Operational Risk Management: a practical approach to intelligent data analysis
ISBN 9780470517666
http://eu.wiley.com/WileyCDA/WileyTitle/productCd-047074748X.html
http://onlinelibrary.wiley.com/book/10.1002/9780470972571
Publisher: John Wiley and Sons, Chichester
Editors: Ron S. Kenett and Yossi Raanan
http://xrl.us/bh8c2v
Introduction to the book
Operational Risk Management is becoming a key competency for organisations in all industries. Financial institutions, regulated by the Basel II accord, need to address it systematically since their level of implementation affects their capital requirements, one of their major operational expenses. Health organisations have been tackling this challenge for many years. The Institute of Medicine reported in 2000 that 44,000 - 98,000 patients die each year in the US as a result of medication errors, surgical errors and missed diagnoses, at an estimated cost to the US economy of $17-$29 billion. Operational risks affect large organisations as well as Small and Medium-sized Enterprises (SMEs) in virtually all industries, from the oil and gas industry, to hospitals, from education to public services.
This multi-author book is about tracking and managing operational risks using state-of-the-art technology that combines the analysis of qualitative, semantic, unstructured data with quantitative data. The examples used are mostly from information technology but the approach is general. As such, the book provides knowledge and methods that can have a substantial impact on the economy and quality of life.
The book has four main parts. Part I is an introduction to Operational Risk Management, Part II deals with data for Operational Risk Management and its handling, Part III covers operational risks analytics and Part IV concludes the book with several applications and a discussion on how Operational Risk Management integrates with other disciplines. The fourteen chapters and the book layout are listed below with short descriptions.
Part I: Introduction to Operational Risk Management
This first part of the book is introductory with a review of modern risk management in general and a presentation of specific aspects of Operational Risk Management issues.
Chapter 1: Risk Management: A general view (R. Kenett, R. Pike and Y. Raanan)
The chapter introduces the concepts of risk management and positions Operational Risk Management within the overall risk management landscape. The topics covered include definitions of risks, aspects of information quality and a discussion of state of the art Enterprise Risk Management. The organizations we have in mind are financial institutions implementing Basel II regulations, industrial companies developing, manufacturing and delivering products and services, health care services and others with exposure to risks with potential harmful effects. The chapter is meant to be a general introduction to risk management and a context setting background for the thirteen other chapters of the book.
Chapter 2: Operational Risk Management: An overview (Y. Raanan, R. Kenett and R. Pike)
The chapter introduces the general concepts of Operational Risk Management in the context of the overall risk management landscape. Section 2 provides a definition of Operational Risk Management, Section 3 covers the key techniques of this important topic, Section 4 discusses Statistical models and Section 5 covers several measurement techniques for assessing operational risks. The final section summarizes the chapter and provides a roadmap for the book.
Part II: Data for Operational Risk Management and its Handling
Operational Risk Management relies on diverse data sources, and the handling and management of this data requires novel approaches, methods and implementations. This part is devoted to these concepts and their practical applications. The applications are based on case studies that provide practical, real examples for the practitioners of Operational Risk Management.
Chapter 3: Ontology based modelling and reasoning in operational risks (C. Leibold, H-U. Krieger and M. Spies)
The chapter discusses design principles of operational risk ontologies for handling semantic unstructured data in Operational Risk Management (OpR). In particular, we highlight the contribution of ontology modelling to different levels of abstraction in OpR. Realistic examples from the MUSING project (MUSING, 2006) and application domain specific ontologies are provided. We draw a picture of axiomatic guidelines that provides a foundation for the ontological framework and refers to relevant reporting and compliance standards and generally agreed best practices.
Chapter 4: Semantic analysis of textual input (H. Saggion, T. Declerck, and K. Bontcheva)
Information Extraction is the process of extracting from text specific facts in a given target domain. The chapter gives an overview of the field covering components involved in the development and evaluation of information extraction systems such as parts of speech tagging or named entity recognition. The chapter introduces available tools such as the GATE system and illustrates rule-based approaches to information extraction. An illustration of information extraction in the context of the MUSING project is presented.
Chapter 5: A case study of ETL for operational risks (V. Grossi and A. Romei)
Integrating both internal and external input sources, filtering them according to rules, and finally merging the relevant data are all critical aspects of business analysis and risk assessment. This is especially critical when internal loss data is not sufficient for effective calculation of risk indicators. The class of tools responsible for these tasks is known as Extract, Transform and Load (ETL). The chapter reviews state-of-the-art techniques in ETL and describes an application of a typical ETL process in the analysis of causes of operational risk failures. In particular, it presents a case study in information technology operational risks in the context of a telecommunication network, highlighting the data sources, the problems encountered during the data merging, and finally the solution proposed and implemented by means of ETL tools.
Chapter 6: Risk based testing of web services (X. Bai and R. Kenett)
A fundamental strategy for mitigating operational risks in Web Services and software systems in general is testing. Exhaustive testing of Web Services is usually impossible due to unavailable source code, diversified user requirements and the large number of possible service combinations delivered by the open platform. The chapter presents a risk-based approach for selecting and prioritizing test cases to test service-based systems. The problem addressed is in the context of semantic web services. Such services introduce semantics to service integration and interoperation using ontology models and specifications like OWL-S. They are considered to be the future in WWW evolution. However, due to typically complex ontology relationships, semantic errors are more difficult to detect, as compared to syntactic errors. The models described in the chapter analyze semantics from various perspectives such as ontology dependency, ontology usage and service workflow, in order to identify factors that contribute to risks in the delivery of these services. Risks are analyzed from two aspects: failure probability and importance, and three layers: ontology data, specific services and composite services. With this approach, we associate test cases to the semantic features and schedule test execution on the basis of risks of their target features. Risk assessment is then used to control the process of Web Services progressive group testing, including test case ranking, test case selection and service ruling out. The chapter presents key techniques used to enable an effective adaptation mechanism: adaptive measurement and adaptation rules. As a statistical testing technique, the approach aims to detect, as early as possible, the problems with highest impact on the users. A number of examples are used to illustrate the approach.
Part III: Operational Risks Analytics
The data described in Part II requires specialized analytics in order to become information and in order for that information to be turned, in a subsequent phase of its analysis, into knowledge. These analytics will be described here.
Chapter 7: Scoring models for operational risks (P. Giudici)
The chapter deals with the problem of analyzing and integrating qualitative and quantitative data. In particular it shows how, on the basis of the experience and opinions of internal company "experts", a scorecard is derived producing a ranking of different risks and a prioritized list of improvement areas and related controls. Scorecard models represent a first step in risk analysis. The chapter presents advanced approaches and statistical models for implementing such models.
Chapter 8: Bayesian merging and calibration for operational risks (S. Figini)
According to the Basel II accord, banks are allowed to use the Advanced Measurement Approach (AMA) option for the computation of their capital charge covering operational risks. Among these methods, the Loss Distribution Approach (LDA) is the most sophisticated one. It is highly risk sensitive as long as internal data is used in the calibration process. Given that, LDA is more closely related to the actual risks of each bank. However it is now widely recognized that calibration on internal data only is not enough for computing accurate capital requirements. In other words, internal data should be supplemented with external data. The goal of the chapter is to provide a rigorous statistical method for combining internal and external data and ensure that merging both databases results in unbiased estimates of the severity distribution.
Chapter 9: Measures of association applied to operational risks (R. Kenett and S. Salini)
Association rules are a basic analysis tool for unstructured data such as accident reports, call centre recordings and CRM logs. Such tools are commonly used in basket analysis of shopping carts for identifying patterns in consumer behaviour. The chapter shows how association rules are used to analyze unstructured operational risk data in order to provide risk assessments and diagnostic insights. We present a new graphical display of association rules that permits effective clustering of associations with a novel interest measure of association rule called the Relative Linkage Disequilibrium.
Part IV: Operational Risk Applications and its Integration with other Disciplines
Operational Risk Management is not a stand-alone management discipline. This part of the book demonstrates how Operational Risk Management relates to other management issues and Intelligent Regulatory Compliance.
Chapter 10: Operational Risk Management beyond AMA: New ways to quantify non recorded losses (G. Aprile, A. Pippi and S. Visinoni)
A better understanding of the impact of IT failures on the overall process of Operational Risk Management can be achieved not only by looking at the risk events with a bottom line effect, but also drilling down to consider the potential risks in terms of missed business opportunities and/or near losses. Indeed, for banking regulatory purposes, only events which are formally accounted for in the books are considered when computing the operational capital at risk. Yet, the "hidden" impact of operational risks is of paramount importance under the implementation of the Pillar 2 requirements of Basel II which expands the scope of the analysis to include reputation and business risk topics. This chapter presents a new methodology in Operational Risk Management that addresses these issues. It helps identify multiple losses, opportunity losses and near misses, and quantifies their potential business impact. The main goals are: 1) to reconstruct multiple-effect losses, which is compliant with Basel II requirements and 2) to quantify their potential impact due to reputation and business risks (opportunity losses) and low level events (near misses), which is indeed a possible extension to Basel II Advanced Measurement Approach (AMA). As a consequence, the proposed methodology has an impact both on daily operations of a bank and at the regulatory level, by returning early warnings on degraded system performance and by enriching the analysis of the risk profile beyond Basel II compliance.
Chapter 11: Combining operational risks in financial risk assessment scores (M. Munsch, S. Rohe and M. Jungemann-Dorner)
The chapter's central thesis is that efficient financial risk management must be based on an early warning system monitoring risk indicators. Rating and scoring systems are tools of high value for proactive credit risk management and require solid and carefully planned data management. We introduce a business retail rating system based on the Creditreform solvency index which allows a fast evaluation of a firm's credit worthiness. Furthermore we evaluate the ability of quantitative financial ratings to predict fraud and prevent crimes like money laundering. This practice oriented approach identifies connections between typical financing processes, operational risks and risk indicators, in order to point out negative developments and trends, enabling those involved to take remedial actions in due time and thereby reverse these trends.
Chapter 12: Intelligent Regulatory Compliance (M. Spies, R. Gubser and M. Schacher)
In view of the increasing needs for regulation of international markets many regulatory frameworks are being defined and enforced. However, the complexity of the regulation rules, frequent changes and differences in national legislations make it extremely complicated to implement, check or even prove regulatory compliance of company operations or processes in a large number of instances. In this context, the Basel II framework for capital adequacy (soon to evolve to Basel III) is currently being used for defining internal assessment processes in banks and other financial services providers. The chapter shows how recent standards and specifications related to business vocabularies and rules enable Intelligent Regulatory Compliance (IRC). By IRC, we mean semi-automatic or fully automated procedures that can check business operations of relevant complexity for compliance against a set of rules that express a regulatory standard. More specifically, the BMM (Business Motivation Model) and SBVR (Semantics of Business Vocabularies and business Rules) specifications by the Object Management Group (OMG) provide a formal basis for representing regulation systems in a sufficiently formal way to enable IRC of business processes. Besides the availability of automatic reasoning systems, IRC also requires semantics enabled analysis of business service and business performance data such as process execution logs or trace data. The MUSING project contributed several methods of analysis to the emerging field of IRC (MUSING, 2006). The chapter discusses standards and specifications for business governance and IRC based on BMM and SBVR.
Chapter 13: Democratization of enterprise risk management (P. Lombardi, S. Piscuoglio, R. Kenett, Y. Raanan and M. Lankinen)
The chapter highlights the interdisciplinary value of the methodologies and solutions developed for semantically-enhanced handling of operational risks. The three domains dealt with are Operational Risk Management, Financial Risk Management and Internationalisation. These areas are usually treated as 'worlds apart' because of the distance of the players involved, from financial institutions to Public Administrations, to specialised consultancy companies. This proved to be a fertile common ground, not only for generating high value tools and services, but also for a "democratised" approach to risk management, a technology of great importance to SMEs worldwide.
Chapter 14: Operational risks, quality, accidents and incidents (R. Kenett and Y. Raanan)
This concluding chapter presents challenges and directions for Operational Risk Management. The first section provides an overview of a possible convergence between risk management and quality management. The second section is based on a mapping of uncertainty behaviour and decision making processes due to Taleb (2007). This classification puts into perspective so called "Black Swans", rare events with significant impact. The third section presents a link between management maturity and the application of quantitative methods in organisations. The fourth section discusses the link between accidents and incidents and the fifth section is a general case study from the oil and gas industry. This illustrates the applicability of Operational Risk Management to a broad range of industries. A final summary section discusses challenges and opportunities in operational risks. Throughout Chapter 14 we refer to previous chapters in order to provide an integrated view of the material contained in the book.
The book presents state of the art methods and technology and concrete implementation examples. Our main objective is to push forward the Operational Risk Management envelope in order to improve the handling and prevention of risks. We hope that this work will contribute, in some way, to organisations who are motivated to improve their Operational Risk Management practices and methods with modern technology. The potential benefits of such improvements are immense.