1. No category

Download attachment

Basel II in the
Asia Pacific
Banking Sector
Survey 2008
Implementing operational
risk management
advisory
Acknowledgements
We would like to acknowledge the effort and commitment of the following, without whom this
paper would not have been possible:
•
•
•
•
The participant banks and their operational risk teams
Michelle Perrett and David McAllister for coordinating and managing our regional efforts
Nicola Hassan and Ray Dundon for data management and copywriting
John Somerville and Mark Burgess for their valuable input
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
Contents
Foreword
2
Executivesummary
3
BaselIIintheAsia-PacificRegion
Basel II implementation timelines
5
Progress to date with Basel II project
The current state of play with operational risk
Operationalriskmanagementapproachesandstructures
A holistic Operational Risk Management (ORM) framework
Centralised or decentralised ORM organisation structure
Size of the Risk Management and ORM functions
Quantitative or qualitative methodologies
Internal and/or external data
Software – internally developed or purchased
5
6
7
8
8
9
10
11
12
13
Thebiggestobstaclestoimplementingthepreferred
approach
14
ThebenefitsfromORMimplementationunderBaselII
15
Benefits obtained to date
Looking ahead
Basel II is perceived as a plus
Potentialadditionalbenefitsfromtheimplementation
oftheAdvancedMeasurementApproach
Linking risk and reward
Potential capital benefits from the more advanced approaches to Basel II
TargetingtheAdvancedMeasurementApproach
Somelessons
A comprehensive and holistic ORM framework
Building a robust ORM organisation with three lines of defence
Instilling a risk aware culture throughout the bank
Going beyond compliance to business performance
Incorporating a wide range of data and methodologies
Costs
Access to knowledge and experience
Appendix1–thesurveyquestionnaire
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
15
16
18
19
19
20
21
21
22
23
23
24
25
25
26
2Basel II in the Asia Pacific Banking Sector Survey 2008
Foreword
Banks in the Asia-Pacific Region are spending hundreds of millions of dollars
implementing the Basel II Accord.
Some banks (generally those from countries with a mature and globally
focused banking sector) have adopted the Advanced Measurement Approach
(AMA) – requiring more sophisticated and comprehensive operational risk
management (ORM) practices.
Others (usually from countries which have a majority of financial institutions that
operate only domestically) have opted for the Basic Indicator Approach (BIA) or
the Standardised Approaches (TSA).
However, has this expenditure resulted in these banks realising the potential
benefits from the investment? And, will it position them to participate in a more
globalised banking industry in the future?
Although those banks which have adopted either the BIA, or the TSA have largely
satisfied their immediate requirements (and those of their regulatory authorities),
are there greater business benefits to them from the significantly higher
investment required to move to the AMA in the future?
In addition, what demands and operational improvements are needed to
achieve AMA?
This report describes the outcomes of a survey during the last quarter of 2007
of 35 of the major banks in the Asia-Pacific Region, supplemented by KPMG
thought leadership on the topic.
The survey examined what stage each bank had reached in preparing for Basel II
– with particular emphasis on the approach adopted and the achievements made
in their ORM requirements. In addition, it reviewed the benefits perceived by the
banks themselves to be gained from the approach being used, and the actions
required to achieve that approach.
The report provides comprehensive insights from the key leaders in the
Asia-Pacific banking sector on better practice in the implementation of ORM
under the Basel II Accord.
Its thought-provoking information can be debated by your leadership team to
review the potential opportunities and benefits from adopting the AMA in the
future.
Arising from our involvement in the implementation efforts of Australian banks
- a significant proportion of the world’s banks which are adopting the AMA are
based in Australia - KPMG has deep experience and knowledge of the AMA and
the Basel II Accord. We are well placed to assist your bank in these discussions.
Dr John Lee
Partner
Head of ASPAC
Financial
Risk Management
KPMG Malaysia
Mike Ritchie
Partner
Head of ASPAC
Operational
Risk Management
KPMG Australia
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
Basel II in the Asia Pacific Banking Sector Survey 2008 3
Executive Summary
The banking sector in the Asia-Pacific Region is varied and disparate, and
the implementation timelines for the Basel II Accord in the Region vary
considerably.
Banks vary from global, full-service banks in fully developed economies (mature
countries), to small, local, limited service banks in countries with an emerging
economy or a developing financial sector (emerging countries).
Progress to date with Basel II projects varies between ‘mature’ and
‘emerging’ countries.
Respondents from mature countries are further advanced in their Basel II
projects than those from the emerging countries.
The current state of play in implementing operational risk management
(ORM) also reflects the categorisation of the countries.
Mature country banks have generally adopted the AMA, while in emerging
countries, banks have tended to use either the BIA or the TSA
Most regulatory authorities in the region require individual banks to comply
with the Basel II “Sound Practices for the Management and Supervision of
Operational Risk”, irrespective of the approach adopted.
Approaches used to implement Basel II reflect the diversity and maturity of
the banking sector in the region.
All respondents report the adoption of a ‘formal operational risk management
framework’, using a more holistic approach, expanding its scope beyond the
Basel II minimum requirements.
Since managing operational risk is relatively new to most banks in the
Region, they have adopted a more centralised organisation structure.
However, mature country banks (generally using the AMA) have adopted a
decentralised structure.
The more advanced approaches require the use of wider sources of data
– particularly externally derived data - and more sophisticated quantitative
and qualitative methodologies for assessing risk, and calculating capital
requirements.
But, a number of banks using less complex approaches are also adopting some
of the more sophisticated qualitative methodologies.
Software development is ‘scrambling’ to keep pace with the increasing
demands of compliance, and ORM in particular.
However, smaller banks generally use purchased software, while larger banks
use both internally developed and purchased software.
And, the high incidence of legacy information systems in larger banks in mature
countries results in a slightly higher tendency to use in-house developed
systems.
There were some obstacles identified to implementing the preferred ORM
approach.
The shortage of ORM expertise is a key factor inhibiting implementation exacerbated by increasing compliance demands generally in the financial
services sector.
Banks in mature countries saw the lack of data as a significant obstacle,
as well as the cost of compliance.
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
4Basel II in the Asia Pacific Banking Sector Survey 2008
Depending on the approach being adopted, a range of benefits have
already been received from the implementation of more effective ORM
under Basel II.
Wide adoption of the “Sound Practices for the Management and Supervision
of Operational Risk” has led to significant benefits.
For banks using more complex approaches (TSA and AMA), the adoption of more
effective ORM has led overwhelmingly to “better management decisions”.
While, in the case of banks adopting the AMA, this has led, in turn, to better use
of risk data for “performance management”.
Looking ahead, banks are anticipating an even wider range of benefits as
experience grows.
There is a discernable belief that improved risk management will become more
widespread as a result of increased maturity of ORM.
But, there are low expectations for achieving reduced capital requirements.
Banks do not necessarily see capital reduction as the driver for better ORM they are focussing on other benefits.
Respondent banks also see their reputations being enhanced even from
the simpler approaches to ORM – a result of greater awareness of risk and
improved confidence in the community.
There are significant benefits in moving to the AMA.
Better access to risk information on a business unit basis permits matching and
comparison of the risks being taken with the rewards being achieved.
There are potentially significant capital reduction incentives to be realised.
There are five critical factors for the successful implementation of
the AMA.
1. Adopting a comprehensive and holistic ORM framework
2. Building a robust ORM organisation
3. Instilling a ‘risk aware’ culture
4. Going beyond ‘compliance’ to business performance
5. Incorporating a wide range of data and methodologies.
The costs involved in implementing the AMA are high.
They include access to external and qualitative data sources; hiring and training of
skilled staff; the purchase of software; and, developing the necessary risk aware
culture.
Nevertheless, the benefits of improved risk management and potential capital
reduction incentives for moving to the AMA, may outweigh these additional
costs.
Banks in the Asia Pacific Region have access to world-class knowledge and
experience in implementing Basel II AMA.
In Australia alone, there are seven large banks implementing the AMA – believed
to represent a significant proportion of the banks world-wide which are
implementing the AMA. These banks, and their advisers, represent a wealth
of knowledge and experience for banks in the region to call upon.
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
Basel II in the Asia Pacific Banking Sector Survey 2008 5
Basel II in the Asia-Pacific Region
BaselIIimplementationtimelines
The banking sector in the Asia-Pacific Region is varied and disparate, from global,
full-service banks in fully developed economies, to small, local, limited service
banks in countries with an emerging economy or a developing financial sector.
As a result, the implementation timelines for Basel II in the countries in the
Region vary considerably.
Table 1: Basel II Implementation Timeline in Asia Pacific1
Types of risk
Basic implementation date
Grouping
Country
Credit
Australia
Mature Banking
Countries
Jan 2007
Japan
Q1 2007
New Zealand
Number of
respondents
to survey
4
Credit: Jan 2008
Operational: No timetable
Q1 2008
End 2006
2
2
End 2007
2
-
End 2008
Taiwan
2007
2008
1
Indonesia
2008
End 2010
11
Malaysia
2008
2010
11
Pakistan
2008
2010
-
Philippines
2007
2010
-
Sri Lanka
2008
N/A
-
Thailand
End 2008
End 2009
2
-
China
Non-complying
Countries
Operational
2008
South Korea
Emerging
Implementation
Countries
Credit
2008
Hong Kong
Singapore
Advanced implementation date
Operational
-
India
Other smaller
developing
countries
Non-compliance
-
1 Basel II Implementation in Financial Institutions in Asia Pacific – Issues and Challenges; July 2007. By Dr. John Lee, Executive
Director, Head of Financial Services; Priya Dharshini Terumalay, Manager, Financial Risk Management; Helena Ooi, Senior
Associate, Financial Risk Management. KPMG Malaysia
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
6Basel II in the Asia Pacific Banking Sector Survey 2008
The Asia-Pacific countries can be classified broadly into three groups based on
their Basel II implementation timeline:
1. Mature banking sector countries, where larger financial institutions
operate globally, and are generally allowed to choose the approach they
will adopt, based on the investment they wish to make. Most of the major
financial institutions however are required either formally or through moral
persuasion and peer group pressure to adopt the AMA, while smaller financial
institutions are generally adopting the TSA.
2. Emerging implementation countries, where financial institutions are
generally required to adopt either the BIA or the TSA in the initial period, with
the flexibility to move to the AMA at a later stage. The majority of financial
institutions in these countries operate only domestically, or regionally at best,
and are not generally internationally active.
3. Non-compliance (or later implementation) countries, where the regulatory
authority has indicated that financial institutions do not need to comply with
Basel II at this stage, or have indicated a longer time frame for compliance.
Table 1 also shows the number of respondents from each country to our survey.
Broadly speaking, our respondents can be classified into two groups – either
from mature banking sector countries (hereafter classed as mature countries),
or from emerging implementation countries (to be called emerging countries).
Among the 11 mature country respondents, Australia (four) and New Zealand
(two) make up the majority. While of the 24 respondents in the emerging country
group, Indonesia and Malaysia, with equal representation (11 each), together
comprise the significant majority.
ProgresstodatewithBaselIIprojects
As expected, reflecting the nature of the timelines shown in Table 1,
respondents from mature countries are further advanced in their Basel II projects
than those from the emerging countries.
While there are some variations among the respondents, the country groups
generally tend to be at the stages shown in Figure 1 for various aspects of the
Basel II implementation.
Figure 1: Current Phase of Implementation of Basel II Projects
Testing and validation
Implementation and
integration
Design and build
systems and models
Assessment of
detailed requirements
Pre-study high-level
assessment /
diagnostic review
Project planning
Establishing
the team
Not started
Credit risk
‘Emerging’ countries
Operational risk
Pillar 2
Supervisory review process
Pillar 3
Market disclosure
‘Mature’ countries
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
Basel II in the Asia Pacific Banking Sector Survey 2008 Thecurrentstateofplayinoperationalrisk
Not surprisingly, our survey results show that the current state of play in the
implementation of operational risk reflects the categorisation of the countries
into either mature or emerging.
Mature country banks have generally adopted the AMA for their ORM, unless the
banks themselves decide to adopt a simpler approach (e.g. Singapore).
Seven of the 11 respondents from mature countries are using the AMA.
On the other hand, in emerging countries the banks have tended to use
either the BIA or the TSA.
In this latter group, the choice adopted reflects the degree of maturity of the
banking sector in the country concerned. In Malaysia, where the sector is
generally more mature, the majority of our respondents (seven of 11) have
adopted the TSA. In Indonesia, most of the banks are following the Central
Bank’s roadmap on Basel II implementation which involves adoption of the BIA
in 2008.
Notwithstanding the reliance of some banks on either the TSA or the BIA, most
regulatory authorities in the region require individual banks to comply with the
Basel II “Sound Practices for the Management and Supervision of Operational
Risk”. This reinforces the fact that operational risk is seen as a key area by all
regulators, irrespective of the degree of maturity of their banking market. Where
they differ, however, is in the approaches they make available for calculating
the capital charge for operational risk. Over time, it is to be expected that more
and more jurisdictions will make available the more complex approaches. Global
banks will also increasingly roll out the use of the more complex approaches to
their Asia Pacific operations, which will provide further impetus
to the use of the more complex approaches, including by the domestic banks.
Individual banks are required to implement “clear (ORM) strategies and oversight
by the board of directors and senior management; a strong operational risk and
internal control culture; effective internal reporting; contingency planning (and
sound disclosure)”2.
For example, in Australia, the regulator has made it clear that it expects all
authorised deposit taking institutions, regardless of size, to apply a consistently
high level of ORM process sophistication. The primary difference between the
approaches implemented (TSA or AMA) relates to the method used for the
calculation of capital.
2 “Sound Practices for the Management and Supervision of Operational Risk”; Basel Committee on Banking Supervision. February 2003
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
8Basel II in the Asia Pacific Banking Sector Survey 2008
Operational risk management
approaches and structures
Implementation approaches for Basel II reflect the diversity and level of maturity
of the banking sector in the region.
A‘holistic’operationalriskmanagement(ORM)framework
Our survey respondents all report that they have adopted a ‘formal operational
risk management framework’ 3.
The Terms of Reference for their ORM activities indicate a more ‘holistic’
approach than simply complying with Basel II, by including both a diversity of risk
management tools used, and, generally, a wide definition of specific risk types
falling within the ORM framework.
For example, almost all banks included compliance, business continuity planning,
and fraud in their ORM terms of reference, while a substantial majority also
included anti money laundering (AML). The exceptions generally here were in the
emerging countries (Malaysia and Indonesia, in particular) where the regulatory
driver for AML is in its early stages.
An interesting survey result is the inclusion of insurance in the ORM terms of
reference.
In general, banks have included insurance within their ORM framework to cover
losses arising from failures in people, process, systems, or from the external
environment.
However, in their responses, the Australian banks reported that insurance
tends not to be incorporated specifically in their ORM terms of reference, yet
experience and discussions with such banks confirm that insurance is extensively
applied in risk management.
Many Australian banks are developing more sophisticated mechanisms to use
operational risk loss data, experience, and measurement results better to inform
the coverage and price of insurance needed by the bank. Subsequently, with
regulatory approval, these approaches may be eligible to generate further capital
reductions.
A number of respondents also reported that they include a range of other issues
in their ORM terms of reference, including:
• Information technology risk management
• Outsourcing (including for IT)
• Project management
• Execution failure
• Information security
• New product and service development.
Conclusion
Most participating banks view ORM from a holistic perspective, and have
expanded its scope beyond the Basel II minimum requirements.
3 There was one small bank which was an exception
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
Basel II in the Asia Pacific Banking Sector Survey 2008 9
CentralisedordecentralisedORMorganisationstructure
Mature country banks (generally using the AMA) reported that they adopt a
decentralised structure for their ORM organisation, with an executive/board
committee overseeing a small group/corporate level ORM function which tends
to set broad policy and standards, and monitor achievements. These structures
are then supported by business unit ORM functions, responsible for day-to-day
operations, and reflecting the profit centre nature of these business units (see
sidebar diagram).
Decentralised models are based on having a sound policy framework established
centrally, while the risk management effort is focused within the business. The
benefit of a decentralised structure is the flexibility it allows business unit ORM
functions to tailor procedures to assist business leaders embed operational risk
methods and behaviours within business processes.
Mature market regulatory bodies have also encouraged banks to focus on
embedding risk management behaviours within the business as critical a success
factor in meeting AMA requirements.
A typical decentralised organisation structure for ORM in a large bank using the
Advanced Measurement Approach
BOARD
Board Risk
Management
Commitee
CEO
Business
Units
Chief
Financial
Officer
Risk B/U 1
Risk B/U 2
Risk B/U 3
Chief Risk
Officer
Operational
Risk
Credit Risk
Market Risk
Executive
Forums
Board Audit
Committee
Internal Audit
Operational
Risk
Credit/
Market Risk
Corporate Level Activity
Business Unit Activity
In contrast, banks in the emerging countries tend to adopt a more centralised
structure, with very few reporting ORM functions at the business unit level.
In fact, all banks adopting the BIA reported a centralised structure, while more
than one half of the banks using a TSA reported a centralised structure.
Conclusion
Managing operational risk formally is relatively new to most banks in the region,
and adopting a more centralised approach initially assists with successful
implementation.
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
10Basel II in the Asia Pacific Banking Sector Survey 2008
SizeoftheriskmanagementandORMfunctions
Our survey respondents were asked to report both on the size of their
Asia Pacific Region risk management function as a whole, and of the ORM
component of that overall function, within nominated bands: e.g. less than
10 employees; 10 – 25 employees; 25 – 50 employees; and more than 50
employees.
While primary responsibility for operational risk usually remains with the business
operations, which are accountable for managing operational risks, those banks
with fewer resources typically have the following attributes.
• A centralised operational risk structure is preferred.
• Operational risk management policy and methodologies are not tailored to
each business.
• Operational risk measurement approaches are less sophisticated.
• Banks are targeting either BIA or TSA.
Most banks from mature countries reported more than 50 staff in their total
Asia Pacific RM function. Only two, relatively small banks of the eleven from
mature countries had fewer than 50 staff, and these, incidentally, were also not
implementing the AMA.
Three of the nine larger banks also reported more than 50 people in their ORM
component in the Region.
More sophisticated banks typically have higher resource requirements which
reflect the substantially decentralised ORM organisation structures. Within a
decentralised structure, banks typically retain technical quantitative and qualitative
skills centrally with a mandate to continue policy capital modelling and reporting
roles. However resources within the Business Unit ORM functions may be a
combination of full time and part time staff applying risk processes with a greater
understanding of the business itself.
For emerging countries, 60 percent of banks adopting the TSA reported a total
risk management staff of more than 50 in the Region, with an ORM staff of
between 10 and 25. The remaining banks were smaller in both areas.
On the other hand, fewer than 30 percent of banks adopting the BIA reported
an overall Regional Risk Management function of more than 50 staff (generally
larger banks), while around 30 percent reported a function smaller than 10
people. Only 20 percent of the banks implementing the BIA had an Asia Pacific
ORM function of more than 10 staff.
Conclusion
Organisations adopting the more complex approaches to ORM have larger
risk management staff numbers – reflecting both the size of the bank, and the
decentralised ORM organisation structure.
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
Basel II in the Asia Pacific Banking Sector Survey 2008 11
Quantitativeorqualitativemethodologies
The AMA for Basel II requires the adoption of more sophisticated quantitative
and qualitative methodologies for assessing and measuring risk.
Mature country banks using the AMA have focused the design of their ORM
tools and methods on enhanced loss data collection processes and risk
measurement techniques in order to create a more objective and consistent
assessment of their operational risk profile.
Figure 2 is indicative of the different approaches used by banks in the
development and use of tools, and their focus on qualitative versus quantitative
methods, depending on their origin – i.e. from emerging or mature countries.
25%
75%
75%
25%
Basic
Tools used
Sophisticated
Figure 2: Illustrative mix of methodologies and tools used – depending on
maturity of bank
Emerging
Qualitative
Methodologies used
Mature
Quantitative
It is not surprising then that banks from the mature countries have adopted a
wider range of more sophisticated methodologies, as Table 2 shows.
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
12Basel II in the Asia Pacific Banking Sector Survey 2008
Table 2: Methodologies used for ORM
Basel
approach
adopted
Riskand
control
assess­
ment
(RCSA)
Keyrisk
indicators
Scenario
analysis
Scorecard
Attestation
Other*
Basic Indicator
Approach
93%
86%
21%
21%
0%
21%
Standardised
Approaches
100%
92%
23%
31%
15%
23%
Advanced
Measurement
Approach
100%
71%
86%
86%
86%
14%
*Other methodologies reported include:
• loss collection
• risk mapping/profiling
• key operational risk control
• extreme event scenario analysis
• use of internal and external loss data
• quarterly reporting
• X-function risk and control challenge process: case studies
• risk review management
• gap analysis.
In particular, more sophisticated banks are introducing risk management
methodologies that provide more objective risk information which is consistent
and can be compared across business units. The development of scenario
analysis, an explicit requirement of AMA, is an example of this.
Banks using less complex approaches for ORM (the TSA and BIA) are beginning
to adopt some of the more sophisticated qualitative methodologies for assessing
risk. For example, six banks from emerging countries, implementing either the
BIA or the TSA, report using scenario analysis, while another reports using
attestation. The wider adoption of scenario analysis is recognition of the value it
provides in determining ‘worst case’ plausible losses.
Internaland/orexternaldata
In line with methodologies used, banks from mature countries adopting the AMA
are using a wide range of external data in their ORM activities.
Table 3: Source of loss data
Basel
approach
adopted
Internal
data
External
data
Pooldata
Scenario
analysis
Businessenvironment
andinternalcontrols
factors
Basic Indicator
Approach
100%
21%
14%
14%
29%
Standardised
Approaches
100%
15%
8%
15%
69%
Advanced
Measurement
Approach
100%
86%
43%
86%
71%
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
Basel II in the Asia Pacific Banking Sector Survey 2008 13
It is interesting to note that the use of data varies considerably across banks.
These differences include whether the data is used for informational purposes
to supplement existing risk management solutions, or as a direct input into the
operational risk measurement approach.
Banks from the emerging countries report that they use predominantly internal
loss data, the minimum standard required for adoption of Basel II.
However, managers from Australian banks comment that internal data is the
least useful for risk calculation as it is not the key driver in determining the
amount of regulatory capital to be held. Generally, scenario analysis outputs and
external data have greater influence in the operational risk calculation process.
“To get a better handle on
the calculation for real capital
risk, external and other
sources of data are much
more useful than internal
data – but they are much
more challenging to collect
and analyse”
Australian banks agree that internal loss data experience provides most value in
assisting the business to understand its expected losses for budgeting purposes,
and in identifying emerging trends and changes in specific operational risks.
All banks adopting the AMA have indicated that they are predominantly using
a hybrid approach in their capital calculation methodology - employing each of
internal loss data, external loss data and scenario analysis.
Conclusion
The more advanced approaches to ORM require the use of wider sources of
data, particularly externally derived data, and more sophisticated quantitative and
qualitative methodologies for assessing risk and calculating capital requirements.
Software–internallydevelopedorpurchased
Perhaps reflecting the developing nature of ORM activities, there was no clear
trend reported on the origin of computing software used in the respondent
organisations.
Indeed, a significant number (more than one third of all respondents) reported
that they made limited use of software. Not surprising really, since most of these
were banks adopting the BIA.
However, responses show that smaller banks generally use purchased software,
while larger banks use both internally developed and purchased software.
The high incidence of legacy information systems in larger banks in mature
countries results in a slightly higher tendency to use in-house developed systems
in this group.
We have observed a heavy reliance on the use of spreadsheets, for example,
to collect and store risk information. A common area of challenge and concern
for regulators is the banks’ ability to ensure an appropriate security and control
environment over such systems.
Conclusion
Overall, software development is scrambling to keep pace with the increasing
demands of compliance, and ORM in particular.
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
14Basel II in the Asia Pacific Banking Sector Survey 2008
The biggest obstacles to
implementing the preferred
approach
Our respondents rated six factors to highlight what they saw as the biggest
obstacles to the implementation of their preferred ORM approach under Basel II.
Once again, there were clear trends along mature and emerging country lines.
Table 4: Biggest obstacles to implementing preferred Basel II approach
Decreasinglevelofimportancefrom1-6
Country
grouping
Lackof
data
LackofOR LackofIT
governance flexibilty
structure
Business
process
redesign
Shortage
Costof
ofORM compliance
expertise
‘Mature’
1
6
3
5
2
3
‘Emerging’
3
6
2
4
1
5
In both groups, the “lack of an OR governance structure” was seen as the least
likely impediment to implementation, reflecting the widespread adoption of a
formal ORM Framework among respondents (see above).
Across the region, the “shortage of ORM expertise” rated very highly as a
key factor inhibiting the implementation of the preferred approach – a factor
exacerbated by the increasing demands for compliance generally in the financial
services sector.
Reflecting on the adoption of the AMA in mature countries, the consequent need
to use external and internal data, and the difficulties in collecting and analysing it
means that banks in these countries saw the “lack of data” as the main obstacle.
Likewise, the greater complexity of the AMA, and the relatively more onerous
demands of regulators when considering AMA applications in the mature
countries, sees that the “cost of compliance” is a significant obstacle among
banks in that group. Much of this cost relates to the high resource demand of
implementing the Basel II program of work.
Finally, the lack of good software and IT systems in the ORM field has led to
both groups rating the “lack of IT flexibility” as a significant impeding factor to
implementation.
Conclusion
The issues of the shortage of ORM expertise, and the lack of data, will be
important matters for banks considering moving beyond their current preferred
approach towards utilising the AMA. Comprehensive strategies to overcome
these obstacles will be needed to reap the benefits of the AMA.
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
Basel II in the Asia Pacific Banking Sector Survey 2008 15
The benefits from ORM
implementation under Basel II
Benefitsobtainedtodate
Depending on the approach they are adopting, our respondents indicated a range
of benefits which they have already received from their implementation of more
effective ORM under Basel II.
Figure 3 - Benefits Already Achieved through Effective ORM
Our respondents also
describe a range of other
benefits which have
already been obtained from
implementing Basel II:
Highest
ranked
“We have had a significant
increase in awareness across
the organisation with regard
to risk management.”
“Our efforts have led to
much stronger governance
overall.”
Lowest
ranked
Reduction in
operation losses
Improved
efficiency
Basic indicator approach
Target
expenditure
Standardised approaches
Performance
management
Better management
decisions
Advanced measurement approach
“Losses have reduced
through improved focus
on risk management, but
we expect a more holistic
approach to managing
operational risks as data
matures.”
A most welcome result from Figure 3, is the importance placed by banks which
have adopted the BIA, on the achievement of a “reduction in operating losses”,
and “improved efficiency” from their effective implementation of ORM.
Clearly, the wide adoption of the “Sound Practices for the Management and
Supervision of Operational Risk”4 has led to significant benefits.
It is also clear that for the banks using the more complex approaches (TSA and
AMA), the adoption of more effective ORM has led overwhelmingly to better
management decisions. And, in the case of banks adopting the AMA, this has
led, in turn, to better use of the data for performance management .
4 “Sound Practices for the Management and Supervision of Operational Risk”; Basel Committee on Banking Supervision.February 2003
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
16Basel II in the Asia Pacific Banking Sector Survey 2008
Lookingahead
When asked to consider what benefits may be obtained in future from effective
ORM, the picture changes – especially for banks using the TSA.
Figure 4: Future Benefits Expected from Effective ORM
Highest
ranked
Lowest
ranked
Reduction in
operation losses
Improved
efficiency
Basic indicator approach
Target
expenditure
Standardised approaches
Performance
management
Better management
decisions
Reduced capital
requirements
Enhanced
reputation
Advanced measurement approach
Banks using the TSA expect that the better management decisions they have
already reported, plus the adoption of performance management, will lead to
reductions in operating losses, and improved efficiency in the future.
Banks using the AMA believe they can adopt risk based performance management to a greater degree, as their ORM activities become more effective.
There is a discernable shift to the belief that improved management overall will
become more widespread as a result of increased effectiveness of ORM.
Two results in Figure 4 are worth comment.
First, there are low expectations that the implementation of Basel II, and the
improved effectiveness of ORM, will result in reduced capital requirements.
Banks do not necessarily see capital reduction as the driver for better ORM.
Because of this uncertainty, banks are focussing on other benefits. They believe
that more widespread benefits, particularly better overall management decisions,
are likely from an improved ORM environment.
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
Basel II in the Asia Pacific Banking Sector Survey 2008 1
The second notable result is the apparent expectation that, even banks which are
adopting the BIA, expect to achieve enhanced reputation.
Respondents see that increased awareness of risk, along with the sound
practices resulting from Basel II, and improved ORM generally, will reassure the
community and increase its level of comfort with the banking sector.
It is also worth noting that the respondent banks have divergent views about
whether the implementation of Basel II will infact create a level playing field.
Table 5: Perceptions of Basel II on competitive position
“BaselIIwillcreatealevelplayingfield
Country
grouping
Strongly
agree
Agree
Neither
Disagree
Strongly
disagree
‘Mature’
0%
18%
27%
45%
10%
‘Emerging’
29%
33%
25%
4%
9%
While only 18 percent of respondents from the mature countries agree that
Basel II will create a level playing field (and 54 percent either disagree or strongly
disagree), in the emerging countries 62 percent agree or strongly agree with the
proposition, while only 13 percent disagree or strongly disagree.
Larger banks from mature countries in the Region are generally obliged to adopt
the AMA, while smaller ones can use the less demanding and less costly TSA.
Hence, larger banks may see that they are required to do more to receive
a similar level of benefit. Furthermore, smaller institutions which have not
been encouraged to use the AMA, may feel those larger banks which receive
accreditation at AMA level will subsequently receive benefits for which they (the
smaller institutions) are not eligible (e.g. reduced regulatory capital).
However, in emerging countries, all banks are generally required to implement
the less complex approaches to Basel II (or are limited in being able to choose
the AMA by their regulators’ reluctance to adopt the more sophisticated
approaches at this time). Thus respondents may more likely hold the perception
that all banks are being placed on an equal competitive footing.
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
18Basel II in the Asia Pacific Banking Sector Survey 2008
Our respondents have
highlighted a range of other
benefits which they expect
to receive from the Basel II
initiative in future:
“Increased stakeholder value,
and public creditworthiness”
“The implementation of
operational risk on an
AMA basis has greatly
improved the awareness and
management of operational
risk in the business.”
“We have enhanced our
controls and increased their
effectiveness. And we now
have action plans tracking,
and monitoring of significant
risks in the businesses.”
“Business is seeing that the
disciplines allow it to move
quicker to execution – and
we have greater executive
oversight and involvement in
the operational risk function”
BaselIIisperceivedasaplus
Generally speaking, our respondents view the implementation of Basel II as
positive. Irrespective of the country in which they operate, a high proportion of
respondents either agreed or strongly agreed with the following statements.
Table 6: Basel II sentiment
Statement
%‘stronglyagree’
or‘agree’
1. “Meeting the requirements of the chosen operational risk approach,
and of Pillar 2, will improve current operational risk practices &
management information”
79%
2. “Reconciliation between risk management & financial reporting data
will become easier as a result of Basel II”
56%
3. “Implementing Basel II will provide a better foundation of future developments in risk management & risk sensitive capital assessment”
88%
4. “Basel II will help align regulatory capital with economic capital”
71%
5. “An economic capital model is the preferred approach to fulfilling the
Pillar 2 requirement for a risk based capital planning process”
74%
Conclusion
Overwhelmingly, banks responding to our survey report that there has been a
wide range of benefits from implementing the ORM component of Basel II.
Even the simpler approaches, allied with implementation of the Basel Sound
Practices paper, have resulted in improvements in efficiencies and a reduction
in losses overall. And, as banks have moved into the more complex approaches,
better overall management decisions and performance management has
occurred.
Furthermore, banks are anticipating an even wider range of benefits to flow in
the future as experience grows.
Finally, the respondent banks see their reputations being enhanced as a result of
the adoption of even the more simple approaches to ORM – a result of greater
awareness of risk, and improved confidence among the community in which they
operate.
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
Basel II in the Asia Pacific Banking Sector Survey 2008 19
Potential additional benefits from the
Advanced Measurement Approach
Our analysis shows that banks in the Asia Pacific Region have found the
implementation of ORM, even with the less complex approaches, has added
value to their organisation by reducing operational losses and improved operating
efficiency and overall management, ultimately leading to improvements in
business performance, and, potentially, the better use of capital.
Whatever approach they are adopting, in reaching their current stage of
implementation, banks will have incurred significant cost, and expended
considerable effort.
It is therefore useful for banks to ask themselves a number of questions when
considering further investment in their ORM framework.
• Does the existing ORM framework allow the effective and transparent
management of risk aligned with the bank’s risk appetite?
• Having come this far, are there any further benefits to be had from
proceeding to a more advanced approach – particularly the AMA?
• If so, what extra effort is required to get there?
• And, how should we go about it?
Linkingriskandreward
To derive additional business value from their Basel II investments, banks must
integrate their operational risk management into their strategic and day-to-day
business decisions.
By understanding their risk and control environment better, for example, banks
should be able to reengineer their business processes to be more effective
and efficient. However, linking operational risk management to performance
management is easier said than done. It involves a change of organisational
mindset as well as a defined means of aligning the management of operational
risk with business performance5.
The major advantage for banks that have implemented the AMA, and as a result
have access to detailed and accurate risk information on a business unit basis, is
their improved ability to match and compare the level of risk being taken with the
rewards being achieved in that part of the business.
This allows such options as:
• the ability to compare the risks of their various businesses, and so clarify
where the greater risks lie
• the capacity to measure the risk adjusted reward from each business, and so
understand fully the degree to which they add economic value
• combining the above to enhance management of individual performance
• the ability to apply real pressure to the management of risk as well as the
traditional cash earning, profit or growth drivers.
More sophisticated banks are still feeling their way in the use of this information.
The process is not as simple as applying risk based performance management,
or driving reporting based on comparative information. As with all changes in
complex organisations, the cultural changes are as important as the process
changes.
Nevertheless, mature banks are actively pursuing opportunities to leverage fully
their Basel investment to achieve the highly desirable outcome of effectively
managing risk through performance.
5 Managing Operational Risk: Beyond Basel II, KPMG International, 2007
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
20Basel II in the Asia Pacific Banking Sector Survey 2008
Potentialcapitalbenefitsfromthemoreadvancedapproaches
toBaselII
In addition to improved performance management, better management
decisions, and the reduction in operating losses reported by banks using the
AMA, additional capital reduction benefits may be possible for banks moving to a
more sophisticated ORM approach under Basel II.
A simple capital impact analysis6 of 10 financial institutions in the Region was
conducted in late 2006 to demonstrate the capital incentive under the TSA in
comparison to the BIA. The results of this analysis are summarised in Figure 5.
Figure 5: Operational risk capital charges under different Basel II approaches
Thailand
Singapore
Phillipines
Pakistan
Malaysia
0
15
30
45
60
75
90
105
120
135
150
165
180
195
210
225
240
255
270
USD (in million)
Alternate standardised approach
The standardised approach
Basic indicator approach
Based on this simple analysis, the Pillar 1 capital reduction obtained from moving
from the BIA to TSA could be around 20 percent.
More interestingly, by adopting the Alternative Standardised Approach (ASA), the
capital incentive obtained may be even more significant – possibly another 10 to
15 percent 7.
Although not analysed in the 2006 study, one may expect that the adoption of
the AMA may lead to even greater reduction in capital requirements.
Therefore there are potential Pillar 1 capital reduction incentives to be realised by
moving to the AMA.
However, the supervisory review process also considers those risks that fall within Pillar 2. Our understanding of the approach used by regulators in the region is that any initial Pillar 1 reductions may be partly offset by the need to hold capital against Pillar 2 risks leaving only a modest reduction in overall regulatory capital to be held by banks. This supports our earlier survey finding that banks do not believe the biggest benefit from adopting AMA is regulatory capital relief.
6 Basel II Implementation in Financial Institutions in Asia Pacific – Issues and Challenges; July 2007. By Dr. John Lee, Executive
Director, Head of Financial Services; Priya Dharshini Terumalay, Manager, Financial Risk Management; Helena Ooi, Senior
Associate, Financial Risk Management. KPMG Malaysia
7 The primary reason behind this is that the net interest margins of Asia Pacific financial institutions are significantly larger than the
m-factor under the ASA. In other words, the gross income yield earned by these financial institutions on the loans and advances is
significantly larger than the 3.5% m-factor.
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
Basel II in the Asia Pacific Banking Sector Survey 2008 21
Targeting the Advanced
Measurement Approach –
Some lessons
Based on our survey results, coupled with KPMG’s experience of working
with banks adopting the AMA, there are five critical factors for its successful
implementation.
1. Adopting a comprehensive and holistic ORM framework (including an
appropriate ORM calculation ‘engine’ that meets both business and regulatory
requirements).
2. Building a robust ORM organisation with ‘three lines of defence’.
3. Instilling a ‘risk aware’ culture throughout the bank.
4. Going beyond ‘compliance’ to business performance.
5. Incorporating a wide range of data and methodologies in operational risk
assessment and management.
1.AdoptingacomprehensiveandholisticORMframework
Generally, banks using the AMA adopt a comprehensive and ‘holistic’ approach
to ORM, with wide-ranging terms of reference for the activities that fall within
the operational risk definition and management framework. Specifically:
• Information technology risk management
• Outsourcing (including for IT)
• Project management
• Execution failure
• Information security
• New product and service development
Figure 6: KPMG’s Operational Risk Management Framework8
RISK
STRATEGY
ORGANISATIONAL
STRUCTURE
REPORTING
Definitions
linkages and
structures
Loss
data
Risk
assessment
BUILDING BLOCKS
Key risk
factors
Mitigation
Capital
modeling
INFORMATION TECHNOLOGY
8 Basel II – A closer look. Managing Operational Risk. KPMG International, 2005
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
22Basel II in the Asia Pacific Banking Sector Survey 2008
Organisations contemplating the adoption of the AMA will need to concentrate
on the building blocks segment to ensure they have sound operations, and
access to a wide range of required data sources (see 5 below).
Furthermore, each bank needs to ensure it considers the existing risk culture of
its organisation.
This is a key factor which will guide the decision whether to adopt a centralised
or decentralised ORM function, and will influence the design, development and
implementation of risk solutions within the business.
A structured operational risk management framework is relevant to all
institutions, irrespective of their current level of operational risk management
sophistication, or the maturity of the banking system within which they operate.
In the case of institutions planning on adopting the less complex approaches,
a framework can help guide them towards enhancing their measurement and
management of operational risk, consistent with the Basel Sound Practices
paper. In the case of institutions planning on adopting a more complex
approach, a framework can help guide them on the successful development and
implementation of AMA and the necessary supporting enhancements in risk
management.
2.BuildingarobustORMorganisationwith‘threelinesof
defence’
Better practice among banks using the AMA involves a decentralised operational
risk management structure, with three lines of defence.
1. ORM teams at the business unit level, having day-to-day responsibility for the
ORM activities.
2. Corporate level oversight functions responsible for strategic risk management,
risk policy setting, and functional oversight of risk activities across the
organisation.
3. Assurance providers (e.g. Internal Audit) responsible for independent challenge
and review of the effectiveness of risk processes and organisational controls.
Figure 7 illustrates this concept, while the sidebar on page 12 gives an example
of a typical decentralised organisation structure:
Figure 7: A ‘decentralised’ ORM structure with three lines of defence
Lines of defence
1st
Business units
Risk
Day to day risk management
activities
Risk
2nd
Oversight functions:
Corporate development,
risk management, insurance,
OHS, environmental etc
Strategic management, policy
setting, functional oversight
Board,
Executive
Team and
CEO
Risk
3rd
Assurance providers
(e.g. Internal Audit,
Compliance)
Independent challenge and
review of control effectiveness
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
Basel II in the Asia Pacific Banking Sector Survey 2008 23
Responses to our survey indicate that the decentralised structure needed for the
AMA, will require an overall larger ORM function, and hence a higher ORM cost,
than for the less complex approaches – a potential problem given the widespread
shortage of skilled risk management resources.
In pursuing the significant benefits to be gained from the AMA, a comprehensive
program of both skill development and recruitment of particular expertise will be
needed.
3.Instillingariskawareculturethroughoutthebank
A comprehensive ORM framework and a robust ORM organisation structure
by themselves do not result in effective operational risk management.
They must be supported by a wide-spread organisation culture which supports
both long-term business performance and effective management of risk.
There are four key values which are vital for instilling such a culture: 9
1. Clarity and transparency – where vision, strategy and priorities are agreed and
communicated, with ‘trade-offs’ identified and resolved early. Risk appetite
is agreed strategically, and widely known and understood. Communicating
bad news and potential failure is preferred to covering it up as there are
no surprises. Mistakes and non-delivery of performance are used as an
opportunity for learning rather than for punishment.
2. Executives and senior management are easily accessible and welcome
contact with operational levels in the organisation. They set stretch targets,
but understand the implications on the operational levels, and welcome feed­
back and suggestions on ways to achieve the desired outcomes.
3. A collaborative working relationship exists between operating business units
and corporate functional units, so that the latter can understand the impacts of
their policies and standards on the operating units. In turn, the operating units
can appreciate the importance and validity of corporate requirements.
4. Accountability for both performance and compliance are important. Managers
and staff are held to account for both the outcomes demanded, and the way
in which they are to be achieved.
For maximum benefit, staff throughout the organisation are trained to identify
operational risk and are encouraged to report shortcomings and potential failures,
while ensuring that appropriate mitigation approaches are implemented.
4.Goingbeyondcompliancetobusinessperformance
Our survey results indicate that more sophisticated banks are actively pursuing
opportunities to fully leverage their Basel II investment by effectively managing
risk through performance.
They are looking for ways to see risk as a source of potential advantage, and for
the management of risk to be a part of their everyday activities.
In strategic planning for their organisation, they use the risk assessments as a
primary input for the preparation of strategy, and consider such things as:
• The risk appetite and risk tolerance of the organisation.
• How potential expected and unexpected losses may be balanced by
potential gains.
9 Adapted from “Walking the Talk: Building a Culture for Success”; by Carolyn Taylor, 2005. Random House
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
24Basel II in the Asia Pacific Banking Sector Survey 2008
• The ways in which risk areas may be viewed as strategic business
opportunities.
• Analysis of, and complementary development of more sophisticated
measurement techniques for, the more strategic risks, such as reputation,
industry economics, technology changes, and market changes – i.e. a more
external focus than simply concentrating on internal operational issues.
5.Incorporatingawiderangeofdataandmethodologiesin
operationalriskassessmentandmanagement
Perhaps the most significant requirement for banks moving to the AMA is the
recognition of the much wider range of data needed for effective operational
risk assessment and management.
Sophisticated banks understand that effective ORM requires a sound
understanding of how the three aspects of their business environment
inter-relate.
• The internal environment - the organisation itself, its people, systems, assets,
processes, culture, and risk management and control systems.
• The competitive external environment of customers, competitors, products
and substitutes, suppliers and partners.
• The wider external environment of economic growth, technological
development, political, social and demographic trends, and changes in the
physical environment.
More mature banks capture data on all aspects of their environment, to ensure
that they are not at further risk by being ‘blinded’ to other issues through simply
relying on their own loss data. Where data is not clear or explicit, particularly with
internal loss data, banks are using scenario analysis and external loss data to
provide the necessary clarity, and to supplement loss experience for analysis and
measurement purposes.
In particular, comparative external loss data (for example from industry sources
and individual local competitors) needs to be sourced. Pooled data (such as
ORX, or the ‘British Bankers Association – Gold’ [BBA Gold] data) needs to
be accessed and analysed for any relevance and application to the bank’s
operations.
Furthermore, the AMA requires a much broader range of methodologies to
be used to calculate capital requirements than other Pillar 1 risk measurement
approaches.
These especially require access to qualitative data such as scenario analysis,
scorecards, and attestation, with a greater ‘what if’ analysis of potential losses
and risk impacts.
Figure 8 illustrates the interrelationships between the various data types and
methodologies for effective operational risk assessment and management.
Access to, interpretation, and analysis of such data sources and methodologies
requires very capable and skilled risk managers. As we have already seen, these
are in short supply.
More flexible IT operations and software packages will be required to deal with
the more demanding range of data, and the more qualitative methodologies
required for the AMA.
Sophisticated banks, particularly within Australia are implementing processes
and controls to ensure all data captured is accurate, complete and verified for
integrity.
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
Basel II in the Asia Pacific Banking Sector Survey 2008 25
Data
types
Capital
Calculation
Methodologies
RM Plans & Reports &
Feedback Audience
Strategies
Figure 8: Risk management data types, methodologies and reporting
Board and Executive
Management
Corporate Risk
Committee
Corporate ORM
Function
Business Unit
RM Function
Reports and feedback as required
Strategic planning and Risk Management Action Plans
Internal data loss distribution approach
Loss data
Loss incidents
Quantitative Internal
data
Risk indicators
Operational risk
assessments
Policy targets
Hybrid approach using internal and external data loss
distribution approaches with scenario analysis etc
Pooled data
Industry sourced data
Industry trends etc
Internal KPIs
External data
Scenario analysis
Risk self assessment
Attestation
Environmental trends
Qualitative data
In the Asia Pacific Region, the relatively small size of banks, and their lower level
of maturity, means that they have less well established legacy systems and less
comprehensive data-warehouses. Accordingly, investment in suitable software
packages will be needed.
Costs
The costs involved in implementing Basel II are high, irrespective of the approach
adopted.
Costs are driven by the current state of the banks’ ORM framework compared
with the minimum Basel II compliance requirements, and by the need to
compensate for possible under investment in the past.
Costs include access to the external and qualitative data sources; the hiring of
skilled staff which are in short supply; training of staff; the purchase cost of
software information systems; and development of the necessary ‘risk aware’
culture.
Relative costs will tend to be higher for financial institutions in emerging
countries as they do not have the economies of scale that financial institutions in
the more ‘mature’ countries may have.
Nevertheless, as we have seen above, the capital reduction incentives for
moving to the AMA are sizeable and may more than outweigh these additional
costs.
Accesstoknowledgeandexperience
Banks in the Asia Pacific Region are fortunate to have world-class knowledge and
experience in implementing Basel II at the AMA.
In Australia alone, there are seven large banks implementing the AMA. This
represents a significant proportion of the number of banks world-wide which are
implementing the AMA.
These banks, and their advisers, represent a wealth of knowledge and
experience for banks in the region to call upon.
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
26Basel II in the Asia Pacific Banking Sector Survey 2008
Appendix 1 – ASPAC Operational
Risk Survey 2007
This survey aims to gather benchmark information about Operational Risk Management (ORM) in banks throughout the
Asia-Pacific region, to enable us to build an understanding of ORM best practice. Your views are very important and we
thank you for taking time to complete this survey. The questionnaire should take approximately 15 minutes to complete.
All replies will be treated in strict confidence. The results of the survey will be analysed and presented in an aggregated
format.
PartA:Operationalriskinyourorganisation
1. What phase are you currently at in your Basel II project? Please select ONE option for each column
Operationalrisk
Creditrisk
PillarII/
Economiccapital
PillarIII
a. Not started
b. Establishing the team
c. Project planning
d. Pre-study High Level Assessment/Diagnostic Review
e. Assessment of detailed requirements
f. Design and build systems and models
g. Implementation and integration
h. Testing and validation
2. Which approach for calculating your capital requirements on operational risk are you most likely to adopt at the Basel
implementation date? Please select ONE option only
Approach
a. Basic Indicator Approach
b. Standardised Approach
c. Advanced Measurement Approach (AMA)
d. None is more likely than others at this stage
3. What structure do you use for Operational Risk Management (ORM)? Please select ONE option only
Structure
a. Executive level OR committee
b. Business Unit level OR committee
c. Group / Corporate OR function
d. Business Unit OR function
e. Additional OR resources embedded in the business
f. Other – please specify
..................................................................................
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
Basel II in the Asia Pacific Banking Sector Survey 2008 2
4. What are the terms of reference for ORM? Please select all that apply
Termsof
reference
a. Compliance
b. Insurance
c. BCP
d. Fraud
e. Anti money laundering
f. Other – please specify
..................................................................................
5. Do you have a formalised Operational Risk framework?
Formalised
framework
a. Yes
b. No -
Go to question 6
5a. If yes, what are the framework components for ORM? Please select all that apply
Framework
components
a. Governance
b. Risk assessment
c. Loss and incident management
d. Reporting
e. Technology
f. Capital management
g. Other – please specify
..................................................................................
6. What methodologies do you use for ORM? Please select all that apply
Methodologies
a. Risk and control self assessment (RCSA)
b. Key risk indicators (KRI)
c. Scenario analysis
d. Scorecard
e. Attestation
f. Other – please specify
..................................................................................
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
28Basel II in the Asia Pacific Banking Sector Survey 2008
7. From what source is loss data used / collected? Please select all that apply
Source
a. Internal data
b. External data
c. Pool data
d. Scenario analysis
e. Business environment and internal control factors
f. Other – please specify
..................................................................................
8. Please state your agreement with the following statements. Please select ONE option for each row
“Ithinkthattheadoptionofmypreferred
approachforoperationalriskwilldeliver:”
Strongly
agree
1
Strongly
disagree
2
3
4
5
a. Nothing – purely regulatory driven
b. Reduction in capital requirements
c. Enhanced reputation due to advanced risk
management techniques (stabilisation of own rating)
d. Improved overall risk management framework
e. Reduction in operational losses
f. Other area of added value – please specify
..................................................................................
9. Please state your agreement with the following statements. Please select ONE option for each row
“Thebiggestobstaclesimplementingmy
preferredapproachforoperationalriskare:”
Strongly
agree
1
Strongly
disagree
2
3
4
5
a. Lack of data for determination of operational risk losses
b. Lack of operational risk governance structure/framework
c. Lack of flexibility of current IT systems and interfaces
d. Required business process re-design
e. A shortage of operational risk management experts
f. Cost of compliance with Basel II
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
Basel II in the Asia Pacific Banking Sector Survey 2008 29
10. If applying the Advanced Approach which option is predominant in your capital calculation methodology?
Please select ONE option only
Capital
calculation
a. Loss distribution approach (using primarily internal loss data –ILD)
b. Loss distribution approach (using a balance of internal & external loss data - ELD)
c. Hybrid approach using a mix of ILD, ELD & scenario analysis
d. Qualitative assessment for all risks
11. What software do you currently use for managing operational risk information? Please select all that apply
Software
a. Internally developed software – one main solution that captures risk data and loss events
b. Internally developed software – a collection of independent solutions that together provide the required data
c. Purchased specialist operational risk software – that includes most required functionality (including capital calculation)
in one package
d. Purchased specialist operational risk software – a collection of tools that together provide the solutions we require
e. We currently have limited software and are looking at available solutions
12. Please state your agreement with the following statements. Please select ONE option for each row
Strongly
disagree
Strongly
agree
1
2
3
4
5
a. Meeting the requirements of the chosen operational risk approach and of Pillar
2 will improve current operational risk practices and management information
b. Reconciliation between risk management & financial reporting data will become
easier as a result of Basel II
c. Implementing Basel II will provide a better foundation of future developments
in risk management & risk sensitive capital assessment
d. Basel II will help align regulatory capital with economic capital
e. An economic capital model is the preferred approach to fulfilling the Pillar 2
requirement for a risk based capital planning process
f. Synergies can be leverage between IFRS & Basel II programs
g. Pillar 3 disclosures should be fully encompassed in IFRS changes
h. Basel II will create a “level playing field”
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
30Basel II in the Asia Pacific Banking Sector Survey 2008
13. What benefits have been obtained and/or do you hope to obtain through effective ORM?
Please rank the TOP 3 benefits in order of significance, with 1 being the most significant benefit
Benefitsalready
achieved
Benefitshoped
toachieve
a. Reduction in operational losses
b. Improved efficiency
c. Ability to target expenditure
d. Performance management tool
e. Better management decisions
f. Other – please specify
..................................................................................
PartB:Youandyourcompany
14. What is the name, job title, company name and address of the person completing this questionnaire?
Yourname
Jobtitle
Companyname
Companyaddress
15. What business(es) does your company operate in? Please select all that apply
Business
a. Globally active bank
b. Retail bank
c. Investment bank
d. Securities firm / asset manager
e. Cooperatives / Savings bank
f. Building society
g. Other – please specify
..................................................................................
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
Basel II in the Asia Pacific Banking Sector Survey 2008 31
16. What is the number of employees in your company for the ASPAC region only?
ASPACemployees
a. Less than 100 employees
b. Between 100 – 500 employees
c. Between 501 – 1000 employees
d. More than 1000 employees
17. What is the number of employees in your Risk Management Department for the ASPAC region only?
ASPACRMDept
a. Less than 100 employees
b. Between 10 – 25 employees
c. Between 26 – 50 employees
d. More than 50 employees
18. What is the number of employees in your Operational Risk Management Department for the ASPAC region only?
ASPACRMDept
a. Less than 100 employees
b. Between 10 – 25 employees
c. Between 26 – 50 employees
d. More than 50 employees
19. How is your Operational Risk community organised?
Structure
a. Centralised – All resources in one central
(group/corporate) team
b. Decentralised – Small central group with most
resources operating in the business units
20. What is the size of your balance sheet (Total assets), in US$ for the ASPAC region only?
ASPAC
Balancesheet
a. Less than US$0.5 billion
b. Between US$0.5 billion – US$1 billion
c. Between US$1.1 billion – US$5 billion
d. More than US$5 billion
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
32Basel II in the Asia Pacific Banking Sector Survey 2008
21. What is the overall size of your Basel II Operational Risk budget (internal & external in US$) for the
ASPAC region only?
ASPAC
orbudget
a. Less than US$1 million
b. Between US$1 million – US$5 million
c. Between US$6 million – US$10 million
d. Between US$11 million – US$20 million
e. Between US$21 million – US$40 million
f. Between US$41 million – US$100 million
g. Between US$101 million – US$200 million
g. Greater than US$200 million
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
Contact us
Dr John Lee
Partner
Head of ASPAC
Financial Risk Management
KPMG Malaysia
+603 2095 3388 ext 1001
[email protected]
Mike Ritchie
Partner
Head of ASPAC
Operational Risk Management
KPMG Australia
+61 2 9335 8251
[email protected]
© 2008 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the
KPMG network are affiliated.
kpmg.com
The information contained herein is of a general nature and is not intended to address the
circumstances of any particular individual or entity. Although we endeavour to provide accurate and
timely information, there can be no guarantee that such information is accurate as of the date it is
received or that it will continue to be accurate in the future. No one should act on such information
without appropriate professional advice after a thorough examination of the particular situation.
© 2008 KPMG International. KPMG
International is a Swiss cooperative. Member
firms of the KPMG network of independent
firms are affiliated with KPMG International.
KPMG International provides no client
services. No member firm has any authority
to obligate or bind KPMG International or
any other member firm vis-à-vis third parties,
nor does KPMG International have any such
authority to obligate or bind any member firm.
All rights reserved.

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz