 report.101If the service provider delivers information technology
services, the financial institution can request the FFIEC Technol­
ogy Service Provider examination report from its primary federal
regulator. Security incidents at the service provider may also
necessitate the institution to elevate its monitoring of the
service provider.
Escalation o f o versig h t activities: Financial institutions should
ensure that risk management processes include triggers to
escalate oversight and monitoring when service providers are
failing to meet performance, compliance, control, or viability
expectations. These procedures should include more frequent
and stringent monitoring and follow-up on identified issues,
on-site control reviews, and when an institution should exercise
its right to audit a service provider's adherence to the terms of
the agreement. Financial institutions should develop criteria for
engaging alternative outsourcing arrangements and terminating
the service provider contract in the event that identified issues
are not adequately addressed in a timely manner.
F. Business Continuity and Contingency
Considerations
Various events may affect a service provider's ability to provide
contracted services. For example, services could be disrupted by
a provider's performance failure, operational disruption, financial
difficulty, or failure of business continuity and contingency plans
during operational disruptions or natural disasters. Financial insti­
tution contingency plans should focus on critical services pro­
vided by service providers and consider alternative arrangements
in the event that a service provider is unable to perform .11 When
preparing contingency plans, financial institutions should:
• Ensure that a disaster recovery and business continuity plan
exists with regard to the contracted services and products;
• Assess the adequacy and effectiveness of a service provider's
disaster recovery and business continuity plan and its align­
ment to their own plan;
10 Refer to www.AICPA.org.
11 For further guidance regarding business continuity planning with ser­
vice providers, refer to the 'FFIEC' Business Continuity Booklet (March
2008) at http://ithandbook.ffiec.gov/it-booklets/business-continuity-
planning.aspx.
Chapter 16 Guidance on Managing Outsourcing Risk
• Document the roles and responsibilities for maintaining and
testing the service provider's business continuity and contin­
gency plans;
• Test the service provider's business continuity and contin­
gency plans on a periodic basis to ensure adequacy and
effectiveness; and
• Maintain an exit strategy, including a pool of comparable ser­
vice providers, in the event that a contracted service provider
is unable to perform.
G. Additional Risk Considerations
S u sp icio u s A c tiv ity R e p o r t (SAR) re p o rtin g fu n ctio n s:
The confidentiality of suspicious activity reporting makes
the outsourcing of any SAR-related function more com plex.
Financial institutions need to identify and monitor the risks
associated with using service providers to perform certain
suspicious activity reporting functions in com pliance with
the Bank Secrecy A ct (BSA). Financial institution m anage­
ment should ensure they understand the risks associated
with such an arrangem ent and any BSA-specific guidance in
this area.
F o re ig n -b a se d se rv ice p ro v id e rs: F inancial institutions should
ensure that foreign-based service providers are in compliance
with applicable U.S. laws, regulations, and regulatory guid­
ance. Financial institutions may also want to consider laws
and regulations of the foreign-based provider's country or
regulatory authority regarding the financial institution's ability
to perform on-site review of the service provider's operations.
In addition, financial institutions should consider the authority
or ability of home country supervisors to gain access to the
financial institution's custom er information while examining the
foreign-based service provider.
Internal audit: Financial institutions should refer to existing
guidance on the engagement of independent public accounting
firms and other outside professionals to perform work that has
been traditionally carried out by internal auditors.12 The
Sarbanes-Oxley Act of 2002 specifically prohibits a registered
12 Refer to SR 13-1, "Supplemental Policy Statement on the Internal
Audit Function and Its Outsourcing," specifically the section titled,
"Depository Institutions Subject to the Annual Audit and Reporting
Requirements of Section 36 of the FDI Act" at http://www.federalreserve
,gov/bankinforeg/srletters/sr1301.htm. Refer also to SR 03-5, "Amended
Interagency Guidance on the Internal Audit Function and Its Outsourc­
ing," particularly the section titled, "Institutions Not Subject to Section
36 of the FDI Act That Are Neither Public Companies Nor Subsidiaries of
Public Companies" at http://www.federalreserve.gov/boarddocs/
srletters/2003/sr0305.htm.
■ 289
public accounting firm from performing certain non-audit ser­
vices for a public company client for whom it performs financial
statement audits.
Risk m anagem ent a ctivities: Financial institutions may out­
source various risk management activities, such as aspects of
interest rate risk and model risk management. Financial institu­
tions should require service providers to provide information
that demonstrates developmental evidence explaining the
product components, design, and intended use, to determine
whether the products and/or services are appropriate for the
290 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
institution's exposures and risks.13 Financial institutions should
also have standards and processes in place for ensuring that ser­
vice providers offering model risk management services, such as
validation, do so in a way that is consistent with existing model
risk management guidance.
13 Refer to SR 11-7, "Guidance on Model Risk Management" which informs
financial institutions of the importance and risk to the use of models and
the supervisory expectations that financial institutions should adhere to
http://www.federalreserve.gov/bankinforeg/srletters/sr1107.htm.
Management of
Risks Associated
with Money
Laundering
and Financing
of Terrorism
Learning Objective
After completing this reading you should be able to:

Explain best practices recommended for the assessment,

management, mitigation, and monitoring of money
laundering and financial terrorism (ML/FT) risks.

By M ark Carey o f the G A R P Risk Institute.

Many nations and international bodies have developed laws,
regulations or guidelines focused on limiting the use of banking
services to support criminal activities, particularly money laun­
dering (ML) or financing of terrorism (FT). Though involvement
with ML or FT is an operational risk, management of this risk
has become a separate subfield due to the intensity of regula­
tory attention to the issue, the significant level of fines, and the
creativity of criminals and terrorists.
This chapter summarizes the Basel Committee's 2016 "Sound
Management of Risks Related to Money Laundering and Financing
of Terrorism," as well as some of the Financial Action Task Force's
(FATF) 2016 "The FATF Recommendations" and other documents.
Note that this chapter is only an overview. Risk managers in areas
where management of ML/FT risks is central should examine this
topic in further readings and undergo any requisite training.
17.1 BACKGROUND
Criminals and terrorists use payment services to finance their
activities, or to convert funds linked to criminal activity (includ­
ing tax evasion) to an untainted or laundered form. Because
banks are at the heart of the global payment system, they are
uniquely vulnerable to being ensnared in such activities, which
can expose them to reputational losses, fines, convictions, and
restrictions on their ability to do business.
In addition to the usual attention to governance arrangements,
policies and procedures, M L/FT risk management includes some
specific activities that supervisors and other authorities expect
at every bank:
• Risk assessment
• Customer due diligence and acceptance (CDD) [aka Know
Your Customer (KYC)]
• Transaction and other monitoring
• Reporting of suspicious activity and freezing assets
• Addressing risks associated with global operations
• Attention to third-party risk and correspondent banking risks
• Awareness of an array of official sector pronouncements.
Among the most important are standards issued by the
Financial Action Task Force (FATF), an intergovernmental
coordinating body.*1
A 3. Internal auditors and/or external equivalents should
FATF, "International Standards on Combating Money Laundering
and the Financing of Terrorism and Proliferation," February 2012; and
"Methodology" February 2013.
292 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Some others appear in the list of references at the end of this
chapter.
On Decem ber 3, 2018, several financial regulatory agencies
of the U.S. government issued a "Jo int Statement on Innovative
Efforts to Com bat Money Laundering and Terrorist Financing,"
which expressed their openness to "innovative efforts" and
noted that some banks have been experimenting with machine
learning models and digital identity technologies to identify
risks, monitor transactions, and aid in the reporting of suspi­
cious activity. To date, Bank Secrecy Act (BSA) and Anti-Money
Laundering (AML) supervisory activity in the United States has
focused on compliance, with detailed guidance influencing
bank internal procedures. The agencies state that any flaws
found in banks' internal procedures as a result of innovative
activities will not be used against these firms by supervisors.
Although the agencies imply that internal procedures might
someday be permitted to depart from existing compliance
requirements where innovations are successful, they also imply
that for the moment banks must continue to satisfy existing
compliance requirements.
17.2 APPLICATION OF STANDARD
PRACTICES
Banks should apply (though not limit themselves to) standard
risk management practices:
• G overnance: The board of directors should approve and
oversee risk assessm ents, policies, organization, risk
management and com pliance in the specific context
of ML/FT. To that end, a chief M L/FT officer should be
appointed.
• As in other risk areas, banks are expected to have three lines
of defense
1. Business units must identify, assess and control M L/FT
risks; have written policies and procedures as well as
em ployee training; and screen potential em ployees.
2. The risk function and/or the function under the chief
ML/FT officer must monitor the effectiveness of first line
management of ML/FT risks and compliance with all
policies and procedures. Conflicts of interest on the part
of second line employees should be avoided. The chief
ML/FT officer should have direct reporting lines to senior
management or the board.
independently evaluate M L/FT risk m anagem ent and
controls.
17.3 RISK ASSESSMENT
Banks should assess and understand the M L/FT risks inherent
within their businesses and customer base:
• All relevant risk factors at the country, sector, bank and
business relationship levels should be considered. Charac­
teristics of the customer base, products and services offered,
and delivery channels should be considered.
• For each customer or business relationship, a profile of
normal activity should be built to support identification of
abnormal activity.
• Risk assessments should be documented for potential
inspection by authorities.
• International banks should be attentive to national risk
assessments and country reports.
17.4 CUSTOMER DUE DILIGENCE
AND ACCEPTANCE*•
Some customers pose a low risk of involving a bank in ML/FT
activity (e.g., a long established client employed in the commu­
nity with regular, small account inflows and outflows) and some
pose a high risk (e.g., a person with a past record of criminal
activity with large and intermittent account inflows and outflows).
If a bank chooses to do business with a high-risk customer,
more intensive ongoing monitoring of that customer's activity is
needed. Moreover, to classify customers by level of risk, a bank
should have well-developed customer identification and accep­
tance policies and procedures. Such policies and procedures
should not prevent the general public, nor people who are finan­
cially or socially disadvantaged, from accessing banking services.
• Written policies and procedures should exist to ensure that
a customer is not accepted, and business is not done, until
the customer's identity has been satisfactorily established.
Reliable, independent source documents and information
should be used in identification. Consideration should be
given to a customer's home jurisdiction(s), including whether
that jurisdiction is known to have ML/FT deficiencies. The
reasons the customer is opening accounts should also be
considered.
• Politically exposed persons (PEP), such as former high gov­
ernment officials, pose higher risk given the possibility that
some wealth may have been obtained through corruption.
• Consider the potential customer's background, occupation,
source of wealth and income, and country of origin and
residence.
Chapter 17 Management of Risks Associated with Money Laundering and Financing of Terrorism
• Though information about a customer's previous banking
relationships may be helpful, the fact that a customer previ­
ously had accounts at another bank is not sufficient to classify
the customer as low-risk or as well-identified. For example,
the previous bank may have ejected the customer due to
ML/FT concerns.
• Due diligence and monitoring may be more com plex for
banks operating internationally, particularly for those
operating in jurisdictions that do not permit customer
information to cross borders. However, information should
be combined and analyzed across the group as much as
possible.
• In some jurisdictions, banks may be permitted to rely on
third parties for some customer due diligence. Banks should
ensure that the third parties' own management of ML/FT
risks is sound and are ultimately responsible even if deci­
sions are made by third parties. Arrangements, controls and
reviews should be documented.
17.5 TRANSACTION AND OTHER
MONITORING AND REPORTING
Banks should monitor customer and transaction activity for
unusual patterns to identify potential ML/FT activity.
• A profile of normal activity and transactions must be built
in order to aid identification of abnormal activity, such as
unusual business relationships and transactions.
• The higher the assessment of the risk posed by a customer,
the more intense and wide-ranging the monitoring.
• Changes in a customer's risk profile should trigger changes in
the intensity of monitoring.
• Monitoring should cover all accounts and transactions.
• CDD information should be used.
• The larger and more complex the bank and its businesses,
and the more international its operations, the more likely that
automated monitoring applications will be needed.
• Monitoring activity should be documented.
• Especially where required by law, suspicious activity revealed
by monitoring should be reported to appropriate law
enforcement authorities.
17.6 CORRESPONDENT BANKING
Correspondent banking involves the provision of banking ser­
vices by one bank to another bank. O f most concern in the
■ 293
context of ML/FT is execution of cross-border payments by a
correspondent bank for a respondent bank's customer.
• Because the correspondent bank does not have a rela­
tionship with the ultimate customer, it must perform due
diligence on the respondent bank. Details of the services
provided and of counterparties are relevant to the risk.
The quality of the respondent banks' management of ML/
FT risks is vitally important. As such, due diligence must
be done on such management, and agreem ents among
correspondent and respondent banks should set out
responsibilities.
• Some correspondent banking activity involves nested
respondent banks (i.e., the ultimate customer may have a
relationship with the respondent bank's respondent bank).
For example, a small bank might use a medium-sized bank,
which in turn uses a large international bank as correspon­
dent. Though many legitimate transactions and activities are
conducted through such nested relationships, ML/FT risks are
higher. This is especially true if relationships among respon­
dent banks cross borders.
• When information about the risk changes, termination of
correspondent banking relationships with a respondent bank
may be appropriate.
17.7 WIRE TRANSFERS
Wire transfers are accomplished by sending payment messages
among banks. Information about the originating bank and the
customer should appear in the messages, and such information
should be monitored.
294 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
17.8 INTERNATIONAL SCOPE
Banks with a presence in multiple countries should:
• Understand and abide by laws and regulations in each
country. If a country's laws and regulations prevent adequate
management of ML/FT risks, consider cessation of business
in the country.
• Apply consistent group-wide policies and procedures.
• Share information across the group and usie groupwide
information and understanding in monitoring and risk
assessment.
Good official-sector supervisory examination and enforcement
in each country of bank management of M L/FT risks is important
to global containment of M L/FT activity.
References
Basel Committee on Banking Supervision, 2016, "Sound Manage­
ment of Risks Related to Money Laundering and Financing of
Terrorism."
Financial Action Task Force, 2016, "The FATF Recommendations."
Board of Governors of the Federal Reserve System, Federal
Deposit Insurance Corporation, Financial Crimes Enforce­
ment Network, National Credit Union Administration, Office
of the Comptroller of the Currency, 2018, "Joint Statement on
Innovative Efforts to Combat Money Laundering and Terrorist
Financing."
Regulation of the
Derivatives
Market
Learning Objectives
After completing this reading you should be able to:

Summarize the clearing process in O TC derivatives

markets.

Describe changes to the regulation of O TC derivatives

which took place after the 2007-2009 financial crisis and
explain the impact of these changes.

E x c e rp t is C h a p ter 17 of Risk Management and Financial Institutions, Fifth Edition, by Jo h n C. Hull.

The exchange-traded market is a market where products devel­
oped by an exchange are bought and sold on a trading platform
developed by the exchange. A market participant's trade must
be cleared by a member of the exchange clearing house. The
exchange clearing house requires margin (i.e., collateral) from
its members, and the members require margin from the brokers
whose trades they are clearing. The brokers in turn require mar­
gin from their clients.
The O TC market is a market where financial institutions, fund
managers, and corporate treasurers deal directly with each other.
An exchange is not involved. Before the 2007-2008 credit crisis,
the O TC market was largely unregulated. Two market participants
could enter into any trade they liked. They could agree to post
collateral or not post collateral. They could agree to clear the
trade directly with each other or use a third party. Also, they were
under no obligation to disclose details of the trade to anyone else.
Since the crisis, the O TC market has been subject to a great
deal of regulation. This chapter will explain the regulations and
show that regulatory pressure is leading to the O TC market
becoming more like the exchange-traded market.
18.1 CLEARING IN OTC MARKETS
We start by describing how transactions are cleared in the
O TC market. There are two main approaches: central clear­
ing and bilateral clearing. They are illustrated schematically in
Figure 18.1 (which makes the simplifying assumption that there
are only eight market participants and only one CCP). In bilateral
clearing, market participants clear transactions with each other.
In central clearing, a third party, known as a central counterparty
(CCP), clears the transactions.
Margin
Before proceeding to describe bilateral and central clearing
in more detail, we review the operation of margin accounts.
Margin is the word now used to describe the collateral posted
in O TC markets as well as exchange-traded markets.
Bilateral clearing Clearing through a single CCP
F ia u re 18.1 Bilateral and central clearing .
296 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Variation margin is the collateral posted to reflect the change in
the value of a derivatives portfolio. Consider the situation where
Party A is trading with Party B and the collateral agreement
states that variation margin (with no threshold or minimum
transfer amount) has to be posted by both sides.1 This means
that, if the value of outstanding transactions changes during a
day so that they increase in value by $X to A (and therefore
decrease in value by $X to B), B has to provide A with $X of
acceptable collateral. The cumulative effect of variation margin
is that, if outstanding derivatives have a value of + $ V to A and
—$ V to B at a particular time, B should have posted a total of %V
of collateral with A by that tim e.*2
Variation margin provides some protection against a counterparty
default. It would provide total protection in an ideal world where
(a) the counterparty never owes any variation margin at the time
of default and (b) all outstanding positions can be replaced at
mid-market prices as soon as the counterparty defaults.
In practice, defaulting counterparties often stop posting collateral
several days before they default, and the non-defaulting
counterparty is usually subject to a bid-offer spread as it replaces
transactions.3 To allow for adverse movements in the value of the
portfolio during a period prior to defaulting when no margin is
being posted, market participants sometimes require initial mar­
gin in addition to variation margin. Note that, in this context,
adverse market movements are increases in the value of the port­
folio to the non-defaulting party, not decreases. This is because
increases in the value during a period when variation margin is not
being posted lead to increases in replacement costs.4 Initial mar­
gin, which can change through time as the outstanding portfolio
and relevant volatilities change, reflects the risk of a loss due to
adverse market moves and the costs of replacing transactions.5
A
A and B could be two derivatives dealers or a derivatives dealer and
one of its clients. Also, one of A and B could be a CCP. A threshold is a
minimum value of the portfolio to one side before it can demand mar­
gin, and the minimum transfer amount is the minimum change in value
necessary for a margin to have to be posted.
2 In this context, note that if A buys an option from B for $10,000, it
must pay $10,000 to B, but B must then return the $10,000 to A as varia­
tion margin.
3 As explained later, the non-defaulting counterparty is able to claim
from the defaulting party the cost related to the bid-offer spread that it
would incur in replacing the transaction.
4 It may seem strange that a market participant would be worried about
the value of its transactions increasing. But suppose a transaction with a
defaulting counterparty is hedged with another transaction entered into
with another counterparty (as is often the case). The transaction with the
other party can be expected to lose value without any compensating
gain on the defaulted transaction.
5 As indicated earlier, the non-defaulting party is allowed to keep all
margin posted by the defaulting party up to the amount that can be
legitimately claimed.
Most margin is cash, but the agreements in place may specify
that securities can be posted instead of cash. The securities
may be subject to a h a ircu t This means that the market value
of the securities is reduced to determine their value for margin
purposes. For example, a Treasury bond might be subject to
a 10% haircut, indicating that, if its market value were $100, it
would cover only $90 of a margin requirement.
Should cash margin earn interest? There is a difference between
futures markets and O TC markets here. A futures exchange clear­
ing house requires both initial margin and variation margin from
members. Members earn interest on the initial margin. But they
do not do so on variation margin because futures contracts are
settled daily so that variation margin does not belong to the mem­
ber posting it. In the case of O TC trades, interest is usually earned
on all cash margin posted because trades are not settled daily.
Central Clearing
In central clearing, a central counterparty (CCP) handles the
clearing. A CCP operates very much like an exchange clearing
house. When two companies, A and B, agree to an over-the-
counter derivatives transaction and decide to clear it centrally,
they present it to a CCP. Assuming that the CCP accepts it, the
CCP acts as an intermediary and enters into offsetting transac­
tions with the two companies.
Suppose, for example, that the transaction is an interest rate
swap where company A pays a fixed rate of 5% to company B
on a principal of $100 million for five years and company B pays
LIBOR to company A on the same principal for the same period
of time. Two separate transactions are created. Company A has
a transaction with the C C P where it pays 5% and receives LIBOR
on $100 million. Company B has a transaction with the CCP
where it pays LIBOR and receives 5% on $100 million. The two
companies no longer have credit exposure to each other. This is
illustrated in Figure 18.2. If one or both parties to the transac­
tion are not members of the CCP, they can clear the transaction
through members.
Three large CCPs are
1. SwapCIear (part of LCH Clearnet in London),
2. ClearPort (part of the CM E Group in Chicago), and
3. ICE Clear Credit (part of the Intercontinental Exchange).
A CCP requires its members to provide initial margin and varia­
tion margin for the transactions being cleared. Typically, the
initial margin is calculated so that there is a 99% probability that
it will cover market moves over five days. This protects the CCP
from losses as it tries to close out or replace the positions of a
defaulting member.
Chapter 18 Regulation of the OTC Derivatives Market
The OTC Trade
Role of CCP
F ia u re 1 8 .2 Role of C C P in O T C m arkets.
Consider the swap in Figure 18.2. Suppose for simplicity that
it is the only transaction each side has with the CCP. The CCP
might require an initial margin of $0.5 million from each side. If,
on the first day, interest rates fall so that the value of the swap
to A goes down by $100,000, Party A would be required to pay
a variation margin equal to this to the CCP, and the CCP would
be required to pay the same amount to B. There could also be
a change to the initial margin requirements determined by the
CCP. If required margin is not paid by one of its members, the
CCP closes out its transactions with that member. Cash and
Treasury instruments are usually accepted as margin by CCPs.
Typically the interest rate paid on cash balances is close to the
overnight federal funds rate for U.S. dollars (and close to similar
overnight rates for other currencies).
In practice, market participants are likely to have multiple
transactions outstanding with the CCP at any given time. The
initial margin required from a participant at any given time
reflects the volatility of the value of its total position with the
CCP. The role of a CCP in the O TC market is similar to the
role of a clearing house in the exchange-traded market. The
main difference is that transactions handled by the CCP are
usually less standard than transactions in the exchange-traded
market so that the calculation of margin requirements is more
complicated.
The key advantage of clearing a transaction through a CCP
is that O TC market participants do not need to worry about
the creditworthiness of the counterparties they trade with.
Credit risk is handled by the C C P using initial and variation
margin.
A CCP requires its members to contribute to a default fund.
(As mentioned, if one or both parties to a transaction are not
members of the CCP, they can clear the transaction through
members. They will then have to post margin with the mem­
bers.) If a member fails to post margin when required, the
member is in default and its positions are closed out. In closing
out a member's positions, the C C P may incur a loss. A waterfall
■ 297
defines who bears the loss. The order in which the loss is funded
is usually as follows:
1. The initial margin of the defaulting member
2. The default fund contribution of the member
3. The default fund contributions of other members
4. The equity of the C C P 6
This is similar to the way losses in the event of a default are
funded by an exchange clearing house.
Bilateral Clearing
In bilateral clearing, each pair of m arket participants enters
into an agreem ent describing how all future transactions
between them will be cleared. Typically this is an ISD A
m a ster a g re e m e n t. (ISDA is short for International Swaps
and D erivatives A ssociation.) An annex to the agreem ent,
known as the c re d it s u p p o rt a n n ex (CSA ), defines collateral
arrangem ents. In particular, it defines what collateral (if any)
has to be posted by each side, what assets are acceptable as
collateral, what haircuts will be applied, and so on. The main
body of the agreem ent defines what happens when one side
defaults (e.g ., by declaring bankruptcy, failing to make pay­
ments on the derivatives as they are due, or failing to post
collateral when required). We will discuss this in more detail
shortly.
Netting
We discussed netting in connection with the Basel I rules in the
section "N etting." Netting is a feature of ISDA master agree­
ments and a feature of the agreements between CCPs and
their members. It states that all transactions between two
parties are considered to be a single transaction when
(a) collateral requirements are being calculated and (b) early
terminations occur because of a default. As explained in the
section "N etting," netting reduces credit risk because it means
that the defaulting party cannot choose to default on transac­
tions that are out-of-the-money while keeping transactions that
are in-the-money.
Netting can also save initial margin. Suppose Party A has two
transactions with a CCP that are not perfectly correlated. The
6 In some cases, the non-defaulting members are required to provide
additional default fund contributions when there is a default, with a cap
on the amount of these additional contributions. (This is true of both
exchange clearing houses and CCPs.)
298 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
initial margin for the portfolio is likely to be less than that for the
two transactions separately.
Events of Default
Derivatives transactions are treated differently from other
transactions in the event that a market participant fails to
meet its obligations. For exam ple, in ISDA master agreem ents
there is an early termination provision that takes precedence
over bankruptcy rules. This states that, if there is an "event of
default," the non-defaulting party has the right to term inate
all transactions with the defaulting party after a short period
of time has elap sed .7 Events of default include declarations of
bankruptcy, failure to make payments as they are due, and
failure to post collateral when required.8 Non-derivative con­
tracts cannot always be term inated in this way. Another
important difference between derivatives transactions and
non-derivatives transactions is that in the case of derivatives
transactions the non-defaulting party can take immediate
possession of any collateral that has been posted by the
defaulting party. It does not have to get a court order to allow
it to do this.
If there is an event of default under an ISDA master agree­
ment, the non-defaulting party calculates the mid-market value
of outstanding transactions. It then adjusts this valuation in
its favor by half the bid-offer spreads on the transactions for
the purposes of calculating a settlem ent amount. This adjust­
ment is compensation for the fact that it will have to trade with
other dealers to replace the transactions and it will be subject
to their bid-offer spreads when it does so. Suppose that one
transaction has a mid-market value of $20 million to the non­
defaulting party and that the transaction is bid $18 million,
offer $22 million. For the purposes of settlem ent, the trans­
action would be valued at $22 million because this is what it
would cost the non-defaulting party to replace the defaulting
party's position in the transaction. If the non-defaulting party
had the other side of the transaction so that its mid-market
value was —$20 million, it would be valued at —$18 million for
settlem ent purposes. In this case, the assumption is that a third
party would be prepared to pay only $18 million to take the
defaulting party's position.
7 The non-defaulting party is not obliged to terminate transactions.
Counterparties that are out-of-the-money sometimes consider that it is
in their best interests not to terminate.
8 Failure resolution mechanisms have been proposed where transactions
are stayed (i.e., not terminated) for a period of time even if there is a
bankruptcy filing, provided margin/collateral continues to be posted.
These would allow the derivatives portfolios of bankrupt market partici­
pants to be unwound in an orderly way.
18.2 POST-CRISIS REGULATORY
CHANGES
The O TC derivatives market was considered by many to have
been partly responsible for the 2008 credit crisis. When the G20
leaders met in Pittsburgh in September 2009 in the aftermath of
the 2008 crisis, they wanted to reduce systemic risk by regulat­
ing the O TC market. The statement issued by the leaders after
the meeting included the following paragraph:
All standardized O TC derivative contracts should be
traded on exchanges or electronic trading platforms,
where appropriate, and cleared through central coun­
terparties by end-2012 at the latest. O TC derivative
contracts should be reported to trade repositories.
Non-centrally cleared contracts should be subject to
higher capital requirements. We ask the FSB and its rel­
evant members to assess regularly implementation and
whether it is sufficient to improve transparency in the
derivatives markets, mitigate systemic risk, and protect
against market abuse.
The results of this were three major changes affecting O TC
derivatives:
1. A requirement that all standardized O TC derivatives be
cleared through CCPs. Standardized derivatives include
plain vanilla interest rate swaps (which account for the
majority of O TC derivatives traded) and default swaps on
credit indices. The purpose of this requirement is to reduce
systemic risk (see Business Snapshot 21.1). It leads to deriv­
atives dealers having less credit exposure to each other so
that their interconnectedness is less likely to lead to a col­
lapse of the financial system.
2. A requirement that standardized O TC derivatives be traded
on electronic platforms. This is to improve transparency. The
thinking is that, if there is an electronic platform for matching
buyers and sellers, the prices at which products trade should
be readily available to all market participants.9 The platforms
are called swap execution facilities (SEFs) in the United
States and organized trading facilities (OTFs) in Europe. In
practice, standardized products, once they have been traded
on these platforms, are passed automatically to a C C P
3. A requirement that all trades in the O TC market be
reported to a central trade repository. This requirement
9 An issue here is that the type of electronic platform that is appropriate
for swaps may not be the same as the one that is used by exchanges.
Swaps are traded intermittently with large notional principals. Futures
and options on an exchange trade continually and the size of trades is
usually much smaller.
Chapter 18 Regulation of the OTC Derivatives Market
provides regulators with important information on the risks
being taken by participants in the O TC market. It is partly a
response to the AIG fiasco where regulators were not aware
of the huge risks being taken by a subsidiary of AIG until
the insurance company asked to be bailed out.
The first two of these requirements apply only to transactions
between two financial institutions (or between a financial insti­
tution and a non-financial company that is considered to be
systemically important because of the volume of its O TC deriva­
tives trading). Derivatives dealers can therefore continue to
trade with many of their non-financial corporate clients in the
same way that they did pre-crisis.
About 25% of O TC transactions were cleared through CCPs pre­
crisis and the remaining 75% were cleared bilaterally. As a result
of the new rules, these percentages have flipped so that approx­
imately 75% of O TC transactions are now cleared through CCPs,
while 25% are cleared bilaterally.
Uncleared Trades
Following another G20 meeting in 2011, the rules have been
tightened for non-standard O TC derivatives. These are the
derivatives that are not covered by the rules just mentioned.
They are cleared bilaterally rather than centrally and are referred
to as uncleared trades. Regulations, which are being imple­
mented between 2016 and 2020, require uncleared trades
between two financial institutions (or between a financial insti­
tution and a non-financial company that is considered to be
systemically important) to be subject to rules on the margin that
has to be posted. Previously, one of the attractions of bilateral
clearing was that market participants were free to negotiate any
credit support annex to their ISDA master agreements.
The rules state that both initial margin and variation margin must
be posted for uncleared trades by both sides. Variation margin
was fairly common in the O TC market pre-crisis (particularly in
trades between derivatives dealers), but initial margin was rare.
When entering into a transaction with a much less creditworthy
counterparty, a derivatives dealer might insist on the counterparty
posting initial margin. But the posting of initial margin by both
sides was almost unheard of in the bilaterally cleared market.
Variation margin is usually transmitted directly from one coun­
terparty to the other. Initial margin when posted by both sides
cannot be handled in this way. If, for example, A transmitted
$1 million of initial margin to B and B transmitted $1 million of
initial margin to A, the initial margin would not serve the desired
purpose because the transfers would cancel each other. For this
reason the regulations require initial margin to be transmitted to
a third party, where it is held in trust.
■ 299
Determination of Initial Margin: SIMM To calculate the incremental effect on initial margin of gamma
risk, SIMM first considers the situation where all deltas are zero
For the new rules on uncleared transactions to work, the two and there is no cross gamma. The mean and standard deviation
sides to an ISDA master agreement must agree on the varia­ of the change in the value of the portfolio over one day are:
tion margin and initial margin. The variation margin requires
agreement on the valuation of outstanding transactions, e (a p )
and procedures have been established for resolving any dis­
agreements on this. The calculation of initial margin is more S D (A P ) = p27.Y.G20 2
r !J 7 V
I J
complicated than valuing the transactions and there is more
scope for different models to give different results. As a result
where y i s the gamma with respect to the /th risk factor.
there have been attempts to develop an industry standard.
Estimates of the mean and standard deviation of portfolio
Initial margin is specified in the regulations for portfolios of change over 10 days are obtained by replacing a ; with VTOer,-.
uncleared transactions between two parties as the gain in value Defining
over 10 days that we are 99% certain will not be exceeded in
stressed market conditions. Note that initial margin is the mirror C . = —y. (\ f\ 0 a ■
i 2 '\ i
image of VaR. When we are calculating VaR, we are determining
extreme percentiles of the loss distribution, but when we are the mean, m, and standard deviation, s, of the 10-day change
calculating initial margin we are determining extreme percen­ are therefore given by
tiles of the gain distribution. This is because exposure increases
as the uncollateralized value of a portfolio increases.

The Basel Committee proposed a grid approach for calculating

initial margin, which specified initial margin as a percentage of
notional principal for different types of transactions. This was
unpopular because it did not incorporate netting. If a market SIMM then sets
participant entered into a certain transaction on Day 1 and an IM(Gamma) = m +
almost offsetting transaction on Day 5, both with the same
counterparty, the initial margin on Day 5 would be almost The parameter A in this equation is (see Problem 18.14) defined
double that on Day 1— even though the net exposure to the in terms of
counterparty would be close to zero. ISDA proposed what is
known as the Standard Initial Margin Model (SIMM) as a way
of overcoming this. This model has now been approved by
regulators.
as indicated in Figure 18.3. This relationship produces results
Delta and vega risks are handled using the weighted sensitivities that have the right properties and correspond closely with tests
and risk weights so that carried out using Monte Carlo simulation.

In n

IM (Delta and Vega) = j

ll /=i y=i

where the W, is the risk weight for risk factor / (specified by the
regulators), 8, is the sensitivity of the position held to risk factor /
(determined by the bank), and is the correlation between
risk factors / and j (specified by the regulators). Because a
10-day time horizon with 99% confidence is used, a possible
formula for VV(- is

Wj = VlO x N~\ 0.99)o 7 (18 ^

where cr, is the daily volatility (or standard deviation, in the case
of interest rates, credit spreads, and volatilities) of the /th risk
factor in stressed market conditions. F ig u re 1 8 .3 Relation b e tw e e n A and /3.

300 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
There are a number of other details in SIMM. To 100
simplify matters, gamma is calculated from vega A < (§ > B
using the relationship between the two that holds ◄

for European options. Risk factors are divided into

buckets, and some risk factors involve term struc­
tures with vertices. There are rules specified for
calculating the correlations p ti both within buckets
and between buckets.

18.3 IMPACT OF THE E x p o s u re E x p o s u re

CHANGES E x p o s u re after a fter n ettin g a fter n ettin g
D ea lve r bilateral n ettin g D ealer in clu d in g C C P e x c lu d in g C C P

The new regulations have led to a world where A 0 A 120 0

B 100 B 120 120
more collateral is required for O TC derivatives
C 20 C 90 90
transactions. Pre-crisis, most O TC transactions
Average 40 Average 110 70
were cleared bilaterally and an initial margin was
usually not required. Under the new regulations, F ia u re 1 8 .4 E x a m p le w h e re th e re are th re e m arket p articip an ts,

most transactions will be cleared through CCPs one CCP, and tw o p ro d u ct ty p e s. O n e p ro d u ct ty p e (re p re se n te d by

where both initial and variation margin will be d o tte d lines) can be cle a re d ; th e o th e r (re p re se n te d by solid lines)

required from both sides. Furthermore, transac­ cann ot.

tions that are cleared bilaterally between financial

institutions will require even more collateral than are three market participants and one CCP. For example, in B's
they would if they could be cleared through CCPs. dealings with A, the nonstandard transactions are worth 100 to

As discussed by Duffie and Zhu, there is one potential partial B and —100 to A ; the standard transactions are worth +50 to A

offset to the huge increase in collateral requirements mandated and —50 to B.

by the new rules.10 Under central clearing there is the potential
for more netting. In Figure 18.1, under bilateral clearing a mar­
ket participant has many different netting sets, one for each of
the other market participants. Under central clearing, there is
only one netting set. Bank A can, for example, net its transac­
tions where Bank B is the counterparty with its transactions
where Bank C is the counterparty, provided that all go through
the same CCP.
Without central clearing, the average exposure before collateral
of the three parties is +40. With central clearing, the average
exposure is 110 when the exposure to the C C P is included and
70 when it is not. Central clearing is likely to increase the col­
lateral market participants have to post in this simple situation.
This happens because without the central clearing rules stan­
dard transactions can be netted with nonstandard transactions,
but with the central clearing rules this is no longer possible.

Figure 18.1, however, is a simplification. It suggests that the
choice is between a 100% bilateral world and a world where
all transactions are cleared through a single CCP. The reality is
that (a) there will be a number of CCPs and it is quite likely that
they will not cooperate with each other to reduce initial margin
requirements, and (b) some transactions will continue to be
cleared bilaterally; so banks will face a situation that is a mixture
of the two worlds depicted in Figure 18.1.
Most experts think that there will be an increase in netting,
but the overall effect of the changes will be an increase in
margin requirements. Pre-crisis, relatively few O TC derivatives
attracted initial margin. Post-crisis, the vast majority of O TC
derivatives will require initial margin. A related consideration is
that, as more transactions are cleared through CCPs, more of
the funds of a financial institution will be tied up in default fund
contributions.

It is even possible that the new rules requiring the use of CCPs
could reduce rather than increase netting in some cases. This is
illustrated by Figure 18.4, which shows the situation where there
10 See D. Duffie and H. Zhu, "Does a Central Counterparty Reduce
Counterparty Risk?" Review of Asset Pricing Studies 1 (2011): 74-95.
Liquidity
Most of the collateral required under the new regulations will
have to be in the form of cash or government securities. An
increasingly important consideration for all derivatives market
participants is therefore liquidity. Not only will the collateral

Chapter 18 Regulation of the OTC Derivatives Market ■ 301

posted at any given time be a drain on liquidity, but banks will
have to keep a sufficient quantity of liquid assets on hand to
ensure that they are able to meet any margin calls. (Margin calls
from a CCP have to be met almost immediately.) As we saw in
Chapter 22, Basel III has recognized the importance of liquidity
by proposing two new liquidity ratios that banks must adhere to.
Capital has in the past been the key metric in determining the
profitability of different business units and different projects at
a bank. In the future, a two-dimensional metric involving capital
and liquidity is likely to be used. Often there will be a trade-off
between capital and liquidity in that a project will look attractive
from a capital perspective and unattractive from a liquidity per­
spective, or vice versa.
Rehypothecation
Liquidity pressures are likely to increase because of another
post-crisis change. What is known as "rehypothecation" was
common in some jurisdictions (particularly the United Kingdom)
pre-crisis. (See Business Snapshot 18.1.) It involved a dealer
using collateral posted with it by one counterparty to satisfy a
collateral demand by another counterpart. It is estimated that
pre-crisis about $4 trillion of collateral was required in derivatives
markets, but that because of rehypothecation only $1 trillion of
BUSINESS SNAPSHOT 18.1
REHYPOTHECATION
A practice in the management of collateral known as rehy­
pothecation can cause problems. If Party A posts collateral
with Party B and rehypothecation is permitted, Party B can
use the same collateral to satisfy a demand for collateral
from Party C; Party C can then the use the collateral to
satisfy a demand for collateral from Party D; and so on. In
2007, it was estimated that U.S. banks had more than
$4 trillion of collateral, but that this was created by
using $1 trillion of original collateral in conjunction with
rehypothecation. Rehypothecation was particularly com­
mon in the United Kingdom, where title to collateral is
transferred.
After Lehman declared bankruptcy in Septem ber 2008,
clients (particularly European hedge fund clients) found it
difficult to get a return of the collateral they had posted
with Lehman because it had been rehypothecated. As a
result of this experience, many market participants are
more cautious than they used to be, and clauses in CSAs
banning or limiting rehypothecation are now common.
302 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
new collateral was posted.11 In other words, each item of collat­
eral was used on average four times. Rehypothecation will be
restricted under new rules developed by the Basel Committee
and the International Organization of Securities Commissions
(IOSCO). These rules allow initial margin to be rehypothecated
once, but only if certain conditions are satisfied. Variation margin
can be rehypothecated. But increasingly dealers themselves
impose restrictions on rehypothecation because they do not
want to be disadvantaged in the same way that some of
Lehman's counterparties were (see Business Snapshot 18.1).
The Convergence of OTC and
Exchange-Traded Markets
The developments we have been discussing are blurring the
distinction between O TC derivatives and exchange-traded
derivatives. Many O TC transactions are now traded on platforms
similar to exchanges and cleared through organizations simi­
lar to exchange clearing houses. As time goes by, more O TC
transactions are likely to be classified as "standard" so that the
percentage of O TC transactions handled similarly to exchange-
traded transactions will increase. What is more, even those
O TC transactions between financial institutions that are cleared
bilaterally may begin to look more like exchange-traded transac­
tions. This is because margin has to be posted with a third party,
and we can expect organizations (somewhat similar to exchange
clearing houses) to be set up to facilitate this.
It is also the case that exchanges are increasingly trying to offer
less standard products to institutional investors in an attempt
to take business away from the O TC market. As a result, while
O TC markets are moving in the direction of becoming more like
exchange-traded markets, exchange-traded markets are moving
in the opposite direction and becoming more like O TC markets.
Many CCPs and exchanges have a common ownership and will
find areas for cooperation on margin requirements and business
practices. W hether a transaction is being cleared through an
exchange or a C C P may not be important in the future because
it will be handled in the same way by the same organization.
18.4 CCPS AND BANKRUPTCY
The key objective of regulators is to reduce systemic risk. Some
commentators have criticized the new derivatives regulations as
replacing too-big-to-fail banks by too-big-to-fail CCPs.
11 See M. Singh and J. Aitken, "The (Sizable) Role of Rehypothecation in
the Shadow Banking System," Working Paper, International Monetary
Fund, 2010.
It certainly would be a disaster for the financial system if a major
CCP such as LCH Clearnet's SwapCIear and CM E's ClearPort
were to fail.12 In theory, as described in Hull (2012), it is possible
to design the contract between CCPs and their members so that
it is virtually impossible for a C C P to fail. In practice, it is consid­
ered important that a CCP has "skin in the gam e." It is then
motivated to take good decisions with respect to key issues
such as whether a new member should be admitted, how initial
margins should be set, and so on.
The main reason why it makes sense to replace too-big-to-fail
banks by too-big-to-fail CCPs is that CCPs are much simpler
organizations than banks. They are therefore much simpler to
regulate than banks. In essence, regulators need ensure only
that the C C P follows good practices in (a) choosing members,
(b) valuing transactions, and (c) determining initial margins and
default fund contributions. In the case of banks, a myriad of dif­
ferent, much more complex activities must be monitored. It is
of course important for regulators to ensure that C C Ps are not
allowed to become more complex organizations by expand­
ing outside their core activity of intermediating derivatives
transactions.
SUMMARY
Prior to the 2007-2008 credit crisis, the over-the-counter (OTC)
derivatives market was largely unregulated. Two market partici­
pants could agree to any transaction they liked and then reach
any agreement they liked on how the transaction would be
cleared. They were also free to choose any arrangements they
liked for the posting of collateral. This is no longer the case.
The O TC derivatives market is now subject to a great deal of
regulation throughout the world. The extent to which the O TC
derivatives market should be blamed for the crisis is debatable,
but post-crisis regulatory changes are having more effect on this
market than on almost any other sector of the economy.
Most standard O TC derivatives between two financial institu­
tions must be cleared through central counterparties. These
are very similar to exchanges. They require initial margin and
12 See J. Hull, "CCPs, Their, Risks, and How They Can Be Reduced,"
Journal of Derivatives 20, no. 1 (Fall 2012): 26-29.
Chapter 18 Regulation of the OTC Derivatives Market
variation margin to be posted by both sides. Nonstandard trans­
actions between financial institutions will continue to be cleared
bilaterally, but are subject to regulation on the collateral that
must be posted. Specifically, transactions between financial
institutions are subject to initial margin (segregated) and varia­
tion margin (transferred from one side to the other when the
value of outstanding transactions changes).
What will the derivatives world look like in 15 or 20 years? Pres­
ent trends indicate the there will be a convergence between
O TC and exchange-traded markets, and the distinction between
the two will become blurred. But it should be acknowledged
that there is no certainty that this trend will continue. The O TC
market as it existed before the crisis was very profitable for a
few large banks. It is possible that they will chip away at the reg­
ulations so that they are able eventually to find a way of creating
a new O TC market somewhat similar to the one that existed
before the crisis. A battle is likely to take place pitting the deter­
mination of regulators against the ingenuity of banks.
Further Reading
Basel Committee on Banking Supervision and IO SCO .
"Margin Requirements for Non-Centrally Cleared Derivatives,"
September 2013.
Duffie, D., and H. Zhu. "Does a Central Counterparty Reduce
Counterparty Risk?" R eview o f A s s e t Pricing Stu d ies 1 (2011):
74-95.
Hull, J . "C C P s, Their Risks, and How They Can Be Reduced."
Jou rn al o f D erivatives 20, no. 1 (Fall 2012): 26-29.
Hull, J . "The Changing Landscape for Derivatives." Jou rn a l o f
Financial En gin eerin g 1, no. 2 (2014).
Hull, J. "O TC Derivatives and Central Clearing: Can All Transac­
tions Be Cleared?" Financial Stability Review 14 Ouly 2010): 71-89.
Singh, M., and J . Aitken. "The (Sizable) Role of Rehypothecation
in the Shadow Banking System ." Working Paper, International
Monetary Fund, 2010.
■ 303
Capital Regulation
Before the Global
Financial Crisis
Learning Objectives
After completing this reading you should be able to:
Explain the motivations for introducing the Basel
regulations, including key risk exposures addressed,
and explain the reasons for revisions to Basel regulations
over time.
Explain the calculation of risk-weighted assets and the
capital requirement per the original Basel I guidelines.
Describe measures introduced in the 1995 and 1996
amendments, including guidelines for netting of credit
exposures and methods for calculating market risk capital
for assets in the trading book.
Describe changes to the Basel regulations made as part
of Basel II, including the three pillars.
By M ark Carey o f the G A R P Risk Institute.
Compare the standardized internal ratings-based (IRB)
approach, the foundation IRB approach, and the advanced
IRB approach for the calculation of credit risk capital under
Basel II.
Calculate credit risk capital under Basel II utilizing the IRB
approach.
Compare the basic indicator approach, the standardized
approach, and the advanced measurement approach for
the calculation of operational risk capital under Basel II.
Summarize elements of the Solvency II capital framework
for insurance companies.
305
Financial regulation has developed incrementally over the cen­
turies, often in response to stressful periods which exposed the
limitations of previous regulations.
In the days before government regulation, banks or insurance
companies could be created without official approval. Success
(or failure) was based primarily on whether they could persuade
clients to use their services.
As such, these businesses have often found it essential to
establish trustworthy reputations. They did this by enlisting
the support of prominent people in the community, carrying
large amounts of capital at creation, and constructing promi­
nent buildings. These measures provided comfort that deposits
would be returned and claims paid as promised. Later, govern­
ments required new financial institutions to obtain a license
before being allowed to operate
Financial institution failures were frequent, and sometimes
occurred not because of insolvency but because of a loss
of client confidence. When losses occurred, clients naturally
attempted to withdraw funds from the institution in question.
When these withdrawals grew into a run or panic, even a solvent
institution could fail if it could not liquidate assets or raise new
funds quickly enough.
The first "regulations" were the result of financial firms band­
ing together to share resources in the event of runs. The Bank
of England, for example, was originally a private-sector entity
that would provide support to other banks. In addition, early
clearinghouses were partly arrangements for mutual support.
Specifically, clearinghouse members shared financial statements
with each other and had rights of inspection, and so monitoring
and enforcement of solvency was a part of the arrangements.
However, this was done privately.
Such private arrangements had several limitations.
• If a panic was big enough, no entity without the power to
print money would have enough resources to support the
financial system. As a result, government controlled central
banks gradually replaced clearinghouses and private banks as
lenders of last resort.1
• Governments learned that financial crises imposed large
costs on the economy as a whole (e.g., crises were often fol­
lowed by depressions). Desiring stability, governments began
making attempts to ensure that financial institutions were sol­
vent and liquid enough to survive plausible levels of distress.
Such regulations became more wide-ranging in the wake of
each crisis.
1 Central banks may operate independently from political interference
but are usually considered governmental entities.
306 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
• Customers of failed financial institutions were unhappy (at the
very least) when large fractions of their wealth disappeared.
Fraud was not uncommon, but even when a failure was not
associated with fraud, customers complained of unfairness
and of the difficulty of adequately monitoring a financial insti­
tution's safety-and-soundness.
• Globalization was the fourth trigger of regulation ,and espe­
cially of international coordination of regulation. Central
banks have facilitated international transfers and capital
movements for centuries. As international trade blossomed
in the 1960s and 1970s, and as multinational corporations
became more numerous, foreign exchange flows and capital
flows grew ever larger.
Multinationals valued financial service providers who operated
in many countries, which gave rise to several issues.
• First, large financial firms, especially international banks,
became interlinked, so a failure of one would cause problems
in many countries, not just its home country.
• Second, as described further below, banks and regulators
became concerned about competitive (dis)advantages flow­
ing from differences in capital requirements across nations.
• Third, technical arrangements in clearing and settlement
proved to be important. For example, when Herstatt Bank
failed in the summer of 1974, differences in the required
delivery times for currencies across countries and time zones
caused large amounts of foreign exchange transactions to fail
to clear. In turn, this raised concerns about a potential col­
lapse of the global financial system.
It became evident that only official-sector cooperation and
coordination could address these risks. As a result, what is now
called the Basel Committee on Banking Supervision (BCBS) was
created 1974, following the Herstatt failure. Perhaps motivated
in part by the perceived success of the BCBS, the International
Association of Insurance Supervisors (IAIS) and the International
Organization of Securities Commissioners (IOSCO) were created
in 1994 and 1983, respectively.
This chapter focuses on solvency regulation of banks and insur­
ance companies before the Global Financial Crisis (i.e., before
2009), with a particular attention to the Basel Accord. Later
chapters focus on regulation after the crisis.
19.1 THE BASEL ACCORD: BASEL I
VARIANT
In the late 1980s, the BCBS developed a specification for capital
(solvency) regulation. First published in December 1987, it was
formally agreed in July 1988 fully implemented by the end of 1992.
This accord, which has come to be known as Basel I, was ini­
tially agreed upon by the members of the BCBS (roughly, the
G10 nations). By the early 2000s, however, it became a de facto
global minimum capital standard. Note that Basel I has no legal
standing in and of itself. Rather, nations haven chosen to incor­
porate its standards through domestic law and regulation.
Two events motivated creation of Basel I.
• First, the growth of cross-border finance continued after Her-
statt's failure and it was evident that the G10 nations had a
common interest in ensuring that banks had enough equity
to absorb large losses.
• Second, international banks were competing vigorously in
each other's home countries. However, minimum levels of
required capital varied significantly across nations, creating
a perception that banks headquartered in countries with
low minimums had a com petitive advantage. In response,
members of the BCBS decided to develop a global mini­
mum standard to "level the playing field" and avoid a race
to the bottom. That is, while the Basel Accord was partly
about ensuring safety and soundness, negotiations also
had an elem ent of maneuvering for perceived competitive
advantage.
The central elements of Basel I are a risk-based capital ratio, a
minimum level of this ratio, and definitions of the numerator and
denominator.
The Risk-Based Capital Ratio
A goal of Basel I was to ensure that financial institutions would
have sufficient assets to remain solvent during periods of stress.
However, the BCBS had to find a way of measuring sufficiency.
Since banks differ greatly in size, specifying minimum amounts
of capital (in dollars, pounds, etc.) would be infeasible. A ratio
of capital to the book value of assets (i.e., "leverage ratio"), on
the other hand, would seemingly allow for a universal standard
that could apply to institutions of all sizes. However, banks can
also differ greatly in the composition and riskiness of their bal­
ance sheets.
Given the perception that minimums specified in terms of
leverage ratios would disadvantage banks with low-risk port­
folios and advantage those with high-risk portfolios, the BCBS
decided on a risk-based capital ratio (i.e., a ratio of capital to
risk-weighted assets (RWA)) instead. Moreover, these assets
included not only assets on the balance sheet according to
accounting conventions (e.g., loans or securities), but also off-
balance-sheet exposures (e.g., loan commitments) and deriva­
tive exposures. Though crude by modern standards, these
risk-based ratios represented a major innovation at the time.
Chapter 19 Capital Regulation Before the Global Financial Crisis
The Ratio and Minimum Values
Basel I required consolidated banking organizations to maintain2
Tier 1 capital > 4%
RWA
and
Total capital > 8%
RWA
Total capital is the sum of Tier 1 capital and Tier 2 capital. By
design, Tier 2 capital may comprise no more than half of total
capital. To the extent that Tier 1 capital exceeded 4 percent of
risk-weighted assets, the excess could be included with Tier 2
capital to satisfy the second (8%) requirement.
"Capital"
Under the Basel I framework, Tier 1 capital consists of common
equity and disclosed reserves (i.e., retained earnings plus some
types of minority interest in subsidiaries) minus goodwill. Later
frameworks include a limited amount of non-cumulative per­
petual preferred stock.
In contrast, Tier 2 capital consists of
• loan loss reserves not already allocated to impairment of
particular assets;
• undisclosed reserves (including some revaluation reserves); and
• hybrid instruments (i.e., unsecured, subordinated, not
redeemable at the investor's behest, on which payment
default would not precipitate bankruptcy or resolution, and
on which interest or dividend payments could be deferred.)
A limit was placed on the proportion of loan loss reserves
allowed into capital (originally 2%, later reduced to 1.25% of
RWA). Some kinds of subordinated debt and preferred stock
were in the latter category. In the years after Basel I was imple­
mented, consultants and investment bankers invented instru­
ments that would qualify as Tier 1 or Tier 2 capital.
Though never expressed by the BCBS, two assumptions were
implicit in these definitions.
• First, preservation of solvency was the job of Tier 1 capital,
whereas Tier 2 capital would provide resources for recapi­
talization of an entity in resolution and reduce the impact of
failures on depositors.
• Second, although general loan loss reserves were often viewed
as covering losses that are likely already embedded in the
entity's portfolio but that have not yet occurred, they were not
counted as loss-absorbing capacity that could preserve solvency.
2 The ratios are sometimes referred to as "Cooke" ratios, for Peter
Cooke of the Bank of England.
■ 307
Table 19.1 Risk Weights by Asset Category

Risk Weight Asset Category

0% Cash; claims on O EC D governments such as bonds issued by the central government; other
instruments with a full guarantee from an O EC D government

20% Claims on O EC D banks and on O EC D public sector entities, such as claims on municipalities or on
Fannie Mae and Freddie Mac

50% Uninsured residential mortgages

100% All other exposures, such as commercial or consumer loans

Risk-Weighted Assets off-balance-sheet exposures (along with as nontraditional on-

balance-sheet exposures such as derivatives).
To make the ratio risk-sensitive, the on-balance-sheet amount of
each type of asset is multiplied by a percentage weight accord­ Traditional off-balance-sheet exposures were converted to a
ing to the risk it poses. The RWA is the sum of such products credit-equivalent amount (i.e., on-balance-sheet equivalent) by
N multiplying by one of the credit conversion factors shown in
RW A = ^ wiAi Table 19.2. The risk weight was then determined by the nature
1=1 of the counterparty.

where w, is the risk weight and A, is the size of the asset. For exam ple, a $100 million five-year loan commitment to an
O EC D municipality would first be converted to a $20 million
In Basel I, the weights are as shown in Table I, which includes a
summary of the assets in each category. In the absence of other credit equivalent, and then be assigned a 20 percent risk

adjustments, the maximum amount that a position could con­ weight. Thus, its contribution to RWA would be only $4 million.

tribute to RWA was the book value of its assets (since the maxi­
mum risk weight was 100 percent).
Implicit in Table 19.1 is a view that no O EC D government would
ever default on its obligations as well as that residential mort­
gages and claims on banks are much less likely to impose losses
than a typical bank loan. Though these assumptions appear
unreasonable today, they were consistent with what was experi­
enced in the decades preceding Basel I.3
Example 19.1:
The assets of a Canadian bank consist of C$200 million of loans
to corporations, C$100 million of Canadian central government
bonds, C$100 million of residential mortgages insured by the
central government, and C$100 million of uninsured residential
mortgages. Though the book value of assets is C$500 million,
the sum of risk-weighted assets is C$250 million since
RWA = 100% X 200 + 0% x 100 + 0% x 100 + 50% X 100 = 250
Though the concept of RWA was natural for traditional
With respect to derivatives, Basel I offered authorities in each
nation a choice between two methods of computing a credit
equivalent amount (this structure was revised in 1995 with the
addition of a maturity bucket greater than five years)
1. Current Exposure Method:
a. First, calculate the current market value of the contract
V. If the current market value is negative (making it a
liability rather than an asset), set V = 0.
b. Second, add an amount D to account for changes in the
contract's future market value. For interest rate swaps,
D was
i. zero for for maturities of less than one year,
ii. 0.5% of the notional value of the swap for remaining
maturities of five years or less; and
iii. 1.5% for more than five years.
c. For foreign exchange swaps, D was
i. 1% of notional value for maturities of less than one
year,
ii. 5% of notional value for maturities between one and
five years, and

balance-sheet exposures, banking organizations also had many

iii. 7.5% of notional value for maturities greater than
five years.
2. Original Exposure Method (only for interest rate and foreign
exchange contracts)
3 Implicit in the beneficial treatment of sovereign debt is the expectation
that governments can print money to address potential defaults. This a. Nations could ignore the current market value of the
assumption does not hold when debt is borrowed in foreign currencies,
or where a national government is not fully in control of its own mone­ contract and choose whether to use the original or
tary policy, as could be the case in the European Monetary Union today. remaining maturity.

308 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Table 19.2 Credit Conversion Factors for Traditional Off-Balance-Sheet Exposures
Credit Conversion Factor Off-balance-sheet Category
100% Guarantees on loans and bonds, bankers acceptances, and equivalents
50% Warrantees and standby letters of credit related to transactions
20% Loan commitments with original maturity greater than or equal to one year
0% Loan commitments with original maturity less than one year
b. For interest rate contracts, D was
i. 0.5% for maturities of less than one year,
ii. 1% for maturities between one and two years, and
iii. 1% + 1% X IN T [M — 1 ] for maturities greater than
two years respectively4
c. For foreign exchange contracts, D was
i. 2%, for maturities of less than one year,
ii. 5%, for maturities between one and two years, and
iii. 5% + 3% X IN T [M — 1]fo r maturities of greater
than two years
Equity and commodity derivatives were not discussed in Basel I.
The risk weight was set according to the nature of the counter­
party, except that no risk weight could be more than 50%. The
1995 Amendm ent included add-on factors for such derivatives.
The 1995 and 1996 Amendments ("Market Risk Amendment")
Put bluntly, the handling of derivative exposures in Basel I was
crude. However, as Basel I was being developed, the 1987 stock
market crash had not yet occurred, value-at-risk (VaR) was not in
widespread use, and quantitative market risk management was
in its infancy. By 1995, all of this had changed.
Example 19.2:
The derivatives book of an international bank contains $300 mil­
lion of notional value of interest rate swaps with $100 million
each having remaining maturity of 0.5, 1.5 and 2.5 years. Their
market value is $30 million.
The book also has $300 million of foreign exchange swaps with
a similar maturity profile and a market value of -$10 million.
All counterparties are private corporations, so the risk weight is
100 percent. Under the exposure method described above, the
credit equivalent amount would be:
CE = 30 + 0% x 100 + 0.5% x 200 + 1% x 100 + 5% x200
= $42 million
Under the original exposure method, it would be
CE = 0.5%x 100+ l% x 100 + 2% x 100 + 2% x 100 + 5% x 100
+ 8%x 100= SI8.5 million
4 where INT[X] returns the closes integer to X.
Chapter 19 Capital Regulation Before the Global Financial Crisis
Netting
A market convention is that entities engaged in over-the-counter
derivatives transactions sign an International Swaps and Deriva­
tives Association master agreement specifying that, in the event
of a default by a counterparty, the defaulting entity's transactions
with each other counterparty could be considered as a single
transaction. Choices in these agreements permit bilateral trans­
actions with positive and negative values to offset one another.
For exam ple, Bank A might enter an interest rate swap to buy
protection from Bank B against an increase in interest rates, and
later enter another swap with an identical notional amount with
Bank B to sell protection. If rates did not move in the interim
between these two agreements, their combined impact on
Bank A's (and Bank B's) net exposure and portfolio value is zero.
However, the original Basil I allowed almost no capital credit for
netting. Though changes in interest rates would have offsetting
effects on the market value of the two swaps in the previous
example, the treatment in the original Basil I would apply an
add-on to each swap, disincentivizing hedging. The rationale
for this was that (as of 1988) master agreements had not been
sufficiently tested in bankruptcy courts.
By 1995, the members of the BCBS were more confident that
such agreements would function as intended and thus the 1995
Amendment allowed reductions in credit equivalent amounts
when enforceable bilateral netting agreements were in place.
In calculating credit equivalent amounts, the complete net­
ting of the market values of all positions was allowed for each
counterparty i, and add-ons Dj for future changes in value were
reduced for each category of derivative j
C E A = m a x 0 + ^^[0.4 * Dj + 0.6 * Dj * N R R ]
i =1 ./
where NRR (i.e., the net replacement ratio) is
m a x ( Z i = i V t , 0)
N R R =
£ f=1 max(l/j, 0)
The numerator is the market value of positions of type j with net­
ting, while the denominator is the market value with no netting.
Note that the net replacement ratio is an average across all posi­
tions; although add-on factors and the impact of netting may differ
across types of derivatives, the impact of the latter is ignored.
■ 309
Example 19.3 Credit Equivalent Am ount for Derivatives
Suppose a bank has a portfolio of five derivatives with two counterparties, as described in the following table

Counterparty Type Maturity Notional Market value Add-on factor

1 Interest rate 2 100 -5 0.5%

1 Interest rate 3 100 0 0.5%

1 Foreign exch. 2 200 10 5%

2 Equity option 6 100 0 10%

2 W heat option 0.5 300 -1 0 10%

With netting, the current exposure portion of the credit equiva­
lent amount is 5 for the first counterparty (i.e., the —5 exposure
on the first interest rate derivative is netted against the 10 expo­
sure on the foreign exchange derivative) and 0 for the second,
for a total of 5. Note that current exposure may not be less than
zero, and the —10 market value on the wheat option may only
be netted against positive exposures at the second counter­
party, not at the first counterparty.
The standardized approach details separately for five categories
of positions:
• fixed income securities and interest rate derivatives other
than options, for which remaining maturity was a key driver;
• equity securities and equity derivatives other than options;
• foreign exchange;
• commodities; and

In this case, NRR = 0.5 because the numerator of NRR is the
current exposure of 5 and the denominator is the sum of the
positive exposures (i.e., 10).
The add-on for potential future exposure must be calculated
separately for each type of derivative, multiplying the total
notional value for each type by the add-on factor to obtain
values of Dj. For the interest rate derivatives, 200 X 0.5% yields
a value of 1, while for the remaining types in the table D is 10,
10, and 30 for the foreign exchange, equity, and wheat types,
respectively. Applying the formula for C E A
CEA = 5 + (0.4* I+0.6* l *.5) + (0.4* 10+0.6* 10*.5) + (0.4* 10+0.6* 10*.5)
+ (0.4*30+0.6*30*.5) = 5 + .7 + 7 + 7 + 21= 40.7
• all types of options.
These approaches were relatively simple for some categories,
while for others there were many operational complexities (e.g.,
the separate treatment of sp e cific risk and g en eral m arket risk,
where the latter is due to general movements in market prices
and the former is driven by idiosyncratic changes in a specific
position's value).
The internal models-based approach embodied a major change
in philosophy by permitting banks to use internally developed
risk measures as the inputs to formulas specified by regulators.
To limit manipulation of the internal measures, monitoring was
built in. In contrast, the standardized approach specified most of
the details and was based on observable characteristics of posi­
tions (e.g., remaining maturity).

Capital for Market Risks Associated with Trading
Activities
While market risk (i.e., changes in market value of trading
book assets) is the primary risk for the trading book, it was not
captured by the requirements described previously. The 1996
Amendment to Basel I offers two ways to measure of for market
risk: a standardized approach and an internal models-based
approach.
For banks with trading books of material size, the internal
models-based approach was preferred because it generally
yielded smaller capital requirements. This is in part due to the
fact that asset values were not assumed to be perfectly corre­
lated, as they were in the standardized approach.
Under both approaches, capital charges were calculated sepa­
rately for specific risk (SR) and general market risk (MR) for each
of the five categories. These were summed and multiplied by
12.5 so that the usual multipliers on risk weighted assets could
also be applied to them 5
Total capital for trading assets = 0.08 * 12.5£y=1(MR; + S R j)
To measure market risk, a bank using the internal models-based
approach must calculate value-at-risk (VaR) for each asset
5 12.5 is the inverse of 8%. The multiplier has the effect of turning a
capital requirement into an RWA measure. This adjustment is based on
the total capital requirement rather than Tier 1 adjustment.

310 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
category. A 10-day VaR at the 99th percentile was required,
based on at least one year of daily data, usually using a scaled
one-day VaR multiplied by V 10. Correlations within a category
of position were considered by the internal model, whereas
adjustments for correlations across categories were allowed at
the discretion of the national supervisor.
Thus, market risk was given by
MR = max(VaRt-i, m*VaRavg)
where VaRavg was the average VaR over the past 60 days and m
was a multiplier that was never less than 3 (and could be larger
if national supervisors found deficiencies in the bank's models
or other systems, or if monitoring implied other deficiencies.)
Given a multiplier of 3, the second term was usually larger
than the 10-day VaR computed for the preceding business day
(i.e., t — 1).
Capital for specific risk, which was required for fixed income,
equity instruments, and derivatives, could be determined using
either the standardized approach or the bank's internal models.
In the latter case, the approach was similar to that for market
risk, but the multiplier was 4 rather than 3 and capital for spe­
cific risk could not be less than half of capital calculated using
the standardized approach.6
The 1996 Amendment created a new class of capital (i.e., Tier 3
capital), composed mainly of unsecured subordinated debt with
an original maturity of at least two years, that could be used to
meet part of the market risk capital requirement. However, only
about 70 percent of the market risk capital requirements could
be satisfied with Tier 3 capital.
The 1996 Am endm ent specified several qualitative criteria
that banks using the internal m odels-based approach must
m eet (e .g ., sound risk m anagem ent, independent risk man­
agem ent units, lim its, active involvem ent of the board, and
so on).
It also required daily back testing. Each day, for each model,
the bank was required to use its current model and procedures
to calculate one-day 99% VaR for each of the most recent 250
days, and to compare the actual loss for the day to the VaR.
Each day with actual loss larger than VaR was termed an e x c e p ­
tion. Five or less exceptions enabled the multiplier m to be 3,
but larger numbers of exceptions could lead to larger multipliers
at the discretion of the supervisor. With 10 or more exceptions,
a multiplier of 4 was required.
6 Thus, as a practical matter, a bank using internal models was also
required to calculate capital under the standardized approach.
Chapter 19 Capital Regulation Before the Global Financial Crisis
19.2 THE BASEL ACCORD: BASEL II
VARIANT
Some supervisors had become concerned by the mid-1990s that
Basel I, while more risk-based than capital requirements based
on equity-to-asset ratios, was not risk-based enough. The 100
percent risk weight, for example, incorporated exposures pos­
ing a wide range of risk, from very safe loans made to highly-
rated corporations to very risky loans to commercial real estate
development projects.
Moreover, banking crises in the Nordic countries had dem­
onstrated that systemic problems could occur even in well-
capitalized banking systems. Meanwhile, there had been several
technical advances in market and credit risk measurement and
management since 1987, signaling a potential for more precise
risk weighting and vastly improved risk management at all levels
of banking organizations.
Basel II was the reaction to such concerns. Discussions among
supervisors about a revised accord began in the late 1990s
and the "final" revision was published in 2004 (further revisions
occurred frequently in the years that followed).
While retaining much of Basel I, Basel II contained four signifi­
cant innovations:
1. Risk weight formulas for credit risk based on modern
credit risk management concepts and banks' internal risk
measures;
2. Required capital for operational risk, in addition to credit
risk and market risk.
3. In addition to minimum capital requirements (Pillar 1), Basel
II included specific requirements for supervision related to
capital and risk management (Pillar 2) and required public
disclosures (Pillar 3).
4. Repeated use of Quantitative Impact Studies (QIS) to fine-
tune the design of the accord. In each QIS, banks contrib­
uted detailed data which was then analyzed by supervisors.
Although the first two innovations have received the most
attention from the public, the three pillars represented a major
development as well. Through the early 2000s, regulatory phi­
losophy differed across nations, ranging from supervision-heavy
approaches (in which rules played much less of a role than the
judgment of field supervisors) to rules-heavy approaches (in which
regulators presented detailed rules and field supervisors focused
on evaluating compliance with the rules). Moreover, at the time of
Basel II development, disclosures of bank condition and risk also
varied widely across nations. For example, banks in some nations
did not disclose Basel I capital ratios or risk weighted assets.
■ 311
The three pillars represented a push toward convergence of
national practices. Specifically, Pillar 2 mandated that supervi­
sors require banks to have more than the minimum amount of
capital as well as internal capital adequacy and assessment pro­
cesses (ICAAP) that take their risk profile into account. Supervi­
sors were to assess bank ICAAPs and were to act if they were
not satisfied. Additionally, supervisors were to intervene early if
there was danger that a bank's capital would fall below the mini­
mum by requiring prompt corrective actions. Supervisors were
also to encourage banks to improve risk management practices
and to actively push for improvement of deficiencies. National
discretion regarding enforcement of the accord's provisions was
reduced, and national regulators were to be transparent about
their implementation efforts, including those concerning the
requirements in excess of the minimums.
Pillar 3 required more qualitative and quantitative disclosures,
in the hope that pressure from market participants would help
improve banks' practices. Qualitative disclosures included
aspects of corporate structure, applicability of the accord and
approaches used, accounting practices, and other matters.
Meanwhile, quantitative disclosures included many characteris­
tics of a bank's capital, exposures, and risk measures.
However, some found the requirements difficult to interpret and
disclosure practices remained uneven for many years, until addi­
tional clarity (and pressure) was provided by the Basel Committee.
Capital for Credit Risk
At Basel II was developed, supporting data and analysis
remained limited, and many supervisors were concerned that
banks would manipulate internal risk measures to reduce
required capital. Negotiators addressed such concerns by
including three options for determination of minimum capital
requirements for credit risk:
1. The standardized approach. Like Basel I, this included some
increased sensitivity of risk weights to credit quality for bor­
rowers with external ratings.7
2. The Foundation Internal Ratings-Based (IRB) approach.
Here, risk weights were sensitive to internal measures of
default probability, with the use of regulatory-specified loss
given default parameters.
3. The Advanced IRB approach. Risk weights were sensitive to
internal measures of default probability, loss given default,
and exposure at default.
7 The United States chose not to implement the Standardized Approach.
Internationally active banks were required to use IRB approaches, while
all other banks were required to use an updated version of the Basel I
requirements.
312 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
The Standardized Approach
As under Basel I, the Basel II standardized approach was
intended for banks with internal risk measures and risk man­
agement practices that were insufficient to support the IRB
approaches. However, the risk weights were somewhat more
sensitive to variations in risk. Under Basel I, the headline risk
weights depended on asset type and nationality of the obligor.
Under the Basel II standardized approach, the headline risk
weights depended on obligor type and rating for some obli­
gor types, and on asset type for others. Examples appear in
Table 19.3:
Although the risk weights appear less generous for banks and
sovereigns than was the case under Basel I (e.g., the ratings of
many banks and sovereigns were such that risk weights of 20 or
50 percent or more would apply), much of the generosity was
restored at national discretion:
• A supervisor could choose to apply risk weight of 0 on a
bank's holding of claims on its own sovereign debt that were
issued in the nation's own currency. Where a supervisor
exercises such discretion, banks in other nations could also
risk-weight claims on that sovereign at 0%. This option was
widely exercised.
• Claims issued by banks had a risk weight of one category
less favorable than the sovereign's (and capped at 100%) or
a risk weight based on the bank's own ratings, (or one cat­
egory more favorable where the obligation had no more than
3 months' original maturity, subject to a floor of 20%). Risk
weights on bank obligations could be capped at 100 percent.
The Standardized Approach included two ways of adjusting for
collateral. Under the "simple approach," which was similar to
Basel I, the risk weight of a counterparty could be replaced by
the risk weight of collateral for the portion of exposure covered
by the collateral. A minimum risk weight on the collateral was
set at 20 percent, unless the collateral was sovereign debt in the
same currency as the exposure.
The alternative "com prehensive approach" required changes in
exposure and collateral amounts to allow for possible changes
in the value. The risk weight of the collateral was applied to
the reduced amount of collateral, and the counterparty's risk
weight was applied to the remaining exposure. Any netting
was applied separately to exposures and collateral, and either
Basel rules or (approved) internal models could be used to
make the adjustments.
The IRB Approach
The Gordy (2003) "asym ptotic single risk factor" model of
credit losses, now more commonly referred to as a one-factor
Table 19.3 Risk Weights Under the Standardized Approach
Obligation of: A A A to A A - A + to A — BBB+ to B B B — BB+ to B B — B-f- to B — Unrated

Countries 0 20 50 100 150 100

Banks 20 50 50 100 150 50

Corporation 20 50 100 100 150 100

Obligation type:

Retail 75

Mortgage 35

Cash 0

Other 100

Gaussian copula model, was an expression of the thinking that
led to the IRB Approach.8 The paper demonstrates that in
large, well-diversified credit portfolios, a positive relationship
exists between the probability of default of an obligor and that
obligor's contribution to the capital needed to limit the proba­
bility of portfolio losses exceeding a percentile of the
loss distribution.
Using the Basel Committee's choices of a one-year time horizon
for credit losses and a desire that capital be enough to absorb
losses up to the 99.9th percentile of the credit loss distribution,
the formula is:
Capital = £ [ EA D t * LGDj * D R 99.9i\ - E L
where
• Capital is expressed in dollars;
• EADj is the exposure at default for asset i (i.e., the amount
expected to be owed by the counterparty on asset i at the
time of default);
• LGD, is the expected loss given default for asset i (i.e., the
fraction of EAD, that is expected to be lost);9*
• DR99.9j is the default rate at the 99.9th percentile for a large
portfolio of assets of type i. Gordy's research provides a for­
mula for DR99.9
yfp N ~ 1(0.999)
D R99.9i = N N- ' i PDt ) +
V 1 ~ P
Because the Basel Committee did not view loan loss reserves
as Tier 1 capital, and yet loan loss reserves were thought to be
approximately equal to expected losses, the Committee chose
to make capital a function only of unexpected losses (i.e., net
of expected losses). In cases where loan loss reserves are less
than EL, a reduction in capital is made for the shortfall. See
Figure 19.1 for a depiction of the capital for total stress losses,
expected losses, and unexpected losses.
This setup allowed the Basel Committee to specify a loss per­
centile and an asset correlation p for each type of asset.10 Each
individual asset's contribution to capital at any bank would then
depend only on the bank's estimates of EAD , LGD and PD for
that asset.
Basel II included two variants of the IRB approach:
• Foundation IRB, in which the bank would provide only the
PD, with the accord specifying values of EAD and LGD for
each class of asset; and
• Advanced IRB, in which the bank would provide all three
values.
Earlier work had found that, at least in the United States, most
large banks had internal rating systems that could be used to
obtain a PD for each loan.11 Thus, supervisors expected that
Foundation IRB would be feasible for most large banks. The lim­
ited available data on EAD and LGD made it likely that fewer
banks would be able to use Advanced IRB.

• EL is the expected loss (i.e., the expected mean annual credit

loss) on a portfolio and is given by
E L = 'Z[EAD i * LGDt * P D t]
8 Gordy, M. B., 2003, A risk-factor model foundation for ratings-based
capital ratios, Journal of Financial Intermediation 12, 199-232.
9 In the United States, the historical average LGD value was around 0.3
10 For large banks, with diversified portfolios representative of the mar­
ket, correlations were not expected to differ very much across banks. An
assumption is made that exposures are infinitely granular and that no
individual credit could affect the overall loss metrics. The development
of the Large Exposure Framework in 2014 was necessary when banks
were found to have sizable exposures to single counterparties.
11
Carey, Mark S., and William F. Treacy, 1998, Credit risk rating at large
U.S. banks, Federal Reserve Bulletin, November.

Chapter 19 Capital Regulation Before the Global Financial Crisis ■ 313


F iq u re 19.1 Loss distribution, expected and unexpected loss, and
capital.
Even Foundation IRB made capital quite risk-sensitive, as shown
in Table 19.4, which shows the values of DR given by the formula
for different values of PD and p at the 99.9th percentile.
Bank, Corporate, and Sovereign Exposures
Under IRB
For bank, corporate and sovereign exposures, Basel II assumes
that p and PD are related based on the work of Lopez (2004)12
1 — e x p {—50PD ) 1 — e x p (-S O P D )
p = 0.12 + 0.24 1 -
1 — e x p {—50) 1 — e x p {—50)
The formula implies that p decreases as PD increases, which
agrees with the idea that the determinants of default for very
high-risk borrowers are often rather idiosyncratic, whereas
middle-risk borrowers tend to default mainly when the mac­
roeconomy is distressed (i.e., middle-risk borrowers are more
likely to default together). That defaults of the safest borrowers
are also rather idiosyncratic is ignored, but this does little harm
because values of DR for them are sma
The effect of the specified relationship between p and PD is that
DR increases somewhat less quickly with PD than in Table 19.4.
The capital calculation for bank, corporate and sovereign expo­
sures also includes a maturity adjustment to account for the
fact that assets with more than 1 year of remaining maturity will
remain on the balance sheet at the end of the loss-forecasting
12 Lopez, J., 2004, The empirical relationship between average asset
correlation, firm probability of default, and asset size, Journal of Finan­
cial Intermediation 13(2), 265-283.
314 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
period and may have deteriorated in credit
quality. The maturity adjustment factor is
b (M - 2.5)
MA = 1 +
1 - 1.5 b
where MA is remaining maturity of the asset and
b = [0.11852 - 0.05478ln(PD)]2
Com bining all the elem ents discussed previ­
ously, and recalling that Basel II expressed
required capital in term s of risk-weighted assets,
the RWA for bank, corporate and sovereign
exposures is
RWA = 12.5 * EAD * LC D * (DR-PD) * MA
Under Foundation IRB, PD can be no lower than
.0003 for bank and corporate exposures (implicitly
it can be zero for sovereigns). LGD is 45 percent
for senior assets and 75 percent for subordinated
assets. When an asset is protected by collateral, the comprehen­
sive approach discussed earlier is applied (i.e., LGD is reduced
by the ratio of adjusted collateral to adjusted exposure. MA is
set to 2.5 in most cases.
As mentioned previously, values of PD, EAD , LGD and MA
under the Advanced IRB are given by the bank based on its own
data, models, estimates and analysis.
For example, suppose that a bank's assets consist only of $100
million BB-rated drawn loans with a remaining maturity of 3
years. PD is estimated to be 0.01 and the LGD is 30 percent.
Then
MA=1/(1-1.5*0.137) = 1.26
DR is 0.14, so RWA = 12.5*100*.3*(0.14—0.01 )*1.26 =
$61.4 million.
Under Basel I, RWA would have been $100 million, and under
the Basel II standardized approach RWA would have also been
$100 million.
Retail Exposures Under IRB
For retail exposures, only a treatment like the Advanced IRB
approach is used (i.e., banks provide internal estimates of PD,
LGD and EAD). However, there is no maturity adjustment.
Rather, three correlations are used: p = 0.15 for residential
mortgages; p = 0.04 for qualifying revolving assets (mostly
credit card balances), and for all other retail assets
1 — e x p (—35PD) 1 — e x p (—35PD )
p = 0.03 + 0.16 1 -
1 — e x p (—35) 1 — e x p {—35)
Table 19.4 DR Values for different combinations of PD and
PD = 0.001 PD = 0 .0 0 5
p — 0.0 0.001 0.005
p = 0.2 0.028 0.092
p = 0.4 0.071 0.211
p — 0.6 0.135 0.387
That is, correlations are lower for retail than for wholesale
exposures.
Like the previous example, suppose a bank has
$100 million of residential mortgages with a PD = .01
and an LGD of 30 percent. DR is 0.09 rather than 0.14, so
RWA = 12.5*100*.3*(0.09 - 0.01) = $30 million. This is less
than Basel I's $50 million for such a portfolio and the Basel II
Standardized Approach's value of $35 million.
Credit Mitigants Other Than Collateral
A credit substitution approach is used to handle arrangements
like guarantees and credit default swaps. Under this approach,
the credit rating of the guarantor is substituted for that of the
obligor in capital calculations, up to the amount covered by the
mitigant.
However, this approach is not quite generous enough relative
to the actual loss outcomes, given that a double default (both
guarantor and borrower) is implied in the treatment. How­
ever, Basel II assumes relatively low correlations of wholesale
counterparty defaults, meaning that double defaults should be
infrequent.
As an alternative, in 2005 the Basel Committee amended the
accord to allow capital without the mitigant to be multiplied by
0.15 + 160*PDg, where PDg is the one-year PD of the guarantor.
Capital for Operational Risk
The Basel Com m ittee defined o p era tio n a l risk as the risk of
loss resulting from inadequate or failed internal processes,
people and system s, or from external events. In the wake of
rogue trader losses at Barings Bank in the mid-1990s, the
possibility of large losses from sources other than credit or
market risk became more concrete. Basel II implemented
capital requirements for operational risk, permitting three
approaches:
1. Basic Indicator Approach: 15 percent of the bank's average
annual gross income over the past three years, ignoring any
Chapter 19 Capital Regulation Before the Global Financial Crisis
p
PD = 0.01 PD = 0 .0 2
0.01 0.02
0.146 0.226
0.316 0.449
0.542 0.705
years of negative gross incom e.13 This could be a material
amount of capital, given that gross income is usually far
larger than net income. However, this approach is relatively
easy to implement and may be chosen by banks that do not
expect to be constrained by capital requirements.
2. Standardized Approach: Like the basic indicator approach,
but different multipliers are applied to gross income from
different business lines.
3. The Advanced Measurement Approach (AMA): Internal
models are used to calculate a one-year VaR-like measure of
operational risk losses at the 99.9th percentile. Operational
risk capital is this amount less expected operational losses.
This approach allows recognition of risk mitigants such as
insurance under some circumstances.
E x a m p le 1 9 .4 Capital for the Basic Indicator and
Standardized Approaches ($billions)
The table above provides an example of a bank's gross income
for each of the eight business lines specified in the Standardized
Approach over a period of three years. It also shows the opera­
tional risk capital levels each year for each business line under
the Standardized Approach, which are obtained by multiplying
gross income times the business-line-specific multiplier.
Negative capital may offset positive capital within a year, but
years for which total estimated capital is negative are ignored in
computing the three-year average. Thus, under the Standard­
ized Approach, operational risk capital in this example would be
(8.73 + 9.69)72 = $9.21 billion.
13 The definition of "gross income" provided by the BCBS for
the first quantitative impact study was: Net interest income
(interest received minus interest paid) + net fees and commissions
(fees and commissions received minus fees and commissions paid)
+ net trading income + gross other income. Income should be reflected
gross of any provisions (e.g. for unpaid interest) and gross of any opera­
tional costs and losses. Income should exclude extraordinary or irregular
items and also income derived from insurance.
■ 315
 Business Line Multiplier Gross Income Capital

Year 1 Year 2 Year 3 Year 1 Year 2 Year 3

Corporate Finance 18% 5 3 6 .90 .54 1.08

Trading & Sales 18% 1 -5 3 .18 - .9 0 .54

Retail Banking 12% 20 25 30 2.40 3.00 3.60

Commercial Banking 15% 30 40 35 4.50 6.00 5.25

Payment & Settlement 18% 2 3 -100 0.36 0.54 -1 8 .0 0

Agency Services 15% 1 1 1 0.15 0.15 0.15

Asset Management 12% 1 2 2 0.12 0.24 0.24

Retail Brokerage 12% 1 1 2 0.12 0.12 0.24

Sum 61 70 -2 1 8.73 9.69 - 6 .9 0

Under the Basic Indicator approach, total gross income for each
year is multiplied by 15 percent, (again ignoring years of nega­
tive total gross income) and so the capital requirement in this
example would be 0.15*(61 + 70)/2 = $9.83 billion.
The BCBS requires the inclusion of both expected and unex­
pected losses, and that the overall program use internal data
(at least five years of experience), external data, scenario analy­
sis, and a consideration of the business environment and the
bank's controls. Though each supporting element need not be

Some Details of the AMA Approach
Banks using the AM A approach are expected to estimate a dis­
tribution of operational risk losses in seven categories that incor­
porates estimates of both the incidence of operational loss
events and their severity.14
AM A methodologies vary widely across different banks, but two
broad approaches are most popular:
• A parametric and Monte Carlo approach, in which data are
used to parameterize the bank's choice of probability dis­
tribution for incidence (e.g., Poisson) and for severity (e.g.,
Weibull). These distributions are then used to produce large
numbers of simulated loss observations from which the value
at the 99.9th percentile can be read; and/or
• Generate a moderate number of detailed scenarios in which
losses occur, and then measure operational losses in each
scenario. Separate scenario analyses are often conducted for
each category of operational losses. Scenario analysis has the
advantage of generating informative narratives and being
forward-looking. However, the number of data points gener­
ated is usually small and it is not obvious how to best convert
such data into losses at the 99.9th percentile. As a result, many
banks use a combination of scenario and parametric methods.
14 The categories are: Clients, Products and Business Practices; Execu­
tion, Delivery and Process Management; External Fraud; Internal Fraud;
Damage to Physical Assets; Employee Practices and Workplace Safety;
Business Disruption and System Failures.
included directly in calculations, the overall process must include
all four. Moreover, a bank must make a convincing argument
that its process can capture bad-tail events and, if it chooses to
assume that losses across business lines and loss categories are
anything but perfectly correlated, it must convincingly defend
its correlation assumptions. A bank may offset at most 20 per­
cent of the operational risk capital charge with insurance, and
only insurance arrangements that meet stringent requirements
are acceptable.
In recent years, required capital for operational at some banks
risk was a material fraction of total required capital, in part
because the internal loss data that was required to be used
under the AM A included many large penalties for compliance
failures, scandals, or misbehavior. As a result, the AM A approach
has lost favor and is no longer permitted.
Solvency II
Minimum capital requirements also exist for insurance compa­
nies in many nations. Though international standards do not yet
exist, sophisticated approaches have been implemented in the
United States and the European Union.
In the mid-1990s, the U.S.-based National Association of Insur­
ance Commissioners (NAIC) promulgated a capital standard that
anticipated some elements of Basel II. In addition to capital
requirements covering the risks associated with liabilities, capital
is required for risky assets at levels that depend on ratings

316 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
assigned by the NAIC to each asset.15 Insurance regulation is at Also similar to Basel II, requirements may be satisfied by a com­
the state level in the United States, but most states have imple­ bination of Tier 1 capital (equity, retained earnings, and equiva­
mented these requirements. lents), Tier 2 capital (liabilities subordinated to policyholders and
available for write-off in liquidations), and Tier 3 capital (subor­
In Europe, regulation of insurance companies is done by the Euro­
dinated to policyholders but not satisfying the other criteria for
pean Union's (EU) European Insurance and Occupational Pensions
Tier 2).
Authority (EIOPA). The first capital regulations at the EU level were
known colloquially as Solvency I, which has recently been replaced
by Solvency II. More than 10 years in the making, Solvency II
resembles Basel II in that many elements of its capital requirements
SUMMARY
are based on a one-year VaR concept (at the 99.5th percentile) and
This chapter has provided an overview of internationally agreed
it has three pillars (quantitative requirement, internal governance
capital requirements that were created before the Global Finan­
and official supervision, and disclosure and transparency). Under­
cial Crisis. The 1988 Basel Accord (Basel I) introduced risk-based
writing risk, credit and market risk, and operational risk are all
capital requirements, while the 1995 and 1996 amendments
considered. Underwriting risk is further subdivided into risks arising
introduced much more sophisticated treatments of netting and
from life insurance, property & casualty, and health insurance.
market risk than had been previously available.
Solvency II also has elements found in Basel III (see Chapter ##),
Basel II introduced additional approaches to capital for credit
such as required buffers of capital above the minimum amount.
risk that were much more risk-sensitive and more aligned with
If an insurance company breaches Solvency ll's minimum capital
modern credit risk management analysis. It also introduced
requirement (MCR), supervisors may prevent the stressed firm
two new pillars in addition to quantitative capital requirements:
from writing new policies or put it into resolution (e.g., a sale to
supervision and disclosure.
a stronger company, or liquidation). The required buffer above
the MCR is defined by the solvency capital requirement" (SCR)
less the MCR. If the SCR is breached, the insurance company
References
should present a plan for capital restoration, and the supervisor
might impose additional requirements. Bank for International Settlements, 2006, "Basel II: International
Solvency II includes both standardized and internal model-based Convergence of Capital Measurement and Capital Standards."
approaches to calculating the SCR. Internal models must satisfy
Bank for International Settlements, 1988, "International conver­
three criteria. gence of capital measurement and capital standards."
• First, the data and methodology must be sound. Carey, Mark S., and William F. Treacy, 1998, Credit risk rating at
• Second, risk assessments must be calibrated to be in accor­ large U.S. banks, Federal Reserve Bulletin, November.
dance with target criteria set by the regulator.
Gordy, M. B., 2003, A risk-factor model foundation for ratings-
• Finally, the model must be used in actual business based capital ratios, Journal of Financial Intermediation 12,
decision-making. 199-232.

Lopez, J ., 2004, The empirical relationship between average

15 Unlike at banks, liabilities are a major source of risk at insurance com­
panies, since most insurance policies are liabilities for the insurer and asset correlation, firm probability of default, and asset size,
variation in claim amounts has the potential to impose large losses. Journal of Financial Intermediation 13(2), 265-283.

Chapter 19 Capital Regulation Before the Global Financial Crisis ■ 317

Solvency, Liquidity,
and Other
Regulation After
the Global Financial
Crisis
Learning Objectives
After completing this reading you should be able to:

Describe and calculate the stressed VaR introduced in
Basel 2.5 and calculate the market risk capital charge.
Explain the process of calculating the incremental risk
capital charge for positions held in a bank's trading book.
Describe the comprehensive risk (CR) capital charge for
portfolios of positions that are sensitive to correlations
between default risks.
Define in the context of Basel III and calculate where
appropriate:
Tier 1 capital and its components
Tier 2 capital and its components
Required Tier 1 equity capital, total Tier 1 capital, and
total capital
Describe the motivations for and calculate the capital con­
servation buffer and the countercyclical buffer, including spe­
cial rules for globally systemically important banks (G-SIBs).
Describe and calculate ratios intended to improve the
management of liquidity risk, including the required lever­
age ratio, the liquidity coverage ratio, and the net stable
funding ratio.
Describe the mechanics of contingent convertible bonds
(CoCos) and explain the motivations for banks to issue them.
Explain motivations for "gold plating" of regulations and
provide examples of legislative and regulatory reforms
that were introduced after the 2007-2009 financial crisis.

By M ark Carey o f the G A R P Risk Institute.

319
The financial crisis that began in the summer of 2007 revealed
limitations and gaps in the existing solvency and liquidity regula­
tions. It also revealed market practices and product designs that
proved ill-suited to stressed environments. Global regulators
reacted with more restrictive regulations and supervision and
with more coordination across nations.
20.1 THE FINANCIAL
STABILITY BOARD
The Financial Stability Forum, a body that undertook occa­
sional studies, was reconstituted as the Financial Stability
Board (FSB) in the wake of the financial crisis. The FSB is com­
posed of representatives from finance ministries, central banks,
prudential regulators, securities regulators, and others from
dozens of nations.
Although organizations like the Basel Com m ittee and IO SCO
appeared to retain their independence and authority, as a
practical matter the FSB became the body in which many
changes in international standards were approved. Later, as
the regulatory tsunami receded, the FSB's began to focus on
other matters.
20.2 BASEL 2.5
Market prices of financial assets fell sharply during 2007-2009. In
addition, many assets not already illiquid became so, the sound­
ness of securitizations was doubted, and many hedging strate­
gies failed. It was clear that minimum capital charges under the
market risk amendment were inadequate for the trading-book
risks revealed during the crisis.
The Basel Committee responded with updated rules for capital
for the trading book, making three major changes:
1. VaR calculations were expanded to include a stressed-VaR
component;
2. Capital for incremental risk was added (roughly capturing
the jump-to-default risk);
3. C om preh en sive risk capital requirements were added for
securitizations and related instruments.
These changes were implemented by the end of 2011.
Stressed VaR
Most banks computed capital under the market risk amend­
ment using historical simulation, (i.e., 1-day VaR was computed
by drawing daily changes in value from recent history and then
320 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
converted to VaR by multiplying by v 10). During periods of
low volatility, such a practice causes measured VaR to gradually
decline because all or nearly all of the historical observations
have small changes in value. When volatility rises again, as it did
in 2007 for many assets, VaR from historical simulation was slow
to follow because most historical observations were from a low-
volatility period.
The Basel Committee introduced a requirement for use of
stressed-VaR measures to counter such tendencies. Rather
than drawing daily observations from the most recent historical
period, a bank is required to identify the one-year (i.e., 250 day)
period from the most recent seven years that was most stress­
ful for its current p ortfolio. Because this will be the sub-period
with the highest fraction of portfolio-weighted large declines
in value, the resulting 1-day VaR will be relatively large and will
not change much as time passes (unless a period of low volatility
persists for 7 years).
Stressed VaR was combined with the traditional VaR measure in
an expanded formula
MR 2.5 - max(VaRt-i, m,*VaRaVg) + max(SVaRt-i, ms*SVaRavg)
where VaR,..-! and VaRavg are the traditional 10-day, 99 percent
VaR calculated by drawing from the the previous day and the
average of the 60 most recent days, respectively. SVaR^ and
SVaRavg are calculated by drawing from the equivalent times
during the most stressful period in the past seven years. The
multipliers mr and ms must be at least 3 as under the 1996
Amendment.
Because the definition of the stress period is such that the
most recent period cannot be more stressed than the stressed
period, and the charges based on traditional and stressed VaR
are summed, MR2 5 must be at least twice as large as MR cal­
culated under the 1996 Am endm ent as long as the multipliers
are equal.
Incremental Risk Charge
The incremental risk charge (IRC) combines two strands of
work, one released in 2005 as a reaction to regulatory arbitrage
opportunities between the banking and trading book, and the
other released in the wake of the crisis.
Although the specific risk charge was intended to capture
default risk (as well as other sources of idiosyncratic risk), banks
had learned by the early 2000s that even with the specific
risk charge, most banking-book exposures had smaller capital
requirements in the trading book than in the banking book.
Thus, many illiquid instruments posing default risk were placed
in the trading book.
To remove this incentive, the Basel Committee proposed adding
an incremental default risk charge (IDRC). Two variants were
proposed:
• An internal model of default risk calibrated to the same
99.9th percentile at a one-year horizon as the Committee's
IRB approach
• Or, in the absence of such a model, either a "standardized"
or a "current exposure" approach that had some similarity to
Basel I capital charges for specific risk.
As a practical matter, capital in the trading book would be the
greater of market risk capital and banking book capital.1
Late in the crisis, however, the Committee had realized that
most losses in portfolio value associated with credit risk had
been due to changes in ratings, credit spreads, or liquidity, not
defaults. As a result, the scope of the proposal was increased to
include changes in ratings. The same 99.9th percentile was used,
but in addition to defaults, banks were required to estimate
losses associated with rating downgrades. Portfolio credit qual­
ity is held approximately constant by an assumption that any
position that is downgraded or that defaults is replaced by a
position with the same pre-downgrade rating. A loss is recorded
from sale of the downgraded or defaulted position. The period
over which replacement could occur differs across positions
according to their liquidity but is never less than three months.1
2*•
Correlations and the Comprehensive
Risk Measure
An assumption embedded in Basel II is that the correlation
parameter in the Gordy (2003) model is constant across obli­
gors and over time (though not across types of assets). This
assumption is reasonable for portfolios of debt instruments
for purposes of determining banking-book capital, but not
for instruments in the correlation b o o k (e.g., securitizations,
re-securitizations and derivatives written on securitizations).
Such instruments place a portfolio in a special-purpose vehicle
and create tranched liabilities that differ in seniority, and thus in
their exposure to credit losses in the portfolio. In reality, correla­
tions change over time and such changes can have large effects
on the value of tranches For example, the market prices of A A A ­
rated tranches were consistent with a near-zero probability of
default pre-crisis, but during the crisis market estimates of PD
increased significantly and tranche prices fell.
1 See BCBS, The Application of Basel II to Trading Activities and the
Treatment of Double Default Effects, July 2005.
2 See BCBS, Guidelines for computing capital for incremental risk in the
trading book, July 2009.
Chapter 20 Solvency, Liquidity, and Other Regulation After the Global Financial Crisis
Table 20.1 C o m p re h e n siv e Risk C ap ital C h a rg e
U n d er th e S ta n d a rd ize d A p p ro a ch
<BB,
AAA, AA A BBB BB unrated
Securitizations 1.6% 4% 8% 28% 100%
Re-securitizations 3.2% 8% 18% 52% 100%
The Basel Committee addressed this issue by replacing the IRC
and specific risk charge with a comprehensive risk (CR) charge
for the correlation book. Under the new rules, banks may use a
standardized approach (summarized in Table 20.1) that depends
only on the rating of the instrument. (Note that percentages are
capital as a fraction of the exposure, not risk weights.)
Because re-securitizations (for which the underlying pool of
assets are the tranched liabilities of securitization vehicles) are
more vulnerable to changes in correlations, capital requirements
are much higher for them. Meanwhile, tranches rated below BB
are the most exposed to losses in the underlying pool (i.e., in
effect they must be financed entirely with capital).
Banks may also use an internal model to estimate the CR
charge if approved to do so by supervisors, though the model-
based charge may not be less than a fraction of the charge
under the standardized approach. Given the com plexity of
the underlying instruments and the rationale for using an
internal model, which often includes the capture of hedges
with more sophistication than the standardized approach, the
internal models must be unusually com plete, complicated and
robust. Multiple default and rating change events; volatility
in correlations and credit spreads; basis risk (e.g., the differ­
ence between CDS and underlying index values); the dynamics
of hedges; and volatility in recovery rates must be modeled,
ideally with simulations that revalue the whole portfolio for
each iteration of a simulation.
20.3 BASEL 3
In addition to the need for more capital for risks in the trading
book, the crisis revealed many other weaknesses of the Basel II
framework:
• In the depths of the crisis, market participants cared only
about tangible Tier 1 common equity capital (i.e., capital that
could absorb losses and maintain a bank as a going concern).
Many elements of the pre-crisis definition of capital proved
limited in their ability to maintain banks as going concerns.
• The official sector came to believe that distress at some
banks posed greater threats to society than distress at other
■ 321
 banks, and that those in the former category should be bet­
ter able to manage distress. Categories of "systemically
important" financial firms were created and embedded in a
wide range of regulatory and supervisory practices.
• Risk-based capital ratios were thought to have been too sus­
ceptible to gaming. Leverage-ratio capital requirements were
needed as a backstop, especially since market participants
who focused only on tangible common equity tended to also
focus only on leverage ratios.
• It was not enough for banks to remain solvent up to the
point of maximum losses - they also had to be able to
operate as a going concern thereafter, which meant they
needed substantial capital a fter absorbing the losses.
In many cases, governments provided capital, but such
provision was unpopular. Buffers of capital above the
minimum requirements were needed, as were means of
recapitalizing failed banks.
• Entities that were thought to be solvent by regulators nev­
ertheless suffered runs and, in some cases, failed. This was
in part because their liquid reserves proved inadequate to
cover withdrawn funding and in part because wholesale fund­
ing proved to be unstable. Thus, liquidity requirements were
needed.
• Especially after the failure of Lehman, which did not honor
its commitments as a counterparty in derivative contracts, it
became clear that capital was needed to cover counterparty
credit risk.
• In addition, a Large Exposures Framework was created in
2014 to set a common global standard to limit exposure
concentrations to a single counterparty, particularly between
systemically important institutions. Specifically, there limits
are 25% of capital (and 15% between global systemically
important banks). This framework assumes 100% probability
of default and 100% loss given default (after netting and col­
lateral adjustments), limited use of models that failed in the
crisis, and aggregates across wholesale credit, trading and
other books. LEF also addresses a limitation of the capital
framework, which does not adjust capital requirements for
significant concentrations under either the Standardized
Approach or the Gordy Model used in IRB (which assumes
exposures are granular, not concentrated).
Proposals to remedy the deficiencies were published in 2010
and 2011 and amended in later years.3
3 BCBS, "Basel III: A global regulatory framework for more resilient
banks and banking systems," June 2011; and BCBS, "Basel III: Interna­
tional framework for liquidity risk measurement standards and monitor­
ing," December 2010.
322 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
The Definition of Capital
Basel III eliminated Tier 3 Capital and divided Tier 1 Capital into
Tier 1 Equity Capital (also known as Core Tier 1 Capital) and
Additional Tier 1 Capital, restricting the former to high-quality
capital.
Minimum capital requirements were also changed: Core Tier 1
must be at least 4.5 percent of risk-weighted assets, and Total
Tier 1 (i.e., the sum of Core and Additional Tier 1) capital must
be at least 6 percent of risk-weighted assets. The Total Capital
requirement (Tier 1 plus Tier 2) was left unchanged at 8 percent.
The components of each category are:
• Tier 1 Equity Capital includes
• common equity,
• retained earnings, and
• a limited amount of minority interest and unrealized gains
and losses.
Goodwill and other intangibles are deducted, as are deferred
tax assets and any shortfall of reserves relative to IRB
expected losses.
• Additional Tier 1 Capital includes:
• Unsecured, unguaranteed, non-cumulative perpetual
preferred equity instruments subordinated to depositors and
subordinated debt, and callable only after five years or more.
• Debt with appropriate triggers that cause conversion to
equity or write-downs.
• Approved minority interest not included in Core Tier 1.
• Tier 2 capital is designed to absorb losses after failure,
protecting depositors and other creditors. It includes:
• Subordinated debt. Specifically, unsecured, unguaranteed,
debt instruments subordinated to depositors and subordi­
nated debt, with five years or more original maturity, and
callable only after five years or more.
• General loan loss reserves. These are reserves not allo­
cated to absorb losses on specific positions. Reserves
included in capital are capped at 1.25% of standardized
approach RWAs, or 0.6% of IRB RWAs.
A number of other deductions are required, such as
• defined-benefit pension plan deficits,
• certain cross-holdings within a group, and
• mortgage servicing rights greater than 10 percent of com­
mon equity.
Overall, capital requirements were significantly increased rela­
tive to Basel 2 because minimum ratios were increased, and
allowable capital was constricted.
Leverage Ratio Capital Requirements
Prior to Basel 3, minimum capital ratios specified by the Basel
Committee were expressed as a percentage of risk-weighted
assets (RWA). However, during and after the crisis many observ­
ers felt that RWA had understated the risks borne by banking
organizations and thus led them to be over-leveraged. Though
known weaknesses in the calculation of RWA were addressed,
the possibility of future mismeasurement remained. Moreover,
during the crisis market participants had focused on simple
ratios of equity to unweighted assets as they assessed the
soundness of banking organizations, making risk-weighted ratio
values peripheral to the debates of the time.
The Committee's reaction was to introduce a "sim ple" lever­
age ratio capital requirement as a supplement to the risk-based
requirements: banking organizations must maintain a ratio of
Core Tier 1 Capital to Leverage Exposure of 3 percent or more.
Leverage Exposure includes both on-balance-sheet assets and
fractions of off-balance-sheet assets (e.g., derivatives or poten­
tial futures exposures). Though the IFRS and G A A P accounting
standards differ somewhat in their handling of off-balance sheet
assets, the Committee's Leverage Exposure measure is specified
in some detail to promote comparability across nations.
Systemically Important Financial
Institutions
The FSB publishes lists of globally systemically important banks
(G-SIBs) and (in cooperation with the IAIS) globally systemically
important insurers (G-SII). Some nations also designate other
banks as domestically systemically important (D-SIBs).
Collectively, these and other firms fall into the category of sys­
temically important financial institutions (SIFIs). To determine
whether an entity is a G-SIB, the FSB combines variables that
proxy for size, interconnectedness, complexity, international
activity and other matters.
An entity is systemically important if its failure or distress would
cause substantial problems in the financial system or the real
economy. For example, the aftermath of Lehman's failure dem­
onstrated that it was systemically important because many finan­
cial markets were disrupted, and many counterparties suffered
because Lehman failed to satisfy its obligations.
SI FIs are often presumed to be "too big to fail," but key goals
of reforms include reducing the likelihood of failure while also
making it possible for any entity to "fail" without disrupting
the financial system or the real economy. Though shareholders
likely would be wiped out in a failure and some creditors would
suffer losses, the goal is for the entity to keep operating and
Chapter 20 Solvency, Liquidity, and Other Regulation After the Global Financial Crisis
be recapitalized without government assistance. As described
ahead, systemically important firms are often subjected to more
wide-ranging supervision and regulation.
Buffers
As of early 2019, the Basel specifications feature three require­
ments for capital above the minimum fractions of RWA:
1. A 2.5 percent capital conservation buffer (CCB) requirement.
2. An additional G-SIB requirement that depends on an
organization's score when the Committee applies its
method to identify G-SIBs. These additions are 1, 1.5, 2,
2.5 and 3.5 percent.4
3. A Countercyclical Capital Buffer (CCyB) that varies at the
discretion of national supervisors and is between 0 and
2.5 percent.
The rationales for the buffers differ somewhat. In the case of the
C C B , the rationale roughly follows that for the Prompt Correc­
tive Action (PCA) system built into U.S. capital regulation begin­
ning in 1991 (i.e., a bank with ratios that begin to approach the
minimums should be subject to increasingly stringent supervi­
sory intervention in order to induce a return to well-capitalized
status). Though the only restrictions formally imposed by the
Committee involve restrictions on dividend payments and
bonuses, as well as a requirement for plans to restore capital
ratios, supervisors may try to act more broadly as w ell.5
In the case of the G-SIB buffer, the rationale is similar to that
for the C C B but also recognizes the very large costs to society
of distress at G-SIBs (and the higher volatility of losses at some
of them). Thus, larger buffers are specified to further reduce
the chance of failure. A breach of the G-SIB buffer has conse­
quences similar to a breach of the C C B.
The CCyB has two rationales. One is to provide an instrument
for macroprudential restraint of overheating; the other is atten­
tive to the cost of capital.
The overheating rationale posits that higher bank capital
requirements tend to restrict credit supply by banks, and thus
4 The 2018 list of G-SIBs contained 29 entities. Since the list of G-SIBs
was first published in 2011, none have been in the 3.5 percent category,
and since 2013 only HSBC and JP Morgan Chase have appeared in the
2.5 percent category.
5 Supervisors have a range of tools at their disposal and may be
constrained from certain actions when a bank is still meeting its
minimums. In stressed environments it may be difficult to achieve asset
sales, capital raises, or mergers that provide a remedy to deal with a
weak bank. A failure to meet a buffer is less severe than failing to meet
a minimum requirement.
■ 323
overheating in the credit markets, thereby damping the amplitude
of the credit cycle and perhaps reducing the frequency and sever­
ity of financial crises. A consequence of the overheating rationale
is that computation of the CCyB requirement is complicated for
banks with international operations. This is beucase the CCyB may
differ across nations, and a bank with operations in several nations
will have a consolidated CCyB requirement that is a weighted
average of the requirements in each nation in which it operates.
The cost-of-capital rationale presumes that a bank's costs of
increasing its capital ratio are smaller in good times than in
bad times, which implies that increased financial stability can
be obtained at lower cost by increasing the CCyB during good
times and reducing it during bad times. Implicitly, this rationale
focuses on capital market costs for the entity as a whole, without
regard to conditions in different nations' credit markets.
As a practical matter, different supervisors have given different
weights to the two rationales. The consequences of violating
the CCyB are similar to those of violating the C C B . However,
because national supervisors can reduce the CCyB at any
time, such consequences can be mitigated by changing the
requirement.
All of the aforementioned requirements apply only to risk-based
capital ratios. In 2017, the Committee introduced a leverage
ratio buffer for G-SIBs as well, equal to one-half of its risk-based
G-SIB buffer (not including the C C B or C C yB ).6 Earlier, the U.S.
had implemented a 2 percentage point leverage buffer require­
ment for G-SIB consolidated organizations, and a 3 percentage
point buffer for subsidiary banks, for an aggregate minimum of
5 and 6 percent, respectively. In 2018, the U.S. proposed to
change its G-SIB leverage buffer to half of the sum of C C B and
G-SIB risk-based buffer requirements.
Basel III Finalizing the Post-Crisis Reforms
In December 2017, the BCBS finalized a set of reforms that
include revisions to
a) the standardized approach to credit,
b) the Internal ratings-based approach,
c) the CVA framework for counterparty credit,
d) operational risk, and
e) the leveraged ratio.
In addition, an output floor was introduced to ensure that
capital calculations under the ratings-based and other modelled
approaches is constrained at not less than 72.5% of the stan­
dardized approach.
6 Though it will not be implemented until 2022.
324 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
K e y C h a n g e s - S ta n d a rd ize d A p p ro a ch
• Risk weights for banks have been adjusted, with one set of
weights linked to external rating agencies, and another to
credit risk assessments (i.e., Grade A, B or C) used when
a country does not permit external ratings to be used for
capital measures. Range is 20% RWA for A A A up to 150%
RWA for lower than B-.
• Covered bonds (i.e., bonds issued by banks and secured by
a portfolio of collateral) meeting specific criterial carry a risk
weight of between 10% and 100%.
• Corporate bonds carry risk weights of 20%, 50%, 75%, 100%
and 150% tied to ratings. In countries that do not allow
ratings, a 65% risk weight applies to investment grade and
100% to non-investment grade. Favorable treatment is pro­
vided to loans to small and medium enterprises (SMEs).
• Specialized lending has several buckets (e.g., project finance
or object finance) with detailed definitions and specific risk
weights.
• Equities have a 400% risk weight (with exceptions) and
sub-debt or other instruments have a 150% risk weight.
• New risk weights were set for real estate tied to loan value
and type (e.g., retail versus commercial).
• New credit conversion factors were set for a range of
off-balance sheet exposures.
• A definition of default was added. It includes payments past
due for 90 days, non-accrual assets, write-offs in anticipation
of default, sale of asset at loss, distressed restructuring, bank­
ruptcy, and inability to pay without recourse to collateral.
• Treatment of hedges and collateral was expanded into
significant detail.
K e y C h a n g e s - IRB
• Categories include corporate, sovereign, bank, retail, and
equity. Within retail there are three subtypes. Five subcat­
egories of specialty lending include project finance, object
finance, commodities, income producing real estate and high
volatility real estate.
• IRB is not permitted for large corporates or banks where
modeling is problematic, given few historical defaults and a
limited number of exposures in the data set.
• Banks must apply IRB to all assets in a given asset class and
cannot cherry pick some exposures to be covered under SA
alone and IRB for others.
• Minimum UL risk weights apply for specialized lending.
Collateral haircuts are applied for secured lending.
• Input floors for LGD calculations are provided for corporates,
with 25% minimum LGD on unsecured exposures and a
 range of 0% to 15% minimum on secured exposures. Retail
exposures have a 50% minimum LDG on credit cards, 30%
on other unsecured exposures, and a similar 0% to 15% mini­
mum LGD on secured loans.
K e y C h a n g e s - C V A Risk
• Two approaches are available for calculating CVA risk:
the standardized approach (SA-CVA) and basic approach
(BA-CVA).
K e y C h a n g e s - O p e ra tio n a l Risk
• The standardized approach replaces existing Basel II
approaches for operational risk. Key elements include the
business indicator (Bl) and the Business indicator component
(BIC), which equals the Bl times an Internal Loss Multiplier
(ILM) (i.e., a scaling factor based upon historical losses).
Bl =ILDC + SC + FC
Where ILDC = Min [(Abs(lnterest Income — Interest Expense);
2.25% X Income Earning Assets T Dividend Income); SC —
Max [Other Operating Income; Other Operating Expense] +
Max [Fee Income; Fee Expense]; and FC = Abs(Net P&L
Trading book) + Abs(Net P&L Banking book)
B IC
Bucket 1 (under Euro 1 billion) 12%
Bucket 2 (1 to 30 billion Euro) 15%
Bucket 3 (over 30 billion Euro) 18%
ILM
ILM =Ln(exp(l)-l+(LC/BIC)A0.8))
Liquidity Requirements
Solvent financial institutions can sometimes fail because their
depositors and counterparties withdraw more rapidly than
assets can be sold. Regardless of the causes of a run, authorities
value having time to diagnose the problem and find a solution,
ideally one not involving government guarantees.
During the crisis, perhaps the most notable example of a failure
involving a run was that of Northern Rock. Heavily dependent
on securitization markets to fund its mortgage business, the
bank had trouble finding enough wholesale funding to finance
its pipeline of mortgage loans when securitization became
difficult.
The trouble began when news broke on September 13 (a
Thursday) that the Bank of England would provide liquidity sup­
port. In the response to the prospect of government intervention,7
Chapter 20 Solvency, Liquidity, and Other Regulation After the Global Financial Crisis
a substantial fraction of retail deposits was withdrawn and North­
ern Rock's wholesale funding fell. With most of its remaining assets
illiquid, Northern Rock found itself in imminent danger of being
unable to meet further requests for withdrawals. By the following
Monday, the government announced that all deposits would be
guaranteed for all U.K. banks.
Basel 3 addressed liquidity risk by specifying two requirements,
the liquidity coverage ratio (LCR) and the net stable funding
ratio (NSFR).
The LCR is designed to give banks and authorities a month to
manage a crisis by selling liquid assets. The idea is that if the
bank has more liquid assets than it needs to meet liquidity
demands during the month, it can sell the assets while attempt­
ing to restore confidence in itself. To be "liquid," the likelihood
must be high that the asset can be sold quickly and with little
reduction in price. The requirement is defined as
j rD _ High, q u a l i t y liq u id a s s e t s .
L L t x — ---------------------------------------------> 1
N e t cash o u t f l o w s in a 30 d a y p e r i o d
The quantity of a bank's high-quality liquid assets (HQLA) is
measured by placing assets in categories and applying hair­
cuts according to the likely availability of buyers at prices near
normal-times values.
For example, included in HQLA without a haircut are deposits
at central banks and securities issued by central governments
with a 0 percent risk weight in the standardized approach.
In contrast, corporate debt and equity have 50 percent
haircuts and individual mortgage loans are excluded from
HQLA entirely.
Net cash outflows are computed by applying assumptions about
the tendency of different classes of liabilities to be withdrawn in
stress situations, and the tendency credit line holders to draw on
them. For example, only 3 percent of insured retail deposits are
assumed to be withdrawn, whereas that number is 100 percent
for most non-operational wholesale deposits and 30 percent
for undrawn capacity of lines of credit to nonfinancial wholesale
customers. These examples only scratch the surface of a vast
structure of asset/commitment categories and their associated
percentages. As such, the definition of the LCR is simple but the
implementation is complicated.
The NSFR uses a one-year period and is conceptually slightly
different, in that it focuses not on what can be sold but rather
what funding would remain after a stressful year. It is defined as
A v a ila b le a m o u n t o f s t a b l e f u n d i n g
N S F R = > 1
Required a m o u n t o f sta b le f u n d i n g
7 At the time, deposit insurance in the U.K. was relatively meaqer (up to
GBP 31,700).
■ 325
The available amount of stable funding is calculated by Using a 5% runoff rate for the stable retail deposits, a 100%
multiplying the amount in several categories of funding by runoff rate for the one-third of wholesale CDs that mature in the
available stable funding (ASF) factors (which are similar to next month, and a 0% runoff rate for senior bonds and equity,
haircuts). However, these categories are different from those net 30-day cash outflows are 25 + 67 = 92, so
of the LCR. The required stable funding is similarly calculated
LCR = = 2.72
by multiplying amounts in each category of asset by required
stable funding (RSF) factors, where the factor is higher the
Thus, the bank in this example would be in compliance with the
more illiquid the asset (since it cannot be sold as easily when
LCR and NFSR. Note that a very large number of categories,
funding runs off).
factors and haircuts were not discussed in this example and the
The new liquidity requirements represent a major change in liquidity requirements are operationally complex.
bank regulation and management. Prior to the crisis, the pre­
sumption was that regulators would instantly know whether a
bank was solvent or not. If a bank was solvent, central banks Derivatives Counterparty Credit Risk
could immediately provide enough emergency funding until
Banks calculate a credit valuation adjustment (CVA) for
market participants became comfortable with its solvency, each derivatives counterparty, which is the difference in
whereas insolvent banks would be closed immediately. value between a risk-free portfolio of derivatives with that
One lesson of Northern Rock is that provision of funding by counterparty and the actual portfolio. CVA increases with the
central banks can make funding stresses worse, not better, counterparty's credit spread and also changes with the market
and doing so for one bank can destabilize a banking system. value of the portfolio. The component from changes in market
Thus, banks must be much better prepared to survive periods values affects profit, while the component associated with
of funding stress with their own resources. This means that bal­ counterparty credit spreads appears in market risk capital.
ance sheet composition is somewhat constrained, with a smaller
proportion of illiquid assets and a larger proportion of illiquid
liabilities. 20.4 RESOLUTION PLANNING
AND PREPARATION
E x a m p le o f L C R and N S F R
Banks will fail in the future in spite of Basel I, II, III and later
A bank's liabilities consist of USD 500 of stable retail deposits
reforms. To limit the disruptions caused by such failures, the
with 9 months or less remaining maturity, USD 200 of 3-month
FSB agreed in 2014 that national resolution regimes for G-SIBs
wholesale certificates of deposit with one-third maturing each
would have 12 key attributes and that each G-SIB should have
month, USD 200 of 10-year senior bonds with none maturing
sufficient total loss absorbing capacity (TLAC) to enable it to
in the next year, and USD 100 of common equity. A SF factors
recapitalize itself.
for these categories of liability are 95%, 0%, 100%, and 100%,
respectively. Recapitalization might be accomplished by causing convertible
bonds to become equity or by bail-in, in which certain whole­
The bank's assets consist of USD 100 of vault cash, USD 100 of
sale debt liabilities are either written down or converted to
the debt of its sovereign, USD 100 of corporate debt securities
equity. The terms of conversion are written into the indentures
rated BBB in the trading account, and USD 700 of loans to busi­
of convertible bonds and often require conversion when a bank
nesses with more than one year of remaining maturity and risk
appears to be solvent, whereas bail-ins are governed by national
weights of 50% or more. The RSF factors for these assets are
law and details are generally chosen by authorities after they
0%, 5%, 50%, and 85%, respectively. Thus
have seized control of a bank.
475 + 0 + 200 + 100
N SFR = 1.19
0 + 5 + 50 + 595
CoCos
For the LCR, HQ LA factors (1-haircut) are 100%, 100%, 50%,
0%, presuming the supervisory allows inclusion of the corporate Traditionally, convertible bonds were issued by non-financial
debt securities. Note that the corporate debt securities are firms who wished to avoid the dilution of issuing equity before
Level 2 assets, which may not comprise more than 40% of HQLA the firm's performance improved. Such bonds would, at the
after the haircut. This is satisfied since total HQLA is USD 250, of option of the holder, convert into equity when the firm's share
which USD 50 is the corporate debt securities. price exceeded thresholds specified in the indenture.

326 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
For banks, contingent convertible bonds (CoCos) are the mirror
image: they cause a bank's equity to increase when distress
occurs, as reflected by triggers written into the indenture, and
not at the option of the holder. With CoCos, equity increases
either because the bond converts to equity or because its value
is written down.
Triggers have varied somewhat across CoCos, but a common
trigger is when the ratio of Core Tier 1 Capital to RWA falls
below a threshold, or when a bank's primary regulator declares
it to be nonviable. CoCos may be included in Additional Tier 1
Capital if the threshold is 5.125 percent or higher, and Tier 2
capital otherwise.
Economically, it is not obvious why the market would price
CoCos to make the cost of capital for them less than the cost
of equity. Because CoCos are debt instruments when issued,
holders receive little or none of the high returns received by
equity holders when a bank does well, but holders bear losses
not so different from those of equity holders when a bank fails.
Thus, they should be expensive for a bank to issue. But they do
have an accounting advantage: because they do not appear in
the equity account until converted, a bank can report a higher
return on equity.
Living Wills
In many countries, G-SIBs (and sometimes D-SIBs) are required
to prepare detailed resolution plans in which they specify
how they would fund themselves when distressed, how they
would recapitalize, how they would continue to operate as a
going concern even if some subsidiaries failed, and many other
related matters.
20.5 STRESS TESTING AND OTHER
LOCAL APPLICATIONS OF BASEL
W hile Basel I, II and III have achieved some level of
harmonization across countries, significant differences persist.
Little effort has been made to fully adjust for differences
in accounting standards, bankruptcy laws, or other rules or
regulations with differences across countries. Even where
there is agreem ent in Basel, some jurisdictions apply tighter
treatm ents than others. For exam ple, many European
countries treat all banks as internationally active and
subject to Basel rules, while the U.S. considers only its
largest banks as internationally active, with less stringent
requirem ents applied to many regional and community
banks that only operate in one or a few states with little
international activity.
Chapter 20 Solvency, Liquidity, and Other Regulation After the Global Financial Crisis
Though participating countries are not supposed to promulgate
domestic laws and regulations that are less onerous for inter­
nationally active banks, they may enact requirements that are
superequivalent (i.e., imposing a different but higher, or just a
higher standard than Basel requires).
This approach sometimes acts as a safety valve in the Basel
negotiations, allowing those who want stronger standards for
everyone to at least have them domestically, and sometimes it
reflects a nation's special circumstances. Switzerland's choices
are in the latter category: as a small country with two huge
G-SIBs, it found itself during the crisis in the uncomfortable situ­
ation of being unable to recapitalize its G-SIBs should that have
been necessary. Thus, its capital requirements are more onerous
than those of Basel 3, and in resolution planning it has required
the G-SIBs to structure themselves so that domestic opera­
tions could continue even if international operations failed. The
United Kingdom has taken a somewhat similar step, requiring
that retail operations be ringfenced (i.e., separated from) whole­
sale operations.
Basel anticipates that in addition to minimum standards, each
jurisdiction will supervise banks and take other actions to ensure
they have adequate capital and liquidity, and strong risk man­
agement and governance. In the U.S., coordinated stress tests
based upon supervisory designs and scenarios ensure that banks
have capital and liquidity planning processes, risk management,
and sufficient buffers to allow compliance with minimum capital
and liquidity standards even in a stressed situation.
The Federal Reserve's Com prehensive Capital Analysis and
Review (C C A R ), which requires participation by G-SIBs and
D-SIBs with material operations in the United States, includes
a supervisory severe scenario that has been one of the more
severe stress tests. For some banks, C C A R stress testing is
the binding capital constraint, as restrictions on dividend
payments and share buybacks apply if the bank's capital
ratios fall below the requirem ent minimums after losses in
the "severely adverse" scenario are included. This approach
requires banks to hold buffers that should allow them to
meet their minimum capital requirem ents even in stressed
scenarios and is consistent with past expectations that
banks should have a cushion above Basel minimum capital
requirem ents. Furtherm ore, that cushion is likely greater
than in the past.
Similarly, there is a program for liquidity known as CLAR that
assesses bank stress testing and supervisory provided stress
tests to ensure liquidity buffers are maintained. In 2019, ele­
ments of CCA R have been relaxed to reduce in future periods
the use of qualitative criteria (relating to bank risk management
and capital planning processes) in judging results.
■ 327
20.6 OTHER REFORMS
A vast array of legislation and regulations was implemented
across the globe in the decade after 2007. These include:
• Capacity to conduct macroprudential policy was added
through institutional reforms in some nations where legal
authority was previously lacking. For example, in the United
States, bank regulators' missions often restricted them to
consider only the soundness of individual banks, not the
financial system as a whole. The Financial Stability Oversight
Council (FSOC) was created to take a more macropruden­
tial view, though its legal authority was somewhat limited.
In the United Kingdom, the Financial Policy Committee was
created at the Bank of England, with some power to take
macroprudential policy actions and to recommend others to
Parliament.
• Pre-crisis compensation practices at large banks that made
pay effectively independent of risk-taking were widely
blamed for imprudent risk taking. The FSB promulgated prin­
ciples for better compensation practices, and many nations
responded with increased supervision and regulation. Some
elected to take a more formulaic approach, in some cases
restricting the level of pay, while other nations focused on
supervision of the presence of risk-sensitive features in com­
pensation arrangements.
• In the United States, the Volcker Rule (part of the Dodd Frank
Act) restricts proprietary trading and investments in hedge
funds and private equity at deposit-taking financial firms. The
rationale is that banks should not be permitted to "specu­
late" while being funded by insured depositors. However, the
Volcker Rule has proved difficult to enforce because of chal­
lenges in identifying the intent of a trade and in separating
hedging activity from speculative activity. Nevertheless, most
banks shut down their proprietary trading desks.
• In the United States and in the European Union, some over-
the-counter derivatives (i.e., those that are relatively standard
in form and terms) must be traded on swap execution facili­
ties (SEFs), which are electronic platforms that promote price
transparency. Derivatives traded between financial institu­
tions must be cleared by central counterparties (CCPs).
• In the United States, an Office of Credit Ratings was created at
the Securities and Exchange Commission to provide oversight
of rating agencies, though its powers were somewhat limited.
Prior to the crisis, rating agencies had been subject to rela­
tively little regulatory oversight and they were widely blamed
for underestimates of the credit risks posed by securitizations.
• In the United States, a Consumer Financial Protection
Bureau (CFPB) was created to improve information flows to
328 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
consumers of financial products and to curb abuses by finan­
cial firms of all kinds.
• In the United States, mortgage lenders were required to
determine whether borrowers have the ability to repay the
loans they take. The legal and financial liabilities associated
with mistakes in such determinations have caused many
banks to exit the mortgage market.
• In the United States, large banks were required to have
board risk committees where at least one member has risk
management experience at a large financial firm.
• In the United States and the European Union, issuers of secu­
ritizations were required to retain at least 5 percent of each
tranche, in an attempt to better-align the incentives of issuers
and investors.
References
Basel Committee on Banking Supervision, "The Application
of Basel II to Trading Activities and the Treatment of Double
Default Effects," Ju ly 2005.
Basel Committee on Banking Supervision, "Guidelines for
computing capital for incremental risk in the trading book,"
January 2009.
Basel Committee on Banking Supervision, "Revisions to the
Basel II market risk fram ework," Ju ly 2009 and February 2011.
Basel Committee on Banking Supervision, "Guidelines for comput­
ing capital for incremental risk in the trading book," Ju ly 2009.
Basel Committee on Banking Supervision, "Basel III: A global
regulatory framework for more resilient banks and banking
systems - revised version June 2011," Ju n e 2011.
Basel Committee on Banking Supervision, "Basel III: A global
regulatory framework for more resilient banks and banking
system s," D e ce m b e r 2010.
Basel Committee on Banking Supervision, "Basel III: the net
stable funding ratio," O c to b e r 2014.
Basel Committee on Banking Supervision, "Basel III: the
Liquidity Coverage Ratio and liquidity risk monitoring tools,"
January 2013.
Basel Committee on Banking Supervision: Basel III Finalising
Post Crisis Reforms, December 2017
Basel Committee on Banking Supervision: Minimum capital
Requirements for Market Risk, R evised 14 January 2019.
Basel Committee on Bank Supervision: Large Exposures
Framework, A p ril 2014.
High-Level
Summary of
Basel III Reforms
Learning Objectives
After completing this reading you should be able to:

Explain the motivations for revising the Basel III framework ■ The CVA risk framework
and the goals and impacts of the December 2017 reforms
■ The operational risk framework
to the Basel III framework.
■ The leverage ratio framework
Summarize the December 2017 revisions to the Basel III
framework in the following areas: Describe the revised output floor introduced as part of
the Basel III reforms and approaches to be used when
■ The standardized approach to credit risk
calculating the output floor.
The internal ratings-based (IRB) approaches for credit
risk

Basel C om m ittee on Banking Supervision Publication, D e ce m b e r 2017. R e p rin ted with perm ission o f the Bank for International
Settlem en ts. The full publication is available on the BIS w eb site free o f charge: w w w .b is.o rg .

329
This note summarises the main features of the finalised Basel III
reforms. The standards text, which provides the full details of
the reforms, is published separately and is available on the BIS
website at www.bis.org/bcbs/publ/d424.htm .
The Basel III framework is a central element of the Basel Com ­
mittee's response to the global financial crisis. It addresses a
number of shortcomings in the pre-crisis regulatory framework
and provides a foundation for a resilient banking system that will
help avoid the build-up of systemic vulnerabilities. The fram e­
work will allow the banking system to support the real economy
through the economic cycle.
The initial phase of Basel III reforms focused on strengthening
the following components of the regulatory framework:
• improving the quality of bank regulatory capital by placing a
greater focus on going-concern loss-absorbing capital in the
form of Common Equity Tier 1 (CET1) capital;
• increasing the level of capital requirements to ensure that
banks are sufficiently resilient to withstand losses in times of
stress;
• enhancing risk capture by revising areas of the risk-weighted
capital framework that proved to be acutely miscalibrated,
including the global standards for market risk, counterparty
credit risk and securitisation;
• adding macroprudential elements to the regulatory fram e­
work, by: (i) introducing capital buffers that are built up in
good times and can be drawn down in times of stress to
limit procyclicality; (ii) establishing a large exposures regime
that mitigates systemic risks arising from interlinkages across
financial institutions and concentrated exposures; and (iii)
putting in place a capital buffer to address the externalities
created by systemically important banks;
• specifying a minimum leverage ratio requirement to constrain
excess leverage in the banking system and complement the
risk-weighted capital requirements; and
• introducing an international framework for mitigating exces­
sive liquidity risk and maturity transformation, through the
Liquidity Coverage Ratio and Net Stable Funding Ratio.
The Committee's now finalised Basel III reforms complement
these improvements to the global regulatory framework. The
revisions seek to restore credibility in the calculation of risk-
weighted assets (RWAs) and improve the comparability of
banks' capital ratios by:
• enhancing the robustness and risk sensitivity of the stan­
dardised approaches for credit risk, credit valuation adjust­
ment (CVA) risk and operational risk;
• constraining the use of the internal model approaches, by
placing limits on certain inputs used to calculate capital
330 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
requirements under the internal ratings-based (IRB) approach
for credit risk and by removing the use of the internal model
approaches for CVA risk and for operational risk;
• introducing a leverage ratio buffer to further limit the lever­
age of global systemically important banks (G-SIBs); and
• replacing the existing Basel II output floor with a more robust
risk-sensitive floor based on the Committee's revised Basel III
standardised approaches.
STANDARDISED APPROACH
FOR CREDIT RISK*•
Credit risk accounts for the bulk of most banks' risk-taking activi­
ties and hence their regulatory capital requirements. The stan­
dardised approach is used by the majority of banks around the
world, including in non-Basel Committee jurisdictions.
The Committee's revisions to the standardised approach for
credit risk enhance the regulatory framework by:
• improving its granularity and risk sensitivity. For example, the
Basel II standardised approach assigns a flat risk weight to all
residential mortgages. In the revised standardised approach
mortgage risk weights depend on the loan-to-value (LTV)
ratio of the mortgage;
• reducing mechanistic reliance on credit ratings, by requiring
banks to conduct sufficient due diligence, and by developing
a sufficiently granular non-ratings-based approach for juris­
dictions that cannot or do not wish to rely on external credit
ratings; and
• as a result, providing the foundation for a revised output
floor to internally modelled capital requirements (to replace
the existing Basel I floor) and related disclosure to enhance
comparability across banks and restore a level playing field.
The revisions to the standardised approach for credit risk,
relative to the existing standardised approach, are outlined in
Table 21.1. In summary, the key revisions are as follows:
• A more granular approach has been developed for unrated
exposures to banks and corporates, and for rated exposures
in jurisdictions where the use of credit ratings is permitted.
• For exposures to banks, some of the risk weights for rated
exposures have been recalibrated. In addition, the risk-
weighted treatment for unrated exposures is more granular
than the existing flat risk weight. A standalone treatment for
covered bonds has also been introduced.
• For exposures to corporates, a more granular look-up
table has been developed. A specific risk weight applies to
exposures to small and medium-sized enterprises (SMEs).
 In addition, the revised standardised approach includes a
standalone treatment for exposures to project finance, object
finance and commodities finance.
• For residential real estate exposures, more risk-sensitive
approaches have been developed, whereby risk weights
vary based on the LTV ratio of the mortgage (instead of the
existing single risk weight) and in ways that better reflect
differences in market structures.
• For retail exposures, a more granular treatm ent applies,
which distinguishes between different types of retail
exposures. For exam ple, the regulatory retail portfolio
distinguishes between revolving facilities (where credit is
typically drawn upon) and transactors (where the facility
is used to facilitate transactions rather than a source
of credit).
• For commercial real estate exposures, approaches have
been developed that are more risk-sensitive than the flat risk
weight which generally applies.
• For subordinated debt and equity exposures, a more granu­
lar risk weight treatment applies (relative to the current flat
risk weight).
• For off-balance sheet items, the credit conversion factors
(CCFs), which are used to determine the amount of an
exposure to be risk-weighted, have been made more risk-
sensitive, including the introduction of positive C C Fs for
unconditionally cancellable commitments (UCCs).

Table 21.1 O v e rv ie w of R evised S ta n d a rd ise d A p p ro a ch to C re d it Risk

Exposures to banks

Risk weights in jurisdictions where the ratings approach is permitted

External rating AAA to A A — A+ to A — BBB+ to B B B - BB + to B - Below B— Unrated

Risk weight 20% 30% 50% 100% 150% As for SCRA below

Short-term exp o su res

Risk weight 20% 20% 20% 50% 150% As for SCRA below

Risk weights where the ratings approach is not permitted and for unrated exposures

Standardised Credit Risk Grade A Grade B Grade C

Assessment Approach (SCRA)
grades

Risk weight 40% 1 75% 150%

Short-term exposures 20% 50% 150%

Exposures to covered bonds

Risk weiahts for rated covered bonds

External issue-specific rating AAA to A A — A+ to B B B - BB+ to B - Below B -

Risk weight 10% 20% 50% 100%

Risk weights for unrated covered bonds

Risk weight of issuing bank 20% 30% 40% 50% 75% 100% 150%

Risk weight 10% 15% 20% 25% 35% 50% 100%

Exposures to general corporates

Risk weights in jurisdictions where the ratings approach is permitted

External rating AAA to A A — A+ to A — BBB+ to B B B - BB+ to B B - Below BB— Unrated

of counterparty

Risk weight 20% 50% 75% 100% 150% 100% or 85%

if corporate SME

(C ontinued)

1 A risk weight of 30% may be applied if the exposure to the bank satisfies all of the criteria for Grade A classification and in addition the counterparty
bank has (i) a CET1 ratio of 14% or above; and (ii) a Tier 1 leverage ratio of 5% or above.

Chapter 21 High-Level Summary of Basel III Reforms ■ 331

Table 21.1 Continued
Risk weights where rating approach is not permitted

SCRA grades Investment grade All other

General corporate (non-SME) 65% 100%

SM E general corporate 85%

Exposures to project finance, object finance and commodities finance

Exposure (excluding real estate) Project finance Object and commodity finance

Issue-specific ratings available Same as for general corporate (see above)

and permitted

Rating not available or not 130% pre-operational phase 100%

permitted
100% operational phase
80% operational phase (high quality)

Retail exposures excluding real estate

Regulatory Regulatory retail (revolving) Other retail

retail
Transactors Revolvers
(non-revolving)

Risk weight 75% 45% 75% 100%

Residential real estate exposures

LTV bands Below 50% 50% to 60% to 70% to 80% to 90% to above Criteria not met
60% 70% 80% 90% 100% 100%

G eneral R R E

Whole loan 20% 25% 30% 40% 50% 70% RW of counterparty

approach RW

Loan-splitting 20% RW of counterparty RW of counterparty

approach2 RW

Incom e-producing residential real esta te (IPRRE)

Whole loan 30% 35% 45% 60% 75% 105% 150%

approach RW

Commercial real estate (CRE) exposures

G eneral C R E

Whole loan approach LTV < 60% LTV > 60% Criteria not m et

Min (60%, RW of counterparty) RW of counterparty RW of counterparty

Loan-splitting LTV < 55% LTV > 55% Criteria not m et

approach2
Min (60%, RW of counterparty) RW of counterparty RW of counterparty

Incom e-producing com m ercial real esta te (IPCRE)

Whole loan LT V < 60% 60% < LTV < 80% LT V > 80% Criteria not m et
approach
70% 90% 110% 150%

2 Under the loan-splitting approach, a supervisory specified risk weight is applied to the portion of the exposure that is below 55% of the property
value and the risk weight of the counterparty is applied to the remainder of the exposure. In cases where the criteria are not met, the risk weight of
the counterparty is applied to the entire exposure.

332 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
 Land acquisition, d e ve lo p m e n t and construction (AD C) e xp o su res

Loan to company/SPV 150%

Residential A D C loan 100%

Subordinated debt and equity (excluding amounts deducted)

Subordinated debt Equity exposures "Speculative unlisted All other equity

and capital other than to certain legislated equity" exposures
equities programmes

Risk weight 150% 100% 400% 250%

Credit conversion factors for off-balance sheet exposures

UCCs Commitments, NIFs and RUFs, ST self-liquidating Direct credit

except UCCs and certain trade letters of credit substitutes and
transaction- related arising from the other off balance
contingent items movement of goods sheet exposures

CCF 10% 40% 50% 20% 100%

INTERNAL RATINGS-BASED Table 2 1 .2 R evised S co p e of IRB A p p ro a ch e s

APPROACHES FOR CREDIT RISK for A sse t C la sse s

Basel III:
As noted above, the financial crisis highlighted a number Portfolio/ Basel II: Available Available
of shortcomings related to the use of internally modelled Exposure Approaches Approaches
approaches for regulatory capital, including the IRB approaches
Large and mid­ A-IRB, F-IRB, SA F-IRB, SA
to credit risk. These shortcomings include the excessive com­
sized corporates
plexity of the IRB approaches, the lack of comparability in banks' (consolidated
internally modelled IRB capital requirements and the lack of revenues >
robustness in modelling certain asset classes. €500m)

To address these shortcomings, the Committee has made the Banks and A-IRB, F-IRB, SA F-IRB, SA
following revisions to the IRB approaches: (i) removed the other financial
institutions
option to use the advanced IRB (A-IRB) approach for certain
asset classes; (ii) adopted "input" floors (for metrics such as Equities Various IRB SA
probabilities of default (PD) and loss-given-default (LGD)) to approaches
ensure a minimum level of conservativism in model parameters Specialised A-IRB, F-IRB, A-IRB, F-IRB,
for asset classes where the IRB approaches remain available; and lending3 slotting, SA slotting, SA
(iii) provided greater specification of parameter estimation prac­
tices to reduce RWA variability.
of RWA variability as it applies fixed values to the LGD and EAD
parameters. In addition, all IRB approaches are being removed

Removing the Use of the Advanced IRB for exposures to equities, which are typically a small component
of the credit risk of banks.
Approach for Certain Asset Classes
Table 21.2 outlines the revised scope of approaches available
The revised IRB framework removes the use of the A-IRB
under Basel III for certain asset classes relative to the Basel II
approach— which allows banks to estimate the PD, LGD, expo­
framework.
sure at default (EAD) and maturity of an exposure - for asset
classes that cannot be modelled in a robust and prudent man­
ner. These include exposures to large and mid-sized corporates,
3 With respect to specialised lending, banks would be permitted to
and exposures to banks and other financial institutions. As a
continue using the advanced and foundation IRB approaches. The
result, banks with supervisory approval will use the foundation Committee will review the slotting approach for specialised lending in
IRB (F-IRB) approach, which removes the two important sources due course.

Chapter 21 High-Level Summary of Basel III Reforms ■ 333

Table 21.3 Minimum Parameter Values in the Revised IRB Framework4

Loss-Given-Default (LGD)
Probability of Exposure at
Default (PD) Unsecured Secured Default (EAD)

Corporate 5 bp 25% Varying by collateral type:

• 0% financial
• 10% receivables
• 10% commercial or residen­
tial real estate
• 15% other physical EAD subject to a floor
that is the sum of (i) the
Retail classes: on-balance sheet expo­
Mortgages 5 bp N/A 5% sures; and (ii) 50% of the
off-balance sheet exposure
Q RRE transactors 5 bp 50% N/A
using the applicable Credit
Q RRE revolvers 10 bp 50% N/A Conversion Factor (CCF) in
Other retail 5 bp 30% Varying by collateral type: the standardised approach
• 0% financial
• 10% receivables
• 10% commercial or residen­
tial real estate
• 15% other physical

Specification of Input Floors CVA RISK FRAMEWORK

The revised IRB framework also introduces minimum "floor" val­
The initial phase of Basel III reforms introduced a capital charge
ues for bank-estimated IRB parameters that are used as inputs
for potential mark-to-market losses of derivative instruments as
to the calculation of RWA. These include PD floors for both the
a result of the deterioration in the creditworthiness of a coun­
F-IRB and A-IRB approaches, and LGD and EAD floors for the
terparty. This risk - known as CVA risk - was a major source of
A-IRB approach. In some cases, these floors consist of recali­
losses for banks during the global financial crisis, exceeding
brated values of the existing Basel II floors. In other cases, the
losses arising from outright defaults in some instances.
floors represent new constraints for banks' IRB models. Table 21.3
summarises the set of input floors in the revised IRB framework. The Committee has agreed to revise the CVA framework to:

• enhance its risk sensitivity: the current CVA framework does

Additional Enhancements
The Committee agreed on various additional enhancements to
the IRB approaches to further reduce unwarranted RWA variabil­
ity, including providing greater specification of the practices that
banks may use to estimate their model parameters. Adjustments
were made to the supervisory specified parameters in the F-IRB
approach, including: (i) for exposures secured by non-financial
collateral, increasing the haircuts that apply to the collateral and
reducing the LGD parameters; and (ii) for unsecured exposures,
reducing the LGD parameter from 45% to 40% for exposures to
non-financial corporates.
Given the enhancements to the IRB framework and the introduc­
tion of an aggregate output floor (discussed further below), the
Committee has agreed to remove the 1.06 scaling factor that is
currently applied to RWAs determined by the IRB approach to
credit risk.
not cover an important driver of CVA risk, namely the expo­
sure component of CVA. This component is directly related
to the price of the transactions that are within the scope of
application of the CVA risk capital charge. As these prices are
sensitive to variability in underlying market risk factors, the
CVA also materially depends on those factors. The revised
CVA framework takes into account the exposure component
of CVA risk along with its associated hedges;
• strengthen its robustness: CVA is a complex risk, and is
often more complex than the majority of the positions in4
4 The LGD and EAD floors are only applicable in A-IRB approaches. The
EAD floors are for those exposures where EAD modelling is still permit­
ted. The LGD floors for secured exposures apply when the exposure is fully
secured (ie the value of collateral after the application of haircuts exceeds
the value of the exposure). The LGD floor for a partially secured exposure is
calculated as a weighted average of the unsecured LGD floor for the unse­
cured portion and the secured LGD floor for the secured portion.

334 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
 banks' trading books. Accordingly, the Committee is of the
view that such a risk cannot be modelled by banks in a robust
and prudent manner. The revised framework removes the
use of an internally modelled approach, and consists of: (i) a
standardised approach; and (ii) a basic approach. In addition,
a bank with an aggregate notional amount of non-centrally
cleared derivatives less than or equal to €100 billion may
calculate their CVA capital charge as a simple multiplier of its
counterparty credit risk charge.
• improve its consistency: CVA risk is a form of market risk as
it is realised through a change in the mark-to-market value of
a bank's exposures to its derivative counterparties. As such,
the standardised and basic approaches of the revised CVA
framework have been designed and calibrated to be con­
sistent with the approaches used in the revised market risk
framework. In particular, the standardised CVA approach, like
the market risk approaches, is based on fair value sensitivities
to market risk factors and the basic approach is benchmarked
to the standardised approach.
OPERATIONAL RISK FRAMEWORK
The financial crisis highlighted two main shortcomings with the
existing operational risk framework. First, capital requirements
for operational risk proved insufficient to cover operational risk
losses incurred by some banks. Second, the nature of these
losses— covering events such as misconduct, and inadequate
systems and controls— highlighted the difficulty associated with
using internal models to estimate capital requirements for opera­
tional risk.
The Committee has streamlined the operational risk framework.
The advanced measurement approaches (AMA) for calculating
operational risk capital requirements (which are based on banks'
internal models) and the existing three standardised approaches
are replaced with a single risk-sensitive standardised approach
to be used by all banks.
The new standardised approach for operational risk determines
a bank's operational risk capital requirements based on two
components: (i) a measure of a bank's income; and (ii) a measure
of a bank's historical losses. Conceptually, it assumes: (i) that
operational risk increases at an increasing rate with a bank's
income; and (ii) banks which have experienced greater opera­
tional risk losses historically are assumed to be more likely to
experience operational risk losses in the future.
The operational risk capital requirement can be summarised as
follows:
Operational risk capital = BIC X ILM
Chapter 21
where:
• Business Indicator Component (BIC) = ^ ( a , .Bl,)
• Bl (Business Indicator) is the sum of three components: the
interest, leases and dividends component; the services com­
ponent and the financial component
• a, is a set of marginal coefficients that are multiplied by the
Bl based on three buckets (i = 1, 2, 3 denotes the bucket), as
given below:
Marginal Bl
Bl Bucket Bl Range Coefficients (« j)
1 < €1 bn 0.12
2 €1 bn < Bl < € 3 0 bn 0.15
3 > € 3 0 bn 0.18
• ILM (the Internal Loss Multiplier) is a function of the BIC
and the Loss Component (LC), where the latter is equal to
15 times a bank's average historical losses over the preceding
10 years. The ILM increases as the ratio of (LC/BIC) increases,
although at a decreasing rate.5
At national discretion, supervisors can elect to set ILM equal
to one for all banks in their jurisdiction. This means that capital
requirements in such cases would be determined solely by the
BIC. That is, capital requirements would not be related to a bank's
historical operational risk losses. However, to aid comparability,
all banks would be required to disclose their historical operational
risk losses, even in jurisdictions where the ILM is set to one.
LEVERAGE RATIO FRAMEWORK
Buffer for Global Systemically
Important Banks
The leverage ratio complements the risk-weighted capital
requirements by providing a safeguard against unsustainable
levels of leverage and by mitigating gaming and model risk
across both internal models and standardised risk measurement
approaches. To maintain the relative incentives provided by
both capital constraints, the finalised Basel III reforms introduce
a leverage ratio buffer for G-SIBs. Such an approach is consis­
tent with the risk-weighted G-SIB buffer, which seeks to mitigate
the externalities created by G-SIBs.
The leverage ratio G-SIB buffer must be met with Tier 1 capital
and is set at 50% of a G-SIB's risk- weighted higher-loss absor­
bency requirements. For example, a G-SIB subject to a 2%
5 Specifically, ILM = In [exp(1) - 1 + (LC/BIC)08].
High-Level Summary of Basel III Reforms ■ 335
risk-weighted higher-loss absorbency requirement would be
subject to a 1% leverage ratio buffer requirement.
The leverage ratio buffer takes the form of a capital buffer
akin to the capital buffers in the risk-weighted framework. As
such, the leverage ratio buffer will be divided into five ranges.
As is the case with the risk-weighted framework, capital distribu­
tion constraints will be imposed on a G-SIB that does not meet
its leverage ratio buffer requirement.
The distribution constraints imposed on a G-SIB will depend on
its CET1 risk-weighted ratio and Tier 1 leverage ratio. A G-SIB
that meets: (i) its CET1 risk-weighted requirements (defined as
a 4.5% minimum requirement, a 2.5% capital conservation buf­
fer and the G-SIB higher loss-absorbency requirement) and; (ii)
its Tier 1 leverage ratio requirement (defined as a 3% leverage
ratio minimum requirement and the G-SIB leverage ratio buffer)
will not be subject to distribution constraints. A G-SIB that does
not meet one of these requirements will be subject to the asso­
ciated minimum capital conservation requirement (expressed
as a percentage of earnings). A G-SIB that does not meet both
requirements will be subject to the higher of the two associated
conservation requirements.
definition of the leverage ratio exposure measure. These
refinem ents include modifying the way in which derivatives
are reflected in the exposure measure and updating the treat­
ment of off-balance sheet exposures to ensure consistency
with their m easurem ent in the standardised approach to
credit risk.
The Committee has also agreed that jurisdictions may exercise
national discretion in periods of exceptional macroeconomic
circumstances to exempt central bank reserves from the lever­
age ratio exposure measure on a temporary basis. Jurisdictions
that exercise this discretion would be required to recalibrate
the minimum leverage ratio requirement commensurately to
offset the impact of excluding central bank reserves, and require
their banks to disclose the impact of this exemption on their
leverage ratios.
The Committee continues to monitor the impact of the Basel III
leverage ratio's treatment of client-cleared derivative transac­
tions. It will review the impact of the leverage ratio on banks'
provision of clearing services and any consequent impact on the
resilience of central counterparty clearing.

As an example, Table 21.4 shows the minimum capital conser­
vation standards for the CET1 risk-weighted requirements and
Tier 1 leverage ratio requirements of a G-SIB in the first bucket
of the higher loss-absorbency requirements (ie where a 1% risk-
weighted G-SIB capital buffer applies).
OUTPUT FLOOR
The Basel II framework introduced an output floor based on
Basel I capital requirements. That floor was calibrated at 80%
of the relevant Basel I capital requirements. Implementation of
the Basel II floor has been inconsistent across countries, partly

Refinements to the Leverage Ratio because of differing interpretations of the requirement and also

Exposure Measure because it is based on the Basel I standards, which many banks
and jurisdictions no longer apply.
In addition to the introduction of the G-SIB buffer, the
The Basel III reforms replace the existing Basel II floor with a
Com m ittee has agreed to make various refinem ents to the
floor based on the revised Basel III standardised approaches.
Consistent with the original floor, the revised floor places
Table 21.4 C ap ital C o n se rv a tio n R atios for a G -SIB a limit on the regulatory capital benefits that a bank using
S u b je ct to a 1 % R isk-W eig h ted Buffer and 0 .5 % internal models can derive relative to the standardised
L e v e ra g e Ratio Buffer approaches. In effect, the output floor provides a risk-based
backstop that limits the extent to which banks can lower their
Minimum Capital
capital requirem ents relative to the standardised approaches.
Conservation
This helps to maintain a level playing field between banks
CET1 Risk- Ratios (Expressed
using internal models and those on the standardised
Weighted Tier 1 Leverage as a Percentage
approaches. It also supports the credibility of banks' risk-
Ratio Ratio of Earnings)
weighted calculations, and improves com parability via the
4.5-5.375% 3-3.125% 100% related disclosures.
> 5 .3 7 5 -6 .2 5 % > 3 .1 2 5 -3 .2 5 % 80% Under the revised output floor, banks' risk-weighted assets
> 6 .2 5 -7 .1 2 5 % > 3 .2 5 -3 .3 7 5 % 60% must be calculated as the higher of: (i) total risk-weighted assets
calculated using the approaches that the bank has supervisory
> 7 .1 2 5 -8 % > 3 .3 7 5 -3 .5 0 % 40%
approval to use in accordance with the Basel capital fram e­
> 8.0% > 3.50% 0% work (including both standardised and internal model-based

336 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
§0 2 3 3 ^ 3 Im p lem en tation D a te s of B asel III P o st-C risis R eform s and Transitional A rra n g e m e n t for Phasing in the
A g g re g a te O u tp u t Flo o r

Revision Implementation Date

Revised standardised approach for credit risk • 1 January 2022

Revised IRB framework • 1 January 2022

Revised CVA framework • 1 January 2022

Revised operational risk framework • 1 January 2022

Revised market risk framework • 1 January 20226

Leverage ratio • Existing exposure definition:7 1 January 2018

• Revised exposure
definition: 1 January 2022
• G-SIB buffer: 1 January 2022

Output floor • 1 January 2022: 50%

• 1 January 2023: 55%
• 1 January 2024: 60%
• 1 January 2025: 65%
• 1 January 2026: 70%
• 1 January 2027: 72.5%

approaches); and (ii) 72.5% of the total risk-weighted assets • Market risk: the standardised (or simplified standardised)
calculated using only the standardised approaches. approach of the revised market risk framework. The SEC-
ERBA, the SEC-SA or a 1250% risk weight must also be used
The standardised approaches to be used when calculating the
when determining the default risk charge component for
output floor are as follows:
securitisations held in the trading book.
1• • 1 1 . 1 1• 1 1 ^ l*i°l
• Credit risk: the standardised approach tor credit risk
• O perational risk: the standardised approach for opera-
outlined above. When calculating the degree of credit
tional risk.
risk m itigation, banks must use the carrying value when
applying the sim ple approach or the com prehensive Banks will also be required to disclose their risk-weighted assets
approach with standard supervisory haircuts. This also based on the revised standardised approaches. Details about
includes failed trades and non-delivery-versus-paym ent these disclosure requirements will be set forth in a forthcoming
transactions as set out in Annex 3 of the Basel II fram ework consultation paper.
(June 2006).
• Counterparty credit risk: to calculate the exposure for
TRANSITIONAL ARRANGEMENTS
derivatives, banks must use the standardised approach for
measuring counterparty credit risk (SA-CCR). The exposure
Table 21.5 sum m arises the im plem entation dates and
amounts must then be multiplied by the relevant borrower transitional arrangem ents related to the standards
risk weight using the standardised approach for credit risk described above.
to calculate RWA under the standardised approach for
credit risk. In addition, at national discretion, supervisors may cap
the increase in a bank's total RWAs that results from the
• Credit valuation adiustment risk: the standardised approach
application of the output floor during its phase-in period.
for CVA (SA-CVA), the Basic Approach (BA-CVA) or 100% of a
bank's counterparty credit risk capital requirement (depend­
ing on which approach the bank is eligible for and uses for
CVA risk). 6 This will constitute both the implementation and regulatory reporting
date for the revised market risk framework published in January 2016.
• Securitisation framework: the external ratinas-based
7 Based on the January 2014 definition of the leverage ratio exposure
approach (SEC-ERBA), the standardised approach (SEC-SA) measure. Jurisdictions are free to apply the revised definition of the
or a 1250% risk weight. exposure measure before 1 January 2022.

Chapter 21 High-Level Summary of Basel III Reforms ■ 337

The transitional cap on the increase in RWAs will be set at
25% of a bank's RWAs before the application of the floor.
Put differently, if the supervisor uses this discretion, the bank's
RWAs will effectively be capped at 1.25 tim es the internally
calculated RWAs during that tim e. The cap would apply for
the duration of the phase-in period of the output floor
(i.e., the cap would be removed on 1 January 2027).
More generally, a jurisdiction which does not implement some
or all of the internal-modelled approaches but instead only
implements the standardised approaches is compliant with the
Basel framework. More generally, jurisdictions may elect to
implement more conservative requirements and/or accelerated
transitional arrangements, as the Basel framework constitutes
minimum standards only.

338 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Basel III: Finalising
Post-Crisis Reforms
Learning Objectives
After completing this reading you should be able to:

Explain the elements of the new standardized approach
to measure operational risk capital, including the business
indicator, internal loss multiplier, and loss component, and
calculate the operational risk capital requirement for a
bank using this approach.
Describe general and specific criteria recommended by
the Basel Committee for the identification, collection and
treatment of operational loss data.

Compare the Standardized Measurement Approach (SMA)

to earlier methods of calculating operational risk capital,
including the Advanced Measurement Approaches (AMA).

Basel C om m ittee on Banking Supervision Publication, D e ce m b e r 2017. R e p rin ted with perm ission o f the Bank for International
Settlem en ts. The full publication is available on the BIS w eb site free o f charge: w w w .b is.o rg .
22.1 INTRODUCTION
Operational risk is defined as the risk of loss resulting from
inadequate or failed internal processes, people and systems or
from external events. This definition includes legal risk,1 but
excludes strategic and reputational risk.
The standardised approach for measuring minimum operational
risk capital requirements replaces all existing approaches in the
Basel II fram ework.1
2 That is, this standard replaces paragraphs
644 to 683 of the Basel II framework.
Consistent with Part I (Scope of Application) of the Basel II
Framework, the standardised approach applies to internationally
active banks on a consolidated basis. Supervisors retain the dis­
cretion to apply the standardised approach framework to non-
internationally active banks.
22.2 THE STANDARDISED APPROACH
The standardised approach methodology is based on the fol­
lowing components: (i) the Business Indicator (Bl) which is a
financial-statement-based proxy for operational risk; (ii) the
Business Indicator Com ponent (BIC), which is calculated by
multiplying the Bl by a set of regulatory determined marginal
coefficients (a,); and (iii) the Internal Loss Multiplier (ILM), which
is a scaling factor that is based on a bank's average historical
losses and the BIC.
The Business Indicator
The Business Indicator (Bl) comprises three components: the
interest, leases and dividend component (ILDC); the services
component (SC), and the financial component (FC).
The Bl is defined as:
Bl = ILDC + SC + FC
1 Legal risk includes, but is not limited to, exposure to fines, penalties,
or punitive damages resulting from supervisory actions, as well as pri­
vate settlements.
2 Basel Committee on Banking Supervision, Basel II: International
Convergence o f Capital Measurement and Capital Standards: A
Revised Framework—Comprehensive Version, June 2006, www.bis.org/
pub7bcbs128.htm.
340 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
In the formula below, a bar above a term indicates that it is cal­
culated as the average over three years: t, t-1 and t-2, and:3
ILD C = Min A b s (Interest Income - Interest Exp en se );
2.25% ■Interest Earning A ssets ] + Dividend Income
SC = Max [ Other Operating Incom e; Other Operating
Expen se + Max [ Fee Income; Fee Expense
FC = A b s (Net P & LTrading B ook ) + A b s (N et P & L
Banking Book)
The definitions for each of the components of the Bl are
provided in the annex of this section.
The Business Indicator Component
To calculate the BIC, the Bl is multiplied by the marginal
coefficients (a,). The marginal coefficients increase with the
size of the Bl as shown in Table 22.1. For banks in the first
bucket (ie with a Bl less than or equal to €1bn) the BIC is
equal to Bl X 12%. The marginal increase in the BIC result­
ing from a one unit increase in the Bl is 12% in bucket 1,
15% in bucket 2 and 18% in bucket 3. For example, given
a Bl = €35b n, the BIC = (1 X 12%) + (3 0 -1 ) X 15% +
(3 5 -3 0 ) X 18% = €5.37b n.
The Internal Loss Multiplier
A bank's internal operational risk loss experience affects the
calculation of operational risk capital through the Internal Loss
Multiplier (ILM). The ILM is defined as:
/ \
ILM = Ln e x p fl
V 7
where the Loss Com ponent (LC) is equal to 15 tim es average
annual operational risk losses incurred over the previous 10
years. The ILM is equal to one when the loss and business
indicator com ponents are equal. W hen the LC is greater
than the BIC , the ILM is greater than one. That is, a bank
with losses that are high relative to its BIC is required to hold
higher capital due to the incorporation of internal losses into
the calculation m ethodology. Conversely, where the LC is
3 The absolute value of net items (eg, interest income - interest
expense) should be calculated first year by year. Only after this year
by year calculation should the average of the three years be calculated.
Table 22.1 Bl R an g es and M arginal C o e fficie n ts
Bl Marginal
Bucket Bl Range (in €bn) Coefficients («i)
1 < 1 12%
2 1 < Bl < 30 15%
3 > 30 18%
lower than the BIC , the ILM is less than one. That is, a bank
with losses that are low relative to its BIC is required to hold
lower capital due to the incorporation of internal losses into
the calculation m ethodology.
The calculation of average losses in the Loss Component must
be based on 10 years of high-quality annual loss data. As part of
the transition to the standardised approach, banks that do not
have 10 years of high-quality loss data may use a minimum of
five years of data to calculate the Loss Com ponent.4*Banks that
do not have five years of high-quality loss data must calculate
the capital requirement based solely on the Bl Component.
Supervisors may however require a bank to calculate capital
requirements using fewer than five years of losses if the ILM is
greater than 1 and supervisors believe the losses are representa­
tive of the bank's operational risk exposure.
The Standardised Approach Operational
Risk Capital Requirement
The operational risk capital requirement is determined by the
product of the BIC and the ILM. For banks in bucket 1 (ie with
Bl < €1 billion), internal loss data does not affect the capital
calculation. That is, the ILM is equal to 1, so that operational risk
capital is equal to the BIC (=12% • Bl).
At national discretion, supervisors may allow the inclusion of
internal loss data into the framework for banks in bucket 1, sub­
ject to meeting the loss data collection requirements. In addi­
tion, at national discretion, supervisors may set the value of ILM
equal to 1 for all banks in their jurisdiction. In case this discretion
is exercised, banks would still be subject to the full set of disclo­
sure requirements.
4 This treatment is not expected to apply to banks that currently use the
advanced measurement approaches for determining operational risk
capital requirements.
Chapter 22
Minimum operational risk capital (ORC) is calculated by multiply­
ing the BIC and the ILM :5
ORC = BIC ■ILM
22.3 APPLICATION OF THE
STANDARDISED APPROACH
WITHIN A GROUP
At the consolidated level, the standardised approach cal­
culations use fully consolidated Bl figures, which net all the
intragroup income and expenses. The calculations at a sub-con­
solidated level use Bl figures for the banks consolidated at that
particular sub-level. The calculations at the subsidiary level use
the Bl figures from the subsidiary.
Similar to bank holding companies, when Bl figures for sub-con­
solidated or subsidiary banks reach bucket 2, these banks are
required to use loss experience in the standardised approach
calculations. A sub-consolidated bank or a subsidiary bank uses
only the losses it has incurred in the standardised approach cal­
culations (and does not include losses incurred by other parts of
the bank holding company).
In case a subsidiary of a bank belonging to bucket 2 or higher
does not meet the qualitative standards for the use of the Loss
Component, this subsidiary must calculate the standardised
approach capital requirements by applying 100% of the Bl Com ­
ponent. In such cases supervisors may require the bank to apply
an ILM which is greater than 1.
22.4 MINIMUM STANDARDS FOR
THE USE OF LOSS DATA UNDER
THE STANDARDISED APPROACH
Banks with a Bl greater than €1bn are required to use loss data
as a direct input into the operational risk capital calculations.
The soundness of data collection and the quality and integrity
of the data are crucial to generating capital outcomes aligned
with the bank's operational loss exposure. National supervisors
should review the quality of banks' loss data periodically.
Banks which do not meet the loss data standards are required
to hold capital that is at a minimum equal to 100% of the BIC.
In such cases supervisors may require the bank to apply an ILM
5 Risk-weighted assets for operational risk are equal to 12.5 times ORC.
Basel III: Finalising Post-Crisis Reforms ■ 341
which is greater than 1. The exclusion of internal loss data due
to non-compliance with the loss data standards, and the applica­
tion of any resulting multipliers, must be publicly disclosed.
22.5 GENERAL CRITERIA ON LOSS
DATA IDENTIFICATION, COLLECTION
AND TREATMENT
The proper identification, collection and treatment of internal
loss data are essential prerequisites to capital calculation under
the standardised approach. The general criteria for the use of
the LC are as follows:
a. Internally generated loss data calculations used for regula­
tory capital purposes must be based on a 10-year observa­
tion period. When the bank first moves to the standardised
approach, a five-year observation period is acceptable on
an exceptional basis when good-quality data are unavail­
able for more than five years.
b. Internal loss data are most relevant when clearly linked to a
bank's current business activities, technological processes and
risk management procedures. Therefore, a bank must have
documented procedures and processes for the identification,
collection and treatment of internal loss data. Such proce­
dures and processes must be subject to validation before the
use of the loss data within the operational risk capital require­
ment measurement methodology, and to regular indepen­
dent reviews by internal and/or external audit functions.
c. For risk management purposes, and to assist in supervisory
validation and/or review, a supervisor may request a bank
to map its historical internal loss data into the relevant Level
I supervisory categories as defined in Annex 9 of the Basel
II Framework and to provide this data to supervisors. The
bank must document criteria for allocating losses to the
specified event types.
d. A bank's internal loss data must be comprehensive and
capture all material activities and exposures from all appro­
priate subsystems and geographic locations. The minimum
threshold for including a loss event in the data collection
and calculation of average annual losses is set at €20,000.
At national discretion, for the purpose of the calculation of
average annual losses, supervisors may increase the thresh­
old to €100,000 for banks in buckets 2 and 3 (ie where the
Bl is greater than €1 bn).
e. Aside from information on gross loss amounts, the bank must
collect information about the reference dates of operational
risk events, including the date when the event happened or
first began ("date of occurrence"), where available; the date
342 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
on which the bank became aware of the event ("date of dis­
covery"); and the date (or dates) when a loss event results in
a loss, reserve or provision against a loss being recognised in
the bank's profit and loss (P&L) accounts ("date of account­
ing"). In addition, the bank must collect information on
recoveries of gross loss amounts as well as descriptive infor­
mation about the drivers or causes of the loss event.6 The
level of detail of any descriptive information should be com­
mensurate with the size of the gross loss amount.
f. Operational loss events related to credit risk and that are
accounted for in credit risk RWAs should not be included
in the loss data set. Operational loss events that relate to
credit risk, but are not accounted for in credit risk RWAs
should be included in the loss data set.
g. Operational risk losses related to market risk are treated as
operational risk for the purposes of calculating minimum
regulatory capital under this framework and will therefore be
subject to the the standardised approach for operational risk.
h. Banks must have processes to independently review the
comprehensiveness and accuracy of loss data.
22.6 SPECIFIC CRITERIA ON LOSS
DATA IDENTIFICATION, COLLECTION
AND TREATMENT
Building of the Standardised Approach
Loss Data Set
Building an acceptable loss data set from the available internal
data requires that the bank develop policies and procedures to
address several features, including gross loss definition, refer­
ence date and grouped losses.
Gross Loss, Net Loss, and Recovery
Definitions
Gross loss is a loss before recoveries of any type. Net loss is
defined as the loss after taking into account the impact of recov­
eries. The recovery is an independent occurrence, related to the
original loss event, separate in time, in which funds or inflows of
economic benefits are received from a third party.7
6 Tax effects (eg reductions in corporate income tax liability due to
operational losses) are not recoveries for purposes of the standardised
approach for operational risk.
7 Examples of recoveries are payments received from insurers, repay­
ments received from perpetrators of fraud, and recoveries of misdi­
rected transfers.
Banks must be able to identify the gross loss amounts, non­
insurance recoveries, and insurance recoveries for all operational
loss events. Banks should use losses net of recoveries (including
insurance recoveries) in the loss dataset. However, recoveries
can be used to reduce losses only after the bank receives pay­
ment. Receivables do not count as recoveries. Verification of
payments received to net losses must be provided to supervi­
sors upon request.
The following items must be included in the gross loss computa­
tion of the loss data set:
a. Direct charges, including impairments and settlements, to
the bank's P&L accounts and write-downs due to the opera­
tional risk event;
b. Costs incurred as a consequence of the event including
external expenses with a direct link to the operational risk
event (eg legal expenses directly related to the event and
fees paid to advisors, attorneys or suppliers) and costs of
repair or replacement, incurred to restore the position that
was prevailing before the operational risk event;
c. Provisions or reserves accounted for in the P&L against the
potential operational loss impact;
d. Losses stemming from operational risk events with a defini­
tive financial impact, which are temporarily booked in tran­
sitory and/or suspense accounts and are not yet reflected in
the P&L ("pending losses").8 Material pending losses should
be included in the loss data set within a time period com­
mensurate with the size and age of the pending item; and
e. Negative economic impacts booked in a financial account­
ing period, due to operational risk events impacting the
cash flows or financial statements of previous financial
accounting periods ("timing losses").9 Material "timing
losses" should be included in the loss data set when they
are due to operational risk events that span more than one
financial accounting period and give rise to legal risk.
8 For instance, in some countries, the impact of some events (e.g., legal
events, damage to physical assets) may be known and clearly identifi­
able before these events are recognised through the establishment of a
reserve. Moreover, the way this reserve is established (e.g., the date of
discovery) can vary across banks or countries.
9 Timing impacts typically relate to the occurrence of operational risk
events that result in the temporary distortion of an institution's finan­
cial accounts (e.g., revenue overstatement, accounting errors and
mark-to-market errors). While these events do not represent a true
financial impact on the institution (net impact over time is zero), if the
error continues across more than one financial accounting period, it
may represent a material misrepresentation of the institution's financial
statements.
Chapter 22
The following items should be excluded from the gross loss
computation of the loss data set:
a. Costs of general maintenance contracts on property, plant
or equipment;
b. Internal or external expenditures to enhance the business
after the operational risk losses: upgrades, improvements,
risk assessment initiatives and enhancements; and
c. Insurance premiums.
Banks must use the date of accounting for building the loss data
set. The bank must use a date no later than the date of account­
ing for including losses related to legal events in the loss data
set. For legal loss events, the date of accounting is the date
when a legal reserve is established for the probable estimated
loss in the P&L.
Losses caused by a common operational risk event or by related
operational risk events over time, but posted to the accounts
over several years, should be allocated to the correspond­
ing years of the loss database, in line with their accounting
treatment.
22.7 EXCLUSION OF LOSSES
FROM THE LOSS COMPONENT
Banking organisations may request supervisory approval to
exclude certain operational loss events that are no longer rel­
evant to the banking organisation's risk profile. The exclusion of
internal loss events should be rare and supported by strong jus­
tification. In evaluating the relevance of operational loss events
to the bank's risk profile, supervisors will consider whether
the cause of the loss event could occur in other areas of the
bank's operations. Taking settled legal exposures and divested
businesses as examples, supervisors expect the organisation's
analysis to demonstrate that there is no similar or residual legal
exposure and that the excluded loss experience has no rel­
evance to other continuing activities or products.
The total loss amount and number of exclusions must be dis­
closed under Pillar 3 with appropriate narratives, including total
loss amount and number of exclusions.
A request for loss exclusions is subject to a materiality thresh­
old to be set by the supervisor (for example, the excluded loss
event should be greater than 5% of the bank's average losses).
In addition, losses can only be excluded after being included in
a bank's operational risk loss database for a minimum period (for
example, three years), to be specified by the supervisor. Losses
related to divested activities will not be subject to a minimum
operational risk loss database retention period.
Basel III: Finalising Post-Crisis Reforms ■ 343
22.8 EXCLUSIONS OF DIVESTED disclose their annual loss data for each of the ten years in the ILM
calculation window. This includes banks in jurisdictions that have
ACTIVITIES FROM THE BUSINESS opted to set ILM equal to one. Loss data is required to be reported
INDICATOR on both a gross basis and after recoveries and loss exclusions. All
banks are required to disclose each of the Bl sub-items for each of
Banking organisations may request supervisory approval to the three years of the Bl component calculation window.10
exclude divested activities from the calculation of the Bl. Such
exclusions must be disclosed under Pillar 3.
22.11 ANNEX: DEFINITION OF
22.9 INCLUSION OF LOSSES AND Bl BUSINESS INDICATOR COMPONENTS
ITEMS RELATED TO MERGERS AND The following P&L items do not contribute to any of the items of
ACQUISITIONS the Bl:

• Income and expenses from insurance or reinsurance

Losses and the measurement of the Bl must include losses and Bl
items that result from acquisitions of relevant business and mergers.
22.10 DISCLOSURE
All banks with a Bl greater than €1 bn, or which use internal loss
data in the calculation of operational risk capital, are required to
businesses
• Premiums paid and reimbursements/payments received from
insurance or reinsurance policies purchased
• Administrative expenses, including staff expenses, outsourcing
fees paid for the supply of non-financial services (e.g., logisti­
cal, IT, human resources), and other administrative expenses
(e.g., IT, utilities, telephone, travel, office supplies, postage).

Business Indicator Definitions

P&L or Balance
Bl Component Sheet Items Description Typical Sub-Items

Interest, lease Interest income Interest income from all financial
and dividend assets and other interest income
(includes interest income from
financial and operating leases
and profits from leased assets)
• Interest income from loans and advances, assets
available for sale, assets held to maturity, trading
assets, financial leases and operational leases
• Interest income from hedge accounting derivatives
• Other interest income
• Profits from leased assets

Interest Interest expenses from all finan­
expenses cial liabilities and other interest
expenses
(includes interest expense from
financial and operating leases,
losses, depreciation and impair­
ment of operating leased assets)
• Interest expenses from deposits, debt securities
issued, financial leases, and operating leases
• Interest expenses from hedge accounting derivatives
• Other interest expenses
• Losses from leased assets
• Depreciation and impairment of operating leased
assets

Interest earning Total gross outstanding loans, advances, interest bearing securities (including government
assets (balance bonds), and lease assets measured at the end of each financial year
sheet item)

Dividend Dividend income from investments in stocks and funds not consolidated in the bank's finan­
income cial statements, including dividend income from non-consolidated subsidiaries, associates
and joint ventures

1n
The Committee will undertake a separate public consultation on the
operational risk disclosure templates.

344 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Business Indicator Definitions

P&L or Balance
Bl Component Sheet Items Description Typical Sub-Items

Services Fee and com­ Income received from provid­
mission income ing advice and services. Includes
income received by the bank as
an outsourcer of financial services
Fee and commission income from:
• Securities (issuance, origination, reception, transmis­
sion, execution of orders on behalf of customers)
• Clearing and settlement; Asset management; Cus­
tody; Fiduciary transactions; Payment services;
Structured finance; Servicing of securitisations; Loan
commitments and guarantees given; and foreign
transactions

Fee and Expenses paid for receiving Fee and commission expenses from:
commission advice and services. Includes
• Clearing and settlement; Custody; Servicing of
expenses outsourcing fees paid by the
securitisations; Loan commitments and guarantees
bank for the supply of financial
received; and Foreign transactions
services, but not outsourcing
fees paid for the supply of non-
financial services (eg logistical, IT,
human resources)

Other operat­ Income from ordinary banking
ing income operations not included in other
Bl items but of similar nature
(income from operating leases
should be excluded)
• Rental income from investment properties
• Gains from non-current assets and disposal groups
classified as held for sale not qualifying as discontin­
ued operations (IFRS 5.37)

Other operat­ Expenses and losses from ordi­
ing expenses nary banking operations not
included in other Bl items but of
similar nature and from opera­
tional loss events (expenses from
operating leases should be
excluded)
• Losses from non-current assets and disposal groups
classified as held for sale not qualifying as discontin­
ued operations (IFRS 5.37)
• Losses incurred as a consequence of operational loss
events (eg fines, penalties, settlements, replacement
cost of damaged assets), which have not been provi-
sioned/reserved for in previous years
• Expenses related to establishing provisions/reserves
for operational loss events

Financial Net profit (loss) • Net profit/loss on trading assets and trading liabilities (derivatives, debt securities, equity
on the trading securities, loans and advances, short positions, other assets and liabilities)
book • Net profit/loss from hedge accounting
• Net profit/loss from exchange differences

Net profit (loss) • Net profit/loss on financial assets and liabilities measured at fair value through profit and
on the banking loss
book • Realised gains/losses on financial assets and liabilities not measured at fair value through
profit and loss (loans and advances, assets available for sale, assets held to maturity,
financial liabilities measured at amortised cost)
• Net profit/loss from hedge accounting
• Net profit/loss from exchange differences

Chapter 22 Basel III: Finalising Post-Crisis Reforms ■ 345

• Recovery of administrative expenses including recovery of
payments on behalf of customers (e.g., taxes debited to
customers)
• Expenses of premises and fixed assets (except when these
expenses result from operational loss events)
• Depreciation/amortisation of tangible and intangible assets
(except depreciation related to operating lease assets, which
should be included in financial and operating lease expenses)
• Provisions/reversal of provisions (e.g., on pensions, commit­
ments and guarantees given) except for provisions related to
operational loss events
• Expenses due to share capital repayable on demand
• Impairment/reversal of impairment (e.g., on financial assets,
non-financial assets, investments in subsidiaries, joint ven­
tures and associates)
• Changes in goodwill recognised in profit or loss
• Corporate income tax (tax based on profits including current
tax and deferred).

346 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
The Cyber-Resilient
Organization
Learning Objectives
After completing this reading you should be able to:

Describe elements of an effective cyber-resilience Explain methods that can be used to assess the financial
framework and explain ways that an organization can impact of a potential cyber-attack and explain ways to
become more cyber-resilient. increase a firm's financial resilience.

Explain resilient security approaches that can be used to

increase a firm's cyber resilience and describe challenges
to their implementation.

E x c e rp t is C h a p ter 8 from Solving Cyber Risk: Protecting Your Company and Society, by A n d re w C oburn, Eireann Leverett, and
G ordon W oo.

347
23.1 CHANGING APPROACHES
TO RISK MANAGEMENT
Identify, Protect, Detect, Respond,
Recover
The cyber risk management framework proposed by the
National Institute of Standards and Technology (NIST) consists
of five functions:1
1. Identify. Develop an organizational understanding to man­
age cyber security risk to systems, people, assets, data, and
capabilities.
2. Protect. Develop and implement appropriate safeguards to
ensure delivery of critical services.
3. D e te ct. Develop and implement appropriate activities to
identify the occurrence of a cyber security event.
4. R esp o n d . Develop and implement appropriate activities to
take action regarding a detected cyber security incident.
5. Recover. Develop and implement appropriate activities to
maintain plans for resilience and to restore any capabili­
ties or services that were impaired due to a cyber security
incident.
Cyber security in an organization typically places em pha­
sis on maintaining a secure perimeter, with an emphasis on
technology tools for monitoring internal traffic and external
communications, and with minimal tolerance of external pen­
etration, malware, or unauthorized software. Cyber security
tools include antivirus software, firewalls, network traffic deep-
packet inspection, data management systems, email security
systems, server gateways, web application firewalls, and many
others.
Cyber security system design is a com plex and skillful process,
matching the specific operations and needs of an organization
with the threats it faces, the tools available, and the budget
allocated. The values of individual components of security are
hard to evaluate independently, because security depends
on the weakest link in the chain - if one component is weaker
than others, then that is the one that will be exploited by
attackers.
Companies spend on average around 3% of their information
technology (IT) capital expenditure budget on cyber security.1
2 he managed to land at an airbase, stopping just 20 feet from
Cyber security expenditure has grown rapidly, generating a
1 NIST (2018a), Cybersecurity Framework v1.1.
2 Pacific Crest analyst Rob Owens, quoted in Investor's Business Daily
News, 10 June 2016.
348 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
$120 billion industry today. Projections expect the industry to
continue to grow rapidly to reach hundreds of billions annually
worldwide in a few years.
However, the type of expenditure for typical cyber security bud­
gets is shifting. Traditional purchasing of hardware IT security
components, such as servers, networking gear, data centers, and
physical infrastructure, is being augmented by broader security
solutions, such as personnel training, non-computer platforms,
and internet of things (loT) security.3
Key trends include increasing emphasis on incident response,
shifting from intrusion prevention to intrusion tolerance, com-
partmentalization and 'credential silos' with protected end­
points, and risk management in the supply chain. We discuss
each of these in this chapter.
Threat Analysis
Most cyber security assessments begin with threat analysis.
In Chapter 5, 'Know Your Enem y', we provide a profile of the
main threat actors and their driving motivations. An organiza­
tion needs to evaluate the likelihood of being the primary
target of each of the main threat groups, or being caught
in the collateral damage from their activities. Organizations
will monitor their cyber events - attempted attacks, malware
discovered, suspicious activity - typically in an incident log.
Analysis of the incident log provides important insights into the
characteristics and frequencies of attem pted attacks and the
overall threat.
23.2 INCIDENT RESPONSE AND
CRISIS MANAGEMENT
Real-time Crisis Management: How
Fighter Pilots Do It
On May 1, 1983, high over the Negev desert of Israel, an F-15
Israeli Air Force jet collided with an A-4 Skyhawk plane. The
impact sheared off the right wing of the F-15 jet, which was
sent spinning. A second before pressing the ejector button,
the pilot pushed the throttle, lit the afterburner, gained speed,
and regained control of the plane. At twice the normal speed,
the end of the runway. The ability to recover from unexpected
precarious and hazardous situations is the essence of resilience.
3 Cybersecurity Ventures, Cybersecurity Market Report Q4 2016.
This astonishing feat of resilience was accomplished through
a highly effective man-machine partnership. First, the intrinsic
aeronautic design of the F-15 meant that it acted like a rocket,
with sufficient lift being provided by the large surface area of
the stabilizers, fuselage, and what remained of the wings. Sec­
ond, the enterprising pilot had the presence of mind to light the
afterburner and accelerate his way out of a deep crisis.
There is much to learn from this example of surprisingly success­
ful real-time crisis management. Technology should be designed
to be robustly adaptive to threats both foreseen and unfore­
seen. The man-machine interface is crucial. Corporate staff
have to be trained and prepared for both the expected and the
unexpected. The aim of cyber resilience is to maintain a system's
capability to deliver the intended outcome at all times, including
times of crisis when regular delivery has failed. A wide range of
measures, from backups to full disaster recovery, contribute to
cyber resilience, and to maintaining business continuity under
the most testing, unusual, and unexpected circumstances.
Rapid Adaptation to Changing Conditions
As defined by a Presidential Policy Directive, resilience is the
ability to prepare for and adapt to changing conditions and
withstand and recover rapidly from disruptions. Cyber resilience
analysts assess system deficiencies in disruption response, and
develop means of rectifying these weaknesses through cyber
security enhancements in prevention, detection, and reaction.
Organizations need to be agile in crisis response. Organizations
need to prepare, prevent, respond, and recover from any crisis
that may emerge.
Cyber resilience requires a coherent strategy encompassing
people, processes, and technology. The human dimension is
especially important, because people can make imprudent secu­
rity decisions and take risky actions. On the other hand, under
crisis situations, people can rise in an extraordinary way to the
challenge of adversity. They can make excellent decisions under
intense pressure, coping well with the uncertainty over the trou­
ble they find themselves in and the viability of their emergency
response plan.
Corporate decision making starts with the board of directors,
who have to drive forward the cyber resilience agenda and
involve the whole organization, extending to the supply chain,
partners, and customers. To balance risk with opportunity, a
corporate risk-based strategy needs to be put in place that man­
ages the vulnerabilities, threats, risks, and impacts. This strategy
has to include preparation for and recovery from a cyber attack.
At the same time, costs need to be kept under control, user
convenience must be taken into account, and business require­
ments should be satisfied.
Cyber Risk Awareness in Staff
Microsoft provides considerations for a cyber resilience pro­
gram .4 Amongst the recommendations is that every person with
corporate network access, including full-time employees, con­
sultants, and contractors, should be regularly trained to develop
a cyber-resilient mindset. This should include not only adhering
to IT security policies around identity-based access control, but
also alerting IT to suspicious events and infections as soon as
possible to help minimize time to remediation.
Training programs specifically geared towards developing a
cyber- resilient mindset are particularly productive. Many, cor­
porate training programs exist to help staff to deal safely with
social engineering scams. Even the most savvy of staff members
may fall victim to one of these scams, which prey upon all man­
ner of psychological, emotional, and cognitive weaknesses.
Magicians exploit these weaknesses to fool people with their
illusions. In the cognitive science literature, it is established that
providing misinformation about past events can reduce memory
accuracy and even create false memories. Phishing attacks and
social engineering use a wide variety of con tricks, misdirection,
and scams to try to get staff to reveal credentials, open toxic
attachments, follow false links, and carry out other tasks. Spot­
ting these tricks, questioning their veracity, and identifying the
clues to their fakeness are skills that need to be learned and
reinforced in staff behavior.
Business Continuity Planning
and Staff Engagement
All staff members need a good understanding of business con­
tinuity issues. Those assigned specialist duties, such as planning
testing and incident response, need extra specific training, as all
emergency responders do. Middle and senior managers have
their own responsibilities, and are required to understand and
adopt integrated cyber resilience management best practice
and compliance to standards. The key cyber resilience standards
that should be adopted are:
• ISO 27001, the international standard describing best prac­
tice for an information security management system.
• ISO 22301, the international standard for business continuity.
Successful training can be achieved only with full staff engage­
ment. If the training is perceived as dull, tedious, and boring,
the results are likely to be disappointing. No matter how tech­
nically expert the training is, eliciting an enthusiastic human
response requires addressing an extra dimension: psychology.
4 Johnson (2017).
Chapter 23 The Cyber-Resilient Organization ■ 349
One way of adding a psychological dimension to cyber resil­
ience training is to reward staff positively for good cyber
hygiene. Rewards might be handed out across the whole spec­
trum of cyber security issues of concern: reporting phishing
emails; preventing tailgating; reporting attempted intrusions
via social engineering; reporting any USB memory sticks lost
or found; keeping desktop software patched and updated;
maintaining strong, confidential passwords; attending secu­
rity seminars and webinars; not leaving laptops unattended;
and reporting bugs or vulnerabilities. Such incentivized train­
ing achieves measurable and impressive results. In one major
corporation, after 18 months participants were 50% less likely
to click on a phishing link and 82% more likely to report a
phishing em ail.5
Gaming and Exercises
One familiar field of human endeavor in which incentivized train­
ing is proven to work well is in playing competitive games. The
application of gaming principles to business is given the self-
explanatory if contrived name 'gamification'. It actually started
in marketing, as companies realized they could attract custom­
ers more readily by enticing them with a game or competition.
Some businesses have been using gamification in the workplace
as a way to boost employee morale.6 The application to adver­
sarial situations like combating cyber risk may be more compel­
ling and relevant than most. Amongst other cyber security firms,
Kaspersky Lab has been adopting gamification technology in
its security awareness training programs. In 2017, Kaspersky
awarded a young talent lab prize to the US-based creators of a
gamification app designed to raise information security aware­
ness amongst millennials.
There are four principles to gam ification: defining a goal,
defining rules for reaching that goal, setting up a feedback
m echanism , and making participation voluntary. Gam ification
usually means awarding points to em ployees who do the right
thing, with various forms of recognition, including badges,
prizes, and a leader board listing point totals. Treating cyber
security as a com petitive gam e, with scores posted as in a
golf tournam ent, is not inappropriate. Unlike natural hazards
resilience, security against cyber attacks is a persistent adver­
sarial game - the attackers are rewarded for their efforts and
industry, and so also should the defenders be rew arded. The
more points that staff m embers manage to accrue, the harder
5 Wood (2014).
6 Penenberg (2013).
350 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
it becom es for the adversary to score points by causing
major cyber loss and disruption. Adversarial exercises, such
as 'C apture the Flag' are good training for security staff and
technologists.
Nudging Behavior
Another way of using psychology to change staff behavior
is through adopting the nudge principle: encouraging good
cyber hygiene without having to reward staff accordingly. One
of the most famous original examples of nudging, quoted by
economics Nobel laureate William Thaler, one of the authors
of the nudge principle, is that of hygiene in men's restrooms.
Men can be nudged to make less floor mess simply by having a
marked target in the center of a urinal. No reward (or penalty)
of any kind is needed to encourage better hygiene. In line with
the previous golf tournament metaphor, one actual example of
a marked target is a golf flag pin. At the Cyber Security Summit
and Expo 2017, the chief operating officer at the UK Finan­
cial Conduct Authority suggested that staff members may be
nudged to talk more about cyber security, and explained that
far better cultural outcomes are then seen than with traditional
annual mandatory training regimes. She further suggested that
the same technique could be used with suppliers, who may be
an unsuspecting weak link in overall security. In addition to usual
due diligence, a regular conversation with suppliers on security
sets a positive nudging tone for a mutually beneficial enhanced
cyber security relationship.
23.3 RESILIENCE ENGINEERING
Safety Management
In traditional safety management, the focus is on identifying
and defending against a prescribed set of hazards, using tech­
niques with limited ability to realistically represent the intricacies
of human and organizational influences adequately.7 Also, the
search for causal factors of failures is obscured by the social,
cultural, and technical characteristics of complex engineered
systems. The concepts of resilience engineering address these
shortcomings, integrating safety, process, and financial manage­
ment. Resilience engineering builds on safety engineering, but
treats faults and failures in socio-technical systems rather than
in purely technical systems. The focus of resilience engineering
is on the organization and on the socio-technical system in the
___________
7 Wreathall (2006).
 THE CHALLENGE OF CYBER RESILIENCE: TRUMP HOTELS
Hotels are at high risk of data breach attacks, particularly
major chains. Seven of the luxury hotels owned by presiden­
tial candidate Donald Trump were infected between May
2014 and June 2015 with malware that stole payment infor­
mation. This data breach ended up exposing 70,000 credit
card numbers and customer records, and was discovered
only when multiple banks spotted hundreds of fraudulent
transactions on customer accounts where the last legitimate
transaction was at Trump Hotels.
Cardholders were unaware of the breach until a notice was
posted on the Trump Hotels website four months after
the hotel chain had learned of the major data exfiltration.
This delay violated New York state laws stipulating timely
presence of accidents, errors, and disasters. In particular, resil­
ience engineering is well suited to systems that are tightly cou­
pled but intractable in the sense that they cannot be completely
described or specified.
In general terms, resilience is the ability of an organization to
recover to a stable state, allowing it to continue operations dur­
ing and after a major mishap or in the presence of continuous
significant stresses. Both of these contingencies are relevant for
cyber resilience. The management challenge of building and
leading a resilient organization increases in complexity as more
products and services are online and open to cyber disruption
by malevolent hackers.
Hotel Keycard Failure Example
A simple example is a hotel where room keycards fail after a
cyber attack. Black hats have demonstrated how some digital
hotel keys can be read with a simple portable device. Even in
this dire situation, there has to be a backup plan to allow guests
to access their rooms securely. Availability is a vital pillar of resil­
ient cyber security; even after keycard failure, continuity of hotel
service must be maintained, and guest rooms have to be avail­
able for use. Along with availability, confidentiality and integrity
of information are two other vital pillars of cyber security. These
also are major issues for the hotel industry because of data
breach of the hotel booking and payments system, and the
theft of credit card data. Hotels have become popular targets
because they have a business hospitality culture of openness. A
cyber attack hit 1200 franchised InterContinental hotels in the
last quarter of 2016. Hackers have declared open season on
the reservation and point-of-sale systems of the hospitality and
tourism industry.
consumer notifications regarding compromised data. Tim eli­
ness of security response is also a requirement of resilience.
Trump Hotels duly enhanced security measures, including
employee training, comprehensive risk assessments, and reg­
ularly scheduled testing of systems - but not before another
data breach was discovered in March 2016.
Later that year, hackers broke into the Sabre SynXis Central
Reservations System, which facilitates online hotel booking
for some of the largest hotel chains. The intrusion remained
undetected on the Sabre network for seven months, steal­
ing data between August 2016 and March 2017. This was
the third credit card data breach affecting Trump Hotels in
three years.8
President Trump gave a public commitment to keeping America
safe in the cyber era.9 This commitment extended to resilience:
building defensible government networks and improving the
ability to provide uninterrupted and secure communications
and services under all conditions. Although a strident critic of
big government, as a victim of data breaches in his hotel chain,
Trump may recognize that stronger cyber security regulations
may be needed and may need to be better enforced.
23.4 ATTRIBUTES OF A
CYBER-RESILIENT ORGANIZATION
Anticipate, Withstand, Recover,
and Evolve
In general, the complexity of a system makes it difficult to clas­
sify failure states following a cyber attack, which can impact
an organization in innumerable ways. Yet, complexity is a vital
system attribute enabling adaptation under external stress. The
individual links between people and their environment should
adapt under stress in a resilient manner. Because resilience is
an emerging property of complex systems, it can be developed
through focus on attaining specific goals.
A cyber-resilient organization should aim to anticipate, with­
stand, recover, and evolve. Given their intrinsic interconnected­
ness, all four of these goals should be addressed simultaneously.
For example, even while withstanding or recovering from
8 Seals (2017).
9 Trump (2017).
Chapter 23 The Cyber-Resilient Organization ■ 351
a cyber attack, a business manager must anticipate further
attacks. Even while anticipating, withstanding, or recovering
from attacks, business processes that rely on them are con­
stantly evolving to address changing operational and technical
environments. And part of anticipation is withstanding stresses
within some bounded range.
Cyber resilience is just one aspect of resilience in general. An
organization that aspires to be cyber resilient should aim further
to be resilient against all potential stresses. A highly resilient
organization will share the six attributes listed in Section 8 .4 .3 .10
In this list of attributes, which are not cyber-specific, there is a
well-merited emphasis on human performance within the orga­
nization. This is appropriate since not only are security decision
making and preparedness the responsibility of the organiza­
tion's employees, but the staff members themselves are also a
primary source of vulnerability to cyber attack, being susceptible
to social engineering deception, as well as the source of human
error in undertaking corporate security tasks.
Negative Attributes
Case studies of organizations that have suffered major data
breaches often highlight missing attributes for a resilient organiza­
tion. For example, security commentators referred negatively to
the security culture at Equifax, which discovered a massive data
breach on July 29, 2017, and announced it six weeks later on
September 7. In his testimony to a US House of Representatives
subcommittee on consumer protection, the Equifax C EO , Rick
Smith, justified the delay in communicating the data breach on the
grounds of avoiding further attacks and ensuring consumer protec­
tion measures could be put in place. A resilient organization would
have had detailed contingency plans in place for a data breach,
which would have expedited its crisis communication response.
The Equifax C EO also excused the communication delay with
reference to Hurricane Irma, which took down two large call cen­
ters in September, soon after the breach announcement. This is
a classic failure of resilience. Corporate preparedness for natural
hazards should include plans to overcome breakdowns in infra­
structure. Professional resilience engineers would not have been
astonished that some of the 15 million Britons affected by the
Equifax data breach were only notified eight months afterwards.
Six Positive Attributes for Resilience
For a consumer credit reporting agency, corporate resilience
should have been a business priority. The many millions of
10 Wreathall (2006).
352 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
consumers and businesses whose information was collected by
Equifax would have expected the agency to have been a para­
digm of resilience. But based on information publicly disclosed
after the breach, Equifax may have possessed all too few of the
following six attributes of a resilient organization. Indeed, in
respect of human performance, the CEO personally blamed a sin­
gle member of the company's security team, rather than recognize
that all errors are the outcome of organizational deficiencies, such
as a lack of resilience, for which the C EO is ultimately responsible.
1. Top-level com m itm ent to recognizing and valuing human
performance concerns, in both word and deed. An orga­
nization should provide continuous and extensive follow-
through to actions related to human performance.
2. A ju s t culture supporting the reporting of issues up through
the organization. Without a just culture, the willingness of
staff to report problems will be eroded, as will the organiza­
tion's ability to learn about defensive weaknesses.
3. A learning culture benefiting from both good and bad
experiences, and not responding to questions about secu­
rity issues with denial.
4 . A w a ren ess of the true state of defenses, and their state of
degradation. Also, insight into the quality of human perfor­
mance, and the extent to which it is a problem.
5. P rep a redn ess for problems, especially in human perfor­
mance. The organization should actively anticipate prob­
lems and prepare for them.
6. Flexibility to adapt that maximizes ability to solve problems
without loss of functionality. It requires that important secu­
rity decisions may be made at lower organizational levels.
These six attributes are qualitative organizational attributes, which
have a significant bearing on quantitative resilience metrics: the
time and cost to restore operations, the time and cost to restore
system configurations, the time and cost to restore functionality
and performance, the degree to which the pre-disruption state is
restored, the potential disruption circumvented, and successful
adaptations within time and cost constraints.
Cyber Resilience Objectives
Because the cyber threat is so dynamic, many actions to improve
resilience may be effective for only a short duration. However,
common to all actions are various general cyber resilience objec­
tives, which are summarized next.
• Adaptive Response
An adaptive response involves executing and monitoring the
effectiveness of actions that best change the attack surface,
maintain critical capabilities, and restore functional capabilities.
• Analytic Monitoring
Analytic monitoring involves gathering and analyzing data on
an ongoing basis and in a coordinated way to identify poten­
tial vulnerabilities, adversary activities, and damage.
• Coordinated Defense
In any conflict situation, having multiple defenses is advanta­
geous, but they have to be carefully coordinated so that they
do not interfere negatively with each other, but rather have a
maximum positive effect.
• Deception
Sun Tzu's dictum that 'All war is based on deception' applies
to cyber warfare as well as older traditional forms of conflict.
Deception is an essential weapon of cyber defense, espe­
cially against a powerful adversary, such as a state-sponsored
threat actor.
• Privilege Restriction
Violation of privilege restriction has facilitated some major
cyber attacks. To minimize the impact of criminal action, privi­
leges should be carefully restricted.
• Random Changes
Static security, however strong, is progressively liable to be
eroded over time. Frequent randomized security actions that
make it more perplexing for an adversary to predict behavior
increase the chance of adversary detection.
• Redundancy
The value of redundancy in enhancing system safety is evi­
dent from elementary reliability analysis. If the chance of fail­
ure of a key component is one in a thousand, then the chance
of failure of two such components, assumed to have indepen­
dent failure rates, is as low as one in a million.
• Segmentation
The attack surface of a system can be reduced if system com­
ponents can be segmented based on criticality to restrict the
damage from exploits. Segmentation often employs either
physically distinct entities or virtualization of computing sub­
networks to provide the desired separation.
• Substantiated Integrity
It is crucial that critical systems and backups have not been cor­
rupted by an adversary. Their integrity needs to be substanti­
ated and data checked that they are not invalid or out of range.
23.5 INCIDENT RESPONSE PLANNING
Forensic Investigation
The vast majority of internet crimes are left unreported. A tiny
proportion of cyber crimes are successfully prosecuted. Most
perpetrators are outside Western jurisdiction, and even if they
are within the same jurisdiction as the victim, successful prosecu­
tion is difficult to achieve.
However, where a significant corporate cyber crime has been
com m itted, some level of criminal investigation is required for
legal reasons, as well as to comply with obligations to share­
holders and other corporate stakeholders, and to enhance
resilience. This involves com puter forensics. As with any
forensic investigation, diligence is needed when attending the
scene of a crim e, to ensure that significant evidence gathered
is adm issible. In particular, the following four principles must
be upheld:11
1. No action taken by law enforcement agencies, persons
employed within those agencies, or their agents should
change data, which may be subsequently relied upon in
court.
2. Where a person finds it necessary to access original data,
that person must be competent to do so, and be able to
give evidence explaining the relevance and the implications
of his or her actions.
3. An audit trail or other record of all processes applied to
digital evidence should be created and preserved. An inde­
pendent third party should be able to examine those pro­
cesses and achieve the same result.
4. The person in charge of the investigation has overall
responsibility for ensuring adherence to the law and these
principles.
Forensic investigators not only must comply with these prin­
ciples; they also have to cope with insidious attempts to thwart
computer forensic analysis. This may include encryption, the
overwriting of data, and the modification of file metadata. And
even where no such anti-forensic efforts have been made, a
shrewd defense lawyer can query in court the quality of evi­
dence of an intrusion - maybe the log file had been tampered
with, or the origination of the internet protocol (IP) address was
faked.1
12 Thinking through defense arguments is a valuable intel­
1
lectual exercise in cyber resilience, because it raises technical
issues that could lead to ideas for improving the cyber security
environment. One argument might be over identifying when
exactly a cyber security incident occurred. For example reconcil­
ing the timestamp for a connection to a Webserver might involve
clients in London, a server in Tokyo and various time zones and
daylight-saving adjustments.
11 ACPO (2012).
12 Grimes (2016).
Chapter 23 The Cyber-Resilient Organization ■ 353
Initial Breach Diagnosis
An initial step in incident response is to assess when security
was first breached. This is far from being a straightforward mat­
ter, as shown by the 2014 and subsequent 2013 Yahoo breach
revelations. The next step is to discover what systems have been
compromised, and what data has been exfiltrated or corrupted.
An essential aspect of any first response to an unfolding crisis is
conducting triage, which consists of classifying incidents, priori­
tizing them, and assigning incidents to appropriate personnel.13
Containment of damage and prevention of its spreading are
then urgent actions before eradication of the threat and removal
of malware from the network. The mark of resilience in incident
response is restoration of systems to their normal operation. The
main challenges in recovery are in reconnecting networks and
confirming that systems have been successfully restored.
Thinking ahead is characteristic of a resilient mindset. Even
before, and preferably well before a major incident occurs,
plans should be drawn up for investigating incidents, as and
when they might occur, and undertaking extensive postincident
investigations. Communicating lessons learned to all stakehold­
ers in a transparent and timely manner is a crucial element of a
resilient response. Amongst the lessons will be insights into the
effectiveness of security measures, and the costs and impacts
of cyber incidents. From such lessons the cost-effectiveness of
enhanced security measures can be better gauged.
23.6 RESILIENT SECURITY SOLUTIONS
Resilient Software
Resilient software should have the capacity to withstand a fail­
ure in a critical component, such as from a cyber attack, but
still recover in an acceptable predefined manner and duration.
Factors affecting resilience include complexity, globalization,
interdependency, rapid change, level of system integration,
and behavioral influences. The complex networked systems
prevalent in many organizations make it hard to provide a
service platform with consistent levels of resilience. When a
critical system fails, the required service may not be readily
deliverable, especially when there is high demand. Furthermore,
net-centricity can introduce complexities that lead to greater
chances of errors.14 Learning from failure is essential for a
resilient organization. When software fails, this is an opportunity
for additional resilience features to be introduced.
13 CREST (2013).
14 Murray et al. (2017).
354 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Security should be fully integrated within the development pro­
cess, with built-in features such as defense in depth, running
with least privilege, and avoidance of security by obscurity. A
software development life cycle (SDLC) is a series of phases that
provide a framework for developing software and managing it
through its entire life cycle. There is no specific technique or sin­
gle way to develop applications and software components, but
there are established methodologies that organizations use and
models they follow to address different challenges and goals.
However well written and resilient the software is, and however
much the network perimeter defense has been hardened, a
determined, highly motivated (perhaps state-sponsored) cyber
attacker can eventually manage to find an entry point into any
system through some social engineering deception or zero day
exploit. Treating a twenty-first-century software system as a
medieval fortress with impregnable entry points is itself a coun­
terproductive form of self-deception, and self-denial of reality
of the virtual world. This is detrimental to cyber security in gen­
eral, and to maintaining resilience in particular. It is prudent to
accept that system intrusion will occur in the future, and to plan
a maximally resilient response. The three pillars of successful
response identified by Dr Eric Cole are detection, containment,
and control.15
Detection, Containment, and Control
In biology, a system's capacity to absorb and resist any dam­
age from internal or external mechanisms, and recover quickly,
is a measure of its resilience. The universal process of evolution
embodies natural selection for resilience. A key criterion for fit­
ness is resilience. In healthcare, a doctor would advise a patient
that prevention is always better than cure. Hence those who
spend hours in the sun are urged to use sunscreen. Regular use of
sunscreen can halve the incidence of melanoma, which is a type
of skin cancer. If excessive sun exposure does eventually cause
melanoma, the sooner this is detected the better, so that effective
treatment can be given. Most importantly, any malignant tumor
should be found before it spreads to other parts of the body.
Rapid threat detection lies at the heart of resilient cyber secu­
rity. Imagine a cyber attack that targets a perceived security
weakness in a peripheral device such as a printer. If system
security extends to intrusion detection that monitors the device
memory for malicious attacks, then threat detection can auto­
matically instigate a reboot from a safe copy of the device's
operating system. By restoring the peripheral device without
business interruption, cyber resilience is achieved.
15 Cole (2015).
 CASE STUDIES IN GERMAN STEEL RESILIENCE
In February 2016, Southeast Asian hackers exfiltrated tech­
nological intellectual property data from Thyssenkrup, one
of the world's largest steelmakers, Early detection and timely
countermeasures limited the loss from this professional
cyber espionage attack, which was discovered, continuously
observed, and analyzed by Thyssenkrup's computer emer­
gency response team. This admirably resilient response to
a cyber attack contrasts with what happened when a steel
mill in an undisclosed location in Germany was targeted for
a cyber attack in 2014. (Thyssenkrup denied it was one of
its steel mills.) The motive for this apparently senseless act
of cyber vandalism remains unknown, but it does provide an
instructive contrasting case study in cyber nonresilience.
The attackers used spear phishing emails to access the steel
mill office IT network, compromise a multitude of systems,
and spread over to the production network. Failures accumu­
lated in individual control components, and a blast furnace
was unable to be shut down in a regulated manner, which
resulted in extensive damage. This cyber attack came as a
Minimize Intrusion Dwell Time
A resilient strategy for coping with a cyber attack should mini­
mize the intrusion dwell time, which is the time from initial sys­
tem compromise to the time the malware ceases to be effective.
Controlling dwell time means early detection with an appropri­
ate effective response. Just as with malignant cancer, the lateral
spread of intrusion should also be contained and controlled, so
as to minimize the number and extent of compromised systems.
Dwell times can be measured in months rather than days or
weeks because attackers are often ingeniously adaptive to new
security systems, and may change their threat signatures from
those detected by threat intelligence service providers. Spotting
anomalous behavior is a crucial aspect of resilient cyber security.
A network behavior anomaly detection (NBAD) program tracks
critical network characteristics in real time and generates an
alarm if an anomaly or unusual trend is detected that might sig­
nal a threat. Examples of such characteristics include increased
traffic volume, bandwidth, and protocol use. Such a program
can also monitor the behavior of individual network subscribers.
For NBAD to be optimally effective, a baseline of normal
network or user behavior must be established over a period
of time. A large volume of network data can enable even a
comparatively modest anomaly to be tracked and flagged up.
Inevitably, as in any anomaly detection system, there may be
false positives, such as when an employee decides to back
up the contents of a hard drive on a Saturday evening before
going away on vacation the following morning. The flip side of
shock not just to the steel mill security staff, but to the entire
cyber security industry in Germany and beyond. Surprise is
the enemy of resilience.
It would not have been feasible for an outside vandal to have
physically gained access to the steel mill and sabotaged a
blast furnace. Basic site security would have detected the
unauthorized intrusion and prevented this kind of criminal
damage. The cyber attack was not detected because it was
an advanced persistent threat (APT), executed carefully in
stages in a slow and stealthy way, keeping a low profile to
make detection difficult.16 Apart from remaining undetected,
the attack was neither contained nor controlled.
A more resilient cyber defense strategy would have had a
network intrusion detection system (NIDS) deployed. This
strategy should also have maintained a strict separation
between business and production networks to contain the
attack, preventing it from spreading from the entry point to
the key industrial target.
anomaly detection, when dealing with an intelligent adversary
striving to keep illicit activities hidden within the noise, is the
possibility of false negatives. The international prize for smart
detection avoidance might be awarded to the Soviets who vio­
lated nuclear test ban treaties by automatically timing the deto­
nation of nuclear test explosions to coincide with the occurrence
of regional earthquakes. The seismic signal of a nuclear explo­
sion (the observational basis for nuclear test forensics) would
be hidden within the tail of the earthquake signal. This kind of
subtle trickery to evade detection ended with the Cold War, but
the ingenious cunning of the Russian chess mind in the age of
state-sponsored cyber attacks should not be underestimated.
Anomaly Detection Algorithms
Anomaly detection algorithms use state-of-the-art artificial
intelligence methods, incorporating sophisticated Bayesian
techniques of statistical inference. These probabilistic tools
for searching for discrepancies have been refined using ideas
developed for Big Data analysis. Faster, cheaper, simpler - but
less powerful - are signature-based detection methods. Rather
like a police biometric database of fingerprints or DNA samples,
these methods rely on a database of signatures carried by
packets known to be sources of malicious activities. Signature-
based methods check for automated procedures supplied by
well-known hacker tools. These tend to have the same traffic
16 Bartman and Kraft (2016).
Chapter 23 The Cyber-Resilient Organization ■ 355
signatures every time, because computer programs repeat over
and over again the same instructions.
Both anomaly and signature-based detection approaches should
be incorporated within an overall NIDS. As anyone who lives
in a gated community knows, reliance on the detection of an
intruder is far from being a resilient strategy for mitigating the
risk of burglary. The probability of detection can never be very
close to certainty, because the price of false alarms would be
unacceptable. Each house needs its own security system to
contain and control the criminal action of an intruder. Defense in
depth is a cornerstone of resilient security. Recognition of lateral
movements of a cyber attacker requires continuous monitoring
of the internal network, and a visual interface that provides the
right metrics for security analysts to gain situation awareness of
any intrusion. With these metrics, an intrusion can begin to be
contained and controlled.
Containment of the adverse impacts of security breaches will
help avoid an escalation of loss and blunt the force of a cyber
attack, so as to make incident response more effective. Con­
tainment might be achieved through network segmentation,
and redundancy measures such as having logical and physi­
cal duplication. Another containment approach that increases
resilience is designing systems so that they continue to function
and perform their tasks even when connectivity to external sys­
tems is lost. With any security initiative, there is also an intrinsic
human component that needs to be considered. Dealing with
an intrusion effectively requires a degree of security staff pre­
paredness that merits training and rehearsal of an emergency
response plan.
Penetration Testing
In cyberspace, it is essential to understand the interrelationship
between vulnerability assessment and risk analysis.17 Much more
effort is directed towards the former than the latter. But mea­
suring work on vulnerability assessment is not measuring risk
reduction. For example, a vulnerability scanner might determine
that a server is missing critical operating system patches by
detecting an outdated version of the operating system during a
network probe. This vulnerability might be remedied simply by
a software update and a reboot. Assessing the corresponding
cyber risk reduction is not so straightforward. This would involve
explicitly devising an exploit to show that the missing patch
would allow an attacker to gain access to the server. This might
be a difficult task, not necessarily cost-effective for a work-
averse hacker.
17 George (2016).
356 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
A penetration test (pen test to its friends) is the process of
conducting simulated attacks to discover how successful cyber
attacks might occur. Conducting a pen test to prove that a miss­
ing patch is a security issue typically raises the cost of testing,
and runs the expensive risk of potential system downtime. Not
all pen testing is expensive; the simplest type of pen testing
involves a handful of social engineering tricks, or taking advan­
tage of an easily guessable password. Some loT gadgets such
as a kitchen kettle leave the factory with a basic default pass­
word, which may not be changed by the forgetful or ignorant
purchaser. Like all professional occupations, pen testers come
with a wide range of knowledge, ability, and experience. The
best pen testers have deep knowledge of operating systems,
networking, scripting languages, and the like, and use a clever
combination of manual and automated tools to simulate attacks
with the same complexity as might be conceived by a black hat.
Pen test results are typically reported on severity, exploit-
ability, and associated remediation actions. The information
obtained from pen testing can be used to plug security gaps,
improve attack response, and enhance cyber resilience. Con­
trolling network entry and exit points and reducing the overall
attack surface will make it easier to respond to an attack, and
enable functionality to be restored more quickly. This therefore
increases an organization's resilience against cyber attacks.
The Risk-Return Trade-Off
Whereas junior security personnel may work obsessively to
reduce vulnerability where they find it, cost-conscious senior
management and their accountants are particularly interested
in the risk-return trade-off. The actual level of risk reduction
achieved may in fact be lower than is optimistically perceived,
given the large security budget. For example, within days of a
pen test, network changes may create new security challenges.
Pen testing is commonly used to address the problem of cyber
risk mitigation, instead of more empirical and scientific practices.
Although pen testers know what to charge for their professional
services, most pen testers cannot put a price on their success or
failure. Pen testers can make recommendations on how to close
security gaps, and how to prioritize the necessary tasks. But no
two pen testers go about their assignment in the same way, and
pen testing is usually done on a limited set of targets. Accord­
ingly, pen testing is not strictly a risk management exercise.
To provide another perspective on security risk management,
consider the pen testing analog of red-teaming in counterterror­
ism studies. Ever since 9/11, security consultancies with exten­
sive military expertise have undertaken vulnerability assessments
for specific locations and events that might be targeted for a
terrorist attack. Red-teaming exercises are particularly valuable
in identifying gaps in security that would make a location or
event a comparatively soft target relative to other alternative
targets. By hardening any one potential target, e.g. deploying
additional perimeter security guards and installing CCTV, the
risk may be transferred to another soft target, in a process that
terrorism risk analysts recognize as target substitution.18 This
tactic should extend to cyber risk as well. Hackers (like terrorists)
follow the path of least resistance in their targeting, and if an
attractive designated target for a cyber attack has been hard­
ened, others lacking the benefit of pen testing or red-teaming
knowledge may become more likely to be attacked.
23.7 FINANCIAL RESILIENCE
Financial Consequences of a Cyber Attack
A major cyber attack on a corporation can impact it in numer­
ous adverse ways. Intellectual property and other confidential
information may be stolen; important computer system files may
be corrupted or encrypted; denial of service may bring systems
down; physical damage to corporate facilities and property may
be inflicted; psychological and bodily harm may be caused to
staff and customers; reputational damage may be incurred, and
liability lawsuits may be filed. W hatever the impact, business
will be disrupted to an extent that depends on the resilience of
the organization. We describe many of these consequences and
illustrate some of these costs in the first two chapters: Chap­
ter 1, 'Counting the Costs of Cyber Attacks', and Chapter 2,
'Preparing for Cyber Attacks'.
The bottom line for any commercial organization is the ultimate
financial cost. Each of the adverse impacts results in a financial
loss to the corporation. For publicly listed corporations, the stock
price is a resilience measure. For those publicly listed corporations
for which cyber security is paramount for customer confidence,
the impact of a severe cyber attack on stock price can be devas­
tating. As fallout from a massive identity theft data breach, the
stock price of Equifax fell precipitously by about one-third in one
week, before a new C EO was appointed in late September 2017
and started to turn the consumer credit reporting agency around.
But with further revelations that the data breach was worse than
previously thought, the stock price in mid-February 2018 was still
lower by 20% than it had been before the breach disclosure.
Financial Risk Assessment
Companies have to make assessments of their risk and build
resilience into their balance sheet to withstand the types of
18 Woo (2011).
shock that might be foreseeable. In the United States public
companies are expected to file annual 10-K submissions to the
Securities and Exchange Commission that identify the key risks
to their business and to notify their shareholders and counter­
parties of those risks. The UK equivalent is the Long Term Viabil­
ity Statement (LTVS) reporting to the Financial Reporting Council
on liquidity. Cyber risk is one of the most commonly reported
risks by companies, declared in their 10-K and LTVS filings.
A cyber attack can cause sufficient loss to cause damage to a
company's balance sheet, even for fairly sizeable organizations.
Examples include companies having to issue profit warnings,
suffer credit downgrades, make emergency loan provisions, and
see reduction in stock price, and ultimately the loss could be
severe enough to force the organization to cease trading. The
likelihood of cyber attacks causing a loss sufficient to trigger
each of these thresholds depends on the type of risk analysis we
have described, defining the odds of experiencing a cyber loss
of these levels of severity, combined with the financial structure
of the organization, its liquidity, its access to capital reserves,
and analysts' interpretation of the event in terms of how it
might affect the future business model and position relative to
its competitors.
Balance sheet resilience for the levels of financial shock that
might be inflicted by a cyber event can be achieved by having
all of the standard financial engineering processes to minimize
earnings volatility, including having sufficient liquidity margins,
reducing debt ratios, having access to emergency loan provi­
sions, being able to cut costs to meet earnings targets, and
having cyber insurance to provide a level of financial indemnity
against the loss.
Reverse Stress Testing
For any specified cyber attack scenario designed as a financial
stress test, the implications for a corporation can be evaluated,
taking account of the myriad ways that it might affect business.
For a particularly severe scenario, a corporation's credit rat­
ing might be downgraded. The implications of cyber attacks
could start taking a higher priority in credit analysis. Moody's
Investors Service views material cyber threats in a similar vein
as other extraordinary event risks, such as those arising from
natural disasters, with any subsequent credit impact depending
on the duration and severity of the event.19 While Moody's does
not explicitly incorporate cyber risk as a principal credit factor,
its fundamental credit analysis incorporates numerous stress­
testing scenarios, and a cyber event could be the trigger for one
19 Moody's Investors Service (2015).
Chapter 23 The Cyber-Resilient Organization ■ 357
of those stress scenarios. In a 2015 report, Moody's identified Having extra personnel available for patching provides defense
several key factors to examine when determining a credit impact in depth. Operational redundancy of course costs money - this is
associated with a cyber event, including the nature and scope of the price of resilience. Deciding on how much defense in depth
the targeted assets or businesses, the duration of potential ser­ a corporation should have depends partly on regulation, and
vice disruptions, and the expected time to restore operations. partly on corporate risk appetite. The irony of the Equifax data
breach is that the C EO might well have stipulated a tight limit
Both the disruption duration and the operational restoration
to the cyber risk to which Equifax should have been exposed.
time are basic defining characteristics of resilience. A cyber-
Given the extreme sensitivity of the identity data retained by
resilient organization should know just how bad a cyber attack
Equifax, customers would have been dismayed by any other
would need to be to threaten its viability, or to have its credit
cyber security policy. However, there was a disconnect between
rating downgraded. This is called reverse stress testing. Through
C EO instruction and actual operation. The implementation of
systematic reverse stress testing, measures can be developed to
this policy lacked the resilience required to ensure its practical
protect a corporation against such unacceptable outcomes.
effectiveness in a perpetually hostile cyber threat environment.
For insurance companies in the context of Solvency II, the con­
cept of reverse stress testing for an insurer's own risk and sol­
vency assessment (ORSA) is endorsed by the European Insurance Enterprise Risk Management
and Occupational Pensions Authority.20 A number of practical
Enterprise risk management (ERM) envisages an organizational
cyber reverse stress tests have been developed.21 They have
process applied in developing strategy across the enterprise. It
been used as management desktop exercises to identify opera­
is designed to identify events that might affect the organization,
tional weaknesses and areas that need attention.
and to help manage risk to within its risk appetite. The degree
of cyber resilience sought by an organization should be com­
Defense in Depth mensurate with its risk appetite. Traditional ERM measures of
cyber risk typically do not quantify severity of financial loss in
The principles of engineering resilience go a long way in cyber
the event of a cyber incident. As the importance of cyber risk
resilience. Defense in depth is a crucial objective in build­
increases amongst organizations worldwide, ERM studies will
ing in system resilience. Even if one system fails, overlapping
help to specify optimal levels of cyber resilience investment.
system design will mean there is no single point of failure.
Too often, when a large corporation suffers a massive cyber
This contrasts markedly with a standard check-box approach
attack loss, the C EO is unable to explain whether the negative
to security, which sanctions systems with a minimum level of
outcome was consistent with its risk appetite or resilience objec­
redundancy as having sufficient security. If this standard check­
tives. It is easier to attribute blame to staff error.
box approach were routine in the passenger airline industry,
there would be just a single pilot in the cockpit, rather than
two or three. Cyber Value at Risk
The Equifax C EO singled out one of the company's 250 security
Cyber value at risk (VaR) is based on the general notion of VaR,
personnel as responsible for allowing the data breach: 'We now
widely used in the financial services industry. In finance, VaR is a
know that the vulnerable version of Apache Struts within Equifax
risk measure for a given portfolio and time horizon, defined as a
was not identified or patched. The human error was that the
threshold loss value. Specifically, given a low designated prob­
individual who's responsible for communicating in the organiza­
ability value X, e.g. 0.05, VaR expresses the threshold loss value
tion to apply the patch, did not'.22 Cyber security should not
such that the probability of the loss exceeding the VaR value is
be reliant on the error-free human action of any individual, just
the low number X. As with other types of risks, the concern is
as airline safety should not be reliant on the perfect, impec­
not only with expected losses from cyber threats, but should
cable job performance of any one pilot. No computer user can
incorporate an understanding of potentially more significant
presume that computer software is bug-free, and no C EO can
losses that could occur with a small but finite probability. Cyber
presume that the successful management of such bugs can be
VaR can be perceived as the value exposed given both common
achieved without some occasional human error.
and significant attack risks. Technically, financial value at risk
is defined as the maximum loss for a given confidence interval
20 EIOPA (2017). (say, with 95% certainty) on a given time horizon, e.g. one year.
21 See References for list of publications by CCRS. Traditionally, the confidence levels have been estimated under
22 Harmer (2017). the simplifying hypothesis that the underlying loss variability

358 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
can be represented by a bell-shaped normal distribution. This is
very convenient for mathematical analysis, because the sum of
any number of normal distributions is still normal. However, the
normal approximation is invalid for open-ended risks like cyber
risks, which recognize no bounds of geography and can increase
in severity scale by orders of magnitude. A problem faced by
cyber risk analysts is the brief observational period of historical
data, which may not represent accurately the tail of the loss dis­
tribution, which could have a much fatter shape than any bell.
Re-Simulations of Historical Events
The historical record of cyber attacks is just a couple of decades
long. By conducting stochastic simulations of past cyber attacks
within this time window, cyber risk analysts can look beyond the
near horizon of history and scan the far horizon, gaining insight
into how large cyber losses might potentially have been. For
example, suppose that a major bug (such as H eartbleed) had
been discovered by a black hat rather than by a white hat; what
might the cyber loss have been? Even though H ea rtb leed was
found first in 2014 by the Google security team, the alarming
potential for data exfiltration was demonstrated by Chinese
hackers who, after the bug was disclosed, stole the personal
data of about 4.5 million patients of hospital group Community
Health Systems Inc. The hackers used stolen credentials to log
into the network posing as employees. Once in, they hacked
their way into a database and stole millions of records. If this
bug had not been found by white hats and patched, many
criminal hacking groups might have followed this basic modus
operandi of using the H ea rtb leed bug to steal credentials, which
would then be a gateway of opportunity to exfiltrate very large
volumes of valuable data. With a complete medical record sell­
ing on the dark web for high prices, the economic loss from tens
of millions of medical records alone might have been many bil­
lions of dollars.
The sensitivity of corporate vulnerability to cloud failure might
also be assessed by revisiting the most severe historical cloud
outages involving a cloud service provider, and contemplating
some downward counterfactuals where the situation, which was
bad already, turned for the worse because of poor resilience
of the cloud service provider. In 2015, a notable bug, XSA -148,
was found in the Xen hypervisor software by the cloud platform
security team at the Chinese multinational A libaba.23 This bug
would have allowed malicious code to be written into a hypervi­
sor's memory space. This vulnerability was probably the worst
ever seen affecting Xen, which is a free software project. It is
claimed that Xen has fewer critical bugs than other hypervisors,
23 Luan (2016).
but this would be little consolation to an organization that suf­
fered loss through a Xen bug.
Counterfactual Analysis
Counterfactual analysis can also quantify the benefit from past
security enhancements, such as regular penetration testing, as
well as from the introduction of resilience measures to mitigate
the loss from cyber attacks. For example, measures to stream­
line the process of restoring backup systems in the event of a
ransomware attack might be assessed retrospectively for the
W annaCry attack of May 2017. Suppose that the kill switch had
not been found early on by Marcus Hutchins, and that Wanna­
Cry had spread widely within the United States. How much
worse might the corporate cyber loss have been if an improved
backup restoration process had not been implemented? Due
consideration of past near misses such as this would encour­
age improved future preparedness for, and resilience against,
another ransomware attack.
This kind of counterfactual analysis would also help decide on
the cost-effectiveness of additional cyber resilience measures.
Suppose that an additional resilience technology had been
introduced several years ago. How much would the cyber losses
over this period have been reduced? A positive answer would
then lead to a quantitative assessment of whether the substan­
tial expenditure on this resilience enhancement is warranted by
prescribed corporate limits on its cyber risk appetite. Resilient
organizations are less prone to strategic surprise.
Building Back Better
In the depth of the financial crisis in November 2008, President­
elect Obama's chief of staff, Rahm Emanuel, looked forward
optimistically: 'You never let a serious crisis go to waste. And
what I mean by that - it's an opportunity to do things you
could not do before'.24 In earthquake engineering, there is an
extended resilience concept that reconstruction after an earth­
quake should not merely aim to restore a building to its pre­
earthquake state, which was evidently seismically vulnerable,
but to make it more earthquake-resistant in the future. This is
called building back better. The same concept applies to recon­
figuring a computer system after a major cyber attack. Merely
restoring previous functionality with its exposed security vulner­
abilities is a poor short-term option; far superior is building in
more robust, enhanced security from the outset. For example, if
overall system failure can be traced back to a single item failure,
which could have either a technological or human source, then
24 Selb (2008).
Chapter 23 The Cyber-Resilient Organization ■ 359
introducing some extra redundancy could mitigate this source of
cyber risk in the future.
After Target suffered a massive data breach in 2013, the task of
building back better started with Target doing something it had
never done before - appoint a chief information security officer
(CISO). An experienced CISO was hired from General Motors to
lead the post-breach response. Upgrading payment terminals
was clearly essential, and $100 million was spent to support
chip-and-PIN credit and debit cards, which had been introduced
in Europe some years before. W hether it was the cost of hiring a
top CISO or upgrading payment terminals, even a simplified VaR
analysis would have demonstrated these to be cost-effective
security enhancements, considering that customer confidence
decline would have sharply limited its corporate cyber risk
appetite.
Events Drive Change
Cyber criminals learn from each other, and so do their victims.
Organizations can build back better, not just when they them­
selves have suffered loss, but when others have had this mis­
fortune. The Target breach was a wake-up call not just for the
retailer's own management, but for management right across
corporate America. A survey conducted of 20,000 IT practitio­
ners in the United States by the Ponemon Institute found that
respondents' security budgets increased by an average of 34%
in the year following the Target breach, with most of those funds
used for security information and event management (50%), end
point security (48%), and intrusion detection and prevention
(44%).25 Some 60% of respondents also said they made changes
to their operations and compliance processes in response to
recent well-publicized data breaches: 56% created an incident
response team, 50% conducted training and awareness activi­
ties, 48% added new policies and procedures, 48% began using
data security effectiveness metrics, 47% added specialized edu­
cation for the IT security staff, and 41% added monitoring and
enforcement activities.
From such substantial remedial security measures, organiza­
tions show they can be fast learners in cyberspace, and the
cyber security market is seen to be highly adaptive, swift, and
responsive to new commercial opportunity. Indeed, the digital
revolution would not have happened so rapidly had it not been
for the spirit of technical enterprise and ingenuity that digital
pioneers have abundantly displayed in overcoming enormous
challenges. Back in 1996, the Clinton-Gore vision of having
the internet in every American school seemed blighted by
25 Ponemon Institute (2015).
360 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
the proliferation of carcinogenic asbestos in buildings, which
made it prohibitively expensive and risky to run internet cables
through old school walls. Wi-Fi was the innovative and resilient
answer to a seemingly formidable obstacle. In a most timely
fashion, Wi-Fi was invented and first released for consumers the
year afterwards, 1997.
Transcending the physical barriers of old building construc­
tion, this seminal advance in educational opportunity has been
crucial in making internet access a basic right of a US citizen.
Wi-Fi has also been a major opportunity for cyber criminals,
especially public W i-Fi. Data over this type of open connec­
tion is often unencrypted and unsecured, and consequently
vulnerable to man-in-the-middle attacks whereby sensitive data
can be intercepted. To keep at least one step ahead of cyber
criminals, a continuous investment increase in security educa­
tion will be essential.
Education for Cyber Resilience
The universal availability to US schoolchildren of Wi-Fi is now
crucial for filling the looming cyber security skills gap. Demand
for cyber security professionals is growing faster than the overall
IT job market. Many more of the millennial cohort are needed
to train and work as cyber security professionals. The increasing
demand for young cyber security staff should serve a valuable
societal purpose in providing gainful employment for hackers of
rather modest IT skill and knowledge, who might struggle to get
a well-paying job in a tight IT labor market.
Such average hackers might otherwise drift into a life of petty
cyber crim e, purchasing from better-skilled cyber criminals
off-the-shelf exploit toolkits that they could use to make
money illegally in cyberspace. With demand for talented cyber
security professionals outstripping supply now and into the
foreseeable future, a life of cyber crime makes little sense for
a highly able cyber security professional, unless he or she has
a penchant for illegal hacking, in which case legitimate and
fulfilling governm ent employment at the National Security
Agency (NSA) or Governm ent Communications Headquarters
(GCHQ ) beckons. Collectively, NSA and G C H Q may have
the best offensive cyber attack capability, which in itself is an
employment draw.
Aviation resilience in the skies ultimately depends on the skill,
training, and experience of airline pilots. The safety of airlines
varies quite significantly, even though their fleets of Boeing arid
Airbus aircraft may be quite similar. The cyber security of corpo­
rations also varies quite significantly, even though their Micro­
soft and Apple computer systems may also be quite similar.
Cyberspace resilience ultimately depends on the skill, training,
and experience of smart cyber security professionals who have
the knowledge, capability, and motivation to defend their orga­
nization effectively against a continuous barrage of targeted and
random cyber attacks, some of which are masterminded by elite
state-sponsored hacking teams.
Improving the Cyber Profession
In any professional adversarial contest, the outcome depends
heavily on the quality of the best players. Nobody appreciates
this as much as the North Koreans, Chinese, and Russians, with
their prestigious and highly competitive cyber academies. To
match such training centers of cyber excellence, the UK National
Cyber Security Centre has offered bursaries, specialist training,
and paid work placements to a thousand young British students.
This training initiative has had the support of major international
defense contractors, as well as the City of London Police.
More ambitiously, with additional US expenditure on national
security programs, the Pentagon could establish a US National
Cyber Academ y to defend the nation in cyberspace. This acad­
emy would be rather like the existing sea, land, and air acad­
emies at Annapolis, West Point, and Colorado Springs. The
underlying rationale for this investment is the realization that
winning in cyberspace is fundamentally a matter of cyber secu­
rity skill and expertise.
Beyond the government, recruiting and retaining the best cyber
security staff should be a priority of every cyber-resilient organi­
zation. In 2018, 70% of CISO s reckoned that lack of competent
in-house staff was their top security threat. Other than being tar­
geted by a cyber attack, the resilience of a corporation may be
severely tested if one or more of its leading cyber security team
were to leave. From the CISO downwards, robust backup plans
need to be prepared for this contingency. Management consul­
tants highlight the importance of both CISO succession planning
and developing others to represent the CISO . The sooner that
individuals are trained and prepared for this role, the more resil­
ient a corporation will be.
Chapter 23 The Cyber-Resilient Organization ■ 361
 Learning Objectives
After completing this reading you should be able to:

Define cyber-resilience and compare recent regulatory
initiatives in the area of cyber-resilience.
Describe current practices by banks and supervisors in
the governance of a cyber-risk management framework,
including roles and responsibilities.
Explain and assess current practices for the sharing of
cybersecurity information between different types of
institutions.
Describe practices for the governance of risks of
interconnected third-party service providers.

Explain methods for supervising cyber-resilience, testing

and incident response approaches, and cybersecurity and
resilience metrics.

E x c e rp t is rep rin ted from Cyber-Resilience: Range of Practices, by the Basel C om m ittee on Banking Supervision, D e ce m b e r 2018.
R e p rin ted with perm ission o f the Bank for International Settlem en ts. The full publication is available on the BIS w eb site free o f
charge: w w w .b is.o rg .

363
24.1 INTRODUCTION
In March 2017, the G20 Finance Ministers and Central Bank
Governors noted that "the malicious use of information and
communication technologies (ICT) could disrupt financial
services crucial to both national and international financial
systems, undermine security and confidence, and endanger
financial stab ility".1
Regulated institutions' use of technology includes greater levels of
automation and integration with third-party service providers and
customers.*2 This results in an attack surface that is growing and is
accessible from anywhere, and it incentivises cyber-adversaries to
increase their capabilities. Increased use of third-party providers
means that the perimeter of interest to financial sector regulators
has gotten bigger, and greater use of cloud services means that
the perimeter is also shared. Shared service models require regu­
lated institutions to think differently about how they build and
maintain their cyber-resilience in partnership with third parties.
Given the increase in the frequency, severity and sophistication
of cyber-incidents in recent years, a number of legislative, regu­
latory and supervisory initiatives have been taken to increase
cyber-resilience. At the international level, the G7 issued Funda­
mental Elements of Cyber-security for the financial sector,3 and
the Committee on Payments and Market Infrastructures (CPMI)
issued, jointly with the International Organization of Securities
Commissions (IO SCO ), guidance on cyber-resilience for financial
market infrastructures (FMIs) in June 2016.4 In the European
Union (EU), the European Commission's (EC) Fintech Action Plan
invites the European Supervisory Authorities to consider issuing
guidelines to achieve convergence on ICT risk.5
Against this backdrop, the Basel Committee on Banking Super­
vision (BCBS) recognised the merits of approaching operational
See G20, Communique: G20 Finance Ministers and Central Bank
A
Governors Meeting, Baden-Baden, Germany, 17-18 March 2017, www
.bundesfinanzministerium.de/Content/EN/Standardartikel/Topics/
Featured/G20/g20-communique.pdf?_blob=publicationFile&v=3.
2 Many regulated institutions are adopting strategies that will see more
data stored and/or processed outside the perimeters of the regulated
institution while at the same time granting service providers (now grow­
ing to what is commonly a multitude of providers) access to their envi­
ronments to perform business and technology processes.
3 See G7, Fundamental elements of cybersecurity for the financial sector,
October 2016.
4 See CPMI-IOSCO: Guidance on cyber-resilience for financial market
infrastructures, June 2016.
5 The European Securities and Markets Authority (ESMA), the European
Banking Authority (EBA), and the European Insurance and Occupational
Pensions Authority (EIOPA), collective referred to as the "European
Supervisory Authorities".
364 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
resilience beyond the purview of operational risk management
and minimum capital requirements, and established the O pera­
tional Resilience Working Group (ORG) with the intention of
contributing to, inter alia, the international effort related to
cyber-risk in close coordination with the other international bod­
ies involved. The Committee therefore requested that the ORG
provide this first assessment of observed cyber-resilience prac­
tices at authorities and firms.
The objective of this report is to identify, describe and compare
the range of observed bank, regulatory and supervisory cyber­
resilience practices across jurisdictions. In preparing this range
of practices document, ORG members used the input provided
by their organisation to an FSB survey in April 2017, which led
to the publication of its stocktake of publicly released cyber­
security regulations, guidance and supervisory practices at both
the national and international level issued in October 2017.
According to the FSB cyber-security stocktake, banking is the
only sector in financial services for which all FSB jurisdictions
have issued at least a regulation, guidance or supervisory prac­
tices. In addition, the FSB found that member jurisdictions drew
upon a small body of previously developed national or interna­
tional guidance or standards of public authorities or private
bodies in developing their cyber-security regulatory and supervi­
sory schemes (mainly the 2016 CPIM I-IOSCO guidance, the US
National Institute of Standards and Technology (NIST) cyber­
security framework and the ISO 27000 series).6
Besides reviewing and completing their jurisdiction's responses
to the FSB survey questions, ORG members shared their direct
experiences and insights in order to provide a more concrete
and specific understanding of the main trends, progress and
gaps in the pursuit of cyber-resilience in the banking sector. Fur­
thermore, additional insight was gained and findings were fine-
tuned through outreach to a broad set of industry stakeholders
including banks, utility and technology service providers, consul­
tancies and associations involved in domestic and international
cyber-security matters.
For the purpose of this report, the BCBS uses the FSB Lexicon
definition of cyber-resilience,7 which defines it as the ability of
an organisation to continue to carry out its mission by anticipat­
ing and adapting to cyber threats and other relevant changes in
the environment and by withstanding, containing and rapidly
recovering from cyber incidents. Although this paper focuses on
6 See NIST, Framework for improving critical infrastructure cybersecurity,
16 April 2018, www.nist.gov/cyberframework/framework, which consists
of standards, guidelines and best practices to manage cyber- security-
related risk.
7 See FSB, Cyber Lexicon, 12 June 2018, www.fsb.org/wp-content/
uploads/P121118-l.pdf.
cyber-resilience, practices also relevant to the broader opera­
tional resilience context were considered. A distinction was also
drawn between cyber-risk management (which deals with vul­
nerabilities and threats) and IT risk management, the scope of
which is broader than the matter at hand in this report. Where
appropriate, deeper dives on practices that reflect new
approaches or address widely shared strategic concerns have
been performed ORG members in the form of nine specific
case studies.
The remainder of this report is divided into the following
sections:
• Section 2 provides a high-level overview of current
approaches taken by jurisdictions to issue cyber-resilience
guidance standards.
• Section 3 assesses the range of practices regarding gover­
nance arrangements for cyber-resilience.
• Section 4 focuses on current approaches on cyber-risk man­
agement, testing, and incident response and recovery.
• Section 5 explores the various types of communications and
information-sharing.
• Section 6 analyses expectations and practices related to
interconnections with third-party services provides in the con­
text of cyber-resilience.
24.2 CYBER-RESILIENCE STANDARDS
AND GUIDELINES
Most jurisdictions address cyber through the lens of IT and gen­
eral operational risk. Cyber-resilience expectations, which are
sometimes embedded within high-level IT risk guidance, cover a
wide range of regulatory standards.8 The intent of IT risk guid­
ance is to communicate jurisdictions' expectations and encour­
age good practice. Guidance typically addresses governance,
risk management, information security, IT recovery and manage­
ment of IT outsourcing arrangements. While guidance is pre­
sented as operational risk or IT risk guidance, it effectively
provides coverage of cyber-risk management as a subset of
these practices.
8 We note that while the majority of jurisdictions' cyber-resilience expec­
tations are derived from common frameworks, eg NIST, each supervisory
authority has designed their own assessment tools, eg questionnaires.
As a result, regulated entities are required to provide slightly different
information to each supervisory authority, even where the broad ques­
tions posed are the same. Banks and supervisory authorities may benefit
from harmonisation and standardisation, not just of supervisory expecta­
tions, but also of the information requested by supervisors and the tools
used to collect it.
Chapter 24 Cyber-Resilience: Range of Practices
Standards on general risk topics such as business continuity
planning and outsourcing contribute to the management of a
wide range of risks and also have relevance to cyber-risk. Discus­
sion at the 2017 Information Technology Supervisors' Group
(ITSG) meeting highlighted that many countries are working on
updates to their outsourcing standards.9 The Australian Pruden­
tial Regulation Authority(APRA) is also considering whether the
term outsourcing remains relevant or whether service p ro vid er
risk m anagem ent might be more appropriate, recognising that
bank supply chains have become more complex. Section 6 of
this report further discusses expectations and practices in rela­
tion to third-party interconnections.
Specific cyber-risk management guidance has emerged in the
context of information security. A few jurisdictions have issued
specific cyber-risk management or information security guidance,
including on the importance of effective cyber-security risk man­
agement (Hong Kong SAR), on early detection of cyber intru­
sions (Singapore), on the establishment of a cyber-security policy
(Brazil) and on the common procedures and methodologies for
the assessment of ICT risk (European Banking Authority (EBA)).
In jurisdictions where no specific cyber-security regulations exist
for the financial sector, supervisors encourage their regulated
entities to implement international standards and apply prescrip­
tive guidance, and supervisory practices align with the top-down
initiatives of national cyber-agencies. Most jurisdictions implement
key concepts from international and industry standards such as
NIST, ISO/IEC and CO BIT.10 Regulators also leverage supervisory
practices from the US (Federal Financial Institution Examining
Council (FFIEC) IT Examination Handbook) and the UK (CBEST).
Some jurisdictions are developing enforceable standards for
cyber-resilience in the financial sector. This is the theme of this
report's first case study (Box 24.1).
24.3 CYBER-GOVERNANCE
The majority of the regulators have issued either principles-
based guidance or prescriptive regulations, with varying levels
of maturity. In general, regulatory standards and supervisory
practices address enterprise IT risk management but do not
include specific regulations or supervisory practices that cover
9 The Information Technology Supervisors' Group (ITSG) is an interna­
tional working group of IT supervisors which meets annually to discuss
approaches to IT risk (including cyber-risk).
10 Control Objectives for Information and Related Technologies (COBIT)
is a good practice framework created by international professional
association ISACA for information technology (IT) management and IT
governance.
■ 365
 BOX 24.1 CASE STUDY 1s RECENT REGULATORY INITIATIVES - THE
AUSTRALIAN, GERMAN AND US MINIMUM REQUIREMENTS
A ustralian Prudential Regulation A utho rity
(A PRA ) Prudential Standard CPS 234
Inform ation Security
This Prudential Standard aims to ensure that an APRA-regu-
lated entity takes measures to be resilient against information
security incidents (including cyber-attacks) by maintaining an
information security capability commensurate with informa­
tion security vulnerabilities and threats.
A key objective is to minimise the likelihood and impact of
information security incidents on the confidentiality, integrity
or availability of information assets, including information
assets managed by related parties or third parties. The board
of an APRA-regulated entity is ultimately responsible for
ensuring that the entity maintains its information security.
The key requirements of this Prudential Standard are that an
APRA-regulated entity must:
• clearly define the information security-related roles and
responsibilities of the board, senior management, govern­
ing bodies and individuals;
• maintain its information security capability commensu­
rate with the size and extent of threats to its information
assets, and so that it enables the continued sound opera­
tion of the entity;
• implement controls to protect its information assets
com m ensurate with the criticality and sensitivity of
those information assets, and undertake system atic te st­
ing and assurance regarding the effectiveness of those
controls; and
• notify APRA of material information security incidents.
Supervisory Requirem ents fo r IT in Financial
Institutions (BaFin Circular 10/2017, BAIT)
The German Banking Act requires financial institutions to
demonstrate that its risk management comprises, among
other things, adequate technical and organisational resources
and adequate contingency planning, especially for IT
systems.
cyber-risk management of critical business functions, intercon­
nectedness or third-party risk management. Against this back­
drop, supervisory expectations and practices were identified
and analysed in the following areas relevant to governance:
• Cyber-security strategy
• Management roles and responsibilities
• Cyber-risk awareness culture
• Architecture and standards
• Cyber-security workforce
366 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
The circular on Minimum Requirements for Risk Manage­
ment (MaRisk) provides a comprehensive framework for the
management of all significant risks, thereby concretising the
requirements of the German Banking Act. Complementing
MaRisk in this regard, the Banking Supervisory Requirements
for IT (BAIT) refines the German Banking Act.
The BAIT covers requirements with respect to:
• IT strategy and IT governance;
• information risk management and information security
management;
• user access management;
• IT project management and application development;
• IT operations; and
• outsourcing and other external procurement of IT services.
US A gencies' N otice of Proposed Rulem aking
fo r N ew Cyber-Security Regulations fo r Large
Financial Institutions
Another example is the joint announcement from the US Fed­
eral Reserve, the Officer of the Comptroller of the Currency
(O CC) and the Federal Deposit Insurance Corporation (FDIQ,
which provided a notice of proposed rulemaking for new
cyber-security regulations for large financial institutions. The
intent is to address the type of serious cyber-incident that
could impact safety and soundness. As announced, require­
ments will relate to cyber-risk governance, risk management,
internal dependency management, external dependency
management, incident response, assurance management of
third parties and audit.
The State of New York Department of Financial Services has
also released cyber-security regulations that require regulated
intuitions in New York to have a cyber-security programme
designed to protect consumers' private data; a written policy
or policies that are approved by the board or a senior officer;
a Chief Information Security Officer to help protect data and
systems; and controls and plans in place to help ensure the
safety and soundness of the financial services industry.
Cyber-Security Strategy Is Expected But
Not Required
Although most regulators do not require regulated entities to
develop a cyber-security strategy, all expect regulated institu­
tions to have a board-approved information security strategy,
policy and procedures under the broad remit of effective over­
sight of technology.
Many jurisdictions (eg Australia, Brazil and jurisdictions across
Europe) expect that cyber-risk should be covered by the
organisation-wide risk management framework and/or informa­
tion security framework which is monitored and reviewed by
senior executives.
Consistent with the previous observation regarding regulatory
expectations, most supervisors review regulated entities' infor­
mation security strategies, but very few require or evaluate those
entities' standalone cyber-security strategies. Examiners typically
review an institution's information security strategy, information
security plans, and cyber-security implementation, including key
cyber-security initiatives and timelines. They may also review its
practices for communicating with relevant stakeholders.
A variety of approaches can also be observed within regions:
while the FFIEC IT Examination Handbook in the US does not
specifically address the development of a cyber-security strat­
egy, Canada's self-assessment guidance attempts to determine
whether a regulated financial institution has established a cyber­
security strategy aligned with the institution's business strategy
and implementation plan. Mexico does not have supervisory
practices focused on cyber-security strategy but has issued regu­
lations that direct banks to develop IT security strategies.
Jurisdictions enforce cyber-security strategy requirements using
three types of non-mutually exclusive regulatory approaches:
1. The regulator/authority implements cyber-security strategy
requirements, either sector-specific or across multiple indus­
tries, with which financial institutions have to comply. This
is a common approach in emerging market economies with
relative homogeneity in their banking systems.
2. The financial institutions establish their own cyber-security
strategies in compliance with principles-based risk manage­
ment practices. Regulators review these strategies as part
of their assessment of an institution's overall risk manage­
ment practices.11
3. A third approach, prevalent in Europe, involves examin­
ing whether financial entities have an IT strategy and the
accompanying security provisions.
Management Roles and Responsibilities
Recognition of the Importance of the Board of
Directors and Senior Management
Some jurisdictions have issued specific regulatory guidance and
requirements addressing cyber-governance roles and responsi­
bilities of the board of directors (BoD) and senior management.
11 The Saudi Arabian Monetary Authority (SAMA) applied the first two of
these approaches by compelling financial institutions to formulate their
own cyber-security strategies while it developed supervisory practices
for implementing cyber-security strategy.
Chapter 24 Cyber-Resilience: Range of Practices
The majority of such guidance prioritises the roles and respon­
sibilities of the BoD and senior management, while others have
prioritised them even more in overseeing overall business tech­
nology risks. Other jurisdictions approach cyber-governance as a
risk that regulated entities are expected to address within their
existing risk management frameworks.
Almost all the jurisdictions emphasise the importance of man­
agement roles and responsibilities for cyber-governance and
controls. In the US, EU and Japan, high-level guidelines encour­
age global systemically important banks (G-SIBs) and domes­
tic systemically important banks (D-SIBs) to implement well
defined, risk-sensitive management frameworks under initiatives
taken by theBoD. In addition, the EBA implements granular and
prescriptive requirements, ensuring consistent cyber-security
regulation and supervision across the European banking sector.
Similarly, emerging market economies implement more granular
and prescriptive cyber-security requirements.
Variety of Supervisory Approaches Regarding the
Second and Third Lines of Defence (3LD)
The majority of regulators have adopted the 3LD risk manage­
ment model to assess cyber-security risk and controls. However,
most regulators do not require the implementation of 3LD at
regulated entities and do not prescribe precisely how responsi­
bilities should be distributed across the lines, as the expectation
is rather for banks themselves to clearly define responsibilities
and leave no gaps between the lines. As a result, supervisory
practices for assessing the degree of 3LD implementation vary
widely, and there appears to be a greater supervisory focus on
the first and second lines of defence than on the third line across
jurisdictions, which could hamper the effectiveness of the 3LD
checks and balances model. In particular, only a few jurisdictions
have formulated specific expectation regarding the independent
reporting line from the chief audit executive to the audit com­
mittee of the BoD.
Cyber-Risk Awareness Culture
An awareness of cyber-risk by staff at individual banks and a
common risk culture across the banking industry are prerequi­
sites for maintaining cyber-resilience within the sector. Regula­
tors in most jurisdictions have published guidance emphasising
the importance of risk awareness and risk culture for staff
and management at all levels, including BoDs and third-party
employees. Regulatory requirements include increasing cyber­
security awareness and cyber-related staffing at regulated
entities. In some jurisdictions, regulators require cyber-security
awareness training during each phase of the employment pro­
cess, from recruitment to termination.
■ 367
 BOX 24.2 CASE STUDY 2: ROLES AND RESPONSIBILITIES OF CHIEF
INFORMATION SECURITY OFFICERS (CISOS) IN CYBER-GOVERNANCE
A widespread practice among large and globally active banks
is to establish a robust governance structure based on the
3LD model. Typically, in this model, the CISO is the execu­
tive officer responsible for a bank's cyber-security manage­
ment. The CISO's role is to serve as a circuit breaker and
to balance the firm's risk appetite with security protection
considerations long before introducing or expanding digi­
tal services or products. However, in most cases the CISO
reports to the chief risk officer (CRO) or to the chief informa­
tion officer (CIO), with no independent reporting line to the
C EO or board of directors (BoD). CRO s typically place more
emphasis on compliance over risk management. Emerging
trends in cyber-governance indicate that the placement of
the CISO under the CRO is not ideal because the two posi­
tions have inherently conflicting priorities. When the CISO
attempts to implement risk-based cyber and IT security con­
trols that accommodate technological innovation through the
"plan-do-check-act" (PDCA) cycle, the CRO may prioritise
compliance over the benefits of technological innovation.
This dynamic can impede the CISO from effectively perform­
ing his/her job function. In response, some global banks
are restructuring the CISO role by having the CISO report
directly to the C EO or BoD.
Regulated entities may be required to include non-disclosure
clauses within staff agreements. To mitigate insider threats,
some jurisdictions require new employees to complete a screen­
ing and background verification process, while existing employ­
ees undergo a mandatory reverification process at regular
intervals. In some jurisdictions, regulators assess whether banks
have robust processes and controls in place to ensure their
employees, contractors and third-party vendors understand their
responsibilities, are suitable for their roles and have the requi­
site skills to reduce the risk of theft, fraud or misuse of facilities.
The majority of the regulators encourage the development of a
common risk culture sufficient to ensure effective cyber-risk man­
agement. In some jurisdictions, regulators assess each bank's
cyber-risk appetite, considering such factors as the bank's busi­
ness model, core business strategy and key technologies. Some
jurisdictions view cyber-security as a critical business function,
since a cyber-attack could lead to the insolvency of individual
entities or even to widespread disruption of the entire sector.
Architecture and Standards
For most jurisdictions, general regulatory requirements for
architecture and standards are not in place, or there is a lack of
coverage. Only a small number of countries specifically highlight
control considerations and substantial supervisory guidance
368 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Considering the cyber-threat landscape, the Saudi Arabian
Monetary Authority (SAMA) issued a principle-based cyber­
security framework and mandated financial institution to
comply with various range of control considerations men­
tioned in different topics of this framework.
One such topic addresses responsibilities of the CISO in
the cyber-security committee, security strategy, security
architecture, risk-based cyber-security solutions, operational
security, etc to ensure that cyber-security controls are applied
throughout the financial institution. This is reinforced with
the role of the cyber-security function in financial institutions
where SAM A requires financial institutions to have a cyber­
security function independent from the IT function. This
includes separate budgets and staff evaluations along with
the cyber-security function reporting directly to the C EO /
managing director or senior management of the control func­
tion of the financial institution.
SAM A also requires financial institutions to perform periodic
self-assessments against the cyber-security framework, which
is subject to review (on- and off-site) by SAM A to determine
the level of compliance and cyber-security maturity of the
financial institution.
for cyber-security architecture. For instance, the US FFIEC IT
Examination Handbook specifies that when discussing network
architecture, supervisors should confirm that the diagrams are
current, securely stored and reflective of a defence-in-depth
security architecture. In Saudi Arabia, practices covering cyber­
security architecture are subject to a periodic self-assessment.
Cyber-Security Workforce
The skills and competencies of cyber-workforces, their regula­
tory frameworks and the range of practices differ markedly
across jurisdictions. Some jurisdictions have IT-specific standards
that address the responsibilities of the IT workforce and infor­
mation security functions, with particular attention to cyber­
security workforce training and competencies. Their range of
supervisory practices covers the assessment of team divisions,
staff expertise (background and security checks of cyber-security
specialists), the staff training processes and the adequacy of
funding and resources to implement the organisation's cyber­
security framework. Most of the jurisdictions are in the early
stages of implementing supervisory practices to monitor a
bank's cyber-workforce skills and resources. Their regulatory
schemes require regulated entities to manage risks but do not
set specific requirements to address cyber-security workforce
skills and resources.
 BOX 24.3 CASE STUDY 3: FRAMEWORKS FOR PROFESSIONAL TRAINING
IN CYBER-SECURITY AND CERTIFICATION PROGRAMMES
The Center for Financial Industry Information Systems
(FISC), a public-private partnership, was founded in Japan
in 1984 to promote the cyber-security initiatives of financial
institutions. FISC facilitates the exchange of staff between
financial sector supervisors, banks, and IT security vendors
by partnering with the private sector and supervisors. FISC's
efforts have resulted in the development of FISC Guidelines
for cyber-security preparedness in Japan, as well as cyber­
security education and training programs for its bankers.
Bank examiners at the FSA and BoJ reference FISC Guide­
lines to ensure a consistent and integrated supervisory
approach. The same structure can be found in the Finan­
cial Security Institute (FSI) founded in Korea in 2015. This
illustrates the effectiveness of cross-border public-private
partnerships when the supervisors leverage the industry for
cyber-security enhancement. At a minimum, FISC's efforts
serve as a model for other jurisdictions transitioning from
prescriptive to more risk-based and incentive-compatible
regulatory models.
Bank of England (BoE): The BoE has established the C B EST
accreditation for suppliers who offer threat intelligence and
penetration testing services who wish to be involved in the
C B ES T scheme. This is in addition to the accreditation for
individuals offered by the Council for Registered Ethical
The majority of regulators assess the cyber-security workforce
of the institutions through on-site inspections, where they have
the opportunity to talk with relevant specialists. Self-assessment
questionnaires are becoming common practice. Training pro­
cesses are particularly scrutinised. As staff competence is integral
to cyber-security, authorities have been known to raise concerns
about the capability or qualifications of an institution's head
of IT or information security. Jurisdictions diverge in how they
regulate the roles and responsibilities of the IT and information
security staff. Some jurisdictions, including Argentina, Australia,
the EU, Japan and Saudi Arabia, issue regulations specifically
addressing IT staff's roles and responsibilities. Sometimes regula­
tions are embedded in a jurisdiction's global governance frame­
work, such as those issued in Switzerland. In regulations issued
by Mexico, the US, and Saudi Arabia, regulatory requirements
addressing the roles and responsibilities of the IT and informa­
tion security functions are encompassed by requirements for the
BoD and senior management. In South Africa, such regulations
are included in the national cyber-security strategy.
The range of practices and regulatory expectations for work­
force competence is wide, and many jurisdictions have not
formulated any. The FISC in Japan and FSI in South Korea are
both examples where public authorities have set guidelines on
Chapter 24 Cyber-Resilience: Range of Practices
Security Testers (CREST), ie the C R EST Certified Threat Intel­
ligence Manager (CCTIM) for providers of threat intelligence
services, and the C R EST Certified Simulated Attack Manager
(CCSAM ) and C R EST Certified Simulated Attack Specialist
(CCSAS) for providers of penetration testing services.
Monetary Authority of Singapore (MAS): MAS requires
financial institutions to have in place a comprehensive tech­
nology risk and cyber-security training programme for the
BoD. Such a programme may include periodic briefings con­
ducted by in-house cyber-security professionals or external
specialists. The goal is to help equip the BoD with the requi­
site knowledge to competently exercise its oversight function
and appraise the adequacy and effectiveness of the financial
institution's overall cyber-resilience programme.
Hong Kong Monetary Authority (HKMA): The HKMA's Pro­
fessional Development Program (PDP) is one of the three ele­
ments of HKMA's Cybersecurity Fortification Initiative (CFI).
It seeks to increase the supply of qualified cyber-security
professionals in Hong Kong SAR. The HKM A has worked
with the Hong Kong Institute of Bankers and the Hong Kong
Applied Science and Technology Research Institute (ASTRI)
to develop a localised certification scheme and training pro­
gramme for cyber-security professionals.
appropriate cyber-security workforce management. In other
jurisdictions, regulatory requirements for cyber-workforce man­
agement are limited to supervisory expectations, and there may
be no assessment by supervisors of cyber-security skills and staff
training at regulated entities. Only the Hong Kong, Singapore
and the UK have issued dedicated frameworks to certify cyber­
workforce skills and competencies.
24.4 APPROACHES TO RISK
MANAGEMENT, TESTING AND
INCIDENT RESPONSE AND RECOVERY
This section sets out a range of observed practices on cyber-risk
management, and incident response and recovery. It aims to identify
practices in the supervision of banks' cyber-resilience which could
inform future work. This section is divided into four sub-sections:
• Methods for supervising cyber-resilience
• Information security controls testing and independent
assurance
• Response and recovery testing and exercising
• Cyber-security and resilience metrics.
■ 369
Methods for Supervising Cyber-Resilience
Risk Specialists Assess Information Security
Management and Controls
Jurisdictions apply different approaches to supervise regulated
institutions' cyber-resilience. Most focus on key risks such as
cyber in the context of the scale, complexity, business model
and previous findings, often assigning institutions to categories
to aid decisions about which institutions will be in scope for vari­
ous supervisory initiatives. Guided by existing international and
national legislation, a programme of supervision is then agreed
spanning financial and operational resilience matters.
Half of the jurisdictions in the EU have internal guidance
addressing the circumstances when the competent authority
should conduct a cyber-security review. These include institu­
tions' own risk assessments, findings from on-site inspections or
questionnaires, and incidents (eg cyber incident trend analysis).
Risk specialists typically draw on documentary evidence includ­
ing survey responses, physical inspections, incident reports,
and in-person meetings to assess the adequacy of controls in
place. Many supervisory expectations are aligned with industry
standards (eg COBIT, NIST) but approach, depth and breadth of
supervisory assessments vary between jurisdictions.
Most jurisdictions undertake off- and on-site reviews and inspec­
tions of regulated institutions' information security controls to
assess compliance with regulatory standards and alignment with
good practice.12 Reviews are completed either as part of gen­
eral technology assessments or risk management assessments
more broadly. They tend to focus on governance and strategy,
management and frameworks, controls, third-party arrange­
ments, training, monitoring and detection, response and recov­
ery, and information-sharing and communication.
The number, type, and nature of regulated institutions vary by
jurisdiction, as do the size of the specialist risk teams of the
regulator. Some jurisdictions (eg Australia, Brazil and Singapore)
have developed approaches to equip front-line supervisors with
knowledge and tools to assess (triage) IT risk issues. Techniques
used include guidelines on how to identify and evaluate IT
risk, questionnaires, risk assessments and tools to quantify risk
assessments. Additionally, a number of jurisdictions (eg Australia
and the UK) have powers to appoint an auditor or other third
party to provide a report to the regulator on a particular aspect
of the regulated institutions' risk management, including cyber.
12 On-site reviews usually consist of one or more meetings with regu­
lated institutions at their premises. Off-site reviews usually consist of
desk-based assessment of documentation or a meeting at the office of
the regulator.
370 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Jurisdictions Increasingly Engage With Industry
to Address Cyber-Resilience
Industry engagement is used to either influence industry behav­
iour, or to seek feedback and views to inform regulatory work.
For instance, the French Autorite de Controle Prudentiel et de
Resolution (ACPR) and the UK Prudential Regulation Authority
(PRA) both released discussion papers, on IT risk and opera­
tional resilience respectively, in 2018.13 Common methods of
engagement also include speaking at conferences and other
communications to reach a range of regulated entities and
industry participants.14
Some jurisdictions include third-party service providers in this
engagement. In the EU, both the European Commission EU
FinTech Lab and the EBA FinTech Knowledge Hub have organ­
ised events with regulators, supervisors, industry and third-party
service providers. Communicating key messages through these
channels can be faster and more responsive.
Information Security Controls Testing
and Independent Assurance
Mapping and Classifying Business Services Should
Inform Testing and Assurance
Most jurisdictions (eg Australia, the EU, Hong Kong, Singapore
and the US) recognise the importance of mapping and classify­
ing business services and supporting assets and services as a
basis for building resilience. A clear understanding of business
services and supporting assets (and their criticality and sensitiv­
ity) can be used to design testing and assurance of end-to-end
business services. This is typically completed as part of business
impact analysis, recovery and resolution planning, reviewing
dependency of critical services on external third parties, and
scoping for assessments.
A number of jurisdictions assess institutions' monitoring and
surveillance of emerging threats, including real-time detec­
tion capability, ability to detect adversaries before they move
between systems and relevant continuity and control policies.
Some jurisdictions perform thematic reviews (eg Sweden com­
pleted a review of institutions' access controls and management
13 See ACPR, "IT Risk", Discussion Paper, March 2018, www.acpr
.banque-france.fr/sites/default/files/medias/documents/it_risk.pdf; and
Bank of England and Financial Conduct Authority, "Building the UK
financial sector's operational resilience", Discussion Paper, July 2018,
www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/
discussion-paper/2018/dpl I8.pdf.
14 Publications used include white papers, information papers, annual
reports and in some cases letters to industry.
of user access rights), while some members use existing inter­
national standards, applying them to other types of institution
(eg South Africa applies the CPM I-IO SCO guidance on cyber­
resilience for FMIs to banks).
Independent assurance also provides management and regula­
tors with an evaluation of whether appropriate controls have
been implemented effectively. Jurisdictions commonly also
leverage the management information outputs of these activi­
ties, providing the regulator with another source of information
for their own assessments.
Penetration Testing
Cyber-security controls are implemented through risk-based
decisions against a regulated institution's risk appetite. Regu­
lated institutions typically test information security controls
applied to hardware, software and data to prevent, detect,
respond and recover from cyber-incidents.
Supervisors review and challenge regulated institutions'
approach to testing controls and the remediation of issues iden­
tified. This can include reviewing survey responses, threat and
vulnerability assessments, risk assessments, audit reports and
control testing reports (eg penetration testing, health checks).
Five EU jurisdictions have developed programmes of regulator-
led penetration tests and three (the EC B, the Netherlands
and the UK) have provided guidance for regulated institu­
tions on howto test. Tests are typically voluntary, funded by
the regulated institution and targeted at larger, more systemic
institutions. In particular, threat-led red team penetration tests
delivered by third-party threat intelligence and penetration tes­
ters are becoming more widespread. The majority of directed
penetration tests focus on regulated institutions' protective
and detective cyber-resilience capabilities, while a few also test
response and recovery capabilities.
In May 2018, the ECB published the European Framework for
Threat Intelligence-based Ethical Red Teaming (TIBER-EU ),15
which is the first Europe-wide framework for controlled and
bespoke tests against cyber-attacks in the financial market. The
framework facilitates testing for cross-border entities under the
oversight of several authorities. It is up to the relevant authori­
ties and the entities themselves to determine if and when TIBER-
EU based tests are performed. Tests will be tailor-made and will
not result in a pass or fail - rather they will provide the tested
entity with insight into its strengths and weaknesses, and enable
it to learn and evolve to improve cyber-maturity.
15 ECB, "ECB publishes European framework for testing financial sector
resilience to cyber-attacks", press release, 2 May 2018, www.ecb
.europa.eu/press/pr/date/2018/html/ecb. prl80502.en.html.
Chapter 24 Cyber-Resilience: Range of Practices
Taxonomy of Cyber-Risk Controls
While putting cyber-risk controls in place is only one aspect
of building cyber-resilience, many jurisdictions find review of
controls a ready way to engage with regulated institutions.
Some jurisdictions use taxonomies of controls to understand
whether there are any gaps in the coverage of their supervisory
approach. Currently the taxonomies are jurisdiction-specific
and do not rely on harmonised concepts and definitions. If an
authority is unable to assess a particular type of control, for
example because it has no supervisory approach, assessment
method or the required skillset to assess the control, then that is
identified as a gap. An example taxonomy of cyber or informa­
tion security controls is included in Annex A.
Response and Recovery Testing
and Exercising
Evaluation of Service Continuity, Response and
Recovery Plans and Continuous Learning
Evaluation of service continuity plans focuses on reviewing
alignment with institutions' risk management frameworks, the
business continuity management strategies chosen, IT disaster
recovery arrangements and data centre strategies.
The majority of regulators require entities to establish a fram e­
work or policy for prevention, detection, response and recovery
activities, including incident reporting. Specific requirements
vary across supervisory authorities, and most are not specific
to cyber-risk. Indeed, few regulators have issued cyber-specific
business continuity or disaster recovery regulatory requirements
for the sector. A few jurisdictions, like China and India, have
prescribed cyber-incident response framework to be a key com­
ponent of cyber-governance. The US also has supervisory guid­
ance regarding incident management, covering identification
of indicator of compromise, analysis and classification of events
and escalation and reporting of incidents. Some authorities,
such as the Japanese Financial Services Agency (JFSA) and Bank
of Japan, also focus on potential threats and information-sharing
to minimise delays in reporting cyber-incidents.
Evaluation of regulated institutions' incident response and
recovery plans focuses on how plans are triggered, institutions'
ability to implement plans, preservation of data and specific
actions for "critical" technology. In Canada, the assessment of a
bank's internal and external communication plans and protocols
seeks to determine if all relevant stakeholders are included, to
avoid contagion.
Several jurisdictions (eg Australia, Belgium, Hong Kong, Japan and
the US) complete a supervisory review of post-incident learning.
■ 371
 BOX 24.4 CASE STUDY 4: "EXERCISE RESILIENT SHIELD"
One exam ple of an international public-private exercise
was UK/US "Exe rcise " Resilient Shield in 2015 - a joint
exercise with leading global financial firms to enhance
cooperation and ability to respond effectively to a cyber­
incident in the finance sector. The exercise was not a test
of individual financial firms or financial system s, but was
designed to improve understanding across governments
and industry of information-sharing, incident response han­
dling and public communications.
Participants included UK and US supervisory authorities,
government departments and cyber-agencies. The exercise
examined how the UK and US could enhance cyber-security
cooperation by:
• enhancing processes and mechanisms for maintaining
shared awareness of cyber-security threats between US
and UK governments and the private sector;
This is conducted through the discussion of regulated institutions'
response and the root cause analysis, but no further standard
practice could be observed.
Joint Public-Private Exercising
Distinct from testing, most supervisors and banks use exercises
to train and practice how they would respond to an incident.
Cross-border international exercises have made this more visi­
ble. Examples include the UK/US exercise Resilient Shield
(Box 24.4) and the TITUS exercise in 2015,16 as well as the G7
exercise under planning in 2018.
In the UK, the Sector Exercising Group (SEG), which is a sub­
group of the Cross Market Operational Resilience Group
(CM O RG), manages the sector's annual exercise regime, which
incorporates cyber-specific scenarios.17 In Japan, the JF S A has
conducted tabletop exercises to improve cyber-security, and in
particular communication and coordination of response mecha­
nisms. Over 100 regulated institutions including banks, credit
unions, insurance companies and securities companies partici­
pated in the 2017 exercise, which covered two cyber-scenarios.
A summary of results was then published to enable others to
draw lessons from the exercise.
16 TITUS was a crisis communication exercise for euro area financial mar­
ket infrastructures held in November 2015.
17 CMORG is a UK industry forum which is co-chaired by the Bank of
England and UK Finance and attended by senior representatives from
regulated institutions.
372 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
• furthering mutual understanding of each country's cyber­
security information-sharing processes and incident response
coordination structures, including scenarios that may call for
a coordinated response and public communications; and
• exchanging best practices domestically and between
the US and UK on a government-to-government and
government-to-financial sector basis.
The exercise did not:
• amount to a "cyber war game" or include live play;
• test the actions of law enforcement or the security and
intelligence agencies;
• seek to involve the entire range of the UK and US finance
sectors; or
• seek to test individual firms or financial systems, but
instead rehearse communication and coordination links.
Cyber-Security and Resilience Metrics
Cyber-Security and Resilience Metrics are Not
Yet Mature
Some jurisdictions have methodologies to assess or benchmark
regulated institutions' cyber-security and resilience. Those juris­
dictions that have developed ways to assess cyber-security and
resilience have focused on reported incidents, surveys, penetra­
tion tests and on-site inspections. None of these methodologies
produce quantitative m etrics or risk indicators comparable to
those available for financial risks and resilience, eg standardised
quantitative metrics where established data are available.
Instead, indicators provide information on regulated institutions'
approach to building and ensuring cyber-security and resilience
more broadly. Supervisory authorities also rely on entities' own
management information, although this differs across entities
and is not yet mature.
Emerging Forward-Looking Indicators of Resilience
It is common for jurisdictions (and often regulated institutions
themselves) to focus on backward-looking indicators of the
performance of the technology function. These indicators are
presented to Board members and executives as part of manage­
ment information that regulators may review (examples can be
found in Annex B).
Backward-looking indicators comment on past performance as
an indicator of future performance, which is reasonable when
institutions' operations and risk environment are relatively stable
over time and more or less independent from outside influ­
ences. However, cyber-risk frustrates this because adversaries
are dynamic, themselves adapting to institutions' responses and
protective measures, sometimes changing their tactics and strat­
egies even in the space of a single cyber-incident. Distributed
denial of service (DDOS) incidents are a good example, where
the volume and scale of disrupted internet traffic generated
has increased significantly in the last two years and adversaries
adapt their techniques in response to an institution's defences.
While backward-looking metrics continue to be important,
jurisdictions are increasingly recognising the need for forward-
looking indicators as direct and indirect metrics of resilience,
indicating whether a regulated institution is likely to be more or
less resilient in the event of a risk crystallising.
Regulated institutions are also seeking to improve metrics for
resilience more broadly. Annex C contains cyber-centric metrics
collated by a sample set of regulated institutions for decision­
making bodies (boards and board sub-committees). It is notable
that the data provided typically allow for trend information so
that the reviewer can assess if the situation is getting better
or worse. Some metrics track compliance with internal policies
while others measure inherent risk. Patch ageing in particular is
a widespread and comparable metric.
This list of cyber-metrics collated by regulated entities can be
reviewed by regulators to gain insight into what may be col­
lected across the regulated population to gain an enhanced set
of cyber-metrics for measuring the state of cyber-resilience more
broadly. Collectively, these indicators can inform on the broad
adequacy of an institution's cyber- and operational resilience
levels for its business needs and risk appetite. However, no sin­
gle item taken in isolation is seen as a sufficient metric, and no
standard set of indicators has been identified so far to provide a
meaningful benchmark.
(1) the numbered circles next to the arrows indicate the "types" of info sharing as described in section 5.1 and Figure 24.2.
Source: Basel Committe on Banking Supervision.
Chapter 24 Cyber-Resilience: Range of Practices
A number of jurisdictions (eg Australia, Canada, the ECB-SSM ,
Hong Kong, Singapore, the UK and the US) analyse survey
responses to assess regulated institutions' capabilities and
inform prioritisation of follow-up work. The outcomes of this
work tend to be institution-specific findings and remediation or
action plans which can be monitored over time, and/or thematic
reports. As such, they provide indicators and trends if per­
formed on a regular basis. Results from the Australian surveys
are subsequently published to influence industry behaviour. In
the UK, thematic findings are often shared with participating
firms for the same purpose.
24.5 COMMUNICATION AND
SHARING OF INFORMATION
Most Basel Committee jurisdictions have put in place cyber-secu­
rity information-sharing mechanisms, be they mandatory or vol­
untary, to facilitate sharing of cyber-security information among
banks, regulators and security agencies. These communications
are established for multiple purposes, including helping relevant
parties defend themselves against emerging cyber-threats.
This section sets out a range of observed cyber-security
information-sharing practices among banks and regulators. For
the purpose of this report, they are divided into five categories
according to the parties involved in the sharing. Figure 24.1
illustrates the interlinkages of the five types of practices.
Overview of Information-Sharing
Frameworks Across Jurisdictions
Among the five types of cyber-security information-sharing prac­
tices, sharing among banks; sharing from banks to regulators and
■ 373
 0% 20%
Type 1 - among banks
Type 2 - bank to regulator
Type 3 - among regulators 29%
Type 4 - regulator to banks 32%
Type 5 - with security agencies
□ With information-sharing arrangement (either mandatory or voluntary, or both)
□ Without information-sharing arrangement
Fiaure 24.2 P e rce n ta g e of ju risd ictio n s w ith/w ith o u t inform ation-sharing a rra n g e m e n t.
Source: Basel Committee on Banking Supervision.
sharing with security agencies are the most commonly observed.
Sharing among regulators is the least observed type. This is partly
due to the less systematic nature of information-sharing arrange­
ments between regulators, where it can happen on an ad hoc basis
at a bilateral level or within supervisory colleges, under specific
circumstance. Figure 24.2 illustrates the adoption rate of different
types of cyber-security information-sharing, both mandatory and
voluntary, by the jurisdictions covered by this report.
Different kinds of cyber-security information are shared by
banks and regulators, including cyber-threat information,
information related to cyber-security incidents, regulatory and
supervisory responses in case of cyber-security incidents and/
or identifications of cyber-threat, and best practices related
to cyber-security risk management. Depending on the type
of arrangement, the kind of information shared varies. For
instance, information related to cyber-security incidents is more
widely observed in sharing from banks to regulators and with
security agencies, whereas cyber-threat information/intelligence
is the most common kind of information shared among banks.
Various jurisdictions have put in place certain cyber-security
information-sharing arrangements to facilitate more effective
sharing of cyber-security information by banks and regulators.
Full adoption of all types of information-sharing arrangements
within a jurisdiction is still exceptional.
That said, it was also noted that for jurisdictions with observed
practices of information-sharing among banks, there are less
observed practices of information-sharing from regulators
to banks. This is probably attributable to the lesser need for
sharing by regulators to banks if an effective peer sharing
mechanism among banks already exists. Similarly, jurisdictions
with observed practices of information-sharing from banks to
regulators display lower rates of sharing with security agencies,
374 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
40% 60% 80% 100%
75% 25%
75% 25%
71%
68%
68% 32%
potentially due to the allocation of responsibilities for cyber­
security information processing among regulators and security
agencies within a jurisdiction.
For some of the jurisdictions, both mandatory and voluntary
information-sharing arrangements are noted for the same type
of information-sharing arrangement. This is because voluntary/
mandatory sharing is sometimes applicable when different types
of information are being shared, or when information is shared
with different parties. For example, there is a mandatory require­
ment in Singapore for financial institutions to report relevant cyber­
security incidents to MAS, while cyber-threat information exchange
between MAS and the Cyber Security Agency (CSA) is voluntary.
Other types of information-sharing arrangements are observed,
which include public announcement/disclosure of information
about cyber-security incidents and cross-sector information­
sharing with public and private institutions. In particular, the range
of stakeholders involved in cyber-attacks typically includes non­
bank critical infrastructure operators, third-party service providers
and customers who could contribute to sharing information with
security agencies for further distribution to other sectors, or be
part of other setups such as a joint-industry groups.18
The remainder of this section summarises common practices
adopted by various jurisdictions, describes more specific prac­
tices adopted by individual jurisdictions and summarises key
gaps observed.
18 This "other" type of information is shown in Figure 24.3. One
example is the EBA guidelines on ICT Risk Assessment under the
Supervisory Review and Evaluation process (SREP) (EBA/GL/2017/05)
and recommendations on outsourcing to cloud service providers (EBA/
REC/2017/03), which assumed good information-sharing of IT risks
between banks and supervisors, although there was no specific require­
ment for banks to report security incidents to their supervisors.
 No of practices observed
0% 10% 20% 30% 40% 50% 60%

Cyber-threat information /
18 2 2 2 2 3
CD intelligence
E
o
Cyber-security incidents 20 5 J 4 18 6

Cyber-security regulatory
u 1| 4
Q) responses
if)

Q)
JD
Good practices 2 2
U
M—
o
“U
Other |p l
J
Type 1 - Sharing among banks □ Type 2 - Sharing from bank lo regulator □ Type 3 - Sharing among regulators
□ Type 4 - Sharing from regulator □ Type 5 - Sharing with security agencies □ Others
to banks

Fiqure 24.3 K inds of inform ation shared

Source: Basel Committee on Banking Supervision.

Sharing Among Banks
Banks share information (eg knowledge of a cyber-security
threat) with peer banks through established channels, mainly
to allow peer banks to take more tim ely action in response
to similar threats. Although there is no common standard
for automated information-sharing, regulators in most jurisdic­
tions are not directly involved in bank-to-bank inform ation­
sharing but do play a role in facilitating the establishm ent of
voluntary sharing mechanisms for cyber-vulnerability, threat
and incident information, and in some cases indicators of
com prom ise.
Some jurisdictions have established public sector platforms to
accomplish information-sharing initiatives while others have
encouraged private sector development of information-sharing
organisations. Three jurisdictions (Brazil, Japan and Saudi A ra­
bia) have mandated cyber-security information-sharing among
banks through regulations or statutes.
Outside the information-sharing and analysis centre construct,
some jurisdictions have established public/private forums or
government-led centres for information-sharing. In some juris­
dictions, local regulations on data protection are perceived to
be an obstacle to cyber-security information-sharing among
banks and may warrant a specific dialogue between banks and
their local or regional regulators.
Sharing of information and collaboration among banks depend
on the financial industry's culture and level of trust among par­
ticipants. Experience shows that a two-level information-sharing
structure through which information would be first shared on the
interpersonal level with a closer group and then be exchanged
at the company level with a broader group of banks helps build
trust into the system.
Sharing from Banks to Regulators
The sharing of cyber-security information from a bank to its
regulator(s)/supervisor(s) is generally limited to cyber-incidents
based on regulatory reporting requirements. Such requirements
are mainly established to (i) enable systemic risk monitoring
of the financial industry by regulator(s); (ii) enhance regulatory
requirements or issue recommendations by regulator(s) to adjust
policies and strategies based on information collected; (iii) allow
appropriate oversight of incident resolution by regulator(s); and
(iv) facilitate further sharing of information with industry and
regulators to develop a cyber-risk response framework.
Reporting requirements are established by different authori­
ties for specific purposes depending on their mandate (eg
supervisory and regulatory functions, consumer protection and
further distribution of information to national cyber-security
agencies for systemic operators). Incident reporting by banks
to regulator(s) is a mandatory requirement in many jurisdictions,
with different scopes of requirements and ranges of applica­
tion. For jurisdictions already enforcing the requirement in the
past, the reporting obligation has a broader operational incident
scope, including cyber-incidents. The perimeter can include all
supervised institutions but is more often limited to systemically
important institutions. Nearly all institutions regulated in the EU
are required to report cyber-security incidents to the competent
authorities. The requirements stem from supervisory frameworks

Chapter 24 Cyber-Resilience: Range of Practices ■ 375

 BOX 24.5 CASE STUDY 5: FS-ISAC - KEY FEATURES AND BENEFITS
The Financial Services Information-sharing and Analysis
Center (FS-ISAC) is a non-profit entity established in 1999 to
collect and provide financial services sector member organ­
isations with information on potential vulnerabilities as well as
timely, accurate and actionable warnings of physical, opera­
tional and cyber-threats or attacks on the national financial
services infrastructure. Its members include banks, credit
unions, insurance companies, investment companies, financial
services regulators and law enforcement entities.
In addition to the core information-sharing platform, the FS-
ISAC hosts conferences and educational seminars, conducts
sector and cross-sector contingency planning exercises, and
is an internationally recognised source for threat intelligence
information. Core elements of the FS-ISAC include:
• Rapid response: the FS-ISAC analyses and disperses
information and threat intelligence information among its
members through their proprietary real-time Critical Infra­
structure Notification System (CINS).
• Information analysis and sharing: the FS-ISAC receives
information from many sources that is verified and
(such as the Single Supervisory Mechanism (SSM) cyber-incident
reporting framework), EU directives (PSD2, NIS) and local law.
Some requirements also include the obligation to submit a root
cause analysis for the incident, or a full post-mortem or lessons
learnt after the incident.
Different scopes and perimeters may depend on the type of
authority (eg supervisors, regulators, national security) and their
mandate (ie national cyber-security agencies, consumer protec­
tion, banking supervision, etc), sector(s) involved (eg multisector
or specific: banks, significant banks, systemic operators, pay­
ment) and geographical range (eg national, multiregional). While
many of the supervisors focus only on reporting and tracking
incidents that have already taken place, some require proac­
tive monitoring and tracking of potential cyber-threats because
concerns about reputational risk may lead to a delay in incident
reporting by the regulated entity.
Based on these considerations, different reporting frameworks
are also observed. These range from formal communications to
informal communications (eg free-text updates via email or ver­
bal updates over the phone).
Differences are noted in: (i) taxonomy for reporting; (ii) reporting
time frame (immediately, after two hours, after four hours and
after 72 hours are examples of practices observed); (iii) tem ­
plates; and (iv) threshold to trigger an incident reporting. These
differences highlight the fragmentation issue facing the banks
operating in multiple jurisdictions or supervised by different
376 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
classified by type and severity. The information is then
sent out by CINS and reaches members instantly. FS-ISAC
also conducts crisis calls if necessary, and has a team
working 24/7 to analyse any incoming data and dissemi­
nate information.
• Anonymised data: Information received and disseminated
through the FS-ISAC is considered confidential and stored in
a standalone, secure portfolio so that no threat or informa­
tion can be traced back to its source by any members and all
information is anonymously shared. This makes the FS-ISAC
a safe place for its members and encourages sharing.
• Member-driven: The members of the FS-ISAC run the
organisation, tailoring it specifically for the needs of the
financial industry.
• Recognised by US Financial Services Regulators: the
Federal Financial Institutions Examination Council, a
group consisting of federal and state US financial services
regulators, has recognised the FS-ISAC as a key threat
intelligence source and recommends financial institutions
participate in its process to identify, respond to and miti­
gate cyber-security threats and vulnerabilities.
authorities, as these banks are likely to be obliged to fill in vari­
ous templates with different taxonomy, reporting time frame
and threshold. This may increase their regulatory burden, con­
suming significant resources to ensure compliance. It may be
possible for an authority with multiple functions to receive from
a bank multiple reports with distinct formats for multiple times.
All incident reporting processes have a single direction flow, by
a bank to an authority, although an informal flow back can be
used for alerting firms in case of an incoming threat. By normal­
ising the prompt exchange of information between banks and
supervisors, reciprocal flow mechanisms can help remove the
possible stigma associated with incident reporting by banks,
thereby fostering effective and timely incident reporting.
Sharing Among Regulators
Regulators share information with fellow regulators, be they
domestic or cross-border, as appropriate according to estab­
lished mandatory or voluntary information-sharing arrange­
ments. Cyber-security information shared among regulators
may include regulatory actions, responses and measures. Con­
sidering different types of cyber-security information-sharing,
information-sharing among regulators is the least observed
practice across jurisdictions, although it is expected that many
informal and ad hoc communication channels exist, such
as through supervisory colleges and memoranda of under­
standing. Cyber-fraud is becoming more sophisticated and
 BOX 24.6 CASE STUDY 6: BILATERAL CYBER-SECURITY INFORMATION-SHARING
BETWEEN THE HONG KONG MONETARY AUTHORITY (HKMA) AND THE
MONETARY AUTHORITY OF SINGAPORE (MAS)
Given the importance of facilitating more cross-border cyber­
security information-sharing, the HKMA and MAS established
a bilateral cyber-security information-sharing framework in
the first quarter of 2018.
As part of the framework, the HKMA and MAS have agreed
upon four important guiding principles and key design fea­
tures of the governance arrangement, the scope of informa­
tion-sharing, a traffic light protocol, standard taxonomy and
dedicated communication channels.
• Voluntary: Given that some cyber-security information may
be highly sensitive, the sharing of information under the
framework should be voluntary, without creating any legal
obligations for the participating authorities.
• Tim ely: The HKMA and MAS recognise that timely sharing
of cyber-security information is of paramount importance
to building an effective framework. The authorities have
therefore agreed that information about cyber-security
incidents should be shared as soon as possible to the
extent permitted by law. If a cyber-security incident is
assessed to have the potential to spread to other jurisdic­
tions, the related information should be shared within
cross-jurisdiction, and sharing of cyber-security information
among regulators could assist in maintaining awareness of the
cyber-threat situation for timely guidance to be provided to
banks to protect financial systems against cyber-frauds.
Sharing from Regulators to Banks
Information-sharing from regulators to banks occurs through
established channels, based on the information the regulator
receives both from banks and other sources. Various jurisdictions
(eg Australia, China, Korea, Saudi Arabia, Singapore, Turkey and
the US) have established clear guidance in the form of standards
and practices to enable cyber-security information-sharing by
regulators to banks. In these jurisdictions, information flows
from the bank to the regulator, and the regulator assesses the
risk to the financial industry and shares the information with the
industry, as appropriate, based on the risk assessment. In cases
where the information is sensitive (eg contains customer-specific
or bank-specific information), the regulator anonymises or sum­
marises it to allow sharing.
Regulators with a regulator to bank sharing mechanism more
readily share publicly available information such as cyber-secu­
rity risk management best practices. They use informal channels
such as industry sharing platforms (eg participation in industry
Chapter 24 Cyber-Resilience: Range of Practices
24 hours. Incomplete information about cyber-security
incidents can be shared so long as a reasonable degree of
validity has been ascertained.
• E ffe c tiv e : To ensure the efficacy of the fram ework, shar­
ing of cyber-security information should not be limited
to information related to those financial institutions
with an operation in both jurisdictions (ie unlike typical
supervisory college or memoranda of understanding,
"supervisory locus" is not required to be established).
A taxonom y was also established with reference to
the Structured Threat Information expression (STIX)
fram ework.
• C onfidential: The confidentiality of any information shared
between the authorities should be properly protected.
The framework will focus on the sharing of general infor­
mation such as the modus operandi of the attacks. The
authorities also adopted a Traffic Light Protocol (TLP) for
subsequent sharing of information.
The HKMA and MAS have been exchanging information
regarding real-life cyber-threats and cyber- security-related
regulatory responses and measures since April 2018.
forums), meetings and informal communications to disseminate
information to the banks.
In cases where non-public information is obtained by regula­
tors, the information is shared with selected parties via informal
meetings or other informal communication vehicles, so as to
preserve anonymity and confidentiality of the institution(s)/
bank(s) impacted by a cyber-attack, and maintain banks' confi­
dence and trust in the regulators generally.
Mandatory requirements for regulators to share information
with banks have only been established for a few jurisdictions (eg
China). A few other jurisdictions have put in place practices for
voluntary sharing (eg Singapore, the UK). However, many juris­
dictions have not put in place any standard practices for regula­
tors in the sharing of information with banks, nor established any
process or time frame to enable timely, risk-based information­
sharing. Classification of information could ensure that the
appropriate audience could receive the appropriate information
and help to build trust between regulators and banks.
Sharing with Security Agencies
This section examines sharing of information by banks or regu­
lators with the security agencies operating in their respective
jurisdictions.
■ 377
 BOX 24.7 CASE STUDY 7: COMPUTER SECURITY INCIDENT RESPONSE TEAMS
(CSIRTs) IN THE EU
The Network and Information Security (NIS) Directive is a
component of EU legislation with the specific objective to
improve cyber-security throughout the EU. The requirements
came into full effect on 10 May 2018. The NIS Directive
defines different obligations across the EU, one of which con­
cerns the establishment of one or more Computer Security
Incident Response Teams (CSIRTs) at national level for com­
prehensive incident management nationwide. Incident
reporting notification to national CSIRTs (directly or through a
competent authority) is mandatory for entities identified as
Operators of Essential Services (OES) and Digital Service Pro­
viders (DSP) (some banks have been included in the first cate­
gory). In some countries, competent authorities for banks
that have been identified as O E S 19 are the supervisory
authorities, while in others it can be the Ministry of Finance
or a specific government authority. The NIS Directive also
established the requirements to have a CSIRTs European net­
work (ie a dedicated network for all national CSIRTs, run by
Given that cyber-security incidents encountered by banks or
regulators could potentially be experienced by entities in other
sectors, effective communication of relevant cyber-security inci­
dents with security agencies could facilitate broader awareness
of cyber-threats in a timely manner, and enhance defensive mea­
sures against adversaries.
For jurisdictions with operations of Computer Emergency Readi­
ness Team (CERT) or similar security agencies, these agencies
may act as focal points for cyber-security incident notification.
Banks or regulators share cyber-security information with these
agencies for broader circulation of information and collaboration
with other sectors within the country (eg public sector, civilian
sector, computer community).
Jurisdictions have generally set out standards and practices
for critical infrastructure entities and regulators to share cyber­
security information with national security agencies. While
most jurisdictions adopt a voluntary approach, a few jurisdic­
tions mandate formal sharing requirements. Some jurisdictions
(eg Luxembourg, the US) have established sharing platforms
to facilitate multilateral sharing of cyber-security incident or
cyber-threat information. In the US, an online portal is available
for cyber-security information to be submitted to the National
19 As required by the NIS Directive, identification of OES should have
been completed by October 2018.
378 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
the member states, with its secretariat provided by the
European Network and Information Security Agency) with
the following competencies:
• Exchange information on services, operations and coop­
eration capabilities
• Exchange and discussing information related to incidents
and associated risks (on request, on a voluntary basis)
• Identify a coordinated response to an incident (on request)
• Providing member states support in addressing cross-
border incidents (on a voluntary basis)
• Issue guidelines concerning operational cooperation
• Discuss, explore and identify further forms of operational
cooperation (risks and incidents, early warnings, mutual
assistance, coordination)
• Discuss the capabilities and preparedness of certain
CSIRTs (on request from that CSIRT)
Cyber-security and Communications Integration Center and
the US CERT. In Luxembourg, the Computer Incident Response
Center (CIRCL) has established a Malware Information-sharing
Platform (MISP) to gather, review, report and respond to com­
puter security threats and incidents. The MISP allows organisa­
tions to share information about malware and their indicators.
The aim of this trusted platform is to help improve the counter­
measures used against targeted attacks and set up preventive
actions and detection.
For jurisdictions with mandatory requirements for cyber-security
incident information-sharing with national security agencies
(Canada, France, Singapore and Spain), the sharing arrange­
ments are bilateral in general. Instead of requiring banks or reg­
ulators to share all cyber-security incidents, these jurisdictions
require cyber-security incidents affecting key operators of critical
infrastructure to be reported.
Some jurisdictions have established procedures for relevant
information to be exchanged voluntarily and bring together
relevant parties for coordination of responses to incidents. In
the UK, the Authorities Response Fram ework can be invoked
by financial authorities to bring together the Financial Con­
duct Authority (FCA ), the Bank of England, the Treasury,
the National Crime Agency and the National Cyber-security
Centre to coordinate their response to a cyber-security
incident. Meetings and formal communications can be trig ­
gered as appropriate.
24.6 INTERCONNECTIONS WITH
THIRD PARTIES
All jurisdictions recognise the challenge of gaining assurance
of an entity's cyber-resilience, a challenge both for regulators
with regard to financial institutions, and for financial institutions
with regard to their third-party service providers. Extensive
use of third-party services increases the challenge for jurisdic­
tions and regulated institutions them selves to have full sight of
the controls in place, and the level of risk. For the purpose of
identifying the range of practices in relation to cyber-resilience,
"third parties" is understood in a broad sense, including: (i) all
forms of outsourcing (including cloud computing services);
(ii) standardised and non-standardised services and products
that are typically not considered outsourcing (power supply,
telecommunication lines, commercial hardware and software,
etc); and (iii) interconnected counterparties such as other insti­
tutions (financial or not) and FMIs (eg payment and settlem ent
systems, trading platforms, central securities depositories and
central counterparties).
Cyber-resilience practices in relation to third parties are analysed
across the following areas:
• Governance of third-party interconnections
• Business continuity and availability
• Information confidentiality and integrity
• Specific expectations and practices regarding visibility of
third-party interconnections
• Auditing and testing
• Resources and skills
Governance of Third-Party Connections
Widespread Expectations and Practices
Regulations across different jurisdictions require that insti­
tutions develop a management- and/or board-approved
outsourcing (or organisational) framework that defines the
applicable roles and responsibilities, the outsourceable activi­
ties and concrete conditions for outsourcing, the specific risks
that need to be analysed (either prior to selection of a provider
or when substantially amending/renewing an agreement) and
recurrent obligations (such as monitoring procedures or regular
risk assessments).
Regulators typically also require that institutions implement
a contractual framework, defining generic rights, obligations,
roles and responsibilities of the institution and the service pro­
vider, specifying the responsibility for reviewing, approving
Chapter 24 Cyber-Resilience: Range of Practices
and signing contracts (eg involvement of a cyber- security func­
tion), with specifications on the result (ie an official, written and
detailed contract) and the applicability of the framework (typi­
cally also for intragroup outsourcing).
The regulatory expectations on risk assessments and contracts
tend to specify in a rather comprehensive way which risks (and
mitigating measures) to cover, albeit mostly in general terms.
Next to a description of the nature of the service, the
expected results of the outsourcing, and the roles and respon­
sibilities of the service provider and the financial institution,
risk assessments and contracts are expected to include analysis
and clauses on strategic risk, compliance risk, security risk (typ­
ical areas of attention are security monitoring, patch m anage­
ment, authentication solutions, authorisation management and
data loss/breach procedures), business continuity risk, vendor
lock-in risk (the general ability of an institution to withdraw
from the service provider and to absorb the outsourced activ­
ity or transfer it to another service provider), counterparty risk
(the visibility into the service provider's organisation), country
risk, contractual risk, access risk (meaning that financial institu­
tions and/or supervisors cannot audit the third-party connec­
tion due to inadequate contractual agreements) and
concentration risk.20
Along with the outsourcing and contractual frameworks, regula­
tors typically expect that information, cyber-security and/or con­
tinuity frameworks address some crucial aspects of third-party
arrangements to ensure the availability of critical systems and
the security of sensitive data that are accessible to, or held by,
third-party service providers. These aspects include the identifi­
cation and prioritisation of interconnections, as well as the clas­
sification and response to incidents with third parties according
to service agreements and the communication of these policies
to relevant external parties.
As regards supervisory practices, the following activities appear
to be widespread:
• Intrusive on-site inspections with respect to cyber-risk in rela­
tion to outsourcing. During such inspections, the outsourcing
framework, the applicable processes and the completeness
and adequacy of specific risk assessments and contracts will
typically be reviewed.
20 "Concentration risk" in this context does not refer to the potential
systemic risk to the industry as a whole, but rather to the potential lack
of control of an individual firm over one single provider as multiple
activities are outsourced to the same service provider. These different
aspects of concentration risk are explained in Joint Forum, Outsourcing
in financial services, February 2005; and Committee of European Bank­
ing Supervisors, Guidelines on outsourcing, December 2006.
■ 379
• As part of their off-site supervision practices, most jurisdic­
tions receive periodic statements or reports that assess the
outsourcing policies and risks at the financial institution.
These reports will typically contain statements on the exis­
tence and adequacy of outsourcing policies, processes, risk
assessments and contracts.
Expectations on the Scope of the Ecosystem and
Management of Third Parties
Some international standards explicitly recognise that institu­
tions may critically depend on third-party interconnections,
other than those that are typically considered outsourcing. The
CPM I-IO SCO guidance on cyber-resilience for FMIs discusses
the identification of cyber-risks and the coordination of resil­
ience efforts from the perspective of the ecosystem of an FMI.
The ISO 27031 standard specifies requirements for hardware,
software, telecoms, applications, third-party hosting services,
utilities and environmental issues, such as air conditioning, envi­
ronmental monitoring and fire suppression.
Some jurisdictions require that financial institutions enter into
a prior agreement with their clients when they offer financial
services via the internet that involve the consultation and man­
agement of personalised data or carrying out transactions (eg
precise description and demarcation of the responsibilities of
each party in using the technologies provided or recommended
BOX 24.8 CASE STUDY 8: REGULATED/CERTIFIED THIRD PARTIES IN
LUXEMBOURG
The Luxembourg government has put in place a specific
regulation for companies that supply specialised services to
financial institutions. For these "financial sector profession­
als" (PSFs), the same regulation for authorisation and ongoing
supervision by the Commission de Surveillance du Secteur
Financier (CSSF) applies as for the financial institutions them­
selves. PSFs that exclusively offer operational services are
called support PSFs. By regulating and supervising technical,
administrative and communications-related activities, the
Luxembourg government seeks to facilitate the outsourcing
of core activities by ensuring a high quality of service and pro­
fessional confidentiality. If a financial institution is outsourcing
to a PSF, the ultimate responsibility remains with the institu­
tion, in accordance with the Committee of European Banking
Supervisors (CEBS) guidelines on outsourcing. However, in
some cases it is observed that an institution is more enticed
to neglect its monitoring and audit obligations, as it might
consider them to be performed by the supervisor.
Cloud service providers (CSPs) are not subject to this regu­
lation. The Luxembourg regulator (CSSF) defined specific
criteria for outsourcing that will be considered IT outsourcing
380 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
by the institution for the purpose of identifying and authenticat­
ing the client and validating the transactions).
In Luxembourg, authorities have put in place a specific regula­
tion for companies that supply specialised services to financial
institutions. For these "financial sector professionals", the same
regulation for authorisation and ongoing supervision applies as
for the financial institutions themselves (Box 24.8).
Consistent with the expanding scope of supervisory scrutiny
or regulated entities, in Europe legal mandates that regulate
interaction between institutions, supervisors and third-party pro­
viders are provided by the Mifid II Directive, and 12 competent
authorities can directly review third parties involved in IT ser­
vices. In addition, specific expectations for control and location
of data are starting to emerge in the form of requirements that
the location of at least one data centre for cloud computing ser­
vices provided in the country or region (eg in the EU) be identi­
fied, or data ownership, control (Australia) and location (Brazil
and France) be identified and monitored as part of the outsourc­
ing agreement. Some jurisdictions (Germany, Singapore and
Switzerland) further require a contractual clause that reserves
the right for institutions to intervene at, or give directives to, the
service provider.
Beyond the assurances required prior to engaging with third
parties, most jurisdictions also require either prior notification
based on a cloud computing infrastructure. If these criteria are
met, the specific obligations of CSSF circular 17/654 on cloud
computing apply. An institution can outsource directly to a
CSP or indirectly through a support PSF or a non-regulated
entity (which will outsource to CSP in a chain). The signatory
of the contract with the CSP can be either the financial
institution or the operator of the resources provisioned by the
CSP, who can be the support PSF or the non-regulated entity
outside of Luxembourg. Several provisions on the governance
of cloud services apply, including the appointment of a cloud
officer for the cloud resources operating entity (which can be
the institution itself or a third party).
Depending on the materiality of the activity supported by
the cloud infrastructure, the institution needs prior approval
from the CSSF. If the outsourced activities are not mate­
rial or if the cloud service contract is signed with a support
PSF, notification to the C SSF is sufficient. The C SSF circular
17/654 will be amended by abolishing the notification of
non-material outsourcing and asking all financial institutions
to set up a register containing all outsourcing in the cloud
regardless of materiality.
 BOX 24.9 CASE STUDY 9: CLOUD SERVICE PROVIDERS' REGULATORY CLOUD
SUMMITS
Some cloud service providers organise regulatory cloud sum­
mits that provide examples of how a supervisory college
model could work in practice when applied to a global tech­
nology provider.
These summits are organised with regulators and supervisors
with the objective of:
(i) holding cloud-focused discussions on the threats related
to cloud, the international regulatory landscape and the
cloud service provider's stance in this regard; and
(ii) providing the regulators with an opportunity to learn
about products, processes and practices and to discuss
approaches to supervise and gain assurance that financial
institutions using these cloud services operate in a safe
and sound manner.21
or prior authorisation of material (cloud) outsourcing activities.
To this end, jurisdictions have created questionnaires/templates
(sometimes specifically for IT outsourcing or cloud computing).
Although these are not harmonised in their coverage and met­
rics across jurisdictions, they facilitate the creation and docu­
mentation of risk assessments locally.
By focusing on the products and services themselves, new
expectations for secure development and procurement also
contribute to making regulations and practices future-proof.
In particular, specific requirements (eg regarding "internet
of things" systems in Japan) are in place for systems to be
designed, developed and operated under the principle of secu­
rity by design, considering that many individual devices, applica­
tions and systems will be interconnected in the future, providing
new opportunities and possibly introducing new vulnerabilities.
Observed Supervisory Practices
Overall, although jurisdictions' mandates to supervise third-party
service providers vary, supervisors have been using traditional
supervisory tools in order to ensure that the common expecta­
tions described above are met. Thematic exercises based on
self-assessment questionnaires to assess the cyber-security
and IT outsourcing risk of banks are a typical example. Third-
party providers can also be reviewed during on-site reviews
and inspections, either on the basis of formal requirements or
21 In addition to these summits with regulators and supervisors, these
cloud service providers typically also organise comparable summits with
their most important financial customers.
Chapter 24 Cyber-Resilience: Range of Practices
The main part of the summits is usually organised into
sessions provided by the staff of the service provider.
Typically, one session consists of a panel discussion of
regulators (chosen by the cloud service provider) that starts
a dialog with the cloud service provider's staff, after which
the discussion is opened to all regulators. Discussions are
typically not recorded, but the cloud service provider's staff
takes notes.
Regulatory summits could also be organised by regulators or
an independent body to allow examiners to understand the
products and compliance controls so as to usefully complete
their expertise and become more effective doing on-site
examinations.
authority (as is done in Hong Kong, Singapore and the US) or
based on cooperation from service providers. For example,
Australia engages with systemically important third-party service
providers which host critical systems for regulated institutions.
Periodic engagements are voluntary and focus on service provid­
ers' systemic role as opposed to their relationship with individual
institutions. This allows for a more open discussion of relevant
strategy, governance, customer engagement, controls and capa­
bilities (including those pertaining to cyber). It also can provide
useful insight into the maturity (or lack thereof) of regulated
institutions oversight practices, informing further supervisory
activities. They can also be used as a mechanism to influence the
provider regarding regulatory expectations and best practice.
In the same vein, supervisors can work directly with cloud sup­
pliers both on formal or informal grounds, to include the right
to audit in contracts for the financial industry (as in the Nether­
lands) or to take part in regulatory summits organised by major
cloud providers (including for discussions of assurance frame­
works; see Box 24.9).
Against the above findings, a "supervisory college" model to
supervise and share information about large, internationally
active service providers (particularly cloud providers) could also
be a way to address the blind spots resulting from mandate limi­
tations and regulatory fragmentation.
Business Continuity and Availability
To safeguard the availability and continuity of critical business
activities in case of exceptional events or crises (eg cyber­
attacks), regulators typically request that financial institutions
■ 381
analyse these activities,22 to design and implement appropriate
plans, procedures and technical solutions, and to adequately
test mitigating measures. The same holds true where critical
business activities depend on interconnections with third par­
ties, with regulations stressing the importance of aligning the
business continuity plans of critical suppliers (and their subcon­
tractors) with the needs and policies of the financial institution in
terms of continuity and security.
It is common practice to request that recovery and resumption
objectives be defined for critical business activities from an end-
to-end perspective23 For instance, Italy specifies that among the
risk scenarios for the continuity of systemically important pro­
cesses that are documented and constantly updated, institutions
should include catastrophic events that affect essential opera­
tors and third-party infrastructures (eg large-scale cyber-attacks).
Typical activities and services that are considered by regulators
are cloud outsourcing, settlement processes or internet services
offered to customers.
Expectations with regard to plans and procedures typically
address tasks and responsibilities in processes for incident
management and for response and recovery in case of material
disruptions, the information and communication needs from and
towards key internal and external stakeholders and the required
resources, including planned redundancy, so as to ensure the
prompt transfer of outsourced activities to a different provider
in case continuity or quality of the service provision are likely to
be affected.
Most regulators and international standards expect financial
institutions to test protective measures periodically in order to
verify their effectiveness and efficiency and make adjustments
where necessary. Advanced regulators require that tests for
critical activities are based on realistic and probable disrup­
tive scenarios, conducted at least on a yearly basis and that
service providers and significant counterparties are involved
through collaborative and coordinated resilience testing.
The analysis step typically involves a business impact assessment (BIA)
identifying the most critical activities, resources and services, their inter­
nal and external dependencies, their acceptable recovery time frames in
case of disruption, the events/scenarios (either natural or manmade) that
can affect these critical business activities and the potential impacts of a
(major) disruption.
23 The CPMI-IOSCO guidance on cyber-resilience for financial market
infrastructures, for instance, specifies that a Financial Market Infrastruc­
ture should, design and test its systems and processes to enable the
safe resumption of critical operations within two hours of a disruption
and to enable itself to complete settlement by the end of the day of the
disruption, even in the case of extreme but plausible scenarios. Some
banking supervisors have similar expectations for systemically important
functions.
382 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
These tests are typically complemented by audits and moni­
toring activities (on availability, security incidents, etc) of the
outsourcing vendors.
In terms of business continuity and availability, commonalities in
supervisory expectations and practices are observed, which are
mainly focused on the "standalone business continuity" of the
institutions. Such commonalities could provide an opportunity to
extend continuity and resilience testing to a more collaborative
and coordinated form that involves larger parts of the ecosys­
tem of a financial institution.
Information Confidentiality and Integrity
Confidentiality and integrity of information for third-party inter­
actions are commonly addressed in general data protection
requirements, through explicitly requiring contractual terms to
include confidentiality agreement and security requirements
for safeguarding the bank's and its customers' information.
In addition, banks are generally required to manage or take
appropriate steps to ensure The CPM I-IO SCO guidance on
cyber-resilience for financial market infrastructures, for instance,
specifies that a Financial Market Infrastructure should, design
and test its systems and processes to enable the safe resump­
tion of critical operations within two hours of a disruption and
to enable itself to complete settlement by the end of the day
of the disruption, even in the case of extreme but plausible
scenarios. Some banking supervisors have similar expectations
for systemically important functions, that their service providers
protect their confidential information and that of their clients.
Steps include verifying, assessing and monitoring security prac­
tices and control processes of the service provider.
A growing number of jurisdictions have cloud-specific
requirem ents, which range from requirem ents that inform a­
tion transferred to the cloud be subject to a contractual
clause and that different cloud-specific issues be considered
to ensure data security, to more specific requirem ents on
data location, data segregation, data use lim itations, security
and exit. One exam ple of data access limitation is the prohi­
bition imposed on staff of cloud service providers in Luxem ­
bourg to access a bank's data without the explicit agreem ent
of the bank and without a mechanism available to the bank to
detect and control access.
In a number of jurisdictions, regulations explicitly include
expectations that outsourcing arrangements comply with legal
and regulatory provisions on protection of personal data, con­
fidentiality and intellectual property. Evidence of more techni­
cal and operational requirements is more scattered and less
harmonised, with jurisdictions emphasising different aspects
of information confidentiality and integrity, ranging from
explicitly requiring encryption solutions for confidential data to
be under the banks' control, to regulating the transfers of data
abroad and requiring explicit client consent for data handling
by third parties.
Specific Expectations and Practices with
Regard to the Visibility of Third-Party
Connections
In many jurisdictions the supervisory authority requests to be
informed about the material outsourcing agreements made by
supervised institutions and imposes some conditions on them,
including about preserving a minimum level of visibility on the
outsourced functions by the supervised entity.
Beyond the prior notifications and authorisation processes,
supervised institutions are commonly expected to maintain an
inventory of outsourced functions and to receive regular reports
from service providers, mainly about measurements of service
level agreements and the appropriate performance of controls.
Some jurisdictions also require sub- outsourcing activities to be
visible for the supervised entities so that the associated risks can
also be managed.
Inventorying expectations can be set in relation to IT assets in
some jurisdictions, such as the identification of both hardware
and software elements together with the function they are
related to (even for outsourced functions) in Luxembourg.24
Other frameworks, such as the US FFIEC IT Examination Hand­
book and the CPM I-IO SCO guidance, focus on the connections
and information flows of financial institutions with external
parties.
The current practices inspired by the various expectations set at
national supervisory level and by international guidance play a
complementary role. While supervisory authorities' expectations
define activities that can fit into classical cyber-security fram e­
works (identify, protect, detect, respond and recover), standard
setting bodies have an organisational process-oriented
approach: for instance, ISO IEC 27036-2 addresses configuration
management, information management processes and the out­
sourcing relation termination processes, and ISACA C O BIT 5
elaborates on the implementation of an information security
management system. On the other hand, both ISO and the US
NIST framework25 recommend the identification, documentation
and categorisation of suppliers to address information security
issues, while ISACA C O B IT 4.1 and 5 recommend to identify
24 See CSSF, CSSF Circular 01/27, 23 March 2001.
25 See NIST, Framework, for improving critical infrastructure cybersecu­
rity, version 1.1, draft 2,16 April 2018.
Chapter 24 Cyber-Resilience: Range of Practices
suppliers and associated contracts and categorise them into
type, significance and criticality in order to establish a process
for their evaluation.
Analysis of supervisory expectations for the visibility of third-
party connections shows that the scope, format and content of
supervisory authorities' information requests about material out­
sourcing vary greatly across jurisdictions.
Auditing and Testing
Supervisory expectations regarding the audit of third parties
(internal and/or external) are aligned in two areas. First, the
majority of the requirements state the necessity for the super­
vised organisations to guarantee the "rights to inspect and
audit" their service providers. Some jurisdictions require that
this right be cascaded to the significant subcontractors while
other jurisdictions (France, Switzerland and Singapore) have
granted this right directly to supervisory authorities.
Second, for several jurisdictions the audit opinion on the out­
sourcing arrangements may be formed based on the report of
the service provider's external auditor. Others accept pooled
audits, organised by multiple financial institutions,26 or audits
performed by the internal audit department of a service pro­
vider, under the condition that the audit department comply
with certain regulatory conditions. Some jurisdictions specify
that these independent reports should be based on widely rec­
ognised standards or be performed by auditors with adequate
skills and knowledge.
Current regulations focus on traditional outsourcing and, in
some cases, cloud computing providers. The scope of the
requirements for "rights to inspect and audit" critical third par­
ties is nonetheless still focused on the strict banking sector.
Shared and independent audit reporting on the critical intercon­
nections with third parties could therefore facilitate the audit
approach effectiveness and efficiency.
As regards testing of the security requirements for outsourcing
and cloud computing providers, although institutions are
generally required to monitor their providers' com pliance,
most regulations are not aligned in term s of how compliance
should be verified or tested. One possible method is the
application of supervisor-led or bank-led (intelligence-based)
red teaming exercises focused on interconnections. In the
EU, the scope of the TIBER-EU test appears to include the
institution's critical functions that are outsourced to third-party
service providers.
26 As an example, a group of eight European financial institutions per­
formed a joint audit in June 2018 of a common cloud service provider.
■ 383
Resources and Skills
The Basel Committee's S o u n d P ractices: Im plications o ffin te c h
d evelo p m en ts fo r banks and bank su pervisors, published in
February 2018, indicate that banks may require specialist com­
petencies to assess whether their risk functions are capable of
maintaining effective oversight of the emerging risks posed by
new technologies.
This topic is usually covered by the broader outsourcing and
management processes, with the expectation that the relevant
personnel have the necessary expertise, competencies and qual­
ifications to effectively monitor outsourced services or functions
and are able to manage the risks associated with the outsourc­
ing beyond the mere compliance dimension.
Regulators expect that institutions contract sufficient and quali­
fied personnel to ensure continuity in managing and monitoring
outsourced services or functions, even if key personnel leave the
institution or become otherwise unavailable. When institutions do
not have internal resources sufficient in know-how or number, the
general expectation is that external experts or technical resources,
such as consultants or specialists, would be proactively identified
to complement or supplement in-house personnel. In Belgium,
384 Financial Risk Manager Exam Part II: Operational Risk and Resiliency
institutions are required to provide a monitoring and replacement
plan for employees who are crucial for ensuring the proper func­
tioning of the critical activities, services and resources and who are
difficult to replace due to their specific expertise and limited num­
ber. Even beyond the supervised institution personnel, institutions
should also provide documentation to clients of financial internet
services on security awareness and responsibilities with regard to
their secure use to strengthen those connections.
As with the regulatory expectations, supervisory practices
mostly reflect commonalities, as the assessment of human
resources and qualifications for managing third-party connec­
tions and relationships is usually done during on-site inspec­
tions. In those jurisdictions where financial supervisors have the
authority to examine third parties directly, they assess the suffi­
ciency and qualifications of staff at the third parties, and expect
the third parties to perform appropriate background checks.
Personnel who are Certified Information Systems Security Pro­
fessionals or an organisation that conforms to the ISO 9001
Quality Management System could provide additional assurance
that personnel have the necessary competencies to manage
third-party connections.
Operational
Resilience: Impact
Tolerance for
Important Business
Services
Learning Objectives
After completing this reading you should be able to:

Describe an impact tolerance; explain best practices and
potential benefits for establishing the impact tolerance for
a business service.
Provide examples of important business services and
explain criteria that firms should use to determine their
important business services.
Explain tools and processes, including mapping and
scenario testing, that financial institutions should use to
improve their operational resilience and remain within
their impact tolerance.
Describe the governance of an operational resilience
policy, including the relationships between operational
resilience and a firm's risk appetite, impact tolerance,
continuity planning, and outsourcing to third-party
providers.

E x c e rp t is rep rin ted from Operational Resilience: Impact Tolerances for Important Business Services, March 2021, by perm ission o f
the Bank o f England and the Financial C o n d u ct A uthority. This article is a reprodu ction o f a discussion paper, seekin g view s from
sta keh old ers, and d o e s n ot rep re se n t current Bank o f England, Prudential Regulation A u th ority or Financial C o n d u ct A u th ority policy.
25.1 INTRODUCTION
1.1 This paper is issued jointly by the Prudential Regulation
Authority (PRA), the Financial Conduct Authority (FCA), and the
Bank of England ('the Bank') in its capacity of supervising finan­
cial market infrastructures firms (FMIs), collectively 'the supervi­
sory authorities'.
1.2 A key priority for the supervisory authorities is to put in
place a stronger regulatory framework to promote the opera­
tional resilience of firms and FMIs. To this end, the supervisory
authorities published a joint Discussion Paper on Operational
Resilience in 2018 setting out an approach to operational resil­
ience. Following this, the supervisory authorities published a
suite of consultation documents ('the consultations') in
December 2019 to embed this approach into policy.1
1.3 The proposals were designed to improve the operational
resilience of firms and FMIs and protect consumers, the wider
financial sector and UK economy from the impact of operational
disruptions. The consultations proposed requirements and
expectations for firms and FMIs to:
• identify their important business services by considering how
disruption to the business services they provide can have
impacts beyond their own commercial interests;
• set a tolerance for disruption for each important business ser­
vice (an impact tolerance); and
• ensure they can continue to deliver their important business
services and are able to remain within their impact tolerances
during severe (or in the case of FMIs, extrem e)1
2 but plausible
scenarios.
1.4 The supervisory authorities' approach to operational resil­
ience is based on the assumption that disruptions will occur,
which will prevent firms and FMIs from operating as usual,
and result in them being unable to provide their services for a
period. The supervisory authorities consider that many firms and
FMIs currently may not sufficiently plan on the basis that disrup­
tions will occur, and therefore would not be able to manage
effectively when they do. The aim of the policy that the super­
visory authorities proposed is to ensure that firms and FMIs do
this planning and deliver improvements to their operational
resilience to ensure they are able to respond effectively if a dis­
ruption does occur.
1.5 The supervisory authorities received an excellent level of
engagement with the consultations. Overall, respondents were
supportive of the approach set out in the proposals.
1.6 A major theme from the feedback was respondents ask­
ing for more detail on how they might apply the proposals
and clearer definitions. Respondents suggested that such an
386 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
approach would make the policy clearer to implement and
enable more consistent supervision. The supervisory authorities
agree that a common understanding of the key principles of
the policy is important, and each authority has provided more
explanation and examples of how they expect the policy to be
implemented, where relevant.
1.7 However, the supervisory authorities believe that there
are benefits in maintaining an outcomes-based approach. An
important business service for one firm or FMI may not be
appropriate for another. Firms and FMIs may arrive at different
impact tolerances for similar business services due to differences
in the nature and scale of their client bases. The authorities
believe that encouraging boards and senior management to
make judgements in the selection of their important business
services and the setting of impact tolerances will facilitate bet­
ter decision-making as firms and FMIs build their operational
resilience.
1.8 While the final policy is not overly prescriptive in terms of
defining lists of important business services and setting specific
impact tolerances, the supervisory authorities expect best prac­
tice will emerge over time, and will take a close interest as it
develops. The supervisory authorities encourage firms and FMIs
to view the policy as a proportionate minimum standard and
develop their approach based on this standard. Both firms and
FMIs and the supervisory authorities will learn as firms and FMIs
put the policy into practice.
1.9 In this document, the supervisory authorities summarise fur­
ther common responses to the policy proposals and their policy
decisions.
1.10 It should be noted that each supervisory authority received
other comments which were more exclusively relevant to that
supervisory authority, and these have not been addressed in this
joint document. Those comments and the particular detail of
each supervisory authority's approach are instead covered in the
respective supervisory authorities' documents.3
1 PRA CP29/19 'Operational resilience: Impact tolerances for important
business services', FCA CP19/32: Building operational resilience: impact
tolerances for important business services and feedback to DP18/04,
Bank CP 'Operational Resilience: Central counterparties', Bank CP
'Operational Resilience: Central securities depositories', and Bank CP
'Operational Resilience: Recognised Payment Systems and Specified
Service providers'.
2 Note: for FMIs the terminology 'extreme but plausible' is used to avoid
confusion with other parts of their supervisory approach.
3 Available at: PRA PS6/21: Operational resilience: Impact tolerances
for important business services; Bank of England policy on Operational
Resilience of FMIs; FCA PS21/3 'Building operational resilience'.
25.2 IMPORTANT BUSINESS SERVICES
Overview
2.1 The consultations proposed that firms and FMIs would be
required to identify and prioritise the services that, if disrupted,
would impact the supervisory authorities' objectives and thereby
the public interest as represented by those objectives. These
were termed important business services. This represented a
shift away from thinking about the resilience of individual sys­
tems and operational resources to considering the continuity of
the services that firms and FMIs provide to their external end
users, customers, or participants.
Internal Services
2.2 A number of respondents asked for clarity as to whether
internal services were included within the definition of important
business service. Firms suggested that, if disrupted, internal ser­
vices such as human resources or payroll might have significant
impact on the ultimate delivery of services to external end users,
customers, or participants.
2.3 In the final policy, the supervisory authorities have set out
that internal services such as human resources or payroll should
not be identified as an important business service. These services
constitute enablers of the important business service. The policy
is focused on delivery of specific outcomes or services to exter­
nal end users. The supervisory authorities are therefore requiring
firms to prioritise work to build the operational resilience of those
important business services. Firms should identify the most critical
services and consider what is required for delivery. The supervi­
sory authorities consider that the most critical parts of the chain
should be operationally resilient. If internal services were defined
as important business services on a standalone basis, this would
expand the coverage of the policy, and could reduce focus on
the most important external services. The supervisory authori­
ties believe it appropriate to set minimum expectations on these
external services, but firms can expand on this should they so wish.
2.4 To provide further clarity for firms and FMIs, in some cases
the supervisory authorities have included examples in the policy
documents to illustrate where activities performed by internal
services within a firm would need to be included in the chain of
activities for the delivery of their important business services.
Definitions
Aligning definitions between supervisory authorities
2.5 The supervisory authorities set out definitions for terms
including important business services and impact tolerances in
Chapter 25 Operational Resilience: Impact Tolerance for Important
their respective consultations. These definitions were intended
to provide clarity in relation to the terms in line with the respec­
tive authorities' objectives.
2.6 Some respondents commented that the use of different
wording within the definitions caused some confusion and that
greater harmonisation between the supervisory authorities was
needed.
2.7 Following the responses, the supervisory authorities have
made some changes to clarify and better align the definitions
where possible.
2.8 Differences in the definitions are driven by a number of rea­
sons, including differing objectives and legal frameworks, but
the PRA and the FC A consider that the respective outcomes
and policies are aligned. For firms regulated by the PRA and the
FCA , the supervisory authorities expect that work done to meet
the requirements of one regulator should be leveraged to meet
those of the other, and would encourage firms to avoid dupli­
cative work. An example of where differences remain include
where the PRA has chosen to use the word 'person' rather than
'client' in order to align with the language used in the PRA Rule-
book; however, the FC A is not subject to this constraint.
2.9 To provide greater harmonisation between the supervisory
authorities and to ensure third parties are captured in the policy,
the PRA has added 'services provided by a firm, or by another
person on behalf of the firm' to their definition of an 'important
business service'.
2.10 The supervisory authorities have a shared goal of main­
taining financial stability, which is reflected in their respective
definitions of 'important business service'. The PRA's and FCA's
objectives are defined in the Financial Services and Markets
Act 2000 (FSMA). The PRA seeks to promote the safety and
soundness of the firms it supervises, and contribute to securing
an appropriate degree of protection for those who are or may
become insurance policyholders. The PRA also has a secondary
competition objective.
2.11 The FC A has a strategic objective to ensure relevant mar­
kets work well. To advance its strategic objective, the FCA has
three operational objectives: to secure an appropriate degree of
protection for consumers, to protect and enhance the integrity
of the UK's wider financial sector, and to promote effective com­
petition in the interests of consumers. This is reflected in part (1)
of its definition of 'important business service'.
2.12 Where definitions for important business services have
been updated, these are detailed in the table below. The areas
which have been amended are underlined. The PRA definitions
are in the Operational Resilience Parts of the PRA Rulebook, and
the FCA definitions are in the Glossary of the FCA Handbook.
Services ■ 387
 Term PRA4
Important Business a service provided bv a firm, or bv another person
Service on behalf of the firm, to another person which, if dis-
rupted, could pose a risk to:
(1) (where the firm is an O-SII/where the firm is a rel­
evant Solvency II firm) the stability of the UK financial
system;
(2) the firm's safety and soundness; or
(3) (for Solvency II firms) an appropriate degree of
protection for those who are or may become the firm's
policyholders.
FCA
means a service provided by a firm, or by another
person on behalf of the firm, to one or more clients
of the firm which, if disrupted, could:
(1) cause intolerable levels of harm to anv one or
more of the firm's clients; or
(2) pose a risk to the soundness, stabilitv or resil-
ience of the UK financial system or the orderly
operation of the financial markets.

25.3 IMPACT TOLERANCES not mandate that all important business services should have
separate impact tolerances set.

Overview
3.1 The consultations proposed that firms and FMIs would be
expected to set an impact tolerance for each of their important
business services. The impact tolerance would measure the
maximum tolerable level of disruption to an important business
service.
Impact Tolerances for PRA-FCA
Dual-Regulated Firms
3.2 The PRA and FC A issued a joint covering document accom ­
panying their consultation papers. This explained that if the
same business service is defined as an important business
service under both PRA and FC A rules, the firm should have
separate impact tolerances in consideration of the objectives
of the two supervisory authorities.5 The PRA and FC A set out
that the separate impact tolerances may be the same or they
may differ.
3.3 The PRA and FC A received responses that setting separate
impact tolerances for dual-regulated firms would be impractical
and burdensome. Respondents requested more detail on the
expected action firms should take to ensure they can remain
within both tolerances. Some requested that the authorities do
3.4 The PRA and FCA would like to emphasise that, if appro­
priate, a firm may set its PRA impact tolerance for a given
important business service at the same point as its FC A impact
tolerance or vice versa. The PRA and FC A expect that work
done to meet the requirements of one regulator should be lev­
eraged to meet those of the other, and encourage firms to avoid
duplicative work. The PRA and FCA view the design and goals
of their respective policies as the same.
3.5 However, each supervisory authority must construct their
policy in such a way as to advance their own statutory objec­
tives. For this reason, the policy approaches of the supervisory
authorities have not changed.
3.6 The PRA and FCA expect firms to understand whether the
scenarios that may cause firms to exceed their respective PRA
and FCA impact tolerances would differ (whether or not those
impact tolerances are aligned) and to take action to remain
within impact tolerances.
3.7 The PRA and FCA understand that in practice firms
may concentrate their efforts in ensuring they can remain within
the more stringent tolerance. Therefore, the final policies
state that taking action to ensure firms can remain within
the more stringent tolerance will be acceptable if a firm can
demonstrate:

(i) how they have considered each of the PRA and FCA's objec­
tives when setting their impact tolerances;

(ii) how their recovery and response arrangements are also

appropriate for the longer impact tolerance (recovery and
4 This table summarises the important business services definitions for response arrangements must be viable for both shorter and
CRR and Solvency II firms set out in the Operational Resilience Parts.
longer time periods); and
5 December 2019: https://www.bankofengland.co.uk/prudential-
regulation/publication/2018/building-the-uk-financial-sectors- (iii) that scenario testing has been performed with the longer
operational-resilience-discussion-paper. impact tolerance in mind as a shorter impact tolerance might

388 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
 constrain the universe of severe but plausible events a firm
might consider.
Disruption to Multiple Business Services
3.8 The consultations proposed that firms set an impact toler­
ance for each of their important business services.
3.9 The supervisory authorities received responses commenting
that their respective statutory objectives are more likely to be
impacted by a disruption to multiple business services rather
than by significant disruptions to individual important business
services.
3.10 Having considered the responses, the supervisory authori­
ties are retaining the requirement, as proposed, for impact toler­
ances to be set for individual important business services. Firms
and FMIs should understand the maximum amount of time for
which disruption to an important business service can be toler­
ated, or a point in time beyond which disruption cannot be tol­
erated. This will provide clarity for firms and FMIs on how they
should act to remain within these tolerances.
3.11 However, the supervisory authorities also recognise that
disruptions to multiple important business services could signifi­
cantly compound the impacts of disruptions. Therefore, the pol­
icy has been amended to include an expectation for firms and
FMIs to take into account the impact of failure of other related
important business services when setting impact tolerances for
an individual important business service. These may be related
because, for example, they share common resources which sup­
port the delivery of the important business services or where
simultaneous disruption could have compounding impacts on
similar external end users, customers, or participants. The super­
visory authorities expect firms to take a proportionate approach
in making this assessment, and only to consider extra layers of
complexity where there are significant benefits in terms of build­
ing operational resilience.
Measuring Impact Tolerances
3.12 When defining impact tolerances for important business
services, the consultations proposed that firms and FMIs would
be required to, at a minimum, specify the length of time for
which a disruption to that important business service or impor­
tant group business service can be tolerated (ie use a 'time-
based' metric for all impact tolerances).
3.13 Some respondents raised concerns that requiring a time-
based metric for all impact tolerances could result in firms and
FMIs treating impact tolerances as a compliance exercise.
Chapter 25 Operational Resilience: Impact Tolerance for Important
3.14 The supervisory authorities acknowledge the concerns of
the respondents. The supervisory authorities consider that the
use of a time-based metric is necessary to ensure that firms plan
around the continuity of important business services, and ensure
that there are contingency plans in place to limit the extent
of disruption. This common approach to all impact tolerances
would also enable a minimum level of consistency - an idea that
was supported by respondents' comments. However, the super­
visory authorities also understand the importance of considering
other metrics depending on the type of the important business
service in question.
3.15 The supervisory authorities would like to clarify that a time-
based metric can be defined in different ways and, where appro­
priate, must be used in conjunction with other metrics. The
impact tolerance should specify that a particular important busi­
ness service should not be disrupted beyond a certain period
of or point in time. As an example, this could be a number of
hours/days or a point in time, such as the end of the day, in
conjunction with, for example, a certain level of customer com­
plaints or volume of interrupted transactions.
Definition of Impact Tolerances Between
Supervisory Authorities
3.16 The supervisory authorities proposed definitions for impact
tolerances in their respective documents. These definitions were
intended to provide clarity in relation to the term in line with the
respective supervisory authorities' objectives.
3.17 A number of respondents commented that the lack of
consistency between the definitions caused some confusion and
that greater harmonisation between the supervisory authorities
was needed.
3.18 Following these responses, changes have been
made to align the definitions where possible. Some differences
in the wording of the definitions remain to reflect the
differing objectives and legal frameworks of the supervisory
authorities.
3.19 Where definitions for impact tolerances have been
updated, these are outlined in the table below and are reflected
in the final rules. The FC A has, in line with amendments to the
'important business service' definition, made a correspond­
ing change to its definition of 'impact tolerance' to remove
the reference to 'intolerable' risk. The areas which have been
amended have been underlined in the table below. The PRA
definitions are in the Operational Resilience Parts of the PRA
Rulebook, and the FC A definitions are in the Glossary of the
FCA Handbook.
Services ■ 389
 Term PRA
Impact Tolerance The maximum tolerable level of disruption to an
important business service or an important group
business service as measured bv a lenath of time in
addition to anv other relevant metrics.
------------------------------------y----------------------------------------------------------
25.4 IMPLEMENTATION TIMELINE
4.1 The consultations proposed that firms and FMIs would have
12 months from the publication of final policy to implement the
policy. At the time of consultation, the proposed implementa­
tion date for the proposals was the second half of 2021. The
consultation period was subsequently extended by six months
in response to the Covid-19 pandemic. The consultations also
proposed that firms and FMIs would be required to ensure they
could remain within their impact tolerances in the event of a
severe but plausible disruption to operations. The proposed
rules would have required firms and FMIs to meet this latter
outcome within a reasonable time, but no later than three years
after the policy came into force.
4.2 A number of respondents enquired as to whether there
would be flexibility within the timelines for implementation.
Firms and FMIs queried if mapping and testing should also be
completed in these 12 months, suggesting they are resource
intensive and may be difficult to implement within such time-
frame. Respondents also requested flexibility around remaining
within impact tolerances, citing that operational resilience is not
an end-state and that remediating operational shortfalls can
take significantly longer than three years.
4.3 Firms and FMIs will need to have identified their important
business services and set impact tolerances by Thursday 31
March 2022. In order to achieve this, and to identify any vulner­
abilities in their operational resilience, firms and FMIs should
have mapped their important business services and commenced
a programme of scenario testing. Firms and FMIs are not
expected to have performed mapping and scenario testing to
the full extent of sophistication within this time. Both mapping
and scenario testing are ongoing processes, and firms and FMIs
are expected to perform them at varying levels of sophistication
over time. The supervisory authorities expect that firms' and
FMIs' approach to both mapping and scenario testing should
evolve over time.
390 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
FCA
means the maximum tolerable level of disruption
to an important business service, as measured by
a lenqth of time in addition to any other relevant
metrics, reflecting the point at which any further
disruption to the important business service could
cause intolerable harm to anv one or more of the
firm's clients or pose a risk to the soundness, stabil­
ity, or resilience of the UK financial system or the
orderly operation of the financial markets.
4.4 Senior management are expected to take responsibility for
delivering the policy outcomes. Firms and FMIs are expected to
have a strategy or plan which sets out how they will comply with
the supervisory authorities' requirements and expectations. In
order for the strategy to be effective, it should be put into effect
before Thursday 31 March 2022.As part of the strategy or plan,
firms and FMIs should prioritise their efforts on mapping and
scenario testing so that they will be able to identify vulnerabili­
ties in sufficient time so that measures can be taken to remedi­
ate them. Firms and FMIs, particularly larger more complex
ones, will need to make choices and prioritise with the ultimate
goal of delivering the outcomes of the policy.
4.5 The speed at which vulnerabilities are remediated should be
commensurate with the potential impact that a disruption would
cause, and will be an area of supervisory focus.
4.6 After Monday 31 March 2025, maintaining operational
resilience will be a dynamic activity. By this point, firms and
FMIs should have sound, effective, and comprehensive strate­
gies, processes, and systems that enable them to address risks
to their ability to remain within their impact tolerance for each
important business service in the event of a severe but plausible
disruption (or extreme disruption).
4.7 In the early stages of the Covid-19 pandemic, the supervi­
sory authorities decided to postpone the consultation close date
to Thursday 1 October 2020. In light of this, the supervisory
authorities have maintained the same timeline (12 months fol­
lowed by three years), but the date the timeline starts has been
pushed back. The policy will take effect on Thursday 31 March
2022 with a fixed three year implementation timeline within
which the policy will become fully operational.
4.8 The supervisory authorities have considered the implemen­
tation timelines carefully and consider that there is urgency for
firms and FMIs to build and prioritise their operational resilience
as soon as reasonably practicable. The supervisory authorities
further believe they are being proportionate and flexible in their
expectation for firms and FMIs to propose to their supervisors
what a 'reasonable time' is for them to comply with operational
resilience requirements.
25.5 DELIVERING OPERATIONAL
RESILIENCE
Overview
5.1 The policy requires firms and FMIs to set, and take actions
to meet, standards of operational resilience that incorporate the
public interest as represented by supervisory authorities' objec­
tives. Firms and FMIs should focus on their important business
services and ensure they have the ability to remain within impact
tolerances in severe but plausible (or extreme) scenarios. Firms
will be required to map the resources, people, processes, tech­
nology and facilities necessary to deliver important business ser­
vices, irrespective of whether or not they use third parties in the
delivery of these services, and test their ability to remain within
their impact tolerances.
Mapping
5.2 The consultations proposed that a firm or FMI would be
required to identify and document the necessary people, pro­
cesses, technology and information required to deliver each of
its important business services. In particular, it was proposed
that mapping should enable firms and FMIs to deliver the fol­
lowing outcomes:
(i) identify vulnerabilities in delivery of important business
services within an impact tolerance; and
(ii) test their ability to remain within impact tolerances.
5.3 Some firms and FMIs responded requesting that the super­
visory authorities set out further detail on these expectations
through a proportionate approach. The supervisory authorities
consider that the most proportionate and effective approach is
maintaining the outcomes-based approach. Firms and FMIs are
expected to meet these outcomes in ways most appropriate for
their circumstances. The supervisory authorities expect firms and
FMIs to take ownership of how mapping may fit into their exist­
ing approaches and how they could use it to identify vulnerabili­
ties. In supervising the policy, the supervisory authorities expect
firms and FMIs to meet the outcomes of the policy proportion­
ate to their size, scale, and complexity.
5.4 Some firms and FMIs requested clarity on identifying sub­
outsourcing dependencies through mapping. The supervisory
authorities note that the policy does not prescribe this level
of mapping. However, firms and FMIs should understand the
Chapter 25 Operational Resilience: Impact Tolerance for Important
reliance placed on sub-outsourcing arrangements, and if these
arrangements pose a threat to their operational resilience. Firms
and FMIs should, at a minimum, monitor sub-outsourced pro­
viders involved in the provision of important business services,
including their ability to deliver the firm's important business
services within the firm's impact tolerances.
Scenario Testing for PRA-FCA
Dual-Regulated Firms
5.5 Under the final policy, firms will be required to document a
self-assessment of their compliance with the policy. Firms are
expected to:
• summarise the vulnerabilities they have identified to the
delivery of their important business services; and
• outline the scenario testing performed and the findings from
the tests.
5.6 In addition to the above, the FCA has set an expectation for
firms to conduct 'lessons learned' exercises to identify, prioritise
and invest in their ability to respond and recover from disrup­
tions as effectively as possible.
5.7 Firms indicated that the introduction of the additional con­
cept of undertaking a 'lessons learned' exercise during scenario
testing in the FCA's consultation was not drawn out specifically
in PRA proposals. The respondents requested that the supervi­
sory authorities use consistent terminology in this regard.
5.8 To provide consistency in the terminology used across the
supervisory authorities, the PRA has amended its policy to
include an expectation for firms to include 'lessons learned'
within their self-assessment document. Firms should identify any
lessons learned when undertaking scenario testing or via practi­
cal experience, and include the actions taken to address the
risks in their self-assessment document.
Severe/Extreme But Plausible Definition
5.9 The policy sets out that firms and FMIs should articulate spe­
cific maximum levels of disruption, including time limits within
which they will be able to resume the delivery of important busi­
ness services following severe but plausible disruptions. Firms and
FMIs are also required to take action to ensure they remain within
impact tolerances in severe/extreme but plausible scenarios. In
the case of FMIs, the terminology 'extreme but plausible' is used
to avoid confusion with other parts of their supervisory approach.
5.10 A number of firms and FMIs asked for clarity regarding the
'severe/extreme, but plausible' scenarios, and requested a defi­
nition be set out in the policy.
Services ■ 391
5.11 To allow flexibility for firms and FMIs in their approach to
operational resilience, the final policy expects that firms and
FMIs identify the severe/extreme but plausible scenarios they
use for testing. When setting severe/extreme but plausible sce­
narios, firms and FMIs could consider previous incidents or near
misses within the organisation, across the financial sector and
in other sectors and jurisdictions. A testing plan should include
realistic assumptions and evolve as the firm learns from previous
testing.
5.12 The supervisory authorities see this area as one where
the interest of firms and FMIs and the supervisory authorities
should be aligned - if a firm or FMI chooses scenarios that are
insufficiently severe/extrem e, boards and senior management
might be taking inappropriate risks with the running of their
businesses. The nature and severity of scenarios it is appropriate
for firms to use may vary according to their size and com plex­
ity. As a result, the policy does not include detailed guidance.
However, the supervisory authorities anticipate that this will be
a common area for supervisory discussion, including developing
an understanding of how and why scenarios have been selected.
The supervisory authorities expect best practice to develop over
time and that both firms and FMIs, and the supervisory authori­
ties will learn more over time.
Review of Testing
5.13 The consultations proposed that firms and FMIs would be
required to carry out regular scenario testing of their ability to
remain within their impact tolerances for each of their important
business services in the event of a severe but plausible disrup­
tion of their operations.
5.14 A number of firms and FMIs requested clarity on the
extent, level and nature of testing on a regular basis as pro­
cesses mature over time. Other respondents suggested that
regular testing could be too burdensome and have requested a
review of the requirement.
5.15 While the supervisory authorities agree that testing should
not become unduly burdensome, the supervisory authorities con­
sider that the process of reviewing mapping at least annually and
testing regularly is required for firms and FMIs to better under­
stand their systems and identify any vulnerabilities that need
remediation. Where appropriate, the supervisory authorities have
set out their expectations in their respective policy documents.
5.16 The final policy expects firms and FMIs to prioritise and
narrow their scenarios appropriately to ensure effective testing
that is not unduly burdensome. Firms and FMIs will also need to
test regularly their ability to remain within impact tolerances in
severe/extreme but plausible scenarios. The final policy states
392 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
that supervisory authorities would also expect firms and FMIs to
update their mapping annually at a minimum, or following sig­
nificant change if sooner.
Self-Assessment Templates and Guidance
for PRA-FCA Dual-Regulated Firms
5.17 The consultations proposed an expectation for firms to:
summarise the vulnerabilities they have identified to the delivery
of their important business services; and outline the scenario
testing performed and the findings from the tests. Firms would
need to indicate what actions are planned to improve their abil­
ity to remain within impact tolerances and demonstrate that the
timing for these is reasonable and in proportion to the systemic
importance of the firm's important business service. The PRA
and FCA define this documentation as self-assessment.
5.18 Respondents requested additional guidance or a template
for the self-assessment process. Firms also requested further
clarity on the level of detail required for the document.
5.19 The PRA and FC A consider that firms should undertake
bespoke self-assessments which reflect their individual impor­
tant business services and scenario testing. A self-assessment
should document the necessary information to make decisions
required to meet the outcomes of the policy. The level of detail
should therefore be appropriate for the decisions firms will
make. Setting exact minimum standards would not be propor­
tionate given the differences in the structures of individual firms.
Outsourcing and the Use of Third Parties
5.20 The consultations proposed that firms and FMIs would be
required to map their important business services and test their
ability to remain within impact tolerances for the purposes of
building operational resilience. This would be expected regard­
less of whether the operational resources are being provided
wholly or in part by a third party. Mapping and testing on third
parties is necessary for the firm or FMI and the supervisor to
obtain an accurate understanding of their operational resilience.
5.21 Some respondents raised concerns relating to third party
suppliers which may be reluctant to share information necessary
for mapping and testing, particularly where some firms have low
negotiating power in relation to large suppliers.
5.22 The supervisory authorities expect that the level of assur­
ance firms and FMIs receive from third party suppliers relating
to important business services should be proportionate to the
size and complexity of the firm or FMI and reflect the materiality
and risk of the outsourcing and third party arrangement. Firms
that enter into outsourcing or third party arrangements remain
fully accountable for complying with all their regulatory obliga­
tions. As part of their assurance, firms or FMIs may ask third par­
ties to provide mapping or scenario testing data but this is not
required in all cases, particularly if other assurance mechanisms
are effective and more proportionate.
25.6 INTERNATIONAL ALIGNMENT
6.1 A number of respondents commented on the UK's proposals
differing from international approaches. They also asked for clar­
ification regarding the differing terminology and the relationship
to potential international standards, such as those being devel­
oped by the Basel Committee on Banking Supervision (BCBS).
6.2 The supervisory authorities recognise the global and inter­
connected nature of firms and FMIs and the importance of
supervisory coordination, and are committed to working closely
with other regulators to ensure that supervisory approaches on
operational resilience are well coordinated.
6.3 In August 2020 the BCBS published its consultation on prin­
ciples for Operational Resilience.6 The UK's supervisory authori­
ties have made a significant contribution to drafting these
principles, using insights gained from developing their domestic
policy proposals.
6.4 Comparing their policy with the BCBS consultation, despite
some differences in terminology, the supervisory authorities
consider that there is alignment on the core principles:
• a distinction between operational risk and operational
resilience;
• operational resilience as an outcome, that firms and FMIs
continually need to work towards;
• the importance of operational resilience for both financial
stability and the safety and soundness of firms and FMIs;
• the concept of a risk or impact tolerance to define what
might be acceptable that does not assume zero failure; and
• the use of scenario testing to assure resilience.
6.5 The UK's supervisory authorities will continue to engage
with international policy development processes. It is realistic to
assume that there will be local differences in implementation.
And it is reasonable that different jurisdictions will have different
views on what they consider critical or important. But as long as
the principles are aligned, the supervisory authorities consider
firms and FMIs and their supervisors should be able to work
effectively across borders.
6 CBS Principles for operational resilience (https://www.bis.org/bcbs/
publ/d509.pdf).
Chapter 25 Operational Resilience: Impact Tolerance for Important
25.7 CONCLUSION
7.1 The supervisory authorities are grateful for the consultation
feedback in developing the operational resilience policy. They
are encouraged by the high level of engagement they have
received from industry and consumers.
7.2 The supervisory authorities expect firms to begin imple­
menting the policy requirements in line with the timeline as set
out in paragraphs 4.3 to 4.8 above. The final policy is now set
out in the individual supervisory authorities' policy documents,
which are detailed below:
• PRA - PS6/21: 'Operational resilience: Impact tolerances for
important business services';
• FC A - PS21/3 'Building operational resilience'; and
• Bank - Bank of England policy on Operational Resilience of
FMIs.
7.3 Identifying important business services and setting impact
tolerances will be the first steps in the new framework for opera­
tional resilience. The supervisory authorities recognise there
will be more to learn as the supervisory authorities and industry
progress on the shared goal of operational resilience.
7.4 The supervisory authorities have found that collaboration
with firms, FMIs, security, and other public and private sector
organisations provides a constructive approach to promoting
operational resilience. They intend to continue this strategy,
working with other organisations in both authority-led and
industry fora. The supervisory authorities believe that coopera­
tion in this area is vital to achieving good operational resilience
outcomes.
APPENDIX 2
A2.1 INTRODUCTION
1.1 This Supervisory Statement (SS) sets out the Prudential
Regulation Authority's (PRA) expectations for the operational
resilience of firms' important business services, for which they
are required to set impact tolerances. The policy objective is to
improve the resilience to operational disruptions of both firms
and the wider financial sector.
1.2 The policy addresses risks to operational resilience from the
interconnectedness of the financial system and the complex and
dynamic environment in which firms operate. The PRA consid­
ers that there is a need for a proportionate minimum standard
of operational resilience that incentivises firms to prepare for
disruptions and to invest where needed. Disruptions can affect
Services ■ 393
firms' safety and soundness, undermine policyholder protection,
and, in some cases, affect financial stability.
1.3 This SS is relevant to all:
• UK banks, building societies, and PRA-designated investment
firms (hereafter banks); and
• UK Solvency II firms, the Society of Lloyd's, and its managing
agents (hereafter insurers).
1.4 Banks and insurers are collectively referred to as 'firms' in
this SS.
1.5 Operational resilience in this SS refers to the ability of firms
and the financial sector as a whole to prevent, adapt, respond
to, recover from, and learn from operational disruptions.
The PRA's approach to operational resilience is based on the
assumption that, from time to time, disruptions will occur which
will prevent firms from operating as usual and see them unable
to provide their services for a period.
1.6 A clear focus by boards and senior management on their
firm's operational resilience will become increasingly important
as the wider financial sector becomes more dynamic, complex,
and reliant on technology and third parties. Moreover, inter­
national interconnectedness is increasing, for example as UK
firms may outsource to cloud computing providers operating in
a number of different countries. While this can improve firms'
resilience, it also gives rise to new risks to operations which the
PRA expects firms to manage effectively.
1.7 To address the growing risk a lack of operational resilience
poses, the Operational Resilience Parts of the PRA Rulebook7
require firms to set and meet clear standards for the services
they provide and test their ability to meet those standards.
Firms are required to review their existing approaches and make
improvements where necessary.
1.8 The policy supports the PRA in embedding operational
resilience into its prudential framework. The policy provides an
objective basis for the PRA to assess firms' operational resilience
and for the PRA's supervisors to have an informed dialogue with
the firms they supervise and drive them to implement change
where necessary.
1.9 This SS complements, and should be read in conjunction
with:
• 'The PRA's approach to banking supervision' or 'The PRA's
approach to insurance supervision';8
7 Operational Resilience - CRR Firms; Operational Resilience - Solvency
II Firms; and Rule 22 in the Group Supervision Part of the PRA Rulebook.
8 Available at: https://www.bankofengland.co.uk/prudential-
regulation/publication/pras-approach-to-supervision-of-the-
banking-and-insurance-sectors.
394 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
• the Fundamental Rules Part of the PRA Rulebook;9
• the Operational Resilience Parts;
• the PRA Statement of Policy 'Operational resilience';101and
• SS2/21 'Outsourcing and third-party risk m anagem ent'.11
A2.2 IMPORTANT BUSINESS SERVICES
2.1 A business service is a service that a firm provides. Business
services deliver a specific outcome or service to an identifiable
user external to the firm and should be distinguished from busi­
ness lines, which are a collection of services and activities.
2.2 As set out in the Operational Resilience Parts,12 firms must
identify their important business services. The Operational Resil­
ience Parts define important business services as the services
a firm provides which, if disrupted, could pose a risk to a firm's
safety and soundness or, if a firm meets the criteria set out in
the Operational Resilience Parts,13 the financial stability of the
UK. The Operational Resilience Parts14*set out that insurers must
also identify important business services that may pose a risk to
policyholder protection.
2.3 The PRA expects firms to identify important business ser­
vices considering the risk their disruption poses to financial sta­
bility (where applicable), the firm's safety and soundness and, in
the case of insurers, policyholder protection. A firm's important
business services will be a relatively short list of external-facing
services for which the firm has chosen to build high levels of
operational resilience in anticipation of operational disruption.
2.4 Firms should also consider the practicalities of how they
identify their important business services. For example, they
should identify important business services so that:
• an impact tolerance can be applied and tested; and
• boards and senior management can make prioritisation and
investment decisions.
9 Fundamental Rules 2, 3, 5, and 6 are particularly relevant.
10 March 2021: https://www.bankofengland.co.uk/prudential-regulation/
publication/2021/march/operational-resilience-sop.
11 March 2021: https://www.bankofengland.co.uk/
prudential-regulation/publication/2021/march/
outsourcing-and-third-party-risk-management-ss.
12 Operational Resilience - CRR Firms 2.1, Operational Resilience - Sol­
vency II Firms 2.1.
13 Operational Resilience - CRR Firms 2.3, Operational Resilience - Sol­
vency II Firms 2.3.
14 The definition of 'important business service' is in the Operational
Resilience - Solvency II Firms Part.
2.5 When assessing the risk a business service poses to financial
stability (where applicable), the firm's safety and soundness, or
policyholder protection, the PRA expects firms to consider the
following factors:
(a) Financial stability - the impact on the wider financial sector
and UK economy, including:
• the potential to inhibit the functioning of the wider economy,
in particular the economic functions listed in SS19/13 'Resolu­
tion planning';15
• the potential to cause knock-on effects for counterparties,
particularly those that provide financial market infrastructure
or critical national infrastructure; and
• whether the service is covered by an impact tolerance set by
the Bank's Financial Policy Committee.
(b) The firm's safety and soundness - the impact on the firm
itself, including the:
• impact on the firm's profit and loss;
• potential to cause reputational damage; and
• the potential to cause legal or regulatory censure.
(c) In the case of insurers, an appropriate degree of policyholder
protection - the impact on policyholders affected by a disrup­
tion to the service, including consideration of:
• the type of product, type of policyholder, and their current or
future interests;
• the significance to the policyholder of the risk insured;
• the availability of substitute products that would offer a poli­
cyholder a similar level of protection; and
• the potential for significant adverse effects on policyholders
if cover were to be withdrawn or policies not honoured.
2.6 When assessing if an impact tolerance can be applied to an
important business service, firms are expected to consider if the
users of the service are identifiable. This means that the impacts
of disruption should be clear. The users of the service may
include retail customers, business customers, other legal enti­
ties, trustees, market participants, the supervisory authorities, or
other members of a regulated entity's group.
2.7 The focus on the implications of operational disruption for
firms' safety and soundness, financial stability, and policyholder
protection means that firms should not identify internal services
alone (for example those provided by human resources or pay­
roll) as important business services. Such internal services, if nec­
essary for the delivery of important business services, would be
15 June 2018: https://www.bankofengland.co.uk/prudential-regulation/
publication/2013/resolution-planning-ss.
Chapter 25 Operational Resilience: Impact Tolerance for Important
included in the mapping, scenario testing, and any remediation
work the PRA requires firms to perform.
2.8 Important business services deliver a specific outcome or
service to an identifiable user and should be distinguished from
business lines, such as mortgages, which are a collection of ser­
vices and activities. They will vary from firm to firm. Firms should
consider the chain of activities which make up the important
business service, from taking on an obligation to delivery of the
service, and determine those parts of the chain that are critical
to delivery of the important business service. The PRA expects
that the critical parts of the chain should be operationally resil­
ient, and that firms should focus their work on the resources
necessary to deliver them. Below is an example of where activi­
ties performed by internal services within a firm would need
to be included in the chain of activities (note, in the example
below, the risk management function itself is not required to be
operationally resilient in the terms of this policy):
• Trade execution: Where trade execution requires clearance
from the risk management function, the clearance process
would be included in the chain of activities that form part of
the important business service, and the operational resources
needed to provide that clearance would need to be opera­
tionally resilient. In this example, the important business ser­
vice (trade execution) could not be delivered if the clearance
process was operationally disrupted.
2.9 When assessing if boards and senior management can make
prioritisation and investment decisions for an important business
service, firms are expected to consider whether the number of
important business services is proportionate to their business. It
is likely that larger firms will identify a larger number of impor­
tant business services than smaller firms.
2.10 The PRA expects firms to review their important business
services annually at a minimum, or sooner if a significant change
occurs, and to determine whether any changes are required to
their list of important business services.
A2.3 IMPACT TOLERANCES
Setting an Impact Tolerance
3.1 The Operational Resilience Parts16 require firms to set an
impact tolerance for each of their important business services.
The Operational Resilience Parts define an impact tolerance
as the maximum tolerable level of disruption to an important
16 Operational Resilience - CRR Firms 2.2, Operational Resilience -
Solvency II Firms 2.2.
Services ■ 395
business service as measured by a length of time in addition to 3.7 Firms may choose to set their impact tolerances by assum­
any other relevant metrics. ing an important business service is unavailable for a specified
period of time and judging the potential impact this would
3.2 The Operational Resilience Parts17 require firms to set their
have. If this disruption would not pose a risk to the firm's safety
impact tolerances at the point at which any further disruption
and soundness, (in the case of insurers) policyholder protection,
to the important business service would pose a risk to the firm's
and (if applicable) the financial stability of the UK, the firm could
safety and soundness, and in the case of insurers, policyholder
consider the impact of a longer disruption. If, for example, the
protection, and, if a firm meets the criteria as set out in the
firm judges that after an important business service has been
Operational Resilience Parts,18 the financial stability of the UK.
unavailable for five days, there would be a risk to the financial
3.3 When setting an impact tolerance for an individual important stability of the UK, this would be the point within which the firm
business service, the PRA expects firms to take into account the would set its impact tolerance.
impact of failure of other related important business services.
3.8 When judging the point at which safety and soundness, (in
These may be related because, for example, they share com­
the case of insurers) policyholder protection, or (if applicable)
mon resources which support the delivery of the important
the financial stability of the UK is at risk, firms should consider
business services or where simultaneous disruption could have
identifying quantitative and qualitative indicators. In identifying
compounding impacts on similar external end users. The PRA
indicators, firms should consider the factors identified in para­
expects firms to take a proportionate approach in making this
graph 2.5 of this SS.
assessment, and only to consider extra layers of complexity
where there are significant benefits in terms of building opera­ 3.9 Impact tolerances are defined as the maximum tolerable
tional resilience. amount of disruption and should apply at peak times as well as
in normal circumstances. As such, when setting impact toler­
3.4 Impact tolerances provide a standard which boards and
ances, firms may wish to consider different times of the day,
senior management should use for prioritising investment and
different points in the year, or broader factors which may lead
making recovery and response arrangements (see Chapters 4 to
to activity within the important business service significantly
6 of this SS). They may be helpful in informing decision-making
increasing.
during operational disruptions, when they would be considered
alongside other information relevant to managing an incident
effectively. Impact Tolerance Metrics
3.5 The PRA expects impact tolerances to be set on the assump­
3.10 Firms should state their impact tolerances using clear
tion that a disruption will occur. Firms should not consider the
metrics. Firms should set at least one impact tolerance for each
cause or probability of disruption when setting their impact
important business service they have identified.
tolerances.
3.11 The PRA requires21 firms to use a time-based metric for all
3.6 An impact tolerance m ust,19 in all cases, include a time-
impact tolerances, but, where appropriate, firms should use a
based metric to measure the tolerable level of disruption to an
time-based metric in conjunction with other metrics. For exam­
important business service. Firms are also required to consider20
ple, a firm could set its impact tolerance at a certain volume
whether time-based impact tolerances should be used in con­
of interrupted transactions due to the disruption of the firm's
junction with additional metrics, such as the volume or value of
important business service, in conjunction with the disruption
transactions that the firm can tolerate being interrupted for that
continuing after a certain number of hours.
period of disruption. See paragraphs 3.10 to 3.16 for more on
impact tolerance metrics. 3.12 A time-based metric for an impact tolerance should specify
that a particular important business service should not be dis­
rupted beyond a certain period of or point in time, for example
after 24 hours or at the end of the day. An impact tolerance that
17 Operational Resilience - CRR Firms 2.3, Operational Resilience - combines time with a volume and/or value metric might state
Solvency II Firms 2.3.
that the firm will not tolerate the business service delivering less
1O
Operational Resilience - CRR Firms 2.3, Operational Resilience - than a certain percentage of normal operating capacity for a
Solvency II Firms 2.3.
specified period of time.
19 Operational Resilience - CRR Firms 2.4, Operational Resilience -
Solvency II Firms 2.4.
20 Operational Resilience - CRR Firms 2.4, Operational Resilience - 21 Operational Resilience - CRR Firms 2.4, Operational Resilience -
Solvency II Firms 2.4. Solvency II Firms 2.4.

396 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
3.13 Impact tolerances should not consider the frequency at
which operational disruptions are likely to occur. Rather, they
should be focused on setting the limit of the impact the firm can
tolerate from a single disruption.
3.14 Setting an impact tolerance enables firms to assess the
status of, and set resilience requirements for, the necessary
people, processes, technology, facilities, and information (the
'resources') that contribute to the delivery of important business
service. These requirements might include capacity specifica­
tions, recovery time objectives, and recovery point objectives.
These requirements should be set to enable the firm to deliver
the important business service within its impact tolerance.
3.15 There may be circumstances when a firm continuing to
deliver a service through disruption may have a more adverse
impact than suspending it. An example of this is where the firm
cannot sufficiently assure the integrity of data underpinning an
important business service.
3.16 The PRA's Fundamental Rules22 will remain relevant to
decision making during operational disruptions, including deci­
sions about when an important business service is suspended or
restored. When setting impact tolerances, the PRA expects firms
to consider the circumstances that might be prevailing at the
time of the disruption to help them make informed recovery and
response decisions and when they may decide not to resume
the functioning of their important business services within the
specified time. The PRA expects firms should not be forced into
inappropriate actions because of their impact tolerances in the
event of a disruption.
A2.4 ACTIONS TO REMAIN WITHIN
IMPACT TOLERANCE
4.1 The Operational Resilience Parts23*require firms to ensure
they are able to deliver their important business services within
impact tolerances in severe but plausible scenarios. Mapping
and testing the delivery of important business services will
equip firms to establish whether and how they can remain within
impact tolerances.
4.2 The PRA expects firms to take action where they identify a
limitation in their ability to deliver important business services
within impact tolerances. The PRA is unlikely to consider com­
plicated business models or the provision of services across
22 Fundamental Rules 2, 3, 5, and 6 are particularly relevant for this
example.
23 Operational Resilience - CRR Firms 2.5, Operational Resilience -
Solvency II Firms 2.5.
Chapter 25 Operational Resilience: Impact Tolerance for Important
borders as good reasons for a firm not to be able to act to
ensure they can remain within an impact tolerance - these fac­
tors are themselves vulnerabilities that the PRA expects firms to
address. However, incidents such as rapid technological change
may be a reason for a firm to not be able to remain within an
impact tolerance, as it may take time to improve resilience
under those conditions.
4.3 The PRA expects firms to develop and implement effec­
tive remediation plans for the important business services that
would not be able to remain within their impact tolerance. Firms
should take prompt action where they cannot remain within the
impact tolerance, so these plans should include appropriate tim­
ing for the necessary improvements.
4.4 In developing these plans to improve resilience and prioritis­
ing their work, firms should also consider the:
• nature and scale of the risk that disruption to the important
business service could have on financial stability (if appli­
cable), safety and soundness, and (in the case of insurers) the
appropriate degree of policyholder protection. Firms should
prioritise those that pose the greatest risk.
• time-criticality of the important business service, which is
high when the impact tolerance is set for a short amount of
time. The PRA expects firms to have undertaken planning
and set up recovery and response arrangements in advance
to be able to respond quickly to disruptions when they occur.
• scale of improvement necessary to remain within the impact
tolerance. An important business service that is far from
remaining within the impact tolerance may need to be priori­
tised over a business service that could nearly remain within
its impact tolerance in a severe but plausible disruption.
4.5 The PRA expects firms to be able to remain within impact
tolerances for important business services, irrespective of
whether or not they use third parties in the delivery of these ser­
vices. This means that firms should effectively manage their use
of third parties to ensure they can meet the required standard of
operational resilience.
4.6 Although firms may assume that an arrangement is inher­
ently less risky where the service provider is part of its own
group, this is often not the case. The PRA expects firms to
manage risk and make appropriate arrangements to be able to
remain within impact tolerance, whether using third parties that
are other entities within their group or external providers.
4.7 The PRA expects firms to develop communication strate­
gies for both internal and external stakeholders as part of their
planning for responding to operational disruptions. These com­
munication plans should be developed with a view to reduc­
ing harm to counterparties and other market participants and
Services ■ 397
supporting confidence in both the firm and financial sector. The
PRA expects firms' plans to include the escalation paths they
would use to manage communications during an incident and to
identify the appropriate decision makers. For example, the plan
should address how to contact key individuals, operational staff
suppliers, and the appropriate regulators.
4.8 The PRA requires24 firms to consider PRA objectives when
setting impact tolerances. It is also aware that dual-regulated
firms must identify a separate impact tolerance for their impor­
tant business services, where the delivery of the important
business service is also relevant to the FCA's objectives. Where
appropriate, a firm may set its PRA impact tolerance for a given
important business service at the same point as its FC A impact
tolerance. The PRA expects that work done to meet the require­
ments of one regulator should be leveraged to meet those of
the other, and would encourage firms to avoid duplicative work.
4.9 The PRA expects dual-regulated firms to understand
whether the scenarios that may cause firms to exceed their
respective PRA and FCA impact tolerances would differ
(whether or not those impact tolerances are aligned), and to
take action to remain within their PRA impact tolerances as
appropriate.
4.10 The PRA understands that in practice firms may concen­
trate their efforts on ensuring they can remain within the more
stringent tolerance. Where the PRA and FC A impact tolerances
differ for a dual-regulated firm, taking action to ensure firms can
remain within the more stringent tolerance will be acceptable if
a firm can demonstrate:
• how they have considered the PRA's objectives when setting
their impact tolerances;
• how their response and recovery arrangements ensure firms
are able to remain within the PRA impact tolerance; and
• that scenario testing has been performed with the PRA
impact tolerance in mind.
4.11 Below is an example illustrating how firms could effectively
concentrate their efforts on ensuring they can remain within the
more stringent impact tolerance for a given important business
service:
• Where a firm providing custodian services to small and
medium-sized asset managers and investment firms identifies
the safekeeping of securities for customers as an important
business service, it may judge that: (a) after six hours of dis­
ruption, this impacts customers' abilities to settle transactions
and thus poses a risk of consumer harm; and (b) after eight
24 Operational Resilience - CRR Firms 2.3, Operational Resilience -
Solvency II Firms 2.3.
398 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
hours of disruption, this creates a reputational risk which
threatens their safety and soundness. The firm identifies vul­
nerabilities in its safeguarding systems and thus increases its
investment to improve the robustness of its systems to allow
it to remain within the shorter impact tolerance, which also
serves to meet the longer impact tolerance.
Policy Implementation
4.12 The Operational Resilience Parts are effective from
Thursday 31 March 2022. By this point, firms must have identi­
fied their important business services and set impact tolerances.
In order to achieve this, and to identify any vulnerabilities in
their operational resilience, firms should have mapped their
important business services and commenced a programme of
scenario testing.
4.13 Firms are not expected to have performed mapping and
scenario testing to the full extent of sophistication by Thursday
31 March 2022. Both mapping and scenario testing are ongoing
processes, and firms are expected to perform them at varying
levels of sophistication over time. The PRA expects that firms'
approaches to both mapping and scenario testing should evolve
over time.
4.14 Senior management are expected to take responsibility
for delivering the policy outcomes. Firms are expected to have
a prioritised plan which sets out how they will comply with the
requirement to be able to remain within their impact tolerances
within a reasonable time, and no later than Monday 31 March
2025.25 For a firm's plan to be effective, firms must have started
putting the plan into effect by Thursday 31 March 2022. As part
of this planning, firms should prioritise their regular mapping
and scenario testing so that they will be able to identify vul­
nerabilities in sufficient time so that measures can be taken to
remediate them. Firms, particularly larger, more complex ones,
will need to make choices and prioritise with the ultimate goal
of delivering the outcomes of the policy.
4.15 The speed at which vulnerabilities are remediated should
be commensurate with the potential impact that a disruption
would cause, and will be an area of supervisory focus.
4.16 After Monday 31 March 2025, maintaining operational
resilience will be a dynamic activity. By this point, firms should
have sound, effective and comprehensive strategies, processes,
and systems that enable them to address risks to their ability to
remain within their impact tolerance for each important business
service in the event of a severe but plausible disruption.
25 Operational Resilience - CRR Firms 2.5, 2.6, Operational Resilience -
Solvency II Firms 2.5, 2.6.
A2.5 MAPPING
5.1 The Operational Resilience Parts26 require firms to identify
and document the necessary people, processes, technology,
facilities, and information (the 'resources') required to deliver
each of their important business services. This identification pro­
cess is referred to as 'mapping'.
5.2 Adequate mapping should enable firms to meet the follow­
ing outcomes:
(a) The identification of vulnerabilities. Mapping an important
business service should allow a firm to identify the resources
that are critical to delivering an important business service,
ascertain whether they are fit for purpose, and consider what
would happen if resources were to become unavailable.
(b) Test ability to remain within impact tolerances. Mapping
should facilitate the testing of a firm's ability to deliver impor­
tant business services within impact tolerances. To design and
understand the full implications of scenarios, a map of the rel­
evant business service is necessary. Further information on the
approach to testing is outlined in Chapter 6.
5.3 To meet the requirements in the Operational Resilience
Parts27, the PRA expects firms to take action where a vulner­
ability is identified, or testing highlights a limitation to remaining
within impact tolerances.
5.4 The PRA expects firms to map their important business
services to the level of detail necessary to use the mapping to
identify vulnerabilities and test ability to remain within impact
tolerances.
5.5 The PRA expects firms to map the resources necessary to
deliver important business services irrespective of whether the
resources are being provided wholly or in part by a third party,
which may be an intragroup or external service provider. Firms
should understand how their outsourcing and third party depen­
dencies support important business services.
5.6 Firms should understand the reliance placed on sub-out­
sourcing arrangements and if these arrangements pose a threat
to their operational resilience. Paragraph 9.5 of SS2/21 sets out
that firms should assess whether sub-outsourcing meets mate­
riality criteria set out in Chapter 5 of SS2/21, which includes the
potential impact on the firm's operational resilience and the pro­
vision of important business services. Paragraph 9.6 of SS2/21
Operational Resilience - CRR Firms 4.1, Operational Resilience -
r y /
Solvency II Firms 4.1.
27 Operational Resilience - CRR Firms 2.5, Operational Resilience -
Solvency II Firms 2.5.
Chapter 25 Operational Resilience: Impact Tolerance for Important
sets out that firms should ensure that the service provider has
the ability and capacity on an ongoing basis to appropriately
oversee any material sub-outsourcing in line with the firm's rel­
evant policy or policies.
5.7 As set out in SS2/21, 'firms that enter into outsourcing
arrangements remain fully accountable for complying with all
their regulatory obligations'. This is a key principle underlying all
requirements and expectations regarding outsourcing and other
third party arrangements. Therefore, a firm will remain responsi­
ble if a third party provider on whom it relies, whether wholly or
in part, to provide an important business service, fails to remain
within impact tolerances or causes the firm to do so. SS2/21 sets
out detailed expectations on how firms should obtain assurance
from third parties throughout the lifecycle of an outsourcing
or, where relevant, other third party arrangement. The level of
assurance that the PRA expects should be proportionate to the
size and complexity of the firm and reflect the materiality and
risk of the outsourcing and third party arrangement. As part of
this assurance, firms may ask third parties to provide mapping,
but this is not required in all cases, particularly if other assurance
mechanisms are effective and more proportionate.
5.8 Mapping information should be accessible and usable for
the firm. Firms should document their mapping in a way that
is proportionate to their size, scale, and complexity. Firms are
expected to develop their own methodology and assumptions
for mapping to best fit their business.
5.9 The PRA expects firms to update their mapping annually at a
minimum, or following significant change if sooner.
A2.6 SCENARIO TESTING
6.1 The Operational Resilience Parts28 require firms to test regu­
larly their ability to remain within impact tolerances in severe but
plausible disruption scenarios. Impact tolerances assume a dis­
ruption has occurred, and so testing the ability to remain within
impact tolerances should not focus on preventing incidents
from occurring. The PRA expects firms to focus on recovery and
response arrangements.
6.2 Firms should identify the severe but plausible scenarios they
use for testing. When setting scenarios, firms could consider
previous incidents or near misses within the organisation, across
the financial sector, and in other sectors and jurisdictions. A test­
ing plan should include realistic assumptions and evolve as the
firm learns from previous testing.
Operational Resilience - CRR Firms 5.1, Operational Resilience -
Solvency II Firms 5.1.
Services ■ 399
6.3 The Operational Resilience Parts29 require firms to prepare
a written self-assessment of compliance with the Operational
Resilience Parts. The PRA expects firms to document details of
their scenario testing, including assumptions made in relation
to scenario design and any identified risks to the firm's ability to
remain within impact tolerances.
6.4 Over time, the PRA expects a firm's scenario testing to
become more sophisticated as firms develop operational
resilience for each important business service. Firms would be
expected to test against more severe but plausible scenarios,
proportionate to the firm and the degree of operational resil­
ience each important business service has.
6.5 When considering the important business services to priori­
tise for testing, firms should consider the relative risk they pose
to financial stability (if applicable), safety and soundness, and
(in the case of insurers) the appropriate degree of policyholder
protection.
6.6 The PRA expects firms to develop a testing plan that details
how they will gain assurance that they can remain within impact
tolerances for important business services. The nature and
frequency of a firm's testing should be proportionate to the
potential impact that disruption could cause and whether the
operational resources supporting an important business service
have materially changed. When developing a testing plan, firms
should consider the following:
• the type of scenario testing, which may include paper-based
assessments, simulations, or live-systems testing;
• the frequency of the scenario testing - firms that implement
changes to their operations more frequently should under­
take more frequent scenario testing;
• the number of important business services tested - firms
that have identified more important business services should
undertake more scenario testing to reflect this; and
• testing the availability and integrity of resources - impact tol­
erances are concerned with the continued provision of impor­
tant business services. An important business service that can
continue to be provided but has insufficient integrity is not
within the impact tolerance. Firms should test their recovery
plans for both availability and integrity scenarios, proportion­
ate to their size and complexity; and
• how their environment is changing and whether this will give
rise to different vulnerabilities.
Operational Resilience - CRR Firms 6.1, Operational Resilience -
OQ
Solvency II Firms 6.1.
400 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
6.7 Scenario testing should not pose a material risk of creat­
ing a disruption. Where firms consider that live-systems testing
is most appropriate for scenario testing their ability to remain
within impact tolerances, firms should assess the risk that the
scenario testing may create a disruption to the delivery of
important business services. The PRA's Fundamental Rules30*will
remain relevant to decision making for how firms approach their
scenario testing. Firms should conduct scenario testing with due
skill, care, and diligence, act prudently, have effective risk strate­
gies and risk management, and control their affairs responsibly
and effectively.
6.8 The entire chain of activities that have been identified as the
important business service should be considered when develop­
ing testing plans.
6.9 The severity of scenarios used by firms for their testing could
be varied by increasing the number or type of resources unavail­
able for delivering the important business service, or extending
the period for which a particular resource is unavailable. The
mapping work that firms will undertake is likely to be useful
in informing them how their scenarios could be made more
difficult.
6.10 The PRA recognises that it would not be proportionate to
require firms to be able to remain within impact tolerances in
circumstances which are beyond severe or implausible. There
will be scenarios where firms find they could not deliver a par­
ticular important business service within their impact tolerance.
For example, if essential infrastructure (such as power, transport,
or telecommunications) were unavailable, some firms may not
be able to deliver their important business services within their
impact tolerance.
6.11 As impact tolerances are set on the assumption that disrup­
tions will occur, we do not expect firms to devote too much time
to considering the relative probability of incidents occurring.
6.12 Firms should test a range of scenarios, including those in
which they anticipate exceeding their impact tolerance. Under­
standing the circumstances where it is impossible to stay within
an impact tolerance will provide useful information to firms'
management and to their supervisors. Boards and senior man­
agement will need to judge whether failing to remain within the
impact tolerance in specific scenarios is acceptable and be able
to explain their reasoning to supervisors.
6.13 Chapters 5 to 10 of SS2/21 set out detailed expectations
on how firms should perform due diligence and obtain effective
30 Fundamental Rules 2, 3, 5, and 6 are particularly relevant for this
example.
and proportionate assurance from third parties, including
through scenario testing. In particular, the PRA expects con­
tractual agreements for material outsourcing arrangements to
include 'requirements for both parties to implement and test
business contingency plans. For the firm, these should take
account of firms' impact tolerances for important business ser­
vices. Where appropriate, both parties should commit to take
reasonable steps to support the testing of such plans'. SS2/21
further notes that firms' business continuity and exit plans for
material outsourcing arrangements should 'where possible and
re le va n t. . . align to, support, or even be a component of firms'
scenario testing for operational resilience. For instance, one of
the severe but plausible scenarios that firms may select for this
testing could involve a failure or disruption at a third party, or
their supply chain, based on previous incidents or near misses
within the organisation, across the financial sector, and in other
sectors and jurisdictions'.
A2.7 GOVERNANCE
Board Responsibilities
7.1 Boards are specifically required to approve the important
business services identified for their firm and the impact toler­
ances that have been set for each of these. The Operational
Resilience Parts31 require that a firm's board must approve and
regularly review the firm's important business services, impact
tolerances, and written self-assessment (see Chapter 8 of this
SS). In delivering this responsibility, boards must regularly
review assessments of the firm's important business services,
impact tolerances, and the scenario analyses of its ability to
remain within the impact tolerance for these important business
services.
7.2 While individual board members are not required to be
technical experts on operational resilience, the PRA expects
boards to ensure that they have the appropriate management
information. Boards should also collectively possess adequate
knowledge, skills, and experience to provide constructive chal­
lenge to senior management and inform decisions that have
consequences for operational resilience.32
n in-insurance-ss.
Operational Resilience - CRR Firms 7, Operational Resilience -
a
Solvency II Firms 7.
32 Rule 5.2 in the General Organisational Requirements Part of the PRA
Rulebook (CRR firms), Rule 2.7 in the Conditions Governing Business
Part of the PRA Rulebook (Solvency II firms).
Chapter 25 Operational Resilience: Impact Tolerance for Important
Management Responsibilities
7.3 Firms should establish clear accountability and responsibility
for the management of operational resilience, including imple­
mentation of the policy set out here. The PRA expects firms to
structure their oversight of operational resilience in the most
effective way for their business, using existing committees and
roles or establishing new ones if necessary.
7.4 Where it exists,33 the Chief Operations Senior Management
Function (SMF) 24 should hold overall responsibility for imple­
menting operational resilience policies and reporting to the
board. Consistent with paragraph 2 .1 1G of SS28/15 'Strength­
ening individual accountability in banking'34 and paragraph
2.22L of SS35/15 'Strengthening individual accountability in
insurance',35 the SM F24 function may be shared or split among
two or more individuals. This is on the basis that the split accu­
rately reflects the firm's organisational structure and that com­
prehensive responsibility for operations and technology is not
undermined. However, firms that have a single senior individual
with overall responsibility for internal operations and technology
should only have that individual approved as the SM F24. Where
the SMF24 function is split, the PRA does not expect it to be
split among more than three individuals. Further information on
the SMF24 function is contained in the aforementioned Supervi­
sory Statements.
7.5 Where a firm does not have a board, senior management
should take responsibility for the Operational Resilience Parts.36
A2.8 SELF-ASSESSMENT
8.1 The Operational Resilience Parts37*require firms to docu­
ment a self-assessment of their compliance with the Operational
Resilience Part. Firms are also expected to document the meth­
odologies they have used to undertake these activities. Firms'
boards are accountable for and should approve the information
33 Rule 3.8 in the Senior Management Functions Part of the PRA Rule-
book (CRR firms), Rule 3.7 in the Insurance - Senior Management Func­
tions Part of the PRA Rulebook (Solvency II firms).
34 December 2020: https://www.bankofengland.co.uk/prudential-
regulation/publication/2015/strengthening-individual-accountability-
in-banking-ss.
35 February 2020: https://www.bankofengland.co.uk/prudential-
regulation/publication/2015/strengthening-individual-accountability-
36 Operational Resilience - CRR Firms 7, Operational Resilience -
Solvency II Firms 7.
37 Operational Resilience - CRR Firms 6, Operational Resilience -
Solvency II Firms 6.
Services ■ 401
provided in these documents. The PRA expects boards and
senior management to seek to build resilience so that they gain a
high level of assurance that their firm is able to deliver its impor­
tant business services within impact tolerances. Firms should
document this information in the form of a self-assessment.
8.2 A self-assessment should directly address the requirements
set out in the Operational Resilience Parts.38 Broader elements
of firms' operational resilience, for example, operational risk
management and business continuity planning, should only be
referenced where they directly pertain to the Operational Resil­
ience Parts.39 Broader elements of firms' resilience should be
captured in existing firm practices.
8.3 When documenting a self-assessment to meet the O pera­
tional Resilience Parts,40 firms should:
• list their important business services and state why each
of these have been identified, with reference to the PRA's
expectations in Chapter 2 of this SS;
• specify the impact tolerances set for these important busi­
ness services and why each impact tolerance has been set,
with reference to the expectations in Chapter 3 of this SS;
• detail their approach to mapping important business ser­
vices. The PRA expects this to include how the firm has
identified the resources that contribute to the delivery of
important business services and how they have captured the
relationships between these. Firms should also document
how they have used mapping to identify vulnerabilities and
to support testing activity;
• describe their strategy for testing their ability to deliver
important business services within impact tolerances through
severe but plausible scenarios. Firms should also describe the
scenarios used, the types of testing undertaken, and specify
the scenarios under which firms could not remain within their
impact tolerances;
• identify any lessons learned when undertaking scenario test­
ing or via practical experience, including the actions taken to
address the issues encountered or risks highlighted; and
38 Operational Resilience - CRR Firms 6, Operational Resilience -
Solvency II Firms 6.
OQ
Operational Resilience - CRR Firms 6, Operational Resilience -
Solvency II Firms 6.
40 Operational Resilience - CRR Firms 6, Operational Resilience -
Solvency II Firms 6.
402 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
• identify the vulnerabilities that threaten their ability to deliver
important business services within impact tolerances. Firms
should make every effort to remediate these vulnerabilities,
detailing the actions taken or planned and justifications for
their completion time. The completion time should be appro­
priate to the size and complexity of the firm, and the PRA will
expect large and complex firms to take prompt action.
A2.9 GROUPS
9.1 The PRA expects firms to identify a proportionate number
of important group business services and respective impact
tolerances at the level of the group. Taking a group level view
of operational resilience ensures the risks to the whole group,
including parts of the group that are not subject to the individ­
ual requirements, are taken into account.
9.2 An important group business service41 is a service provided
by a member of the firm's group to an external end user42 which
if disrupted, could (via their impact on the group as a whole)
pose a risk to financial stability in the UK, the UK firm's safety
and soundness, or (in the case of PRA-regulated insurers) poli­
cyholder protection. For example, where there is a UK group
that has a subsidiary, branch, or business unit providing a service
to customers outside the UK, which could, if disrupted, pose a
risk to the safety and soundness of the UK group or UK financial
stability, the group should identify that service as an important
group business service and assess whether each important group
business service could remain within the impact tolerance in the
event of a severe but plausible disruption to its operations.
9.3 Impact tolerances should be set in the same way as they are
for an individual firm. Boards and senior management should con­
sider the level of disruption that would represent a threat to the
viability of the group and therefore pose a risk to financial stability
in the UK, a firm's safety and soundness, or (in the case of PRA-
regulated insurers) there being an appropriate degree of protec­
tion for those who are or may become the firm's policyholders.
9.4 The Operational Resilience Parts43 require that firms ensure
that the strategies, processes, and systems at the level of their
41 The definition of important group business services is in the Opera­
tional Resilience - CRR Firms Part and Group Supervision Part.
42 The definition of group external end user is in the Operational Resil­
ience - CRR Firms Part and Operational Resilience - Solvency II Firms
Part.
43 Operational Resilience - CRR Firms 8.4, Group Supervision 22.5.
group enable the firm to assess whether important group busi­
ness services are able to remain within their impact tolerances
in severe but plausible scenarios. A firm would be expected to
work with other members of its group to take action, should
it be likely that an important group business service could not
be delivered within its impact tolerance. Firms are required to
include this analysis in their self-assessments.
APPENDIX 3
A3.1 INTRODUCTION
1.1 This Statement of Policy (SoP) is relevant to all:
• UK banks, building societies, and PRA-designated investment
firms (hereafter banks); and
• UK Solvency II firms, the Society of Lloyd's, and its managing
agents (hereafter insurers).
1.2 Banks and insurers are collectively referred to as 'firms'.
1.3 The Prudential Regulation Authority (PRA) considers that
for firms to be operationally resilient, they should be able to
prevent disruption occurring to the extent practicable; adapt
systems and processes to continue to provide services and
functions in the event of an incident; return to normal running
promptly when a disruption is over; and learn and evolve from
both incidents and near misses. Therefore, operational resilience
is an outcome that is supported by several parts of the PRA's
regulatory fram ework.44
1.4 The Operational Resilience Parts of the PRA Rulebook45 and
SS1/21 'Operational resilience: Impact tolerances for impor­
tant business services'46 respectively require and expect firms
44 As explained in PRA DP1/18 'Building the UK financial sector's
operational resilience', p.8: https://www.bankofengland.co.uk/prudential-
regulation/publication/2018/building-the-uk-financial-sectors-operational-
resilience-discussion-paper.
45 Operational Resilience - CRR Firms; Operational Resilience - Sol­
vency II Firms; and Chapter 22 in the Group Supervision Part of the PRA
Rulebook.
46 March 2021: https://www.bankofengland.co.uk/prudential-regulation/
publication/2021/march/operational-resilience-impact- tolerances-for-
important business-services-ss.
Chapter 25 Operational Resilience: Impact Tolerance for Important
to identify important business services and set impact toler­
ances for these services. Firms must take action to ensure they
are able to deliver their important business services47 within
their impact tolerances.48 Testing against severe but plausible
operational disruption scenarios enables firms to identify vulner­
abilities and take mitigating action. The PRA's operational resil­
ience policy requires boards and senior management to drive
improvement where deficiencies are found.
1.5 The context of important business services and impact toler­
ances influences the PRA's approach to other parts of the PRA's
regulatory framework as well. This SoP sets out how the PRA
implements a consistent and targeted approach across its regu­
latory framework.
1.6 The SoP clarifies how the PRA's operational resilience policy
affects its approach to four key areas of the regulatory fram e­
work in particular (the relationship between these policies is
depicted in Figure 25A.1 below):
• governance;
• operational risk management;
• business continuity planning (BCP); and
• the management of outsourced relationships.
1.7 There is a valuable set of other relevant existing policies and
guidelines (eg the European Banking Authority's (EBA's) guide­
lines on information and communication technology (ICT) risks,
and the EBA's guidelines on ICT and security risk management).49
The PRA considers all of its policies and relevant international
guidelines in the context of its operational resilience policy, not
just those outlined here. The PRA's operational resilience policy
will complement existing policies and is not intended to conflict
with or amend them.
47 'Important business service' as described in Chapter 2 of SS1/21.
48 'Impact tolerance' as described in Chapter 3 of SS1/21.
49 Unless otherwise stated, any references to EU or EU derived
legislation refer to the version of that legislation which forms part
of retained EU law. See Appendix 2 of the SoP 'Interpretation of
EU Guidelines and Recommendations: Bank of England and PRA
approach after the UK's withdrawal from the EU': https://www.
bankofengland.co.uk/-/media/boe/files/paper/2019/interpretation-
of-eu-guidelines-and-recommendations-boe-and-pra-approach-sop-
december-2020.pdf.
Services ■ 403
 Firm must ensure they
Strategic Identify important are able to remain
Set impact tolerances
Outcomes business services within impact
tolerances

Governance and self-assessment

Supporting Map inputs for Test ability to meet Business Operational risk
Outsourcing
Requirements delivery impact tolerances continuity management

Fiaure 25A.1 Th e relationship b e tw e e n th e PRA's o p eratio n al resilien ce policy w ith o th e r key a re as of th e PRA's
reg u lato ry fram ew o rk.
The framework of: identifying important business services; setting impact tolerances; and taking actions to be able to remain within
impact tolerances set the strategic direction that the PRA expect firms to take. To achieve the strategy, firms must:

• map resources;
• test their ability to remain within impact tolerances;
• implement BCP requirements;
• implement operational risk management requirements; and
• implement outsourcing requirements.
Governance is an inherent part of each of the above elements, and self-assessment looks at how all of these elements combine to
build the resilience of a firm.

A3.2 THE RELATIONSHIP BETWEEN When the PRA considers its expectations for boards in its opera­
tional resilience policy and elsewhere in its regulatory fram e­
OPERATIONAL RESILIENCE AND work, it considers, for example, if boards:
GOVERNANCE
• have appropriate management information available to

2.1 The role of firms' boards and senior management is central to inform decisions which have consequences for operational

the PRA's operational resilience policy. Boards are accountable resilience;

for, and should approve, the identification of their firm's impor­
tant business services, impact tolerances, and self-assessment.
2.2 The ability of firms to deliver their important business ser­
vices within their impact tolerances depends upon appropriate
reporting and accountability to be in place throughout the firm.
Where limitations are identified, leadership from the firms' board
and senior management is essential to prioritise the investment
and cultural change required to improve operational resilience.
• have adequate knowledge, skills, and experience in order to
provide constructive challenge to senior management and
meet their oversight responsibilities in relation to operational
resilience; and
• articulate and maintain a culture of risk awareness and ethical
behaviour for the entire organisation, which influences the
firm's operational resilience.

Interaction with Other Management

Interaction with Other Board
Responsibilities
2.3 The PRA considers whether firms are delivering the outcome
of operational resilience when assessing the adequacy of a
firm's arrangements to deliver other expectations of boards.
Responsibilities
2.4 The Chief Operations Senior Management Function (SMF)
24, where it applies, includes responsibility for the firm's opera­
tional resilience. The PRA's operational resilience policy provides
further detail to firms on this responsibility.

404 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
A3.3 THE RELATIONSHIP BETWEEN
OPERATIONAL RESILIENCE AND
OPERATIONAL RISK POLICY
3.1 Operational risk management supports both operational
resilience and financial resilience. Firms should have effective
risk management systems in place to manage operational risks
that are integrated into their organisational structures and
decision-making processes.50

3.2 When assessing a firm's operational risk management, the

PRA considers the extent to which firms: have reduced the
likelihood of operational incidents occurring; can limit losses in
the event of severe business disruption; and whether they hold
sufficient capital to mitigate the impact when operational risks
crystallise.

3.3 The additional requirements the PRA's operational resilience LIKELIHOOD

policy places on firms to limit the impact of disruptions when
they occur, whatever their cause, develops the PRA's approach
to operational risk in two key ways:
• it increases firms' focus on their ability to respond to and
recover from disruptions, assuming failures will occur; and
• it addresses the risk that firms may not necessarily consider
the public interest when making investment decisions to
build their operational resilience. The PRA's operational resil­
ience policy requires firms to take action so they are able to
provide their important business services within their impact
tolerances through severe but plausible disruptions.
Risk Appetite and Impact Tolerances
3.4 Impact tolerances differ from risk appetites in that they
assume a particular risk has crystallised instead of focusing on
the likelihood and impact of operational risks occurring. Firms
that are able to remain within their impact tolerances increase
their capability to survive severe but plausible disruptions, but
risk appetites are likely to be exceeded in these scenarios (see
Figure 25A.2 below). Impact tolerances are set only in relation
to impact on financial stability, the firm's safety and soundness
and, in the case of insurers, the appropriate degree of policy­
holder protection.
Fiaure 25A.2 Th e relationship b e tw e e n risk a p p e tite
and im pact to le ra n ce .
Figure 25A.2 shows the relationship between impact and likeli­
hood for a firm's risk appetite and impact tolerance. Both risk
appetite and impact tolerances help ensure a firm's operational
resilience.
• The thick solid line represents the risk appetite, which
changes with impact and likelihood. Green, yellow, and red
illustrate the firm's appetite towards disruption at different
levels of impact and likelihood (green is within the firm's risk
appetite, yellow is outside of the firm's risk appetite, and red
is significantly outside of the firm's risk appetite).
• The dashed dark line represents the impact tolerance, which
is set at a high level of impact and assumes disruption has
occurred, so is indifferent to likelihood. The green, yellow,
and red are not related to the impact tolerance.
Financial Resilience
3.5 Firms are required to hold capital to ensure they can absorb
losses resulting from operational risks such as fraud, damage
to physical resources, or business disruption and system fail­
ures.51 However, the PRA's operational resilience policy does
not have an associated capital requirement. As such, it does not

51 CRR Firms - Internal Capital Adequacy Assessment 10.1 (for banks),

for insurers Solvency Capital Requirement - General Provisions 3.3
50 Directive 2013/36/EU (Article 85(1)). Solvency II Directive (Article 44). (for insurers).

Chapter 25 Operational Resilience: Impact Tolerance for Important Business Services ■ 405
affect the PRA's approach to operational risk capital policy or
add additional considerations for firms when they make capital
calculations.
Incident Management
3.6 In the PRA's general notification rules52 firms are required to
notify the PRA where an incident: could lead to the firm failing
to satisfy one or more of the threshold conditions; could have a
significant adverse impact on the firm's reputation; could impact
the firm's ability to continue to provide adequate services to its
customers; or could result in serious financial consequences to
the UK's wider financial sector or to other firms.
3.7 The PRA considers whether a firm has met the PRA's noti­
fication requirements alongside the PRA's expectations in its
operational resilience policy. For example the PRA expects
incidents to meet the test for notification if the incident would
disrupt the firm's ability to deliver its important business services
within its impact tolerances. This includes incidents which have
occurred, may have occurred or may occur in the foreseeable
future.
A3.4 THE RELATIONSHIP BETWEEN
OPERATIONAL RESILIENCE AND
BUSINESS CONTINUITY PLANNING
(BCP)
4.1 The PRA requires a bank to 'have in place adequate con­
tingency and business continuity plans aimed at ensuring that
in the case of a severe business disruption the firm is able to
operate on an ongoing basis and that any losses are lim ited'.53
Similarly, an insurer is required to 'take reasonable steps to
ensure continuity and regularity in the performance of its activi­
ties, including the development of contingency plans'.54 These
requirements and the PRA's operational resilience policy con­
tribute to firms' response and recovery capabilities.
4.2 BCP policies and the PRA's operational resilience policy are
closely linked. However, the PRA's operational resilience policy
52 Rule 2.1 in the Notifications Part of the PRA Rulebook.
53 CRR Firms - Internal Capital Adequacy Assessment 10.2.
54 Rule 2.6 in the Solvency II Firms - Conditions Governing Business Part
of the PRA Rulebook.
406 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
focuses on a firm's ability to deliver its important business ser­
vices rather than single points of failure. The PRA considers both
policies together when supervising firms. For example, when
assessing whether banks are meeting the PRA's expectations in
SS21/15 'Internal governance',55 the PRA considers if banks':
• recovery priorities for their operations56 prioritise the delivery
of important business services within impact tolerances;
• allocation of resources and communications planning for
business continuity planning focuses on the delivery of
important business services; and
• tests of business continuity plans complement the testing of
disruption scenarios and relate to impact tolerances.
A3.5 THE RELATIONSHIP BETWEEN
OPERATIONAL RESILIENCE AND
OUTSOURCING
5.1 As set out in the PRA's outsourcing rules,57 firms remain
responsible for their obligations when functions are outsourced
to a third party. In the PRA's operational resilience policy, the
PRA expects firms to be operationally resilient regardless of any
outsourcing arrangements or use of third parties. Firms should
not allow their ability to deliver their important business services
within their impact tolerances to be undermined when they
are delivered wholly or in part by third parties, whether these
third parties are other entities within their group or external
providers.
5.2 The PRA's policy for modernising the regulatory framework
on outsourcing and third party risk management (SS2/21 'O ut­
sourcing and third party risk management')58 complements the
PRA's operational resilience policy. SS2/21 reflects the increased
importance to firms of cloud computing and other new technol­
ogies. The PRA's approach is to consider SS2/21 and the PRA's
operational resilience policy in combination.
55 April 2017: https://www.bankofengland.co.uk/prudential-regulation/
publication/2015/internal-governance-ss.
56 Paragraph 2.1(b), SS21/15.
57 CRR Firms - Outsourcing, Solvency II Firms - Conditions Governing
Business 7.
58 March 2021: https://www.bankofengland.co.uk/prudential-regulation/
publication/2021/march/outsourcing-and-third-party-risk-_management-ss.
Principles for
Operational
Resilience
Learning Objectives
After completing this reading you should be able to:

Define and describe operational resilience and explain Explain recommended principles that banks should follow
essential elements of operational resilience. to implement an effective operational resilience approach.

E x c e rp t is rep rin ted with perm ission o f the Bank for International Settlem en ts. The full publication is available on the B IS w eb site free
o f charge: w w w .bis.org

407
26.1 INTRODUCTION
1. In the years that followed the Great Financial Crisis (GFC) of
2007-09, the Basel Committee's reforms of its prudential frame­
work have enhanced the supervision of the global banking sys­
tem and resulted in a number of structural changes to strengthen
banks' financial resilience. While significantly higher levels of cap­
ital and liquidity have improved banks' ability to absorb financial
shocks, the Committee believes that further work is necessary
to strengthen banks' ability to absorb operational risk-related
events, such as pandemics, cyber incidents, technology failures
and natural disasters, which could cause significant operational
failures or wide-scale disruptions in financial markets. In light of
the critical role that banks play in the operation of the global
financial infrastructure, increasing their resilience would provide
additional safeguards to the financial system.
2. Even prior to the Covid-19 pandemic, the Committee con­
sidered that significant operational disruptions would inevitably
test improvements to the financial system's resilience made
since the G FC . As the Covid-19 pandemic progressed, the
Committee observed banks rapidly adapting their operational
posture in response to new hazards or changes in existing haz­
ards that occurred in different parts of their organisation. Rec­
ognising that a range of potential hazards cannot be prevented,
the Committee believes that a pragmatic, flexible approach to
operational resilience can enhance the ability of banks to with­
stand, adapt to and recover from potential hazards and thereby
mitigate potentially severe adverse impacts.
3. Through the publication of this document, the Committee
seeks to promote a principles-based approach to improving
operational resilience. The approach builds on updates to the
Committee's Principles for the Sound Management of O pera­
tional Risk (PSM OR)1 and draws from previously issued principles
on corporate governance for banks, as well as outsourcing-, busi­
ness continuity- and relevant risk management-related guidance.
4. Recognising the work undertaken by several jurisdictions and
standard-setting bodies (SSBs) to bolster the operational resil­
ience of the financial sector,1
2 the Committee aims to strengthen
1 Revisions to the Principles for the Sound Management of Operational
Risk, March 2021, www.bis.org/bcbs/publ/d515.htm.
2 Bank of England and Financial Conduct Authority, Building the UK financial
sector's operational resilience, December 2019; European Banking Author­
ity, EBA guidelines on ICT and security risk management, November 2019;
European Commission, Legislative proposal for an EU regulatory framework
on digital operational resilience for the financial sector (DORA), September
2020; Monetary Authority of Singapore, Ensuring safe management and
operational resilience of the financial sector, April 2020: International Orga­
nization of Securities Commissions (IOSCO), Principles on outsourcing,
May 2020; and Board of Governors of the Federal Reserve System, Federal
Deposit Insurance Corporation and Office of the Comptroller of the Cur­
rency, Sound Practices to Strengthen Operational Resilience, October 2020.
408 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
operational resilience by furthering international engagement
and seeks to promote greater cross-sectoral collaboration over
this body of work.
26.2 AN EVOLVING OPERATIONAL
RISK LANDSCAPE
5. Banks and their customers have benefited from the applica­
tion of technology to financial services, although the increased
use of technology presents new risks. Until recently, some
of the most predominant operational risks that banks faced
resulted from vulnerabilities related to the rapid adoption of
and increased dependency on technology infrastructure for the
provision of financial services and intermediation, as well as the
sector's growing reliance on technology-based services pro­
vided by third parties. The Covid-19 pandemic has exacerbated
these operational risks and increased economic and business
uncertainty. Technology and relationships with third parties have
at the same time supported the continued delivery of products
and services to customers and promoted the ability of banks to
continue operations during the pandemic.
6. Pandemic-related disruptions have affected information
systems, personnel, facilities and relationships with third-party
service providers and customers. In addition, cyber threats (ran-
somware attacks, phishing, etc) have spiked, and the potential
for operational risk events caused by people, failed processes
and systems has increased as a result of greater reliance on
virtual working arrangements. The Committee's guidance on
operational resilience will continue to be informed by its moni­
toring of the impact of the Covid-19 pandemic and any lessons
learned.
26.3 ESSENTIAL ELEMENTS OF
OPERATIONAL RESILIENCE
7. Operational resilience is an outcome that benefits from the
effective management of operational risk.3 Activities such as
risk identification and assessment, risk mitigation (including the
implementation of controls) and the monitoring of risks and
control effectiveness work together to minimise operational
disruptions and their effects. In addition, management's focus
on the bank's ability to respond to and recover from disrup­
tions, assuming failures will occur, will support operational
resilience. An operationally resilient bank is less prone to incur
untimely lapses in its operations and losses from disruptions,
3 BCBS, Revisions to the Principles for the Sound Management of Oper­
ational Risk, March 2021.
thus lessening incident impact on critical operations and related
services, functions and systems. While it may not be possible to
avoid certain operational risks, such as a pandemic, it is possible
to improve the resilience of a bank's operations to such events.
8. In addition, business continuity, outsourcing of services to
third parties and the technology upon which banks rely are
important factors for banks to consider when strengthening
their operational resilience. Previously issued guidance in these
areas, whether issued solely by the Com m ittee4 or jointly with
other SSBs,5 does not adequately capture all essential elements
when considered on a standalone basis, but does advance oper­
ational resilience when considered collectively.
9. It is essential for banks to ensure that existing risk manage­
ment frameworks, business continuity plans and third-party
dependency management are implemented consistently within
the organisation. Banks should consider whether their opera­
tional resilience approach is appropriately harmonised with
the stated actions, organisational mappings, and definitions of
critical functions and critical shared services contained in their
recovery and resolution plans as specified in the Financial Stabil­
ity Board's (FSB's) Recovery and Resolution Planning framework,
as appropriate.6
10. The principles for operational resilience set forth in this doc­
ument are largely derived and adapted from existing guidance
that has been issued by the Committee or national supervisors
over a number of years. The Committee recognises that many
banks have well established risk management processes that are
appropriate for their individual risk profile, operational structure,
corporate governance and culture, and conform to the specific
risk management requirements of their jurisdictions. By building
upon existing guidance and current practices, the Committee
is issuing a principles-based approach to operational resilience
that will help to ensure proportional implementation across
banks of various size, complexity and geographical location.
4 BCBS, Risk management principles for electronic banking, July 2003,
www.bis.org/publ/bcbs98.pdf; and BCBS, Corporate governance prin­
ciples for banks, July 2015, www.bis.org/publ/bcbs.pdf.
5 Joint Forum (BCBS-IOSCO-IAIS), Outsourcing in financial services,
February 2005, www.bis.org/publ/joint12.pdf; and Joint Forum
(BCBSIOSCO-IAIS), High-level principles for business continuity, August
2006, www.bis.org/publ/joint17.pdf.
6 See FSB, Key Attributes of Effective Resolution Regimes for Finan­
cial Institutions, October 2014 (http://www.fsb.org/wp-content/
uploads/r_141015.pdf); relevant supporting guidance in Identification
of Critical Functions and Critical Shared Services, July 2013 (http://www.
fsb.org/wp-content/uploads/r_130716a.pdf); and Guidance on arrange­
ments to support operational continuity in resolution, August 2016
(https://www.fsb.org/wp-content/uploads/Guidance-on-Arrangements-
to-Support-Operational-Continuity-in-Resolution1 .pdf).
Chapter 26 Principles for Operational Resilience
26.4 DEFINITION OF OPERATIONAL
RESILIENCE
11. The Committee defines operational resilience as the ability
of a bank to deliver critical operations through disruption. This
ability enables a bank to identify and protect itself from threats
and potential failures, respond and adapt to, as well as recover
and learn from disruptive events in order to minimise their
impact on the delivery of critical operations through disruption.
In considering its operational resilience, a bank should assume
that disruptions will occur, and take into account its overall risk
appetite7 and tolerance for disruption. In the context of opera­
tional resilience, the Committee defines tolerance for disruption
as the level of disruption from any type of operational risk a
bank is willing to accept given a range of severe but plausible
scenarios.
12. The term critical operations is based on the Joint Forum's
2006 high-level principles for business continuity. It encom­
passes critical functions as defined by the FSB8 and is expanded
to include activities, processes, services and their relevant sup­
porting assets9 the disruption of which would be material to
the continued operation of the bank or its role in the financial
system. W hether a particular operation is "critical" depends on
the nature of the bank and its role in the financial system. Banks'
tolerance for disruption should be applied at the critical opera­
tions level.
13. The term respective functions used in this document explicitly
refers to the appropriate function(s) within the bank's three lines
of defence, as described in the PSM O R.10 These consist of
(i) business unit management; (ii) an independent operational risk
7 Per the BCBS's 2015 Corporate governance guidelines, which use
the FSB's 2013 Principles for an effective risk appetite framework, "risk
appetite" is defined as: the aggregate level and types of risk a bank is
willing to assume, decided in advance and within its risk capacity, to
achieve its strategic objectives and business plan.
8 FSB, Recovery and resolution planning for systemically important
financial institutions: guidance on identification of critical functions and
critical shared services, 2013. According to the FSB, critical functions are
defined as "activities performed for third parties where failure would
lead to the disruption of services that are vital for the functioning of the
real economy and for financial stability due to the banking group's size
or market share, external and internal interconnectedness, complexity
and cross-border activities. Examples include payments, custody, certain
lending and deposit-taking activities in the commercial or retail sector,
clearing and settling, limited segments of wholesale markets, market
making in certain securities and highly concentrated specialist lending
sectors."
9 In this context, "supporting assets" are defined as people, technology,
information and facilities necessary for the delivery of critical operations.
10 BCBS, Revisions to the Principles for the Sound Management of
Operational Risk, paragraph 6, March 2021.
■ 409
management function; and (iii) independent assurance. Depend­
ing on a bank's nature, such as its size, complexity and risk profile,
how these three lines of defence are implemented may vary.
26.5 OPERATIONAL RESILIENCE
PRINCIPLES
14. This section presents the Committee's principles for opera­
tional resilience which are organised across the following seven
categories: governance; operational risk management; business
continuity planning and testing; mapping of interconnections
and interdependencies of critical operations; third-party depen­
dency management; incident management; and resilient infor­
mation and communication technology (ICT), including cyber
security. The principles are to be applied on a consolidated basis
to banks consistent with the scope of the Basel Framework.
15. These categories are based on the Committee's updated
PSM OR, and previously issued principle-based guidance on cor­
porate governance, business continuity, outsourcing and other
relevant risk management frameworks. The practices described
below, some of which reflect previously issued guidance, should
not be viewed in isolation, but rather as integral parts of a
bank's forward-looking operational resilience approach in line
with its operational risk appetite and tolerance for disruption.
Governance
Principle 1: Banks should utilise their existing governance
structure11 to establish, oversee and implement an effec­
tive operational resilience approach that enables them to
respond and adapt to, as well as recover and learn from,
disruptive events in order to minimise their impact on
delivering critical operations through disruption.
16. The board of directors should review and approve the bank's
operational resilience approach considering the bank's risk
appetite and tolerance for disruption to its critical operations.
11 Consistent with the PSMOR, this document refers to a governance
structure composed of a board of directors and senior management.
The Committee is aware that there are significant differences in legisla­
tive and regulatory frameworks across countries regarding the functions
of the board of directors and senior management. In some countries,
the board has the main, if not exclusive, function of supervising the
executive body (senior management, general management) so as to
ensure that the latter fulfils its tasks. For this reason, in some cases it is
known as a supervisory board. This means that the board has no execu­
tive functions. In other countries, the board has a broader competence
in that it lays down the general framework for the management of the
bank. Owing to these differences, the terms "board of directors" and
"senior management" are used in this paper not to identify the segre­
gated legal liability in corporate governance practices but rather to label
two-tiered decision-making functions within a bank in general.
410 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
In formulating the bank's tolerance for disruption, the board
of directors should consider the bank's operational capabili­
ties given a broad range of severe but plausible scenarios that
would affect its critical operations. The board of directors should
ensure that the bank's policies effectively address instances
where the bank's capabilities are insufficient to meet its stated
tolerance for disruption.
17. Under the oversight of the board of directors, senior
management should implement the bank's operational resil­
ience approach and ensure that financial, technical and other
resources are appropriately allocated in order to support the
bank's overall operational resilience approach.
18. Senior management should provide timely reports on the
ongoing operational resilience of the bank's business units in sup­
port of the board's oversight, particularly when significant defi­
ciencies could affect the delivery of the bank's critical operations.
19. The board of directors should take an active role in estab­
lishing a broad understanding of the bank's operational resil­
ience approach, through clear communication of its objectives
to all relevant parties, including bank personnel, third parties
and intragroup entities.
Operational Risk Management
Principle 2: Banks should leverage their respective functions
for the management of operational risk to identify external
and internal threats and potential failures in people, processes
and systems on an ongoing basis, promptly assess the vulner­
abilities of critical operations and manage the resulting risks in
accordance with their operational resilience approach.
20. The bank's operational risk management function should
work alongside other relevant functions to manage and address
any risks that threaten the delivery of critical operations. Banks
should coordinate their business continuity planning, third-party
dependency management, recovery and resolution planning
and other relevant risk management frameworks to strengthen
operational resilience across the bank.
21. Banks should have sufficient controls and procedures12 to
identify and assess threats and vulnerabilities, and more gener­
ally their operational risk, in a timely manner and, to the extent
possible, prevent them from affecting critical operations deliv­
ery. The resp ective functions should regularly assess the effec­
tiveness of the implemented controls and procedures. These
assessments should also be conducted in the event of changes
to any underlying components of the critical operations, as well
12 These controls and procedures should be consistent with and
conducted alongside the risk identification process as articulated in
Principle 6 in the proposed revisions to the PSMOR.
as after incidents in order to take into account lessons learned
and new threats and vulnerabilities that caused the incident.
22. Banks should leverage change management capabilities in
accordance with the change management processes13 under
the overall management of operational risk as a way to assess
potential effects on the delivery of critical operations and on
their interconnections and interdependencies.
Business Continuity Planning and Testing
Principle 3: Banks should have business continuity plans in
place and conduct business continuity exercises under a
range of severe but plausible scenarios in order to test their
ability to deliver critical operations through disruption.14
23. An effective business continuity plan should be forward-
looking when assessing the impact of potential disruptions. Busi­
ness continuity exercises15 should be conducted and validated
for a range of severe but plausible scenarios that incorporate
disruptive events and incidents.
24. An effective business continuity plan should identify criti­
cal operations, and key internal and external dependencies
to assess the risks and potential impact of various disruption
scenarios on critical operations. These plans should incorporate
business impact analyses and recovery strategies as well as test­
ing programmes, training and awareness programmes, and com­
munication and crisis management programmes.
25. Business continuity plans should develop, implement and
maintain a regular business continuity exercise encompassing
critical operations and their interconnections and interdependen­
cies, including those through relationships with, but not limited
to, third parties and intragroup entities. Among other business
continuity goals, business continuity exercises should support
staff's operational resilience awareness including training of staff,
so that they can effectively adapt and respond to incidents.
26. Business continuity plans should provide detailed guidance
for implementing the bank's disaster recovery framework. These
plans should establish the roles and responsibilities for manag­
ing operational disruptions and provide clear guidance regard­
ing the succession of authority in the event of a disruption that
impacts key personnel. Additionally, these plans should clearly
13 See Principle 7 of the PSMOR.
14 Further BCBS guidance on business continuity can be found in docu­
ments published through the Joint Forum (BCBS-IOSCO-IAIS), High-
level principles for business continuity, August 2006, www.bis.org/publ/
joint17.pdf.
15 The business continuity planning and testing of critical operations should
be consistent with and conducted alongside the business continuity plan­
ning articulated in Principle 11 in the proposed revisions to the PSMOR.
Chapter 26 Principles for Operational Resilience
set out the internal decision-making process and define the trig­
gers for invoking the bank's business continuity plan.
27. Banks' business continuity plans for the delivery of critical
operations and critical third-party services contained in their
recovery and resolution plans should be consistent with their
operational resilience approaches.
Mapping Interconnections and
Interdependencies
Principle 4: Once a bank has identified its critical operations,
the bank should map the internal and external interconnections
and interdependencies that are necessary for the delivery of
critical operations consistent with its approach to operational
resilience.
28. The respective functions should map (ie identify and document)
the people, technology, processes, information, facilities, and the
interconnections and interdependencies among them as needed
to deliver the bank's critical operations, including those dependent
upon, but not limited to, third parties or intragroup arrangements.
29. Banks may leverage their recovery and resolution plans, as
appropriate, for definitions of critical operations and should
consider whether their operational resilience approaches are
appropriately harmonised with the organisational mappings of
critical operations and critical third-party services contained in
their recovery and resolution plans.
30. The approach and level of granularity of mapping should
be sufficient for banks to identify vulnerabilities and to support
testing of their ability to deliver critical operations through dis­
ruption, as described in Principle 3, considering the bank's risk
appetite and tolerance for disruption.
Third-Party Dependency Management
Principle 5: Banks should manage their dependencies on
relationships, including those of, but not limited to, third
parties or intragroup entities, for the delivery of critical
operations.16
31. Banks should perform a risk assessment and due diligence
before entering into arrangements including those of, but not
limited to, third parties or intragroup entities, consistent with
the bank's operational risk management fram ework,17 out-
sourcing/third-party risk management policy and operational
16 Further BCBS guidance on outsourcing of services can be found in doc­
uments published through the Joint Forum (BCBS-IOSCO-IAIS), Outsourc­
ing in financial services, February 2005, www.bis.org/publ/joint12.pdf.
17 The management of dependencies articulated in this principle should
be consistent with and conducted alongside the control and risk mitiga­
tion policies as articulated in paragraph 51 of Principle 9 in the PSMOR.
■ 411
resilience approach. Prior to the bank entering into such an
arrangement, the bank should verify whether the third party,
including, if relevant, the intragroup entity to these arrange­
ments, has at least equivalent level of operational resilience to
safeguard the bank's critical operations in both normal circum­
stances and in the event of disruption.
32. Banks should develop appropriate business continuity and
contingency planning procedures and exit strategies to maintain
their operational resilience in the event of a failure or disruption
at a third party impacting the provision of critical operations.
Scenarios under the bank's business continuity plans should
assess the substitutability of third parties that provide services
to the bank's critical operations, and other viable alternatives
that may facilitate operational resilience in the event of an out­
age at a third party, such as bringing the service back in-house.
Incident Management
Principle 6: Banks should develop and implement response
and recovery plans to manage incidents13 that could disrupt
the delivery of critical operations in line with the bank's risk
appetite and tolerance for disruption. Banks should continu­
ously improve their incident response and recovery plans by
incorporating the lessons learned from previous incidents.
33. Banks should maintain an inventory of incident response
and recovery, internal and third-party resources to support the
bank's response and recovery capabilities.
34. The scope of incident management should capture the life
cycle of an incident,19 typically including, but not limited to:
a. the classification of an incident's severity based on pre­
defined criteria (eg expected time to return to business as
usual), enabling proper prioritisation of and assignment of
resources to respond to an incident.
b. The incident response and recovery procedures, including
their connection to the bank's business continuity, disas­
ter recovery and other associated management plans and
procedures.
18 Incidents are current or past disruptive events the occurrence of which
would have an adverse effect on critical operations of the bank. Incident
management is the process of identifying, analysing, rectifying and
learning from an incident and preventing recurrences or mitigating the
severity thereof. The goal of incident management is to limit the disrup­
tion and restore critical operations in line with the bank's risk tolerance
for disruption. See the Financial Stability Board's Effective Practices for
Cyber Incident Response and Recovery, October 2020, https://www.
fsb.org/wp-content/uploads/P191020-1.pdf, as an example of detailed
response and recovery practices.
19 Recognising that the life cycle on an incident could span multiple
measures of time that could range from hours to weeks to months.
412 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
c. The implementation of communication plans to report inci­
dents to both internal and external stakeholders (eg regula­
tory authorities), including performance metrics during, and
analysis of lessons learned after an incident.
35. Incident response and recovery procedures should be peri­
odically reviewed, tested and updated. Banks should identify
and address the root causes of incidents to prevent or minimise
serial recurrence.
36. Lessons learned from previous incidents including incidents
experienced by others, should be duly reflected when updating
the incident management programme. A bank's incident man­
agement programme should manage all incidents impacting the
bank, including those attributable to dependencies on, but not
limited to, third parties and intragroup entities.
let Including Cyber Security20
Principle 7: Banks should ensure resilient ICT including cyber
security that is subject to protection, detection, response
and recovery programmes that are regularly tested, incorpo­
rate appropriate situational awareness and convey relevant
timely information for risk management and decision-making
processes to fully support and facilitate the delivery of the
bank's critical operations.21
37. Banks should have a documented ICT policy, including cyber
security, which stipulates governance and oversight require­
ments, risk ownership and accountability, ICT security measures
(eg access controls, critical information asset protection, iden­
tity management), periodic evaluation and monitoring of cyber
security controls, and incident response, as well as business con­
tinuity and disaster recovery plans.
38. Banks should identify their critical information assets and the
infrastructure upon which they depend. Banks should also prioritise
their cyber security efforts based on their ICT risk assessment and
on the significance of the critical information assets to the bank's
critical operations, while observing all pertinent legal and regula­
tory requirements relating to data protection and confidentiality.
Banks should develop plans and implement controls to maintain
the integrity of critical information in the event of a cyber event,
such as secure storage and offline backup on immutable media of
data supporting critical operations. Banks should regularly evaluate
the threat profile of their critical information assets, test for vulner­
abilities and ensure their resilience to ICT-related risks.
20 Cyber security as defined in the FSB's Cyber Lexicon of November
2018 (www.fsb.org/wp-content/uploads/P121118-1 .pdf).
21 The management of ICT articulated in this principle should be consis­
tent with and conducted alongside the ICT principle as articulated in para­
graphs 55-57 of Principle 10 in the proposed revisions to the PSMOR.
Striving for
Operational
Resilience
The Questions Boards
and Senior Management
Should Ask

Learning Objective
After completing this reading you should be able to:

Describe elements of an effective operational resilience

framework and its potential benefits.

E x c e rp t is u sed with perm ission o f O liver Wyman.

EXECUTIVE SUMMARY
Operational resilience has become a key agenda item for boards
and senior management. Increasing complexity in processes and
IT, dependence on third parties, interconnectedness and data
sharing, and sophistication of malicious actors have made dis­
ruptions more likely and their impact more severe. High-profile
examples of business and operational disruptions abound, cov­
ering all segments of the financial services industry.
Resilience is fundam entally different from traditional business
continuity (BC) and disaster recovery (DR). These disciplines
have historically been heavily focused on physical events,
were designed and tested in organizational silos, and are, by
most organizations, primarily viewed as a compliance exercise.
Operational resilience, instead, focuses on the adaptability to
emerging threats, the dependencies and requirements for pro­
viding critical business services end-to-end (crossing organiza­
tional silos), and the broader economic as well as firm-specific
impact of adverse operational events. It requires a mindset
shift in the organization away from resilience as a com pli­
ance exercise to resilience as a key organizational capability
that is everyone's responsibility to maintain and continuously
improve.
Financial regulators have started to stipulate expectations
around management of resilience, resilience reporting, and
effective oversight. In response, many firms are embarking or
will need to embark on transformational programs to strengthen
their resilience to disruption, incidents, and attacks across all
operational resilience domains - technology, data, third parties,
facilities, operations, and people. In addition, boards and senior
management need to provide effective challenge of their orga­
nization's resilience ambitions, program, and critical risks that
remain to their day-to-day operations.
Achieving operational resilience is inherently challenging given
the increasing complexity of processes, technology infrastruc­
ture, and organizational silos. However, the business benefits
go beyond pure risk and compliance, often forming an inherent
part of a firm's value proposition.
This paper explores the key questions that boards and senior
management should ask about their organization's level of
operational resilience.
27.1 WHY NOW?: NEED FOR
OPERATIONAL RESILIENCE
Continuity of service has always been a priority for financial
firms. After all, disruptions can impact revenue, client experi­
ence, and franchise value.
414 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
O perational resilience is the ability o f an organization
to continue to p ro vid e business se rvice s in the face o f
adverse operational even ts by anticipating, preven tin g ,
recoverin g from , and adapting to such events.
BC and DR have historically emphasized physical events (e.g.,
natural disaster, active shooter), are limited by organizational
boundaries, and are, by most organizations, primarily viewed as
a "check the box" exercise rather than true risk management.
However, several trends in financial services have sharply
increased the need for more mature operational resilience
practices. Exhibit 27.1 below explores the most important
trends, which we expect to continue to elevate the topic to
discussions at the top table.
These drivers have manifested themselves in high-profile busi­
ness and operational disruptions across the financial services
industry, both through internally-driven operational failures and
externally-driven malicious acts. These disruptions illustrate
some of the shortcomings of traditional BC and DR approaches:
• Firm have more dependencies for service delivery than ever
before, but traditional approaches focus on assets in siloes and
ignore potentially critical components of end-to-end service
delivery.
• In a rapidly changing environment, traditional "check the
box" and reactive approaches focused solely on recovery
make firms much slower to adapt.
• By focusing on a standard set of disruption scenarios, tradi­
tional approaches provide a false sense of comfort that insti­
tutions are prepared for all scenarios.
Additionally, financial firms recognize the need for greater opera­
tional excellence (efficiency and effectiveness). Organizations that
manage to effectively address the combined need for operational
resilience and excellence will be able to unlock significant benefits
across the organization (e.g., operational loss, operational cost
and complexity reduction, ability to support faster innovation
cycles, effective investment into operational capabilities).
27.2 BEND, BUT DON'T BREAK:
OPERATIONAL RESILIENCE
APPROACH
Operational resilience is the ability of an organization to continue to
provide business services in the face of adverse operational events
by anticipating, preventing, recovering from, and adapting to such
events. The fundamental principle is "bend, but don't break."
Even for many advanced institutions, adopting an operational
resilience approach will imply significant changes from tradi­
tional (more compliance-focused) BC and DR. Whereas these
 DRIVER IM PACT ON EXPO SU RE TO DISRUPTION

Competition and customer demand are driving Increasing complexity of processes and infrastructure
SCALE AND PACE
the need for more disruptive innovations and faster required for product and service delivery, and risk of
OF INNOVATION
innovation cycles imbalance between time to market and security/resilience

Availability of new technology, customer expectations, Traditional (manual) fallback methods no longer viable,
CONTINUED and desires for efficiency are driving increasing levels and more challenging to identify the "weakest link"
DIGITIZATION of automation and faster adoption of digital delivery among connected digital systems
capabilities

Incumbent institutions rely on older technology Challenging to embed risk and resilience requirements
RELIANCE ON LEGACY infrastructure that is less flexible, requires specialized in technology, which increases the exposure
INFRASTRUCTURE knowledge to maintain, and is difficult to integrate to disruptive events
with new technologies and processes

Institutions are increasingly adopting outsourcing More difficult to gain a comprehensive view of the
EXTENSION as a business strategy, expanding their reliance on firm's third-party dependencies and exposure, as well
OF THE SUPPLY CHAIN third parties (and their third parties' third parties) as to assess the risk and resilience posture of all
relevant third parties

Financial institutions are sharing more information More likely to be affected by vulnerabilities
INTERCONNECTEDNESS
and services more broadly (partly through deliberate and disruptions in another part of the ecosystem
AND SHARING
government policy)

CONTINUED RISE IN Cyber attackers are innovating rapidly to identify new More challenging to prevent, detect, respond,
SOPHISTICATION OF means of attack and ways of exploiting firms' and recover from cyber attacks
MALICIOUS ACTORS vulnerabilities

Exhibit 27.1 D rivers of e x p o su re to d isru p tio n.

traditional approaches focus solely on recovery, operational
resilience has a broader scope and needs to be integrated into
the risk-mitigation fabric of the organization.
Resilient organizations focus on anticipation, prevention and adap­
tation, rather than recovery actions once the "horse has bolted."
In addition, resilient organizations have creative ways to provide
critical business services in the event of a disruption, beyond simply
getting the technology up and running again (e.g., using branches
to service customers at scale when digital channels might be down).
Exhibit 27.2 shows the key characteristics of an operational
resilience approach compared to most organizations' starting
point - traditional BC and DR.
Financial services regulators have begun to take note and are
beginning to focus on promoting operational resilience, versus
traditional BC and DR. The principles outlined in Exhibit 27.2 are
reflected in an increasing body of regulatory consultation and
guidance papers.
avoiding systemic disruptions, while smaller institutions' objec­
tives will likely focus on maintaining shareholder value.
Global institutions will need to pay particularly close attention to
regulatory developments, as regulators in different jurisdictions
have not yet aligned on their expectations for firms.
RECENT RESILIENCE-RELATED
REGULATORY PUBLICATIONS
JU LY 2018
Bank of England/Prudential Regulation Authority/Financial
Conduct Authority discussion paper, "Building the UK
financial sector's operational resilience"
D EC EM B ER 2018
European Central Bank guidance, "Cyber resilience over­
sight expectations for financial market infrastructures"

With the lessons from the financial crisis still fresh, regulators European Banking Authority consultation paper, "G uide­
have overlaid a "system ic" lens, prompting firms to explic­ lines on ICT and security risk management"

itly consider and measure how disruptions would impact the
broader market. At the same time, they are emphasizing that
resilience is applicable to all institutions, even if the objectives
for each institution might differ. For example, Financial Market
Infrastructure's (FMI) resilience objectives will likely focus on
M ARCH 2019
Monetary Authority of Singapore consultation papers, "Pro­
posed Revisions to Guidelines on Business Continuity Man­
agement" and "Technology Risk Management Guidelines"

Chapter 27 Striving for Operational Resilience ■ 415

 CA TEG O RY O PERATIO N AL RESILIEN CE APPROACH
• Clearly defined accountability
of board and senior management
• Resilience incorporated into risk appetite
statements and metrics across operational
risk types
• Comprehensive and actionable reporting
to drive continuous improvement
• Critical business services end-to-end
(ignoring organizational silos)
• Broader economic impact of disruption,
in addition to firm-specific impact
• Comprehensive view of dependencies of
critical business service on organizational
assets (systems, data, third parties,
facilities, processes, and people)
• Resilience considerations embedded
in the upfront design of business services
and organizational assets
• Business disruption scenarios tailored to
each critical service based on an aligned
and forward-looking risk assessment
• Tolerances for business disruption (impact
tolerances) based on bespoke scenarios
• Single incident response regime (unified
incident command) for all incident types
• Plans and capabilities monitored, tested,
and adapted continuously
• Emphasis on building trust among crisis
management team to enable effective
response
Exhibit 27.2 K e y ch a ra cte ristics of o p eratio n al resilien ce.
416 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
TRADITIONAL APPROACH (BC/DR)
• Role of board and senior management limited
to post-event response
• Resilience not an explicit consideration in risk
appetite statements and metrics
• "Com pliance-type" update on exercises
• Individual business units or specific
technology assets
• Firm-specific impact of disruption
• View of dependencies in most cases limited
to the business unit or directly linked
technology assets
• Continuity and recovery capabilities bolted
on to satisfy requirements
• Standard business disruption scenarios
across business units
• Standard tolerances for business disruption
(recovery time/point objectives) for all
scenarios
• Distinct incident response regimes
for different incident types, which may
negatively impact response times
• Plans and capabilities tested infrequently
(e.g., annually)
• Little attention paid to dynamics
of crisis management team
27.3 HAS THE ORGANIZATION GOT
IT?: IMPORTANT QUESTIONS TO ASK
ABOUT OPERATIONAL RESILIENCE
Achieving operational resilience is inherently challenging and
complex:
• It requires organizations to understand how all domains (tech­
nology, data, third parties, facilities, operations, and people)
impact critical service delivery and to build a consistent set of
resilience capabilities and controls across these domains.
• It depends on cross-functional, specialized expertise to evalu­
ate and measure the resilience of the organization in light of
the specific risks it faces.
• It relies on extensive coordination, collaboration, and prepara­
tion to ensure that the organization appropriately considers
resilience in all activities and is ready when the worst happens.
Given the complexity of the topic, it is difficult for boards and
senior management to assess the current level of operational
resilience and determine whether the organization is making
resilience investments in the right areas.
W hat questions should boards and senior m anagem ent
b e asking to provide meaningful challenge and oversight?
We believe that boards and senior management should focus on
understanding the risk levels of their firms, assessing their firms'
readiness for disruptive scenarios, and gaining comfort that their
firms have a robust approach to resilience. Boards and senior
management should also demand a minimum level of data to
support ongoing oversight of risk levels and the progress made
along the resilience journey.
Exhibit 27.3 contains a list of key questions on resilience that
boards and senior management should ask their management
teams.
If the answers to these questions are unsatisfactory, it could signal
that the organization needs to increase focus on resilience. In this
case, boards and senior management should request that their
organizations establish a formal maturity baseline and refocus exist­
ing initiatives or launch a new program to uplift their resilience.
27.4 IMPROVING RESILIENCE:
GETTING STARTED
For firms needing to launch or reset their programs, we recom­
mend starting small, providing transparency to the boards and
Chapter 27 Striving for Operational Resilience
senior management, and getting resilience right for one critical
service before expanding the program.
Exhibit 27.4 lays out an approach to establishing an effective
operational resilience program that allows the organization to
enhance its capabilities without being overwhelmed by the scale
of the effort.
Organizations that manage to establish effective operational
resilience programs will be able to realize the benefits of better
resilience as well as related business benefits:
• Reduce and optimize their risk exposure, with improved vis­
ibility into their risks, better monitoring, a more proactive
approach to controls, and ability to deliver services even
when things go wrong.
• Better focus the organization and drive investment towards
the most important areas, based on a prioritization of their
critical business services.
• Be able to support the innovation agenda of the business
and enable faster innovation cycles without compromising on
risk management by ensuring the organization is adaptable
and considers resilience up front.
• Be more effective and efficient, leveraging a clear under­
standing of critical service delivery to reduce costs
(e .g ., optim ize outsourcing relationships), stream line
processes (e .g ., introduce tools and autom ation), and
enhance efficacy (e .g ., identify and rem ediate steps that
introduce errors).
However, building an effective program is not easy. It will
require new skillsets; closer integration and alignment of risk,
IT, and the business; a cultural shift away from "operational
resilience is IT's responsibility" to "operational resilience is
everyone's responsibility;" and fundamental changes to how the
organization operates.
Boards and senior m anagem ent can help their organizations
overcom e these challenges. They can encourage the right
level of investm ent, drive a "tone from the top" to break
siloes and change culture, and set clear expectations for
progress.
Ultimately, by asking the right questions and demanding
accountability when the answers are unsatisfactory, boards and
senior management can play a pivotal role in enabling their
organizations to achieve resilience. With the growing com plex­
ity in financial services, it is incumbent on every organization
to take resilience seriously, and it is incumbent on boards and
senior management to make sure their organization's resilience
program is on track.
■ 417
 □ What is our risk appetite for resilience risk?

I I □ What KRIs and KPIs provide us with a comprehensive view of our

maturity and uplift program?

G O V ERN A N C E □ Who is accountable in the 1st and 2 n<^ lines of defense for managing,
monitoring, and reporting on resilience?

□ Does the organization understand the dependencies of critical

business services on organizational assets?
□ What are our most critical assets that impact service delivery?

O RG A N IZA TIO N A L □ How does our approach to resilience change the way we manage
FO CUS operations, technology, and third parties?

□ What is our measure of criticality?

\ □ What are our critical business services and why?
>
V
□ How are we leveraging existing definitions of criticality and critical
business services (e.g., from resolution planning)?
IN TEGRATIO N
□ What is our impact on customers and the financial system?

□ What are the most important resilience risks for the organization?

□ How do we monitor and manage the level of resilience of the

organization?
M EASU REM EN T □ How is risk appetite reflected in our impact tolerances?

□ In which scenarios are we outside of our defined impact tolerances?

------------
□ How do we make sure we are effectively prepared for different
disruption events?

□ How frequently are we testing our response and recovery capabilities

PREPARED N ESS for different disruptive scenarios?

Exhibit 27.3 R esilien ce q u e stio n s fo r b o ard s and sen io r m an ag em en t.

418 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
 • Assign accountability and develop an operating model for resilience

• Conduct a resilience maturity assessment to establish a baseline

of the organization's capabilities

• Articulate the organization's critical business services

• Define the target resilience maturity ambition for the organization

• Identify an initial set of metrics (including resilience program metrics)

to provide ongoing reporting to the board

• Run a pilot on one critical service to enhance resilience:

- Identify key dependencies and assess risks
- Define impact tolerances and evaluate resilience through scenarios
- Craft an improvement roadmap

• Identify key learnings and program enhancements to facilitate

the rollout of the program more broadly

• Establish the program to drive resilience improvements based on

lessons learned from the pilot and identified areas of enhancement

• Expand the program to enhance capabilities and roll out a resilience

approach across the remaining critical services
Exhibit 27.4 K e y ste p s for estab lish in g an effective o p eratio n al resilien ce program .

Chapter 27 Striving for Operational Resilience ■ 419

Arbib, M. A. (Ed.) (1995), The Handbook of Brain Theory and Neural
Networks, The MIT Press.
Adelson, M., and Goldberg, M. (2009), On the Use of Models by
Standard & Poor's Ratings Services, www.standardandpoors.com
(accessed February 2010).
Akhavein, J., Frame, W. S., and White, L. J. (2001), The Diffusion of
Financial Innovations: An Examination of the Adoption of Small Busi­
ness Credit Scoring by Large Banking Organization, The Wharton
Financial Institution Center, Philadelphia, USA.
Albareto, G., Benvenuti, M., Moretti, S. eta/. (2008), L'organizzazione
dell'attivita creditizia e I'utilizzo di tecniche di scoring nel sistema
bancario italiano: risultati di un'indagine campionaria, Banca d'ltalia,
Questioni e Economia e Finanza, 12.
Altman, E. I. (1968), Financial Ratios, Discriminant Analysis and Predic­
tion of Corporate Bankruptcy, Journal o f Finance, 23 (4).
Altman, E. I. (1989), Measuring Corporate Bond Mortality and Perfor­
mance, Journal of Finance, XLIV (4).
Altman, E. I., and Saunders, A. (1998), Credit risk measurement: Devel­
opments over the last 20 years, Journal o f Banking and Finance, 21.
Altman, E., Haldeman, R., and Narayanan P. (1977), Zeta Analysis: a New
Model to Identify Bankruptcy Risk of Corporation, Journal of Banking
and Finance, 1.
Altman, E. I., Resti, A., and Sironi A. (2005), Recovery Risk, Riskbooks.
Bank of Italy (2002), Annual Report 2001, Rome.
Bank of Italy (2006), New Regulations for the Prudential Supervision of
Banks, Circular 263, www.bancaditalia.it (accessed February 2010).
Baron, D., and Besanko, D. (2001), Strategy, Organization and Incen­
tives: Global Corporate Banking at Citibank, Industrial and Corporate
Change, 10 (1).
Basel Committee on Banking Supervision (1999a), Credit Risk Modelling:
Current Practices and Applications, Basel, Switzerland.
Basel Committee on Banking Supervision (1999b), Principles for the
Management of Credit Risk, Basel, Switzerland.
Basel Committee on Banking Supervision (2000a), Range of Practice in
Banks' Internal Ratings Systems, Discussion paper, Basel, Switzerland.
Basel Committee on Banking Supervision (2000b), Credit Ratings and
Complementary Sources of Credit Quality Information, Working
Papers 3, Basel, Switzerland.
Basel Committee on Banking Supervision (2004 and 2006), International
Convergence of Capital Measurement and Capital Standards. A
Revised Framework, Basel, Switzerland.
Basel Committee on Banking Supervision (2005a), Studies on Validation
of Internal Rating Systems, Working Papers 14, Basel, Switzerland.
Basel Committee on Banking Supervision (2005b), Validation of Low-
default Portfolios in the Basel IT Framework, Newsletter 6, Basel,
Switzerland.
Basel Committee on Banking Supervision (2006), The IRB Use Test:
Background and Implementation, Newsletter 9, Basel, Switzerland.
Basel Committee on Banking Supervision (2008), Range of Practices and
Issues in Economic Capital Modeling, Consultative Document, Basel,
Switzerland.
Basel Committee on Banking Supervision (2009), Strengthening the
Resilience of the Banking Sector, Consultative Document, Basel,
Switzerland.
Basilevsky, A. T. (1994), Statistical Factor Analysis and Related Methods:
Theory and Applications, John Wiley & Sons Ltd.
Beaver, W. (1966), Financial Ratios as Predictor of Failure, Journal of
Accounting Research, 4.
Berger, A. N., and Udell, L. F. (2001), Small Business Credit Availability and
Relationship Lending: the Importance of Bank Organizational Structure,
US Federal Reserve System Working Papers, Washington, DC, USA.
Berger, A. N., and Udell, L. F. (2006), A more complete conceptual
framework for SME Finance, Journal o f Banking, 30.
Berger, A. N., Frame, W. S., and Miller, N. H. (2002), Credit Scoring and
the Availability, Price and Risk of Small Business Credit, US Federal
Reserve System Working Papers, Washington, DC, USA.
421
Berger A. N., Klapper, L. F.( and Udell, G. F. (2001), The Ability of Banks
to Lend to Informationally Opaque Small Businesses, US Federal
Reserve System Working Papers, Washington, DC, USA.
Berger, A. N., Miller, N. H., and Petersen, M. A. (2002), Does Function
Follow Organizational Form? Evidence from the Lending Practices of
Large and Small Banks, US National Bureau of Economic Research
Working Papers, 8752, Cambridge, MA, USA.
Blochwitz, S., and Eigermann, J. (2000). Unternehmensbeurteilung
durch Diskriminanzanalyse mit qualitativen Merkmalen, Zeitschrift fur
betriebswirtschaftliche Forschung.
Bohn, J. R. (2006), Structural Modeling in Practice, White Paper,
Moody's KMV.
Boot, A. W. (2000), Relationship Banking: What Do We Know? Journal of
Financial Intermediation, 9.
Boot, A. W., and Thakor, A. V. (2000), Can Relationship Banking Survive
Competition? The Journal o f Finance, 55.
Brunetti, G., Coda, Y., and Favotto, F. (1984), Analisi, previsioni, simu-
lazioni economico-finanziarie d'impresa, Etas Libri.
Brunner, A., Krahnen, J. P., and Weber, M. (2000), Information
Production in Credit Relationships: on the Role of Internal Ratings in
Commercial Banking, Working Paper 10, Center for Financial Studies
of University of Frankfurt, Germany.
Burroni, M., Quagliariello, M., Sabatini, E., and Tola, V. (2009), Dynamic
Provisioning: Rationale, Functioning, and Prudential Treatment,
Questioni di Economia e Finanza, 57, Bank of Italy.
Buzzell, R. D. (2004), The PIMS Program of Strategy Research: A Retro­
spective Appraisal, Journal of Business Research, 57 (5).
Buzzell, R. D., and Gale, B. T. (1987), The PIMS principles, The Free
Press.
Cangemi, B., De Servigny, A., and Friedman, C. (2003), Credit Risk
Tracker for Private Firms, Technical Document, Standard & Poor's.
Committee of European Banking Supervisors (2005), Guidelines on the
Implementation, Validation and Assessment of Advanced Measure­
ment (AMA) and Internal Ratings Based (IRB) Approaches.
Christodoulakis, G., and Satchell, S. (2008), The Analytics of Risk
Validation, Elsevier.
De Laurentis, G. (1993), II rischio di credito, Egea.
De Laurentis, G. (2001), Rating interni e credit risk management,
Bancaria Editrice.
De Laurentis, G. (Ed.) (2005), Strategy and Organization of Corporate
Banking, Springer.
De Laurentis, G., and Gabbi, G. (2010), The Model Risk in Credit
Risk Management Processes, in Model Risk Evaluation Handbook
(eds. G. N. Gregoriu, C. Hoppe, and C. S. Wehn), McGraw-Hill.
De Laurentis, G., and Gandolfi, G. (Eds.) (2008), II gestore imprese,
Bancaria Editrice.
De Laurentis, G., Saita, F., and Sironi, A. (Eds.) (2004), Rating interni e
controllo del rischio di credito, Bancaria Editrice.
De Lerma, M., Gabbi, G., and Matthias, M. (2007), CART Analysis of
Qualitative Variables to Improve Credit Rating Processes, http://www
.greta.it/credit/credit2006/poster/7_Gabbi_Matthias_DeLerma.pdf
(accessed February 2010).
De Servigny, A., and Renault, O. (2004), Measuring and Managing
Credit Risk, McGraw-Hill.
422 ■ Bibliography
De Servigny, A., Varetto, F., Salinas, E. et al. (2004), Credit Risk Tracker
Italy, Technical Documentation, www.standardandpoors.com
(accessed February 2010).
DeYoung, R., Hunter, W. C., and Udell, G. F. (2003), The Past Present and
Probable Future for Community Banks, Working Paper 14, Federal
Reserve Bank of Chicago, USA.
Diamond, D. (1984), Financial Intermediation and Delegated Monitoring,
The Review o f Economic Studies, 51 (3).
Draghi, M. (2008), A System with More Rules, More Capital, Less Debt
and More Transparency, Sixth Committee of the Italian Senate, Fact­
finding Inquiry into the International Financial Crisis and Its Effects
on the Italian Economy, Rome, http://www.bancaditalia.it (accessed
February 2010).
Draghi, M. (2009), Address by the Governor of the Bank of Italy, Annual
Meeting of the Italian Banking Association, 8 July 2009, Rome, http://
www.bancaditalia.it (accessed February 2010).
Dwyer, D. W., Kocagil, A. E., and Stein, R. M. (2004), Moody's KMV
Riskcalc™ v3.1 Model, Technical Document, http://www.moodyskmv
,com/research/files/wp/RiskCalc_v3_1 _Model.pdf (accessed February
2010 ).
Ely, D. P., and Robinson, K. J. (2001), Consolidation, Technology and
the Changing Structure of Banks' Small Business Lending, Federal
Reserve Bank of Dallas Economic and Financial Review, First Quarter.
Engelmann, B., and Rauhmeier, R. (Eds.) (2006), The Basel II Risk Param­
eters, Springer.
Fisher, R. A. (1936), The Use of Multiple Measurements in Taxonomic
Problems, Annals of Eugenics, 7.
Finger, C. (2009a), IRC Comments, RiskMetrics Group, Research Monthly
(February).
Finger, C. (2009b), VAR is from Mars, Capital is from Venus, Risk-Metrics
Group, Research Monthly (April).
Frame, W. S., Srinivasan, A., and Woosley, L. (2001), The Effect of Credit
Scoring on Small Business Lending, Journal of Money Credit and
Banking, 33.
Ganguin, B., and Bilardello, J. (2005), Fundamentals of Corporate Credit
Analysis, McGraw-Hill.
Giri, N. C. (2004), Multivariate Statistical Analysis: Revised and
Expanded, CRC Press.
Grassini, L. (2007), Corso di Statistica Aziendale, Appunti sull'analisi
statistica dei bilanci, http://www.ds.unifi.it/grassini/laura/Pistoia1/
indexEAPT2007_08.htm (accessed February 2010).
Golder, P. A., and Yeomans, K. A. (1982), The Guttman-Kaiser Criterion as
a Predictor of the Number of Common Factors, The Statistician, 31 (3).
Gupton, G. M., Finger, C. C., and Bhatia, M. (1997), Credit Metrics, Tech­
nical Document, Working Paper, JP Morgan, http://www.riskmetrics
.com/publications/techdocs/cmtdovv.html (accessed February 2010).
IASB (2009), Basis for Conclusions on Exposure Draft, Financial Instru­
ments: Amortized Cost and Impairment, 6 November 2009.
Ito, K. (1951), On Stochastic Differential Equations, American Mathematical
Society, 4.
Jackson, P., and Perraudin, W. (1999), Regulatory Implications of Credit
Risk Modelling, Credit Risk Modelling and the Regulatory Implica­
tions Conference (June 1999), Bank of England and Financial Services
Authority, London.
Landau, S.( and Everitt, B. (2004), A handbook of statistical analyses
using SPSS-PASW, CRC Press.
Loehlin, J. C. (2003), Latent Variable Models—An Introduction to Factor,
Path, and Structural Equation Analysis, Lawrence Erlbaum Associates.
Lopez, J., and Saidenberg, M. (2000), Evaluating credit risk models,
Journal of Banking and Finance, 24.
Lyn, T. (2009), Consumer Credit Models—Pricing, Profit and Portfolios,
Oxford Scholarship Online.
Maino, R., and Masera, R. (2003), Medium Sized Firm and Local
Productive Systems in a Basel 2 Perspective, in Industrial Districts
and Firms: The Challenge of Globalization, Modena University, Italy,
Proceedings, http://www.economia.unimore.it/convegni_seminari/
CG_sept03/papers.html (accessed February 2010).
Maino, R., and Masera, R. (2005), Impresa, finanza, mercato. La gestione
integrata del rischio, EGEA.
Masera, R. (2001) II Rischio e le Banche, Edizioni II Sole 24 Ore, Milano.
Masera, R. (2005), Rischio, Banche, Imprese, i nuovi standard di Basilea,
Edizioni II Sole 24 Ore.
Masera, R., and Mazzoni, G. (2006), Una nota sulle attivita di Risk e
Capital Management di un intermediario bancario, Ente Luigi Einaudi,
Quaderni, 62.
Merton, R., (1974), On the Pricing of Corporate Debt: the Risk Structure
of Interest Rates, Journal of Finance, 29.
Modigliani, F., and Miller, M. H. (1958), The Cost of Capital, Corporation
Finance and the Theory of Investment, American Economic Review, 48.
Moody's Investor Services (2000), Benchmarking Quantitative Default
Risk Models: a Validation Methodology (March).
Moody's Investor Service (2007), Bank Loan Recoveries and the Role
That Covenants Play: What Really Matters? Special Comment (July).
Moody's Investor Service (2008), Corporate Default and Recovery Rates
1920-2007 (February).
Nixon, R. (2006), Study Predicts Foreclosure for 1 in 5 Subprime Loans,
NY Times (20 December 2006).
OeNB and FMA (2004), Rating Models and Validation, Oesterreichische
Nationalbank and Austrian Financial Market Authority.
Petersen, M. A., and Rajan, R. G. (1994), The Benefits of Lending Rela­
tionships: Evidence from Small Business Data, Journal of Finance, 49.
Petersen, M. A., and Rajan, R. G. (2002), Does Distance Still Matter? The
Information Revolution in Small Business Lending, Journal of Finance,
57 (6).
Pluto, K., and Tasche, D. (2004), Estimating Probabilities of Default on
Low Default Portfolios, Deutsche Bundesbank Publication (December).
Porter, M. (1980), Competitive Strategy, Free Press.
Porter, M. (1985), Competitive Advantage: Creating and Sustaining
Superior Performance, Free Press.
Rajan, R. G. (1992), Insiders and Outsiders: the Choice Between Rela­
tionship and Arms Length Debt, Journal of Finance, 47.
Resti, A., and Sironi, A. (2007), Risk Management and Shareholders'
Value in Banking, John Wiley & Sons Ltd.
Saita, F. (2007), Value at risk and bank capital management, Elsevier.
Schwizer, P. (2005), Organizational Structures, in Strategy and Organiza­
tion of Corporate Banking (Ed. G. De Laurentis), Springer.
Sharpe, W. (1964), Capital Asset Prices: a Theory of Market Equilibrium
under Conditions of Risk, Journal o f Finance, 19.
Sobehart, J. R., Keenan, S. C., and Stein, R. M. (2000), Validation
Methodologies for Default Risk Models, Algo Research Quarterly, 4
(1/2) (March/June).
Standard & Poor's (1998), Corporate Ratings Criteria, http://www
.standardandpoors.com.
Standard & Poor's (2008), Corporate Ratings Criteria, http://www
.standardandpoors.com.
Standard & Poor's (2009), Default, Transition, and Recovery: 2008
Annual Global Corporate Default Study and Rating Transitions.
Standard & Poor's (2009a), Annual Global Corporate Default Study and
Rating Transitions, http://www.standardandpoors.com.
Standard & Poor's (2009b), Global Structured Finance Default and
Transition Study 1978-2008: Credit Quality of Global Structured
Securities Fell Sharply in 2008 Amid Capital Market Turmoil, http://
www.standardandpoors.com.
Standard & Poor's (2009c), Guide to Credit Rating Essentials, 21 August
2009, http://www.standardandpoors.com.
Steeb, W. H. (2008), The Nonlinear Workbook: Chaos, Fractals, Neural
Networks, Genetic Algorithms, Gene Expression Programming,
Support Vector Machine, Wavelets, Hidden Markov Models, Fuzzy
Logic with C++, Java and Symbolic C++ Programs: 4th edition, World
Scientific Publishing.
Stevens, J. (2002), Applied Multivariate Statistics for the Social Sciences,
Lawrence Erlbaum Associates.
Tan; P.-N., Steinbach, M., and Kumar, V. (2006), Introduction to Data
Mining, Addison-Wesley.
Tarashev, N. A. (2005), An Empirical Evaluation of Structural Credit
Risk Models, Working Papers No. 179, BIS Monetary and Economic
Department, Basel, Switzerland.
Thompson, M., and Krull, S. (2009), In the S&P 1500 Investment-Grade
Stocks Offer Higher Returns over the Long Term, Standard and Poor's
Market Credit and Risk Strategies (June), http://www.standardandpoors
.com.
Thurstone, L. L. (1947), Multiple Factor Analysis, University of Chicago
Press, Chicago.
Treacy, W. F., and Carey, M. S. (1998), Credit Risk Rating at Large U.S.
Banks, US Federal Reserve Bulletin (November).
Treacy, W. F., and Carey, M. S. (2000), Credit Risk Rating Systems at
Large U.S. Banks, Journal of Banking and Finance, 24.
Tukey, J. W. (1977), Exploratory Data Analysis, Addison-Wesley.
Udell, G. F. (1989), Loan Quality Commercial Loan Review and Loan
Officer Contracting, Journal of Banking and Finance, 13.
Vasicek, O. A. (1984), Credit Valuation, White Paper, Moody's KMV
(March).
Wehrspohn, U. (2004), Optimal Simultaneous Validation Tests of Default
Probabilities Dependencies and Credit Risk Models, http://ssrn.com/
abstract=591961 (accessed February 2010).
Wilcox, J. W. (1971), A Gambler's Ruin Prediction of Business Failure
Using Accounting Data, Sloan Management Review, 12 (3).
Bibliography ■ 423
A anchoring bias, 130
ancillary processes, 228
Aas, K.f 215
Ang, A., 234
absolute risk measurement, 206
Anti-Kickback Statute, 156
ABX index, 182
anti-money laundering (AML), 154
acceptance, of rating systems, 165-166
supervisory activity, 292
accounting performance vs. economic value, 23-24
anxiety bias, 130
accounting problem, 24
Applied Science and Technology Research Institute (ASTRI), 369
accuracy, data quality, 156
arbitrage, convertible bonds and, 181
accuracy indexes, for validation, 169
asset-liability management (ALM), 264
Acharya, V. V., 275, 279
asset management, OpRisk data, 133-134
acquisition/divestiture analysis, 203
assets under management (AUM), 133
adaptive response, in cyber resilience, 353
Association of Certified Fraud Examiners Report to the Nation
add-on factor, 228
(2006), 155
advanced IRB (A-IRB) approach, 333
asymmetries distribution, 26
advanced measurement approach (AMA), 119, 315, 316, 335
asymptomatic single-risk-factor (ASRF) model, 221, 222
for loss estimation, 255
asymptotic single risk factor model, 312
advanced persistent threat (APT), 355
at the margin, 22
adverse price movements, 121
audit, of third parties, 383
after the fact, 27
Australian crisis, 84
aggregate risk capital, 191
Australian Prudential Regulation Authority (APRA), 84, 98,
aggregating risks, 24-25
365, 366
aggregation. See also risk aggregation
auto lending, 275
challenges, 227
Autorite de Controle Prudentiel et de Resolution (ACPR), 370
of projections, 264-265
availability bias, 129
of risk measure, 210
available capital, 203, 207
AIG, 299
available-for-sale (AFS) securities, 254-255
Allen, L., 275
available stable funding (ASF), 325
Alliant Credit Union, 34
AXA Rosenberg Group LLC, 176
allowance for loan and lease losses (ALLL), 264
American Air Force, 130
American Axle Co., 180 B
amortised cost, 345 back-testing, 147-148, 170-173, 219, 229
analytic monitoring, in cyber resilience, 353 backward-looking indicators, of resilience, 372-373

425
balance sheet, 263-264 innovations of, 311
liability side of, 232 operational risk capital, 315
modeling, 276-277 Pillar 2, 311, 312
Bangia, A., 224, 272 Pillar 3, 311, 312
Bankers Trust, 186 regulation, 124, 162, 166
bank exposures, 314 validation principles, 217
bank holding companies (BHCs), 238-240 Basel II.5, 320-321
documenting decisions, 245 Basel II Accords, 154-155
internal capital planning (See capital planning) Basel III, 321
internal control framework, 241 capital conservation buffer, 323-325
policies and procedures, 242-243 capital, definition of, 322
scenario design, 247-248 CVA risk framework, 325, 334-335
banking book finalising post-crisis reforms, 339-346
formal stress testing, 272 internal ratings-based (IRB) approach, 325-326, 333-334
interest rate risk in, 198, 200, 229-235 leverage ratio, 323, 335-336
optionality in, 231-232 liquidity risks, 325-326
vs. trading book, 235 operational risk framework, 326, 335
banking conduct and culture output floor, 336-337
assessment of industry progress, 88-99 post-crisis reforms, 324
effective three lines of defense, 96-97 standardised approach for credit risk, 325, 330-333
holding managers accountable, 99 transitional arrangements, 337-338
investor view, 93 basic indicator approach (BIA), 315
mindset of, 90-91 basis risk, 178
performance management and incentives, 93-94 Bear Stearns, 268
regulators, supervisors, enforcement authorities, and industry benchmarking, 170-173, 219
standards, 97-99 benchmark models, 147, 254
senior accountability and governance, 91-93 Berkowitz, J., 272
skills and capabilities required of regulators, 105 bias, in scenario analysis, 129
staff development and promotions, 94-96 bid-ask spread, 231
training for lasting behavioral change, 106 bilateral clearing, 296, 298
Banking Executive Accountability Regime (BEAR), 84, 98 bilateral cyber-security information-sharing, 377
Banking Standards Board (BSB), 99, 106, 113 binomial test, 170
Banking Supervisory Requirements for IT (BAIT), 366 BIS, 192, 272
Bank of England, 306, 307, 325, 369, 386 Black, F., 230
bankruptcy, 21, 302-303 Black-Scholes biases/model, 176
Bank Secrecy Act (BSA), 154, 289, 292 board and management engagement, 74
banks' pricing behaviour, 232-233 board of director (BOD), 6-7
banks share information, 375 capital planning and, 243-244
Banziger, Hugo, 34 in cyber-security, 367
Barings Bank, 315 governance, 6-8
Basel Accord, 128, 306 recommendations for, 57-59
Basel Committee, 216 responsibilities regarding service providers, 284
interest rate risk, principles for, 233 risk management, 149
Principle 16, 229 board reporting, 244
validation principles, 217 board responsibilities
Basel Committee on Banking Supervision (BCBS), 140, 162, 212, 306, governance, 401
307, 393 interaction with other, 404
base-level metrics, 158 Board to Banker, 67
Basel I, 306-311 bootstrap procedures, 169
goal of, 307 bottom-up process, 52, 58
risk-based capital ratio, 307-311 Boudoukh, J., 275
Basel II, 196 Brace, A., 230
credit risk capital, 312-314 Breuer, T. M., 212
event type, 119-121 broker-dealers risk, 134

426 ■ Index
Buehler, Kevin, 34 capital conservation buffer (CCB), 323-325
burned-out capital, 187 capital management
business continuity (BC), 412, 414 decisions, 185
operational resilience and, 406, 411 process, 194
planning, 13-14 Capital Management Policy, 71
of service providers, 289 capital planning, 238-239
and testing, 411 assessing capital adequacy impact, 263-265
business cycle, 193 BHC scenario design, 247-248
business disruption and system failures (BDSF), 121-122 capital policy, 245-247
business environment and internal control environment factors (BEICFs), estimation methodologies for losses, revenues, and expenses,
125-128 248-263
key risk indicators (KRIs), 127 foundational risk management, 240-241
risk control self-assessment (RCSA), 126-127 governance, 243-245
business impact assessment (BIA), 382 internal controls, 241-243
business impacts, of data quality, 154-155 Capital Plan Rule, 238, 239, 244, 247
business impact view, 159 capital policy, 245-247
business indicator (Bl), 335, 340, 341 contingency plan, 246-247
business indicator component (BIC), 325, 335, 340, 344-345 goals and targets, 246
business-level use, of economic capital, 201-202 weak, 246
business line management, 136 capital requirements, 98
business performance captive finance, 180
enterprise risk management (ERM), 32-33 capture the flag, 350
business planning process, 51-54 cash flow mappings, 178
business process mappings, 8 cash flows, 24, 178
business process view, 159 catastrophe bonds, 33
business resumption, service provider contracts and, 288 catastrophe exposure, 156
business risk, 211 CDS indexes, 178
business services CDX.NA.IG, 178
definitions, 387-388 Central Bank of Ireland, 269
disruption to multiple, 389 central banks, 306
group, 402-403 central clearing, 296-298
important, 394-395 central counterparty (CCP), 296, 301
internal services, 387 and bankruptcy, 302-303
business unit (BU), 3, 43, 48, 49, 51 defined, 296
in OTC markets, 297
central risk function, 135-136
C challenger models, 242
calibration, quantitative validation, 170 change-control processes, 205
Campa, J. M., 233 charge-off models, 252, 254
Canabarro, E., 275 chief information officer (CIO), 368
capital chief information security officers (CISO), 368
for credit risk, 312-314 chief risk officer (CRO), 16, 28, 33-34, 368
definition of, 322 China Banking Regulatory Commission (CBRC), 98
for market risk, 310-311 chi-square test, 170
for operational risk, 315 Chrysler, 180
Tier 1 and Tier 2, 307 Citigroup, 91
capital adequacy assessment, 198-199, 204, 263-265 classification tests, for validation, 169
capital adequacy process (CAP), 238 clearing houses, 297
principles of, 239 ClearPort, 297, 303
capital asset pricing model (CAPM), 186 clients, products and business practices (CPBP) risk, 120-121
Capital Assistance Program (CAP), 269 CLO, 179
capital budgeting, 194, 203 closeout horizon, 228
decision rule, 190-191 cloud service providers (CSPs), 380
risk-adjusted return on capital (RAROC), 187-188 regulatory cloud summits, 380

Index ■ 427
cloud services, 359 confidentiality
CMBS, 182 of information for third-party interactions, 383-384
CMBX, 182 service provider contracts and, 286-287
CME Group, 297 conservatism, 250
Cochrane, J. H., 234 consistency
Coherent Stress Testing (Rebonato), 273 data quality, 156-157
Cole, Eric Dr., 354 rating systems, 166
collection threshold, 123-124 Consumer Financial Protection Bureau (CFPB), 98, 328
Collins and Aikman, 180 consumer loans, 231
commercial banking, 61 contagion approach, 221
commercial real estate (CRE), 332 context bias, 130
Commission de Surveillance du Secteur Financier (CSSF), 380 contingency considerations, of service providers, 289
committee composition, 8 contingency plan
Committee of European Banking Supervisors (CEBS), 269, capital, 246-247
270, 380 service provider contracts and, 288
Committee on Global Financial Stability (CGFS), 233, 272 contingent convertible bonds (CoCos), 326-327
Committee on Market Best Practices (CMBP), 40 contraction risk, 231
Committee on Payments and Market Infrastructures control and mitigation
(CPMI), 364 risk management environment, 11-12
committee operation, 8 Control Objectives for Information and Related Technologies
committee structure, 8 (COBIT), 365
Common Equity Tier 1 (CET1) capital, 330 convertible bonds, 178
common risk currency, 211 Cooke ratios, 307
Commonwealth Bank of Australia (CBA) Group, 41, 73-77 coordinated defense, in cyber resilience, 353
comparative advantage in risk-bearing, 17 copulas, 197, 213, 214, 222
comparative analysis, 9 core risk level, 189
compensation, service provider contracts and, 286 core risks, 16, 189
completeness corporate culture, 108-110
of databases, 124 corporate exposures, 314
of data quality, 156 corporate finance, 131
of rating systems, 165 corporate governance, enterprise risk management
complex metric, 158 (ERM), 35
compliance risk, 241 corporate operational risk management function (CORF), 3
data quality, 154, 156 corporate risk manager, 16
compliance risks, 284 corporate treasury, 16
comprehensive approach, 312 correspondent banking, 293-294
Comprehensive Capital Analysis and Review (CCAR), 95, 238, costs, service provider contracts and, 286
239, 327 Council for Registered Ethical Security Testers (CREST),
comprehensive risk measure, 321 354, 369
comprehensive validation countercyclical capital buffer (CCyB), 323, 324
evaluation of, 145-146 counterparties
ongoing monitoring, 146-147 credit risk engines, 228
outcomes analysis, 147-148 defaults of, 259
computer emergency readiness team (CERT), 378 high risk, 228
Computer Incident Response Center (CIRCL), 378 margined vs. non-margined, 227
computer security incident response teams (CSIRTs), 378 counterparty credit exposure, 225
concentration risk, 284, 379 measurement, 226
identification, 228 range of practices, 227-229
conduct, defined, 80 counterparty credit risk (CCR), 198, 199, 275
confidence-based impacts, data quality, 154 ancillary processes and, 228
confidence level challenges, 225-227
risk-adjusted return on capital (RAROC), 190 market risk and, 257-258
risk aggregation and, 212 model validation, 229
risk measures and, 209 operational-risk-related challenges, 226-227

428 ■ Index
country risks, 284 cyber-resilience
CPMI-IOSCO guidance, 371,380, 382 adaptation to changing conditions, 349
credit conversion factors, 309 business continuity planning and staff engagement, 349-350
credit equivalent amount, 309, 310 challenge of, 351
credit loan loss-estimation approaches, 252 communication and sharing of information, 373-378
CreditMetrics, 189, 221, 273 defined, 364
credit portfolio management, 201 gamification, 350
credit portfolio models, supervisory concerns relating to, 223-224 incident response planning, 353-354
credit risk, 25 and independent assurance, 370-371
assessment, 155 information security controls testing, 370-371
capital for, 312-314 interconnections with third parties, 379-384
copulas and, 222 negative attributes, 352
counterparty, 198, 199, 225-229 nudging behavior, 350
data quality, 155-156 objectives, 352-353
dependency modelling, 197, 197, 220-224 organization, attributes of, 351-353
interest rate risk and, 234-235 positive attributes, 352
internal ratings-based (IRB) approach for, 333-334 real-time crisis management, 348-349
and market risk, 226 response and recovery testing and exercising, 371-372
price of, 233 risk awareness in staff, 349
retail and wholesale, 251 risk management framework, 348
risk aggregation, 211 safety management, 350-351
standardised approach for, 330-333 security solutions, 354-357
CreditRisk+, 221, 222, 273 standards, 349
credit substitution approach, 315 standards and guidelines, 365, 366
credit support annex (CSA), 227, 298 supervising methods, 370
credit valuation adjustment (CVA), 258, 275, 325, 326, threat detection, 354-355
334-335 training programs, 349
CREST Certified Simulated Attack Manager (CCSAM), 369 cyber-risk controls, taxonomy of, 371
CREST Certified Simulated Attack Specialist (CCSAS), 369 cyber-security, 348, 412
CREST Certified Threat Intelligence Manager (CCTIM), 369 architecture and standards, 368
Critical Infrastructure Notification System (CINS), 376 information-sharing practices, interlinkage of, 373
cross-industry management roles and responsibilities, 367
high dependence on specialized skills, 87-88 and resilience metrics, 372-373
ineffective leadership and management skills, 88 risk awareness culture, 367-368
lack of diversity, 87 strategy, 366-367
misaligned incentives, 88 threat analysis, 348
presence of dominant companies, 87 workforce, 368-369
Cross Market Operational Resilience Group (CMORG), 372 Cyber Security Agency (CSA), 374
Crouhy, Michel, 190 Cybersecurity Fortification Initiative (CFI), HKMA's, 369
crowded trades, 227 Cyber Security Summit, 350
C-suite, 101, 102 cyber threats, 352
culture cyber war game, 372
dashboards, 109
defined, 80 D
of distribution, 110 Dai, Q., 230
of production, 110 damage to physical assets (DPA), 123
cure period, 227 Dang, T. V., 280
currency, data and, 157 Das, S. R., 223
current exposure method, 225, 308 databases
customer and product profitability analysis, 202 completeness of, 124
customer complaints, service provider contracts and, 288 external, 128
customer due diligence (CDD), 293 data collection, 167
customer segmentation, 201, 202 data, for loss estimation, 251
cyber-fraud, 376 data governance (DG), 154

Index ■ 429
data quality, 255-256 shortcomings of, 223-224
accuracy, 156 use of, 224
business impacts of poor, 154-155 derivatives bonds, 33
checks, 218 Derman, E., 230
completeness, 156 Deutsche Bank, 34
compliance risk, 154, 156 development risk, 156
confidence-based impacts, 154 differences of opinion, 98
consistency, 156-157 digital service providers (DSP), 378
control, 157-158 Dimakos, X. K., 215
credit risk, 155-156 direct market access, 134
currency, 157 directors, role of, 114
development risk, 156 disaster recovery (DR), 414
dimensions, 156 disclosure
employee fraud and abuse, 155 economic capital and, 205
financial impacts, 154 role of, 12
information flaws, 155 stress testing, 270, 277-279
inspection, 157-158 discriminatory power, 168, 169
insurance exposure, 156 discussion paper (DP), 386
issues view, 158-159 dispute resolution, service provider contracts and, 287
mapping business policies to data rules, 157 distorted risk measures, 208, 209
other dimensions of, 157 distributed denial of service (DDOS), 373
oversight, 157-158 diversifiable risk, 16
productivity impacts, 154 diversification
reasonableness, 157 assumptions, 206
and revenue assurance, 155 effect, 191-192
risk impacts, 154 inter-risk, 212-213
satisfaction impacts, 154 documentation
scorecard, 158 for capital planning, 243
underbilling, 155 risk management, 151
uniqueness, 157 documenting decisions, BHCs with, 245
validating rating models, 166-168 Dodd-Frank Act, 238, 277
dataset, 164-167 domestically systemically important (D-SIBs), 323, 327
deadweight costs, 16 due diligence, service providers and, 285-286, 293
debt-to-equity ratio, 185 Duffie, D., 223, 298
deception, in cyber resilience, 353 dynamic simulation model, 231
decision-making, 143
authority, 18
economic capital to, 27-28 E
financial aspects of, 140 earnings at risk (EaR), 230, 232
process, 44 economic capital, 184, 185. See also risk capital
decomposition, of risk measure, 210 adequacy assessment, 198-199, 204
default business-level use, 201-202
events of, 298 challenges in, 200
service provider contracts and, 287 change-control processes, 205
default mode model, 222 counterparty credit risk, 198, 199, 225-229
default probabilities, 165 to decision-making, 27-28
default risk charge, 337 defined, 196, 200, 215
Delphi Corp., 180 dependency modelling, credit risk, 197, 199, 220-224
Delphi technique, 130 governance and, 196, 201-207
delta risk, 300 for interest rate risk, 198, 200, 229-235
De Nederlandsche Bank (DNB), 97 internal model validation, 216-220
Department of Defense Guidelines on Data Quality, 155 recommendations, 198-200
dependency modelling risk aggregation, 197, 199, 210-216
in credit risk, 197, 199, 220-224 risk identification, 199

430 ■ Index
 risk measures, 196-197, 199, 207-210 events of default, 298
senior management involvement, 204 exception VAR, 311
supervisory concerns relating to, 205-207 excess equity, 19
transparency and meaningfulness, 207 exchange-traded market, 296, 302
unit involved, 205 execution, delivery, and process management (EDPM), 119-120
uses, 196, 201-207 "Exercise" Resilient Shield, UK/US, 372
validation, 197, 199 expected losses (EL), 36, 190, 252, 313, 314
economic value added (EVA), 36, 187 expected operational losses, 125
economic value of equity (EVE), 230, 232 expected revenues, 187
economic value vs. accounting performance, 23-24 expected shortfall (ES), risk measures and, 208, 209
employee engagement, 109 exposure at default (EAD)
employee fraud and abuse, 155 loss estimation and, 252
employment practices and workplace safety (EPWS), 122-123 value, 225
Enron, 221 extension risk, 232
enterprise risk, 70 external auditors, 14
enterprise risk management (ERM) external communication, 204
benefits of, 31-33 external databases, 128
business performance, 32-33 external dependencies, 13
chief risk officer, 33-34 external frauds, 122
components of, 34-37 external loss data, 9
corporate governance, 35 external resources, risk management, 150-151
and corporate level risk committee, 23 extreme value theory (EVT)
data and technology resources, 37 defined, 230
definitions, 30-31 drawbacks, 230
determining, 18-24
implementing, 22-28
leadership, 23 F
line management, 35-36 factor-based capital allocation approach, 18
micro benefits of, 17-18 factor loading, 234
organizational effectiveness, 31 failure resolution mechanisms, 298
portfolio management, 36 Fannie Mae, 268
risk analytics, 36 FASB Statements, 262
risk reporting, 31-32 fat tails, 24, 26
shareholder value, 16-18 Federal Deposit Insurance Corporation (FDIQ), 366
stakeholder management, 37 Federal Financial Institution Examining Council (FFIEC), 284,
enterprise-wide levels, 43 287, 365
enterprise-wide use, economic capital and, 202-204 Federal Insurance Office's (FIO), 132
entities, 284 Federal Reserve Bank, 238, 239
Equifax, 352 Federal Reserve Bank of New York, 98
equity capital, 26 Federal Reserve's Capital Plan Rule, 238
equity tranche, 180 feeder models, 242
Ernst & Young, 156 Feldman, Matthew, 34
escrow agreements, 287 Fender, I., 272
estimation methodologies Financial Action Task Force's (FATF), 292
general expectations, 248-251 financial condition, of service providers, 288-289
loss-estimation, 251-259 Financial Conduct Authority (FCA), 93, 386
PPNR projection, 259-263 Financial Consumer Agency of Canada (FCAC), 98
European Banking Authority (EBA), 93, 269, 271, 276, 364, 365 financial crisis
European Framework for Threat Intelligence-based Ethical Red Teaming 2000-2007, 133
(TIBER-EU), 371 2007-2009, 189
European Insurance and Occupational Pensions Authority (EIOPA), 316 financial distress, 19, 20, 26
European Securities and Markets Authority (ESMA), 364 financial impacts, data quality, 154
European Supervisory Authorities, 364 Financial Industry Information Systems (FISC), 369
event management, 8 Financial Industry Regulatory Authority (FINRA), 98

Index ■ 431
financial institutions, 185 futures contracts, 297
contract provisions and considerations, 286-288 futures exchange clearing, 297
defined, 284
failed, 306 G
operations and internal controls, 286
Gambacorta, L., 233
performance and condition, 285-286
gamification, 350
financial market infrastructures (FMIs), 364, 386
gaming, 130
Financial Policy Committee, 328
gap risk, 227
financial regulators, 414
GARCH (General Autoregressive Conditional Heteroscedasticity), 234
financial resilience, 405-406
Gaussian copula, 222, 223
financial sector professionals, 380
Gaussian copula model, one-factor, 312
Financial Security Institute (FSI), 369
General Data Protection Regulation (GDPR), 86
Financial Services and Markets Act 2000 (FSMA), 387
General Motors (GM), 180
Financial Services Information-sharing and Analysis Center (FS-ISAC), 376
General Motors Acceptance Co. (GMAC), 180
Financial Stability Board (FSB), 99, 110, 320
German Banking Act, 366
Financial Stability Oversight Council (FSOC), 328
German steel resilience, 355
financial terrorism, 292. See also money laundering and financial
Gibson, M. S., 272
terrorism (ML/FT) risk management
Global Banking Education Standards Board, 99
FinTech Knowledge Hub, 370
global systemically important banks (G-SIBs), 323, 327, 335-336
FinTech Lab, 370
global systemically important insurers (G-SII), 323
Fiori, R., 234
Goldstein, I., 279
fire sale, 189
Gonzales-Minguez, J. M., 233
firms, debt, 21
good risk, 112
Fisher's r2, 169
Google, 135
Fitch rating, 184
Gordy, M. B., 312, 313
fixed diversification, 213
Gordy model, 321,322
Fixed Income, Currencies and Commodities Market Standards Board,
Gorton, G., 280
99, 106
governance
fixed-rate mortgages, 231
board of directors, 6-7
Flannery, M. J., 268
board responsibilities, 401
flight to quality, 264, 274
capital planning and, 243-245
floating-rate bond, 232
cyber, 365-369
Foglia, A., 272
economic capital and, 196, 201-207
Ford, 180
of ERM, 28
Ford Motor Credit Co. (FMCC), 180
management responsibilities, 401
foreign-based service providers, 288, 289
operational, 3
foreign-exchange (FX) risks, 30
operational resilience, 410
forensic investigation, 353
risk management, 148-151
foundational risk management, 240-241
risk organization and, 136-137
foundation IRB (F-IRB) approach, 333
senior accountability and, 91-93
frailty approach, 223
senior management, 7-8
A Framework for Internal Control Systems in Banking Organisations
Gramm-Leach-Bliley Act of 1999, 155
(Basel Committee), 11
granular credit-risk rating system, 253
frauds
gross income, 315, 316
cyber-fraud, 376
gross loss, 342-343
employee fraud and abuse, 155
group-level use, economic capital and, 202-204
external, 122
Group Risk Appetite Statement (RAS), 74-75
internal, 122
Group Risk Management, 63
Freddie Mac, 268
Friedman, Paul, 176
full modelling/Simulation, 213, 214 H
full-revaluation methods, 259 haircut, for securities financing activities, 229
fully diversified capital, 192 Heath, D., 230
funding liquidity, 280 hedge, 17

432 ■ Index
held-to-maturity (HTM) security, 254-255 information security management, 370
Hickman, A., 273 information-sharing
high-quality liquid assets (HQLA), 325, 326 from banks to regulators, 375-376
historical averages, 257 cross-border cybersecurity, 377
holding managers accountable, 99 frameworks across jurisdictions, 373-374
Holmstrom, B., 280 percentage of jurisdictions, 374
Hong Kong Monetary Authority (HKMA), 98, 369, 377 from regulators to banks, 377
Hopper, G., 275 with security agencies, 377-378
hotel keycard failure, 351 sharing among banks, 375
house price index (HPI), 255, 274, 279 sharing among regulators, 376-377
huddle bias, 130 types of, 375
hurdle rate, 190-191 information technology (IT), 30
hybrid approach, 177 Information Technology Supervisors' Group (ITSG), 365
hybrid capital, 277 initial margin, 296
hypothetical portfolio testing, 218-219 determination of, 300
Institute of International Finance (IIF), 110
Institute of Risk Management (IRM), 110
I insurance, service provider contracts and, 287
IACPM and ISDA study, 220, 222-224 interest rate risk
lannotti, S., 233, 234 assessment of, 230-231
IBM OpVantage, 128 in banking book, 198, 200, 229-235
ICE Clear, 297 credit risk and, 234-235
IFRI and CRO Forum (2007) survey, 203, 205, 207, 209, 214 defined, 229
impact tolerances measurement challenges, 231-235
actions to remain within, 397-398 sources of, 229
disruption to multiple business services, 389 stress testing, 233-234
measuring, 389 internal audit, 3, 219, 241-242, 289
metrics, 396-397 function, 163
policy implementation, 398 risk management, 150
for PRA-FCA dual-regulated firms, 388-389 internal capital adequacy assessment process (ICAAP), 197, 200, 312
risk appetite and, 405-406 internal controls
setting an, 395-396 for capital planning, 241-243
vs. supervisory authorities, 389 service providers and, 289
implementing ERM internal data collection, 255-256
aggregating risks, 24-25 internal dependencies, 13
economic capital to make decisions, 27-28 internal frauds, 122
economic value vs. accounting performance, 23-24 internal loss data, 123, 342
governance of, 28 Internal Loss Multiplier (ILM), 326, 335, 340-341
inventory risks, 22-23 internal models approach, 227
measuring risks, 26 internal ratings-based (IRB), 162
regulatory vs. economic capital, 26-27 approach, 276, 312-313
incentive compensation review, 288 for asset classes, 333
incident management, 406, 412 bank, corporate, and sovereign exposures, 314
incident response planning, in cyber resilience for credit risk, 333-334
forensic investigation, 353 retail exposures, 314-315
initial breach diagnosis, 354 internal rating systems, 164
income simulation models, 232 internal reporting, 203
incremental default risk charge (IDRC), 321 International Accounting Standards Board, 125
incremental risk charge (IRC), 320-321 international alignment, 393
indemnification, service provider contracts and, 287 International Association of Credit Portfolio Managers (IACPM), 220,
inexpert opinion, 130 222-224
information and communication technology (ICT), 12-13, 412 International Association of Insurance Supervisors (IAIS), 306
information flaws, 155 International Financial Reporting Standard 9 (IFRS 9), 97
information security controls, 370-371 International Monetary Fund, 111

Index ■ 433
International Organization of Securities Commissions (IOSCO), long tail distribution, 24
302, 306, 364 look-back option, 189
International Organization of Standardization (ISO 31000), 31 Lopez, J., 314
International Swaps and Derivatives Association (ISDA), 220, 222-224, loss data identification
298, 309 general criteria, 342
inter-risk diversification, 212-213 specific criteria, 342-343
inventory risks, 22-23 loss data set, 342
investor, 93 loss-distribution approach (LDA), 256-257
ISDA master agreement, 298 losses
ISO 22301, 349 exclusion of, 343
ISO 27001, 349 inclusion of, 344
issuer defaults, 259 loss-estimation methodology
available-for-sale (AFS), 254-255
charge-off models, 254
J
correlation with macroeconomic factors, 256
Japanese Financial Services Agency (JFSA), 371
counterparty and issuer defaults, 259
Joint Policy Statement on Interest Rate Risk, 273
credit loan approaches, 252
joint public-private exercising, 372
data and segmentation, 251
Joint Statement on Innovative Efforts to Combat Money Laundering and
expected loss approaches, 252
Terrorist Financing, 292
held-to-maturity (HTM), 254-255
Jorion, R, 275
historical averages, 257
internal data collection and data quality, 255-256
K legal exposures, 257
loss-distribution approach (LDA), 256-257
Karolyi, G. A., 109
Kaspersky Lab, 350 market risk and counterparty credit risk, 257-258

KMV, 189 operational-loss-estimation approaches, 256

Koyluoglu, H. U„ 273 operational risk, 255
Kupiec, P. H., 272 overview, 251
Kuritzkes, A., 268 P/L estimates, 259
rating transition models, 253
regression models, 256
L retail and wholesale credit risk, 251
Large Exposures Framework, 322 revaluation, 259
leadership, 49, 51, 102 risk mitigants, 259
capabilities, 86 roll-rate models, 253-254
legal exposures, 257 scalar adjustments, 254
legal risks, 284, 340 scenario analysis, 257
Lehman, 268 stress scenarios, 258
lending technology, 167 translating scenarios to risk factor shocks, 258-259
Leung, Mona, 34 vintage loss models, 254
leverage ratio loss given default (LGD), 225, 275
Basel III framework, 335-336 credit-risk-related challenges to, 226
capital requirements, 323 loss estimation and, 252
license, service provider contracts and, 287 Luxembourg regulator, 380
limits on liability, service provider contracts and, 287
line management, enterprise risk management (ERM), 35-36
line of business (LOB) management, 48 M
liquidity, 301-302 machine learning, 95
liquidity coverage ratio (LCR), 325-326, 330 Macquarie University Risk Culture Scale, 112
living wills, 326-327 macroeconomic factors
loan-to-value (LTV) ratio, 331 correlation with operational-risk, 256
logistic regression, 165 scenario analysis based on, 234
London Interbank Offered Rate (LIBOR), 297 macro-prudential stress testing, 268, 270, 271

434 ■ Index
Madoff, Bernie, 133 modeling
Malware Information-sharing Platform (MISP), 378 balance sheet, 277
management actions, economic capital and, 206 independent review of, 242
management incentives, 202 losses, 275-276
management information systems (MIS), 6, 240, 243 revenues, 276-277
management oversight, 218 model quality, 141
management responsibilities model replication, 218
governance, 401 model risk management, 141-142
interaction with other, 404 model validation
managing information risk elements of comprehensive validation, 145-148
business impact view, 159 and other third-party products, 148
business process view, 159 vendor validation, 148
data quality issues view, 158-159 modified loss-distribution approach, 256-257
managing scorecard views, 159 Monetary Authority of Singapore (MAS), 98, 369, 374, 377
Manheim index, 275 money laundering and financial terrorism (ML/FT) risk management
mappings application of standard practices, 292
business policies to data rules, 157 correspondent banking, 293-294
cash flow, 178 customer due diligence and acceptance, 293
interconnections and interdependencies, 411 governance, 292
operational resilience, 391, 399 international scope, 294
risk measures, quality of, 178 risk assessment, 293
margin, 296 specific activities, 292
marginal capital, 192 transaction and monitoring, 293
marginal economic capital requirement, 186 wire transfers, 294
margin calls, 302 Monte Carlo Simulation, 198, 228
margined counterparty, 227 Monte Carlo VaR, 178
Mark, C., 313 Moody's, 19, 176, 184
market data, 177, 178 Moody's/KMV (MKMV), 221
market participant identifier (MPID), 134 Morgan, D. P., 280
market participants, 296 Morgan, J. R, 323
market risk, 25, 176 mortgage-backed securities (MBSs), 231
capital for, 310-311 mortgages, 231
counterparty credit risk and, 257-258 mortgage servicing right (MSR) assets, 262
counterparty EAD estimation challenges and, 225-226 Mosser, P. C., 272
credit risk and, 226
defined, 211
risk aggregation, 211 N
Market Risk Amendment, 170, 309, 311 naked access, 134
market variables, 17, 54, 55, 162 NarWest, 122
marking-to-model, 177 Nasdaq 100 Index, 135
mark-to-market National Association of Insurance Commissioners (NAIC), 132, 316
mode, 222, 223 National Australia Bank, 41, 64-69
value, 180 National Institute of Standards and Technology (NIST), 348, 364
matrix reporting, 136 negative convexity, 179
maturity adjustment factor, 314 net income after capital charge (NIACC), 187
McKinsey & Co., 34 net interest income, 261-262, 315
measuring risks, 26 net loss, 342-343
mezzanine tranche, 180 net present value (NPV), 19, 22, 36, 187
migration matrices, for validation, 169 net replacement ratio (NRR), 309, 310
minimum capital requirement (MCR), 317 net stable funding ratio (NSFR), 325-326, 330
Minimum Requirements for Risk Management (MaRisk), 366 netting, 309
Mizuho Securities, 135 over-the-counter (OTC) market and, 298
model errors, 176-177 Network and Information Security (NIS) Directive, 378

Index ■ 435
network intrusion detection system (NIDS), 355 self-assessment templates, 392
net worth, 268 severe/extreme but plausible, 391-392
non-core risks, 17 supervisory authorities', 389-390
nonfinancial risks, 272 testing review, 392
non-interest expense, 263 third-party dependency management, 411-412
non-interest income, 262-263 Operational Resilience Working Group (ORG), 364
non-margined counterparty, 227 operational risk management, 2-4
non-maturity deposits, 232 business continuity planning, 13-14
Nonpublic Personal Information (NPPI), 287 components of, 2
Northern Rock, 325, 326 control and mitigation, 11-12
nudge principle, 350 governance, 6-8
information and communication technology, 12-13
monitoring and reporting, 10-11
O operational resilience, 410-411
observation period, 169 principles for, 6-8
off-balance sheet exposure, 231, 260, 308 risk management environment, 8-10
credit conversion factors for, 309, 333 role of disclosure, 14
Office of Credit Ratings, 328 role of supervisors, 14
Office of the Comptroller of the Currency (OCC), 98 operational risks, 25, 176, 284
Office of the Superintendent of Financial Institutions (OSFI), 98 capital for, 315
Officer of the Comptroller of the Currency (OCC), 366 capital requirement, 335
on-balance sheet exposure, 231, 260 defined, 211,340
one-factor Gaussian copula model, 312 event data, 8
ongoing basis, 43 losses, 342
ongoing consultation, 193 loss-estimation and, 255
ongoing monitoring, 146-147 regression models, 256
operational data governance, 158 operators of essential services (OES), 378
operational-loss-estimation approaches, 256 OpRisk data
operational resilience, 417 adding costs to losses, 125
approach, 414-416 asset management, 133-134
and business continuity planning, 406, 411 business disruption and system failures (BDSF), 121-122
business services, 387-388 business environment and internal control environment factors
cyber security, 412 (BEICFs), 125-128
definition of, 409-410 clients, products and business practices (CPBP) risk, 120-121
delivering, 391-393 completeness of database, 124
essential elements of, 408-409 corporate finance, 131
evolving operational risk, 408 damage to physical assets (DPA), 123
executive summary, 414 elements of, 123-125
financial resilience, 405-406 employment practices and workplace safety (EPWS), 122-123
and governance, 404, 410 execution, delivery, and process management (EDPM), 119-120
ICT, 412 external databases, 128
impact tolerances, 388-390, 405 external frauds, 122
implementation timeline, 390-391 insurance, 132-133
improving, 417-419 internal frauds, 122
incident management, 406, 412 internal loss data, 123
interconnections and interdependencies, 411 policy, 137
mapping, 391, 399, 411 profile, 131-135
need for, 414 provisioning treatment of expected, 125
operational risk management, 410-411 recoveries and near misses, 124
vs. operational risk policy, 405-406 retail banking, 131-132
and outsourcing, 392-393, 406 retail brokerage, 134-135
PRA-FCA dual-regulated firms, 391 risk organization and governance, 135-137
principles for, 410-412 scenario analysis, 129-129
risk appetite, 405 setting collection threshold and possible impacts, 123-124

436 ■ Index
 time period for resolution, 125 observed practices, 260-261
trading and sales, 131 robust projections, 260
Option Adjusted Spread (OAS), 234 PRA-FCA dual-regulated firms
options, scenario analysis based on, 234 impact tolerances for, 388-389
Organisation of Economic Co-operation and Development (OECD), 308 scenario testing for, 391,399-401
organizational culture, 108 self-assessment templates and guidance for, 392
organizational design, 135 preferred risk, 58
organizational effectiveness, enterprise risk management (ERM), 31 prepayment risk options, 231
organized trading facilities (OTFs), 299 pre-SCAP, 270
original equipment manufacturers (OEMs), 180 presentation bias, 129
original exposure method, 308-309 Presidential Policy Directive, 349
other-than-temporary impairment (OTTI), 254, 255 PricewaterhouseCoopers, 155
outsourcing, 12 PricewaterhouseCoopers Survey, 204
operational resilience and, 392-393, 406 pricing transactions, 186
risk management, 283-290 principal components decomposition, 234
oversight process, service providers and, 288-289 privilege restriction, in cyber resilience, 353
over-the-counter (OTC) market probability of default (PD), 20, 190, 225
bilateral clearing, 296, 298 credit-risk-related challenges to, 226
CCPs and bankruptcy, 302-303 loss estimation and, 252
central clearing, 296-298 process verification, 146
clearing in, 296-298 Professional Development Program (PDP), HKMA's, 369
convergence of, 302 profitability analysis, 202
defined, 296 profit and loss attribution, 219
events of default, 298 Prompt Corrective Action (PCA), 323
impact of changes, 301-302 Prudential Regulation Authority (PRA), 370, 386
initial margin, 300-301 Prudential Standard CPS 236, 366
netting, 298 putable bonds, 232
post-crisis regulatory changes, 299-301
role of CCP in, 297 Q
uncleared trades, 299
qualitative processes, for validation, 217-218
over/under confidence bias, 130
qualitative review, 217
ownership, service provider contracts and, 287
quantitative approach, 140
Quantitative Impact Studies (QIS), 311
P quantitative processes
for validation, 218-219
parameter review group, 193
penetration test, 371
performance standards, service provider contracts and, 286 R
phishing attacks, 349 ratings stability, 169
Piazzesi, M., 234 rating systems, 162
Pillar 2, 311, 312 acceptance, 165-166
Pillar 3, 311, 312 completeness, 165
plan-do-check-act (PDCA) cycle, 368 consistency, 166
P/L estimates, 259 design, 164-166
point-in-time (PIT), 190 objectivity, 165
portfolio management, enterprise risk management (ERM), 36 supervisory validation of, 162
position data, 177 rating transition models, 253
post-crisis regulatory changes, 299-301 real economy, 273
post-SCAP, 270 Rebonato, R., 273, 275
potential exposure, 225 recovery, 342-343
PPNR projection methodologies, 259 recovery point objectives (RPO), 13
net interest income, 261-262 recovery time objectives (RTO), 13
non-interest expense, 263 redundancy, in cyber resilience, 353
non-interest income, 262-263 regression models, 256

Index ■ 437
regulation, 105 risk analytics, 36
regulators share information, 376-377 risk appetite framework (RAF)
regulatory capital vs. economic, 26-27 capturing different risk types, 49-50
regulatory cloud summits, 380 case studies, 61-77
regulatory-type approach, 224 for firms, 57-61
rehypothecation, 302 implementation, 43-45
relative risk measurement, 206 practices, 45-57
reputational risks, 241, 284 principal, 41-43
required stable funding (RSF), 325 role of stress testing, 54-57
Research Task Force of the Basel Committee, 212 risk appetites, 4, 35, 40, 70-74, 168, 405
residential mortgage-backed securities (RMBS), 178, 182, 255 benefits of, 43, 50-51
resilience, 349, 414. See also cyber-resilience; operational resilience into businesses, 47-49
backward-looking indicators, 372-373 and capital planning, 53
resilience engineering definition of, 7
hotel keycard failure, 351 dynamic tool, 50-51
safety management, 350-351 evolution of, 76-77
resilience metrics, cyber-security and, 372-373 and impact tolerances, 405-406
resilient organizations, 415 and liquidity planning, 53
resilient software, 354 and performance management, 53
retail banking, 131-132, 233 and risk culture, 46-47
retail exposures, 314-315 and strategic planning, 53
return on assets (ROA), 262 Risk Appetite Statement (RAS), 64
return on capital (ROC), 186 risk assessment, 8
return on capital at risk (ROCAR), 203 risk awareness culture, cyber, 367-368
return-on-risk, 69 risk-based capital allocation, 18
return on risk-adjusted assets (RORAA), 186 risk-based pricing, 201-202
return on risk-adjusted capital (RORAC), 203 risk budget, 65, 67, 68
return trade off, 58 risk capacity, defined, 62
revaluation methodology, 259 risk capital, 184
revenue assurance, 155 active portfolio management for entry/exit decisions, 185
revised IRB framework, 333 diversification and, 191-192
right to audit, service provider contracts and, 286 emerging uses of, 184-186
risk-adjusted performance measurement (RAPM), 184, 186-187 and incentive compensation, 185
risk-adjusted return on capital (RAROC), 32 measurement, 184
for capital budgeting, 187-188 performance measurement, 185
and capital budgeting decision rule, 190-191 pricing transactions, 186
confidence level, 190 risk-adjusted return on capital, 186-194
default probabilities, 190 risk control self-assessment (RCSA), 23, 126-127
economic capital and, 201-202 risk culture (RC), 42, 75
horizon, 188-190 change and challenge, 112-115
hurdle rate, 190-191 culture dashboards, 109
for performance measurement, 188-192 culture survey, 109
point-in-time (PIT) vs. through-the-cycle (TTC), 190 customer perceptions and outcomes, 109
in practice, 192-194 drivers and effects, 111-112
with qualitative factors, 193-194 measuring culture and cultural progress, 109
vs. shareholder value added (SVA), 203 reduce misconduct risk, 114
risk-adjusted return on risk-adjusted assets (RAROA), 203 and risk appetite, 46-47
risk aggregation, 45, 56-57 scope and definition, 110-111
economic capital and, 197, 199 validation, 109
framework, 210-211 risk departments, 135-136
methodology, 211-212 risk diversification effect, 185
range of practices, 212-213 risk factor model, 312
supervisory concerns relating to, 215-216 risk factor shocks, 258-259

438 ■ Index
risk identification risk reporting, 31-32
for bank holding companies (BHCs), 240-241 risk-return trade-off, 17-18
economic capital and, 199 risks
risk management, 22 comprehensive capture of, 206
board of directors, 149 covariance matrix of, 215
documentation, 151 grouping of, 211
external resources, 150-151 risk settings, 65, 67, 68
governance, 148-151 risk setting statements (RSSs), 69
internal audit, 150 risk tolerance, 7
macro benefits of, 16-17 risk types, 189
micro benefits of, 17-18 risk-weighted assets (RWAs), 260, 263-264, 275, 277, 307,
model development and implementation, 142-143 308, 323
model inventory, 151 roll-rate models, 253-254
model use, 143-144 advantages, 253
model validation, 144-148 Rosenberg, J. V., 215
overview of, 140-142 Royal Bank of Canada, 41,61-64
policies and procedures, 149 Rudebusch, G. D., 234
programs for service providers, 284-290 Rutter Associates LLC, 201
purpose and scope, 140
recommendations for, 60-61
roles and responsibilities, 149-150 S
senior management, 149 Sabre SynXis Central Reservations System, 351
Risk Management and Modelling Group (RMMG) (Basel Committee), 200 safety management, 350-351
risk management environment, 8-10 Sapra, H., 279
business continuity planning, 13-14 Sarbanes-Oxley Act, 35, 154, 289
control and mitigation, 11-12 Saunders, A., 275
identification and assessment, 8-10 SBC Warburg, 121
information and communication technology, 12-13 scalar adjustments, 254
monitoring and reporting, 10-11 scenario analysis, 9, 129-131
operational risk management, 5 for bank holding companies (BHCs), 257
risk manager, 177 based on GARCH models, 234
risk measures, 21, 26 based on historical distributions, 234
bank holding companies and, 240 based on macroeconomic factors, 234
calculation of, 209-210 based on options, 234
desirable characteristics, 207-208 based on principal component decomposition of yield
economic capital and, 196-197, 199 curve, 234
supervisory concerns relating to, 210 linking credit and interest rate risk, 234-235
types of, 208, 209 scenario design, bank holding companies (BHCs), 247-248
risk measures, quality of scenarios, 129
Credit Correlation (2005), 178-181 Schuermann, T., 215
mapping issues, 178 scorecard views, 159
model risk, 176-182 Scotiabank, 41, 70-73
subprime default models, 182 Scott, H., 268
valuation risk, 176-177 Sector Exercising Group (SEG), 372
variability of VaR estimates, 177-178 Securities and Exchange Commission (SEC), 98, 328
risk metric, 212 Securities and Futures Authority, 121
RiskMetrics, 272, 273 Securities and Futures Commission's (SFC's), 98
risk mitigants, 259 securitizations, 178
risk organization security master data, 177
firm wide policy, 136 segmentation
governance, 136-137 in cyber resilience, 353
risk departments, 135-136 for loss estimation, 251
risk posture, 52-54, 64-68 self-assessments, 8, 401,402

Index ■ 439
self-regulation, 109 sponsored access arrangements, 134
senior accountability spread duration, 233
applicability, 92 square root of time rule, 189
board-level conduct management reporting, 91-92 stakeholder management, 37
board responsibilities and involvement, 91 stand-alone capital, 192
data quality and availability, 91-92 standard deviation, 208, 209
and governance, 91-93 Standard Initial Margin Model (SIMM), 300-301
modeling behavior, 92 standardised approach
relevance and effectiveness, 92 application of, 341
role of asset owners, 92 Basel II, 312-313
third-party fund managers, 92 Basel III, finalising post-crisis reforms, 324
usefulness, 92 capital for, 315
senior management, 163 for credit risk, 330-333
capital planning and, 244-245 loss data set, 342
commitment, 193 operational risk capital requirement, 341
in cyber-security, 367 use of loss data under, 341-342
economic capital and, 199, 204 standardised credit risk assessment approach (SCRA), 331
governance, 7-8 Standard & Poor's, 184
recommendations for, 59-60 static simulation model, 231
responsibilities regarding service providers, 284 statutory capital, 24
risk management, 149 Steering Committee on Implementation (SCI), 40
Senior Management Function (SMF), 401 stranded capital, 26
Senior Managers and Certification Regime (SM&CR), 97, 99, 105 strategic planning, 203
Senior Supervisors Group (SSG), 40 strategic risks, 241
service-level agreements (SLAs), 158 capital, 187
service providers stressed VaR, 320
board of directors and senior management responsibilities, 284 stress metrics, 43
business continuity of, 289 stress testing, 43-45, 170-173
business model, 285 balance sheet and income statement dynamics, 277
contingency plan of, 288 for bank holding companies (BHCs), 241
defined, 284 and Basel rules, 327
due diligence and selection, 285-286 Bayesian approach, 273
financial condition of, 288-289 counterparty credit risk exposure and, 228
foreign-based, 288, 289 designing the scenarios, 273-274
multinationals valued, 306 disclosure, 269, 270, 277-280
oversight and monitoring of, 288-289 in interest rate modelling, 233-234
risk management programs, 284-290 in literature, 272-273
risks from use of, 284 losses and revenues, 274-277
shareholder value added (SVA) vs. RAROC, 203 macroprudential, 271
Sharpe ratio, 187 role of, 54-57, 206
Sheffield Elicitation Framework (SHELF), 130, 131 scenario-based, 241
simple approach, 312 validation and, 219
simple summation, 213, 214 subcontracting, service provider contracts and, 288
single-factor models, 230 supervision, 105
Single Supervisory Mechanism (SSM), 376 supervisors, 95
Singleton, K. J., 230 role of, 14
software development life cycle (SDLC), 354 supervisory authorities, 372
solvency capital requirement (SCR), 317 vs. impact tolerances, 389
Solvency II, 316-317 objectives, 389
sovereign exposures, 314 Supervisory Capital Assessment Program (SCAP), 238, 268-271
specific risk (SR), 310 supervisory college model, 380
capital for, 311 supervisory validation, 162
spectral risk measures, 208, 209 suspicious activity report (SAR), 289

440 ■ Index
SwapCIear, 297, 303 treasury bond, 297
swap execution facilities (SEFs), 299, 328 Trump Hotels, 351
system development risks, 155 Turnbull, Malcolm, 84
system downtime, 127
systemically important financial institutions (SIFIs), 323 U
systemic issues, 105
UAW, 180
system implementation, 217
UBS, 34
system integration, 146
UK Financial Conduct Authority, 99
system slow time, 127
UK Senior Managers and Certification Regime (SMCR), 99
uncleared trades, 299
T underbilling, revenue assurance and, 155
underinvestment problem, 17
Tarashev, N., 224
under-reporting events, 124
tax benefits of debt, 19
underwriting risk, 317
t-copula, 222
unexpected loss, 313, 314
technology service provider (TSP) risk, 284
unfiltered access, 134
termination, service provider contracts and, 287
unintended consequences, 99
testing, of third parties, 383
uniqueness, data quality and, 157
Thaler, William, 350
unit of account, 211-212
third lines of defence (3LD), in cyber-security, 367
USA PATRIOT Act, 154
third-party dependency management, 411-412
use test, 217
third-party fund managers, 92
third-party products, 148
third-party services, 379 V
auditing and testing, 383 validating rating models
business continuity and availability, 381-382 data quality, 166-168
governance of, 379-381 internal validation, 162
information confidentiality and integrity, 382-383 profiles, 162-163
regulated/certified, 380 qualitative validation, 164-168
resources and skills, 384 quantitative validation, 168-173
supervisory expectations for visibility, 383 regulatory validation, 162
third-party vendors, 163 roles of internal validation units, 163-164
threshold, 19 validation, 3
through-the-cycle (TTC), 190 economic capital and, 197, 199
Thyssenkrup, 355 of inputs and parameters, 218
TIBER-EU (European Framework for Threat Intelligence-based Ethical of internal economic capital models, 216-220
Red Teaming), 371 of models, 242
tick-box, 43 qualitative, 217-218
tick the box compliance, 132 quantitative, 218-219
Tier 1 Capital, 307, 322 supervisory concerns relating to, 220
Tier 2 Capital, 307 valuation risk, 176-177
time horizons, 189, 210, 212, 231 value-at-risk (VaR), 21, 198
timeline, implementation, 390-391 calculation methodology, 184
time period for resolution, 125 as CCR exposure engine, 228
top-down process, 52 for counterparty credit exposure measurement, 225, 226
total capital, 307 risk-adjusted return on capital (RAROC), 32
total loss absorbing capacity (TLAC), 326 risk measures and, 208, 209
total risk, 17-18 stressed, 320
trade control, lack of skills in, 118 variance-covariance matrix, 197, 213-215
trading book vs. banking book, 235 variation margin, 296, 302
transition matrix, 20 vega risk, 300
transparency, 199, 207 vendor validation, 148
Treacy, W. F., 313 verification, 3

Index ■ 441
vetting, 166 wholesale funding, 322
vintage loss models, 254 Wilks', 169
Visteon, 180 Williams, John, 98
volatility, levels of, 21 wire transfers, 294
Volcker Rule, 328 workforces, cyber, 368-369
Working Group on Risk Appetite (WGRA), 41
W wrong-way risk, 226, 228
Wyman, Oliver, 102
Wachovia, 268
Washington Mutual, 268
Weibull distribution, 316 Z
Wells Fargo, 98 zero tolerance, 42
wholesale credit risk, 251 Zhu, H., 224, 298

442 Index