Basel II Operational Risk
An Overview of where we are as at 30th September 2004
This presentation is annotated
The Information Systems Audit and Control Association (ISACA) London Chapter - www.isaca-london.org
Roger Southgate
Session Overview
• Why should we be interested?
• What is Operational Risk?
• Background to BIS, the Basel Committee, and the original Basel Accord
• What is Basel II?
• The Implementation Guide?
• What about the FSA and the EU?
• Joint Forum’s Consultative Document “Outsourcing in Financial Services”
• Some thoughts going forward
“Internal and/or external auditors must perform regular reviews of the operational risk management processes and measurement systems. This review must include both the activities of the business units and of the independent operational risk function” (paragraph 666 (e))
Definition of Operational Risk
“The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events”
This definition includes legal risk, but excludes strategic and reputational risk (paragraph 644).
The Context
“Trading on the world’s foreign exchange markets has soared to a record $1,900bn (£1,048bn) a day……………. London retained its position as the world’s forex capital, with almost a third of global currency trading…………. The rapid growth in financial markets transactions, far in excess of the growth in world trade, is a sign of increasing global capital market integration and more sophisticated risk management by companies and investors” (Financial Times, 29 September 2004)
www.bis.org
The Bank for International Settlements (BIS) is based in Basel in Switzerland. The BIS serves as a bank for central banks. It was established on 17 May 1930 and is the world’s oldest international financial organisation.
Who are the Basel Committee?
The Basel Committee on Banking Supervision was established by the central bank Governors of the Group of Ten countries in 1975. It currently consists of senior representatives of bank supervisory authorities and central banks from Belgium, Canada, France, Germany, Italy, Luxembourg, the Netherlands, Spain, Sweden, Switzerland, the United Kingdom, and the United States. It usually meets at the Bank for International Settlements in Basel, where its permanent Secretariat is located.
What was Basel I?
INTERNATIONAL CONVERGENCE OF CAPITAL MEASUREMENT AND CAPITAL STANDARDS (30 pages)
The Basel Capital Accord was published in 1988 and set out the first internationally accepted definition of, and a minimum measure for, bank capital. It required banks to divide their exposures up into broad “classes”. In 1996 the Committee supplemented the Accord’s original focus on credit risk with requirements for exposures to market risk.
What is Basel II?
A revised framework issued on 26th June 2004 by the Basel Committee on Banking Supervision: 251 pages.
The overarching goal for the Basel II Framework is to promote the adequate capitalisation of banks and to encourage improvements in risk management, thereby strengthening the stability of the financial system through market discipline and enhanced transparency.
Basel II
It recognises that capital serves as a foundation for a bank’s future growth and as a cushion against its unexpected losses. The technical challenge for both banks and supervisors has been to determine how much capital is necessary to serve as a sufficient buffer against unexpected losses.
Safety – Soundness – Stability
What is the scope of Basel II?
There is a “three pillar” approach:
• Minimum Capital Requirements
• Supervisory Review
• Market Discipline
Minimum Capital Requirements – The First Pillar
• Provides three methods for the calculation of capital to align more closely with the bank’s activities and the sophistication of its risk management activities.
• Establishes an explicit capital charge for a bank’s exposure to the risk of losses caused by failures in systems, processes, or staff, or that are caused by external events, such as natural disasters.
• Provides explicit incentives, in the form of lower capital requirements, for banks to adopt more comprehensive and accurate measures of risk as well as more effective processes for controlling their exposure.
Supervisory Review – The Second Pillar
Recognises the necessity of exercising effective supervisory review of banks’ internal assessment of their overall risks, to ensure that bank management is exercising sound judgement and has set aside adequate capital for these risks.
Market Discipline – The Third Pillar
Sets out the public disclosures that banks must make, which lend greater insight into the adequacy of their capitalisation.
How are minimum capital requirements calculated?
“There is a three pillar approach”
• Position Risk
• Credit Risk
• Operational Risk
Operational Risk (page 141, paragraph 660)
There are three measurement methodologies:
• Basic Indicator Approach
• Standardised Approach
• Advanced Measurement Approach
“Banks are encouraged to move along the spectrum of available approaches as they develop more sophisticated operational risk measurement systems and practices”
Operational Risk (pages 137–149, Annex 6 pages 221–225)
In order to qualify to use these approaches, a bank must satisfy its supervisors that, at a minimum:
• Its board of directors and senior management, as appropriate, are actively involved in the oversight of the operational risk management framework;
• It has an operational risk management system that is conceptually sound and is implemented with integrity; and
• It has sufficient resources in the use of the approach in the major business lines as well as the control and audit areas (page 141, paragraph 660).
Operational Risk (paragraph 663)
The bank must have an operational risk management system with clear responsibilities assigned to an operational risk management function. The operational risk management function is responsible:
• for developing strategies to identify, assess, monitor and control/mitigate operational risk;
• for the design and implementation of the firm’s operational risk assessment methodology; and
• for the design and implementation of a risk-reporting system for operational risk.
Operational Risk (paragraph 663)
• The bank must systematically track relevant operational risk data, including material losses by business line (slide 21).
• The bank must have techniques for creating incentives to improve the management of operational risk throughout the firm.
• The bank’s operational risk management system must be well documented (internal policies, controls and procedures, which must include policies for the treatment of non-compliance issues).
Operational Risk
• The tracking of internal loss event data is an essential prerequisite to the development and functioning of a credible operational risk measurement system (paragraph 670).
• Internally generated operational risk measures used for regulatory capital purposes must be based on a minimum five-year observation period of internal loss data, whether the internal loss data is used directly to build the loss measure or to validate it (paragraph 672).
• A bank must have an appropriate de minimis gross loss threshold for internal loss data collection, for example 10,000 euros (paragraph 673).
Business Line Mapping (Annex 6)
• Corporate Finance: Corporate Finance; Municipal / Government Finance; Merchant Banking; Advisory Services
• Trading & Sales: Sales; Market Making; Proprietary Positions; Treasury
• Retail Banking: Retail Banking; Private Banking; Card Services
• Commercial Banking: Commercial Banking
• Payment & Settlement: External Clients
• Agency Services: Custody; Corporate Agency; Corporate Trust
• Asset Management: Discretionary Fund Management; Non-Discretionary Fund Management
• Retail Brokerage: Retail Brokerage
Loss Event Types & Categories (Annex 7)
• Internal Fraud: Unauthorised Activity; Theft and Fraud
• External Fraud: Theft and Fraud; System Security
• Employee Practices and Workplace Safety: Employee Relations; Safe Environment; Diversity & Discrimination
• Client Products & Business Practices: Suitability, Disclosure, Fiduciary; Improper Business or Market Practices; Product Flaws; Selection, Sponsorship & Exposure; Advisory Activities
• Damage to Physical Assets: Disasters and other events
• Business Disruption & System Failure: Systems (hardware, software, telecoms, utility outage and disruptions)
• Execution, Delivery & Process Management: Transaction Capture, Execution & Maintenance; Monitoring and Reporting; Customer Intake and Documentation; Customer / Client Account Management; Trade Counterparties; Vendors & Suppliers
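As an added example that is not part of the presentation, the following Python check exercises the loss-data requirements described on the preceding slides: every internal loss record must map to a level-1 business line (Annex 6) and a level-1 event type (Annex 7), losses below the de minimis threshold of paragraph 673 are dropped, the remaining history must span the five-year observation period of paragraph 672, and what is left is aggregated by business line and event type as paragraph 663 requires. The category names are those on the slides; the loss events and amounts are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Annex 6 level-1 business lines and Annex 7 level-1 loss event types, as
# named on the slides; every loss record must map to one of each.
BUSINESS_LINES = {
    "Corporate Finance", "Trading & Sales", "Retail Banking",
    "Commercial Banking", "Payment & Settlement", "Agency Services",
    "Asset Management", "Retail Brokerage",
}
EVENT_TYPES = {
    "Internal Fraud", "External Fraud",
    "Employee Practices and Workplace Safety",
    "Client Products & Business Practices", "Damage to Physical Assets",
    "Business Disruption & System Failure",
    "Execution, Delivery & Process Management",
}

@dataclass(frozen=True)
class LossEvent:
    occurred: date
    business_line: str
    event_type: str
    gross_loss_eur: float

# Constructed sample loss log (hypothetical values, not real bank data).
SAMPLE_EVENTS = [
    LossEvent(date(1999, 8, 12), "Retail Banking", "External Fraud", 45_000.0),
    LossEvent(date(2001, 3, 5), "Trading & Sales",
              "Execution, Delivery & Process Management", 250_000.0),
    LossEvent(date(2003, 11, 20), "Payment & Settlement",
              "Business Disruption & System Failure", 12_500.0),
    LossEvent(date(2004, 2, 14), "Retail Banking", "External Fraud", 8_000.0),
    LossEvent(date(2004, 6, 1), "Retail Banking", "Internal Fraud", 60_000.0),
    # "Treasury" is an Annex 6 level-2 line that should have been mapped to
    # its level-1 parent "Trading & Sales"; validation must reject it.
    LossEvent(date(2004, 7, 9), "Treasury", "Internal Fraud", 30_000.0),
]

def unmapped_events(events):
    """Events whose business line or event type is not a level-1 category."""
    return [e for e in events if e.business_line not in BUSINESS_LINES
            or e.event_type not in EVENT_TYPES]

def material_losses(events, threshold_eur=10_000.0):
    """Apply the de minimis gross loss threshold of paragraph 673."""
    return [e for e in events if e.gross_loss_eur >= threshold_eur]

def observation_period_ok(events, as_of, min_years=5):
    """Paragraph 672: the internal loss data must span at least five years."""
    if not events:
        return False
    try:
        cutoff = as_of.replace(year=as_of.year - min_years)
    except ValueError:  # as_of is 29 February and the earlier year is not leap
        cutoff = as_of.replace(year=as_of.year - min_years, day=28)
    return min(e.occurred for e in events) <= cutoff

def loss_matrix(events):
    """Count and total gross loss per (business line, event type) cell."""
    cells = defaultdict(lambda: [0, 0.0])
    for e in events:
        cells[(e.business_line, e.event_type)][0] += 1
        cells[(e.business_line, e.event_type)][1] += e.gross_loss_eur
    return {key: (n, round(total, 2)) for key, (n, total) in cells.items()}
```

Run the four functions in that order: records that fail the mapping check are the data-quality findings an auditor would raise first, since a mis-mapped line silently shifts capital between business lines.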
“How we look at things determines what we see!”
• The Space Shuttle “tile” disaster
• The Fawlty Towers TV series
• The potential problem of insider dealing
Small things can have big impacts.
Operational Risk
We see the visible tip!
Definition of Operational Risk
“The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events”
This definition includes legal risk, but excludes strategic and reputational risk (page 137).
Implementing Basel II (July 2004, 40 pages)
Aims to build on a solid foundation of prudent capital regulation, supervision, and market discipline, and to enhance further risk management and financial stability.
The Components of a “Solid Infrastructure” for a Country (page 2)
• The legal-regulatory infrastructure in place
• Human resources
• The current disclosure regime
• The status of corporate governance
• Accounting and provisioning practices
Internal Audit (page 27)
In evaluating the effectiveness of internal audit, supervisors may want to consider:
• The extent to which external audit places reliance on the work of internal audit.
• The quality of board and audit committee reports prepared by internal audit, and how report findings are used by the board and senior management.
• The use of a risk-based, rather than traditional inspection-based, approach to internal audit.
• The independence of the function.
Summary
• A move away from “one size fits all”
• Provides alternatives that recognise the appropriateness of the risk management capabilities of a bank to control the underlying business risks
• Focuses on “Internationally Active – Complex – Significant” banks
• Takes account of the “Nature – Size – Complexity”
The Timetable
“The Committee intends the Framework to be available for implementation as of year end 2006. However, the Committee feels that one further year of impact studies or parallel calculation will be needed for the most advanced approaches, and these therefore will be available for implementation as of year end 2007”
The FSA
As a result of the Financial Services and Markets Act (FSMA) the FSA became the single regulator of financial services in the UK with effect from 1st December 2001.
The FSA has FOUR statutory objectives:
• Maintain market confidence
• Promote public understanding of the financial system
• Secure appropriate consumer protection
• Reduce financial crime
The FSA
• July 2002, March 2003, July 2003
• Originally due for implementation 31/12/2004; on 15/9/2004*** implementation was deferred for all except insurance companies
• EU Capital Requirements Directive (CRD) – www.europa.eu.int – FSA due to issue Consultation Paper in January 2005 (?)
• EU Markets in Financial Instruments Directive (MiFID) – 31/12/2006 – FSA due to issue Consultation Paper in June 2005
• The FSA also plan to carry out a further Quantitative Impact Study during 2005
*** www.fsa.gov.uk/psb_letter_15sept04.pdf
Outsourcing
Financial services businesses throughout the world are increasingly using third parties to carry out activities that the businesses themselves would normally have undertaken.
“Out of sight” – “Out of mind” – “Out of control?”
Outsourcing in Financial Services (consultative document, August 2004, 28 pages)
In these situations:
• How can financial service businesses remain confident that they remain in charge of their own business and in control of their business risks?
• How do they know they are complying with their regulatory responsibilities?
• How can these businesses demonstrate that they are doing so when regulators ask?
The Joint Forum’s High-level Principles (page 3)
I. A regulated entity seeking to outsource activities should have in place a comprehensive policy to guide assessment of whether and how those activities can be appropriately outsourced. The board of directors or equivalent body retains responsibility for the outsourcing policy and related overall responsibility for activities undertaken under that policy.
II. The regulated entity should establish a comprehensive outsourcing risk management program to address the outsourced activities and the relationship with the service provider.
III. The regulated entity should ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers and regulators, nor impede effective supervision by regulators.
The Joint Forum’s High-level Principles (page 3, continued)
IV. The regulated entity should conduct appropriate due diligence in selecting third party service providers.
V. Outsourcing relationships should be governed by written contracts that clearly describe all material aspects of the outsourcing arrangement, including the rights, responsibilities and expectations of all parties.
VI. The regulated entity and its service providers should establish and maintain contingency plans, including a plan for disaster recovery and periodic testing of backup facilities.
VII. The regulated entity should take appropriate steps to require that service providers protect confidential information of both the regulated entity and its clients from intentional or inadvertent disclosure to unauthorised persons.
Some thoughts going forward
• Service Management – www.bsi-global.com
• Enterprise Risk Management – 30th September saw the publication of the COSO Enterprise Risk Management Framework; the new two-volume set is available from the IIA – www.coso.org, www.iia.org.uk
• Root Cause Analysis – by Max Ammerman, ISBN 0-527-76326-8
Also take a look at Octave at www.cert.org/octave/pubs.html
Thank you for your time and attention
Roger Southgate CISA, CISM, FCCA, MBCS
07714-769617
rsouthgate@isaca-london.org
Octave General Catalog of Practices
• Strategic Practice Areas
• Operational Practice Areas
Also take a look at Octave at www.cert.org/octave/pubs.html
Octave Strategic Practice Areas
• Security Awareness and Training
• Security Strategy
• Security Management
• Security Policies and Regulations
• Collaborative Security Management
• Contingency Planning / Disaster Recovery
Also take a look at Octave at www.cert.org/octave/pubs.html
Octave Operational Practice Areas
• Physical Security: Physical Security Plans and Procedures; Physical Access Control; Monitoring and Auditing Physical Security
• Information Technology Security: System and Network Management; System Administration Tools; Monitoring and Auditing IT Security; Authentication and Authorization; Vulnerability Management; Encryption; Security Architecture and Design
• Staff Security: Incident Management; General Staff Practices
Also take a look at Octave at www.cert.org/octave/pubs.html
Octave Human Actors – Network Access
Threat tree, read from asset to outcome: asset → actor → access → motive → outcome
• actor: inside / outside
• access: network
• motive: accidental / deliberate (each actor branches into both)
• outcome: disclosure / modification / loss-destruction / interruption (each motive branches into all four)
Also take a look at Octave at www.cert.org/octave/pubs.html
Octave Human Actors – Physical Access
Threat tree, read from asset to outcome: asset → actor → access → motive → outcome
• actor: inside / outside
• access: physical
• motive: accidental / deliberate (each actor branches into both)
• outcome: disclosure / modification / loss-destruction / interruption (each motive branches into all four)
Also take a look at Octave at www.cert.org/octave/pubs.html
Octave System Problems
Threat tree, read from asset to outcome: asset → actor → outcome
• actor: software defects / viruses / system crashes / hardware defects
• outcome: disclosure / modification / loss-destruction / interruption (each actor branches into all four)
Also take a look at Octave at www.cert.org/octave/pubs.html
Octave Other Problems
Threat tree, read from asset to outcome: asset → actor → outcome
• actor: natural disasters / third party problems / telecommunications problems or unavailability / power supply problems
• outcome: disclosure / modification / loss-destruction / interruption (each actor branches into all four)
Also take a look at Octave at www.cert.org/octave/pubs.html